diff -u squirrelmail-1.4.10a/config/conf.pl squirrelmail-1.4.10a/config/conf.pl --- squirrelmail-1.4.10a/config/conf.pl +++ squirrelmail-1.4.10a/config/conf.pl @@ -354,6 +354,9 @@ $abook_global_file_listing = 'true' if ( !$abook_global_file_listing ); $abook_file_line_length = 2048 if ( !$abook_file_line_length ); +# Added in 1.4.16 +$only_secure_cookies = 'true' if ( !$only_secure_cookies ); + if ( $ARGV[0] eq '--install-plugin' ) { print "Activating plugin " . $ARGV[1] . "\n"; push @plugins, $ARGV[1]; 
@@ -524,23 +527,24 @@
 print "R Return to Main Menu\n";
 } elsif ( $menu == 4 ) {
 print $WHT. "General Options\n" . $NRM;
- print "1. Data Directory : $WHT$data_dir$NRM\n";
- print "2. Attachment Directory : $WHT$attachment_dir$NRM\n";
- print "3. Directory Hash Level : $WHT$dir_hash_level$NRM\n";
- print "4. Default Left Size : $WHT$default_left_size$NRM\n";
- print "5. Usernames in Lowercase : $WHT$force_username_lowercase$NRM\n";
- print "6. Allow use of priority : $WHT$default_use_priority$NRM\n";
- print "7. Hide SM attributions : $WHT$hide_sm_attributions$NRM\n";
- print "8. Allow use of receipts : $WHT$default_use_mdn$NRM\n";
- print "9. Allow editing of identity : $WHT$edit_identity$NRM\n";
- print " Allow editing of name : $WHT$edit_name$NRM\n";
- print " Remove username from header : $WHT$hide_auth_header$NRM\n";
- print "10. Allow server thread sort : $WHT$allow_thread_sort$NRM\n";
- print "11. Allow server-side sorting : $WHT$allow_server_sort$NRM\n";
- print "12. Allow server charset search : $WHT$allow_charset_search$NRM\n";
- print "13. Enable UID support : $WHT$uid_support$NRM\n";
- print "14. PHP session name : $WHT$session_name$NRM\n";
- print "15. Location base : $WHT$config_location_base$NRM\n";
+ print "1. Data Directory : $WHT$data_dir$NRM\n";
+ print "2. Attachment Directory : $WHT$attachment_dir$NRM\n";
+ print "3. Directory Hash Level : $WHT$dir_hash_level$NRM\n";
+ print "4. Default Left Size : $WHT$default_left_size$NRM\n";
+ print "5. Usernames in Lowercase : $WHT$force_username_lowercase$NRM\n";
+ print "6. Allow use of priority : $WHT$default_use_priority$NRM\n";
+ print "7. Hide SM attributions : $WHT$hide_sm_attributions$NRM\n";
+ print "8. Allow use of receipts : $WHT$default_use_mdn$NRM\n";
+ print "9. Allow editing of identity : $WHT$edit_identity$NRM\n";
+ print " Allow editing of name : $WHT$edit_name$NRM\n";
+ print " Remove username from header : $WHT$hide_auth_header$NRM\n";
+ print "10. 
Allow server thread sort : $WHT$allow_thread_sort$NRM\n";
+ print "11. Allow server-side sorting : $WHT$allow_server_sort$NRM\n";
+ print "12. Allow server charset search : $WHT$allow_charset_search$NRM\n";
+ print "13. Enable UID support : $WHT$uid_support$NRM\n";
+ print "14. PHP session name : $WHT$session_name$NRM\n";
+ print "15. Location base : $WHT$config_location_base$NRM\n";
+ print "16. Only secure cookies if poss. : $WHT$only_secure_cookies$NRM\n";
 print "\n";
 print "R Return to Main Menu\n";
 } elsif ( $menu == 5 ) {
@@ -757,6 +761,7 @@
 elsif ( $command == 13 ) { $uid_support = command313(); }
 elsif ( $command == 14 ) { $session_name = command314(); }
 elsif ( $command == 15 ) { $config_location_base = command_config_location_base(); }
+ elsif ( $command == 16 ) { $only_secure_cookies = command316(); }
 } elsif ( $menu == 5 ) {
 if ( $command == 1 ) { command41(); }
 elsif ( $command == 2 ) { $theme_css = command42(); }
@@ -2296,6 +2301,34 @@ } +# only_secure_cookies (since 1.4.16) +sub command316 { + print "This option allows you to specify that if a user session is initiated\n"; + print "under a secure (HTTPS, SSL-encrypted) connection, the cookies given to\n"; + print "the browser will ONLY be transmitted via a secure connection henceforth.\n\n"; + print "Generally this is a Good Thing, and should NOT be disabled. However,\n"; + print "if you intend to use the Secure Login or Show SSL Link plugins to\n"; + print "encrypt the user login, but not the rest of the SquirrelMail session,\n"; + print "this can be turned off. Think twice before doing so.\n"; + print "\n"; + + if ( lc($only_secure_cookies) eq 'true' ) { + $default_value = "y"; + } else { + $default_value = "n"; + } + print "Transmit cookies only on secure connection when available? (y/n) [$WHT$default_value$NRM]: $WHT"; + $only_secure_cookies = ; + if ( ( $only_secure_cookies =~ /^y\n/i ) || ( ( $only_secure_cookies =~ /^\n/ ) && ( $default_value eq "y" ) ) ) { + $only_secure_cookies = 'true'; + } else { + $only_secure_cookies = 'false'; + } + return $only_secure_cookies; +} + + + #################################################################################### #### THEMES #### sub command41 { @@ -3332,6 +3365,9 @@ print CF "\$session_name = '$session_name';\n"; + # boolean + print CF "\$only_secure_cookies = $only_secure_cookies;\n"; + print CF "\n"; print CF "\$config_location_base = '$config_location_base';\n"; diff -u squirrelmail-1.4.10a/debian/changelog squirrelmail-1.4.10a/debian/changelog --- squirrelmail-1.4.10a/debian/changelog +++ squirrelmail-1.4.10a/debian/changelog 
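Review bot: In the new `command316`, every answer except an exact `y` (or a bare Enter when the default is `y`) falls into the `else` branch and stores `'false'`, so a typo such as `yes` silently turns off the Secure-cookie behaviour that the prompt text itself says should not be disabled. It would be safer to change the setting only on an explicit `n` and otherwise keep the default, e.g. replace the `else` with `} elsif ( $only_secure_cookies =~ /^n\n/i ) { $only_secure_cookies = 'false'; } else { $only_secure_cookies = ( $default_value eq 'y' ) ? 'true' : 'false'; }`. Separately, `$only_secure_cookies = ;` has no right-hand side as rendered here; presumably the `<STDIN>` read was lost in extraction, but it is worth confirming against the actual patch file. `$default_value` is assigned as a package variable rather than a `my` lexical; if the neighbouring command subs in this file do the same it can stay for consistency, otherwise declare it with `my`.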
@@ -1,3 +1,17 @@ +squirrelmail (2:1.4.10a-2ubuntu0.1) gutsy-security; urgency=low + + * SECURITY UPDATE: cross site scripting issue in the HTML filter. + Patch taken from upstream release. (LP: #306536) + - CVE-2008-2379 + - http://www.squirrelmail.org/security/issue/2008-12-04 + * SECURITY UPDATE: Cookies sent over HTTPS will now be confined to + HTTPS only (cookie secure flag) and more support for the HTTPOnly + cookie attribute. Patch taken from upstream release. (LP: #328938) + - CVE-2008-3663 + - http://www.squirrelmail.org/security/issue/2008-09-28 + + -- Andreas Wenning Fri, 13 Feb 2009 08:03:02 +0100 + squirrelmail (2:1.4.10a-2) unstable; urgency=low * Make use of new dictionaries-common SquirrelMail interface to only in patch2: unchanged: --- squirrelmail-1.4.10a.orig/src/webmail.php +++ squirrelmail-1.4.10a/src/webmail.php @@ -62,7 +62,7 @@ */ $my_language = getPref($data_dir, $username, 'language'); if ($my_language != $squirrelmail_language) { - setcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri); + sqsetcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri); } set_up_language(getPref($data_dir, $username, 'language')); only in patch2: unchanged: --- squirrelmail-1.4.10a.orig/src/redirect.php +++ squirrelmail-1.4.10a/src/redirect.php @@ -33,7 +33,6 @@ header('Pragma: no-cache'); $location = get_location(); -session_set_cookie_params (0, $base_uri); sqsession_is_active(); sqsession_unregister ('user_is_logged_in'); @@ -56,8 +55,7 @@ set_up_language($squirrelmail_language, true); /* Refresh the language cookie. */ -setcookie('squirrelmail_language', $squirrelmail_language, time()+2592000, - $base_uri); +sqsetcookie('squirrelmail_language', $squirrelmail_language, time()+2592000, $base_uri); if (!isset($login_username)) { include_once(SM_PATH . 'functions/display_messages.php' ); 
@@ -91,7 +89,7 @@ $username = $login_username; sqsession_register ($username, 'username'); - setcookie('key', $key, 0, $base_uri); + sqsetcookie('key', $key, 0, $base_uri); do_hook ('login_verified'); } only in patch2: unchanged: --- squirrelmail-1.4.10a.orig/functions/global.php +++ squirrelmail-1.4.10a/functions/global.php @@ -373,9 +373,9 @@ global $base_uri; - if (isset($_COOKIE[session_name()])) setcookie(session_name(), '', 0, $base_uri); - if (isset($_COOKIE['username'])) setcookie('username', '', 0, $base_uri); - if (isset($_COOKIE['key'])) setcookie('key', '', 0, $base_uri); + if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri); + if (isset($_COOKIE['username'])) sqsetcookie('username', '', 0, $base_uri); + if (isset($_COOKIE['key'])) sqsetcookie('key', '', 0, $base_uri); $sessid = session_id(); if (!empty( $sessid )) { 
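Review bot: The three replaced calls in the `-373` hunk pass `0` as the expiry, which PHP's `setcookie()` handled specially for an empty value (it sends `deleted` together with an `expires` date in the past), but the new `sqsetcookie()` only substitutes the value: with `empty($iExpire)` true no `expires` attribute is written, so the browser keeps a session cookie named e.g. `key` with the value `deleted` instead of discarding it. To actually clear the cookies on logout, pass an explicit past timestamp, e.g. `sqsetcookie('key', '', time() - 31536000, $base_uri);` (and the same for the session-name and `username` lines), or make `sqsetcookie()` emit a past `expires` whenever `$sValue` is empty. The enclosing function starts before this hunk.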
@@ -398,7 +398,105 @@ */ function sqsession_is_active() { + sqsession_start(); +} + +/** + * Function to start the session and store the cookie with the session_id as + * HttpOnly cookie which means that the cookie isn't accessible by javascript + * (IE6 only) + * Note that as sqsession_is_active() no longer discriminates as to when + * it calls this function, session_start() has to have E_NOTICE suppression + * (thus the @ sign). + * + * @return void + * + * @since 1.4.16 + * + */ +function sqsession_start() { + global $base_uri; + + session_set_cookie_params (0, $base_uri); @session_start(); + // could be: sq_call_function_suppress_errors('session_start'); + $session_id = session_id(); + + // session_starts sets the sessionid cookie but without the httponly var + // setting the cookie again sets the httponly cookie attribute + // + // need to check if headers have been sent, since sqsession_is_active() + // has become just a passthru to this function, so the sqsetcookie() + // below is called every time, even after headers have already been sent + // + if (!headers_sent()) + sqsetcookie(session_name(),$session_id,false,$base_uri); +} + +/** + * Set a cookie + * + * @param string $sName The name of the cookie. + * @param string $sValue The value of the cookie. + * @param int $iExpire The time the cookie expires. This is a Unix + * timestamp so is in number of seconds since + * the epoch. + * @param string $sPath The path on the server in which the cookie + * will be available on. + * @param string $sDomain The domain that the cookie is available. + * @param boolean $bSecure Indicates that the cookie should only be + * transmitted over a secure HTTPS connection. + * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6/FF2) + * @param boolean $bReplace Replace previous cookies with same name? 
+ * + * @return void + * + * @since 1.4.16 and 1.5.1 + * + */ +function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="", + $bSecure=false, $bHttpOnly=true, $bReplace=false) { + + // if we have a secure connection then limit the cookies to https only. + if ($sName && isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']) { + $bSecure = true; + } + + // admin config can override the restriction of secure-only cookies + // + // (we have to check if the value is set and default it to true if + // not because when upgrading without re-running conf.pl, it will + // not be found in config/config.php and thusly evaluate to false, + // but we want to default people who upgrade to true due to security + // implications of setting this to false) + // + global $only_secure_cookies; + if (!isset($only_secure_cookies)) $only_secure_cookies = true; + if (!$only_secure_cookies) + $bSecure = false; + + if (false && check_php_version(5,2)) { + // php 5 supports the httponly attribute in setcookie, but because setcookie seems a bit + // broken we use the header function for php 5.2 as well. We might change that later. + //setcookie($sName,$sValue,(int) $iExpire,$sPath,$sDomain,$bSecure,$bHttpOnly); + } else { + if (!empty($sDomain)) { + // Fix the domain to accept domains with and without 'www.'. + if (strtolower(substr($sDomain, 0, 4)) == 'www.') $sDomain = substr($sDomain, 4); + $sDomain = '.' . $sDomain; + + // Remove port information. + $Port = strpos($sDomain, ':'); + if ($Port !== false) $sDomain = substr($sDomain, 0, $Port); + } + if (!$sValue) $sValue = 'deleted'; + header('Set-Cookie: ' . rawurlencode($sName) . '=' . rawurlencode($sValue) + . (empty($iExpire) ? '' : '; expires=' . gmdate('D, d-M-Y H:i:s', $iExpire) . ' GMT') + . (empty($sPath) ? '' : '; path=' . $sPath) + . (empty($sDomain) ? '' : '; domain=' . $sDomain) + . (!$bSecure ? '' : '; secure') + . (!$bHttpOnly ? 
'' : '; HttpOnly'), $bReplace); + } } // vim: et ts=4 only in patch2: unchanged: --- squirrelmail-1.4.10a.orig/functions/mime.php +++ squirrelmail-1.4.10a/functions/mime.php @@ -1720,6 +1720,8 @@ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote; } } + } else { + $attvalue = $sQuote . $attvalue . $sQuote; } break; case 'outbind': @@ -1728,13 +1730,13 @@ * One day MS might actually make it match something useful, for now, falling * back to using cid2http, so we can grab the blank.png. */ - $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox); + $attvalue = $sQuote . sq_cid2http($message, $id, $attvalue, $mailbox) . $sQuote; break; case 'cid': /** * Turn cid: urls into http-friendly ones. */ - $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox); + $attvalue = $sQuote . sq_cid2http($message, $id, $attvalue, $mailbox) . $sQuote; break; default: $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
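Review bot: In `sqsetcookie()` the secure-connection test `isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']` treats the string `off`, which some servers (notably IIS) set for plain HTTP, as true, so the `secure` attribute would be added on a non-TLS request and the browser would never return the cookie; compare against the value instead, `if ($sName && !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off') {`. The converse deployment, TLS terminated at a proxy so that no `HTTPS` variable reaches PHP, gets no `secure` flag at all; that cannot be fixed in this function, but a comment next to the check saying so would help an administrator decide whether to set the variable. `$sPath` and `$sDomain` are concatenated into the `Set-Cookie` header unencoded, unlike `$sName` and `$sValue`; `header()` rejects embedded newlines, but a `;` in either would add attributes, so if `$base_uri` is ever derived from request data (its origin is not visible in this hunk) it should be validated before it reaches here. The `if (false && check_php_version(5,2))` branch is dead by construction; either drop it or turn the intent into a comment so the next reader does not think the `setcookie()` path is reachable.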
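Review bot: The new `else` branch in the `-1720` hunk, and the two `sq_cid2http()` lines in the `-1728` hunk, wrap the attribute value in `$sQuote` but do not remove a `$sQuote` character (or `>`) appearing inside `$attvalue` or inside the URL `sq_cid2http()` returns, so the quoting would close early if such characters survive to this point. Whether an earlier step in the enclosing function has already stripped quotes from `$attvalue` is outside both hunks (the `switch` and its function start before the first hunk and end after the second), so please confirm that, or strip them on the wrapped string, e.g. `$attvalue = $sQuote . str_replace($sQuote, '', sq_cid2http($message, $id, $attvalue, $mailbox)) . $sQuote;`. A one-line comment on the new `else` branch stating which attribute values reach it would also help, since the `if` condition it complements is not in the hunk.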