Update of /cvsroot/mhonarc/mhonarc/MHonArc/lib
In directory subversions:/tmp/cvs-serv7466/lib
Modified Files:
mhamain.pl mhidxrc.pl mhinit.pl mhopt.pl mhtxthtml.pl
Log Message:
* Strip more tags and attributes that could potentially be used for
XSS exploits in the HTML filter. This is more of a preemptive
change since no new exploits have been reported.
* DATEFIELDS resource now supports indexed field names. For example:
<DateFields>
received[1]:received[0]:date
</DateFields>
The example says that mhonarc should check the second received
field, then the first received field, and then the first date field
to determine the date of a message.
Index: mhamain.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhamain.pl,v
retrieving revision 2.46
retrieving revision 2.47
diff -C2 -r2.46 -r2.47
*** mhamain.pl 4 Aug 2002 03:47:06 -0000 2.46
--- mhamain.pl 4 Sep 2002 04:09:30 -0000 2.47
***************
*** 8,12 ****
##---------------------------------------------------------------------------##
## MHonArc -- Internet mail-to-HTML converter
! ## Copyright (C) 1995-2001 Earl Hood, mhonarc(_at_)mhonarc(_dot_)org
##
## This program is free software; you can redistribute it and/or modify
--- 8,12 ----
##---------------------------------------------------------------------------##
## MHonArc -- Internet mail-to-HTML converter
! ## Copyright (C) 1995-2002 Earl Hood, mhonarc(_at_)mhonarc(_dot_)org
##
## This program is free software; you can redistribute it and/or modify
***************
*** 30,34 ****
require 5;
! $VERSION = "2.5.11";
$VINFO =<<EndOfInfo;
MHonArc v$VERSION (Perl $] $^O)
--- 30,34 ----
require 5;
! $VERSION = '2.5.12';
$VINFO =<<EndOfInfo;
MHonArc v$VERSION (Perl $] $^O)
***************
*** 719,723 ****
sub read_mail_header {
my $handle = shift;
! my($index, $date, $tmp);
my($from, $sub, $msgid, $ctype);
local($_);
--- 719,723 ----
sub read_mail_header {
my $handle = shift;
! my($index, $date, $tmp, $i, $field, $value);
my($from, $sub, $msgid, $ctype);
local($_);
***************
*** 782,795 ****
##----------##
$date = "";
! foreach (@DateFields) {
! next unless defined($fields->{$_});
## Treat received field specially
! if ($_ eq 'received') {
! @array = split(/;/, $fields->{$_}[0]);
$date = pop @array;
## Any other field should just be a date
} else {
! $date = $fields->{$_}[0];
}
$date =~ s/^\s+//; $date =~ s/\s+$//;
--- 782,802 ----
##----------##
$date = "";
! foreach (@_DateFields) {
! ($field, $i) = @{$_}[0,1];
! next unless defined($fields->{$field}) &&
! defined($value = $fields->{$field}[$i]);
## Treat received field specially
! if ($field eq 'received') {
! @array = split(/;/, $value);
! if ((scalar(@array) <= 1) || (scalar(@array) > 2)) {
! warn qq/\nWarning: Received header field looks improper:\n/,
! qq/ Received: $value\n/,
! qq/ Message-Id: <$msgid>\n/;
! }
$date = pop @array;
## Any other field should just be a date
} else {
! $date = $value;
}
$date =~ s/^\s+//; $date =~ s/\s+$//;
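Review bot: The Received sanity check on the new side, `if ((scalar(@array) <= 1) || (scalar(@array) > 2))`, only warns and then still runs `$date = pop @array`, so a Received value with no `;` is handed to the date parser as the whole header text and an empty value leaves `$date` undef, which the following `$date =~ s/^\s+//` will report under `-w`. The condition itself reads more simply as `if (scalar(@array) != 2)`, and if the fall-through for the malformed case is deliberate a one-line comment saying so would help; otherwise `next if scalar(@array) != 2;` after the warning skips to the next configured field. `@array` is not in the new `my(...)` list at the top of the sub, so it appears to be a package variable (pre-existing, not introduced here). read_mail_header starts and ends outside this hunk.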
Index: mhidxrc.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhidxrc.pl,v
retrieving revision 2.11
retrieving revision 2.12
diff -C2 -r2.11 -r2.12
*** mhidxrc.pl 23 Nov 2001 20:42:39 -0000 2.11
--- mhidxrc.pl 4 Sep 2002 04:09:30 -0000 2.12
***************
*** 362,367 ****
unless (@DateFields) {
! @DateFields = ('received', 'date');
$IsDefault{'DATEFIELDS'} = 1;
}
unless (@FromFields) {
--- 362,380 ----
unless (@DateFields) {
! @DateFields = ('received', 'date');
! @_DateFields = ( ['received',0], ['date',0] );
$IsDefault{'DATEFIELDS'} = 1;
+ } else {
+ local($_);
+ my $f;
+ foreach (@DateFields) {
+ s/\s//g; tr/A-Z/a-z/;
+ $f = $_;
+ if ($f =~ s/\[(\d+)\]//) {
+ push(@_DateFields, [ $f, $1 ]);
+ } else {
+ push(@_DateFields, [ $f, 0 ]);
+ }
+ }
}
unless (@FromFields) {
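Review bot: The index is stripped with `if ($f =~ s/\[(\d+)\]//)`, which matches anywhere in the field name, so a value such as `rec[1]eived` is silently accepted as `received` with index 1; anchoring it, `if ($f =~ s/\[(\d+)\]\z//)`, only accepts the documented trailing form and lets a mistyped name fail visibly later. `@_DateFields` is also only appended to here and never cleared, so if this default-resolution block can run more than once in a process (not visible in the hunk) the parsed list accumulates stale pairs; an `@_DateFields = ();` before the loop keeps it idempotent. The `local($_)` above the loop is redundant, since `foreach` already localizes `$_`, and the aliasing means `s/\s//g; tr/A-Z/a-z/` rewrite `@DateFields` in place, which replaces the normalization removed from mhopt.pl in this same commit. The enclosing block starts before and ends after the hunk.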
Index: mhinit.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhinit.pl,v
retrieving revision 2.36
retrieving revision 2.37
diff -C2 -r2.36 -r2.37
*** mhinit.pl 27 Jul 2002 05:13:13 -0000 2.36
--- mhinit.pl 4 Sep 2002 04:09:30 -0000 2.37
***************
*** 399,402 ****
--- 399,405 ----
split(/:/, $ENV{'M2H_FROMFIELDS'}) : ();
+ # Version of @Datefiles in parsed format
+ @_DateFields = ( );
+
($TSliceNBefore, $TSliceNAfter, $TSliceInclusive) =
defined($ENV{'M2H_TSLICE'}) ?
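Review bot: The new comment `# Version of @Datefiles in parsed format` names a variable that does not exist; the array being reset is the parsed form of `@DateFields`, which the mhidxrc.pl change in this commit fills with `[field_name, index]` pairs. Suggest `# Parsed form of @DateFields: list of [field_name, index] pairs, filled in when resources are resolved`. The surrounding statement run starts and ends outside the hunk.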
Index: mhopt.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhopt.pl,v
retrieving revision 2.30
retrieving revision 2.31
diff -C2 -r2.30 -r2.31
*** mhopt.pl 27 Jul 2002 05:13:13 -0000 2.30
--- mhopt.pl 4 Sep 2002 04:09:30 -0000 2.31
***************
*** 570,576 ****
$MAIN = 0 if $IDXONLY && $THREAD;
! @DateFields = split(/:/, $opt{'datefields'}) if $opt{'datefields'};
! foreach (@DateFields) { s/\s//g; tr/A-Z/a-z/; }
! @FromFields = split(/:/, $opt{'fromfields'}) if $opt{'fromfields'};
foreach (@FromFields) { s/\s//g; tr/A-Z/a-z/; }
--- 570,575 ----
$MAIN = 0 if $IDXONLY && $THREAD;
! @DateFields = split(/[:;]/, $opt{'datefields'}) if $opt{'datefields'};
! @FromFields = split(/[:;]/, $opt{'fromfields'}) if $opt{'fromfields'};
foreach (@FromFields) { s/\s//g; tr/A-Z/a-z/; }
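Review bot: The option path now splits `-datefields` and `-fromfields` on `[:;]`, but the environment path visible in the mhinit.pl hunk still uses `split(/:/, $ENV{'M2H_FROMFIELDS'})`, so `;` as a separator is accepted from the command line and presumably not from `M2H_DATEFIELDS`/`M2H_FROMFIELDS` (the DATEFIELDS env line itself is not in view). Either accept `[:;]` in mhinit.pl too or document `:` as the only separator in both places. The whitespace-strip and lowercase pass for `@DateFields` was removed here while `@FromFields` keeps its own on the next line; that now depends on the mhidxrc.pl code running after option parsing, which a comment such as `# @DateFields is normalized and parsed into @_DateFields in mhidxrc.pl` would make explicit.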
Index: mhtxthtml.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhtxthtml.pl,v
retrieving revision 2.20
retrieving revision 2.21
diff -C2 -r2.20 -r2.21
*** mhtxthtml.pl 24 Dec 2001 13:10:33 -0000 2.20
--- mhtxthtml.pl 4 Sep 2002 04:09:30 -0000 2.21
***************
*** 38,53 ****
# Script related attributes
my $SAttr = q/\b(?:onload|onunload|onclick|ondblclick|/.
! q/onmouse(?:down|up|over|move|out)|/.
! q/onkey(?:press|down|up))\b/;
# Script/questionable related elements
! my $SElem = q/\b(?:applet|base|embed|form|ilayer|input|layer|link|meta|object|/.
! q/option|param|select|textarea)\b/;
# Elements with auto-loaded URL attributes
my $AElem = q/\b(?:img|body|iframe|frame|object|script|input)\b/;
- # XXX: What about INS, DEL?
# URL attributes
! my $UAttr = q/\b(?:href|src|background|classid|data|longdesc)\b/;
! # XXX: What about codebase, usemap?
##---------------------------------------------------------------------------
--- 38,52 ----
# Script related attributes
my $SAttr = q/\b(?:onload|onunload|onclick|ondblclick|/.
! q/onmouse(?:down|up|over|move|out)|/.
! q/onkey(?:press|down|up)|style)\b/;
# Script/questionable related elements
! my $SElem = q/\b(?:applet|base|embed|form|ilayer|input|layer|link|meta|/.
! q/object|option|param|select|textarea)\b/;
# Elements with auto-loaded URL attributes
my $AElem = q/\b(?:img|body|iframe|frame|object|script|input)\b/;
# URL attributes
! my $UAttr = q/\b(?:action|background|cite|classid|codebase|data|datasrc|/.
! q/dynsrc|for|href|longdesc|profile|src|url|usemap)\b/;
##---------------------------------------------------------------------------
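Review bot: `$SAttr` on the new side still works as an allow-by-omission list of event-handler names, so any intrinsic-event attribute it does not enumerate (the HTML 4 set alone is larger than what is listed) passes through unchanged; matching the whole family, `q/\b(?:on\w+|style)\b/`, strips handlers by default and needs no update as browsers add new ones. The same reasoning applies to `$UAttr`, whose growing enumeration (`action`, `cite`, `codebase`, `datasrc`, `dynsrc`, `for`, `profile`, `url`, `usemap`) suggests a deny-by-default attribute policy would be easier to keep complete than a list. How these patterns are applied, and whether unmatched attributes are kept or dropped, is outside the hunk.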