Re: IMP 2.x SQL injection vulnerabilities

From: Sylvain Robitaille (sylat_private)
Date: Wed Jan 08 2003 - 13:06:52 PST


    On Wed, 8 Jan 2003, Jouko Pynnonen informed us that:
    
    > The vendor has been informed about this bug last month. Although there
    > hasn't been any direct reply, there was a comment on this on the IMP
    > mailing list: "2.2.x is officially deprecated/unsupported. This does not
    > apply to 3.x.".
    >
    > Versions up to and including 2.2.8 seem vulnerable. According to the
    > author, version 3 isn't affected so upgrading to IMP 3 is recommended.
    > This, and more information about IMP is available at http://horde.org/imp/.
    
    What many software developers (including, but apparently not limited
    to, many commercial software vendors) seem to fail to realize is that
    some sites use their applications in production environments, with (in
    my case tens of thousands of) real users and upgrading to the latest
    version which includes numerous changes above and beyond the fix for the
    reported bug is often difficult in the best of cases.
    
    In the case of Imp-2 -> Imp-3, the changes are much too significant for
    some of us to simply switch versions and hope our user community doesn't
    notice.  It's a lot easier for us to patch-in-place to deal with the bug
    itself, and leave the upgrade to new features (and new bugs!) to be done
    in a more coordinated fashion, with time for users to evaluate the new
    interface, etc.
    
    That being said, and thanks to the information in Jouko's advisory,
    I've patched our own Imp installation (which has now had so many patches
    applied I should start giving it local version numbers!) according to
    the appended.  I hope others will be able to make use of this patch,
    and I especially hope that if I've overlooked something, others will
    point it out...
    
    -- 
    ----------------------------------------------------------------------
    Sylvain Robitaille                              sylat_private
    
    Systems analyst                                   Concordia University
    Instructional & Information Technology        Montreal, Quebec, Canada
    ----------------------------------------------------------------------
    
    # Of course, folks using Imp-2 with non-PostgreSQL databases will
    # need to adapt the following to the appropriate db.* file
    
    --- lib/db.pgsql.20030108       2000-12-20 15:45:33.000000000 -0500
    +++ lib/db.pgsql 2003-01-08 15:18:25.000000000 -0500
    @@ -26,6 +26,13 @@
     function imp_add_address ($address, $nickname, $fullname, $user, $server) {
            global $default;
    
    +        /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +        $address  = addslashes($address);
    +        $nickname = addslashes($nickname);
    +        $fullname = addslashes($fullname);
    +        $user     = addslashes($user);
    +        $server   = addslashes($server);
    +
            /* post: adds $address, $nickname, $fullname to the addressbook for $user@$server
               returns true on success and false on failure
         */
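    Review bot: addslashes() is a generic PHP escaper rather than a PostgreSQL-aware one; since this is db.pgsql, pg_escape_string() is the safer choice for the five calls added here, and a parameterised query would remove the need for hand escaping altogether. Also worth checking before applying: with magic_quotes_gpc enabled, request values arrive already backslash-escaped, so these calls double-escape them and literal backslashes end up stored in the addressbook; guard the block with get_magic_quotes_gpc() or strip the existing slashes first.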
    @@ -41,6 +48,10 @@
     function imp_check_prefs ($user, $server) {
            global $_imp_prefs_exist, $default;
    
    +        /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +        $user     = addslashes($user);
    +        $server   = addslashes($server);
    +
            if (isset($_imp_prefs_exist)) {
                    return $_imp_prefs_exist;
            }
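    Review bot: the two addslashes() calls only help if $user and $server are interpolated inside single-quoted SQL string literals further down; addslashes() does nothing for a value dropped into a query unquoted, so confirm the quoting in the query that follows this hunk rather than relying on the escaping alone.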
    @@ -59,6 +70,11 @@
     function imp_delete_address ($address, $user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $address  = addslashes($address);
    +   $user     = addslashes($user);
    +   $server   = addslashes($server);
    +
        /* post: deletes $address from the addressbook of $user@$server
         returns true on success and false on failure
         */
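    Review bot: style: the new block is inserted between `global $default;` and the `/* post: ... */` contract comment, which separates the function header from its documentation; placing the escaping after the comment keeps the contract where a reader expects it. The same applies to the other hunks in this patch.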
    @@ -72,6 +88,10 @@
     function imp_get_addresses ($user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $user     = addslashes($user);
    +   $server   = addslashes($server);
    +
        /* post: returns a 2d array of addresses where each
         element is an array in which element 0 is the address,
         element 1 is the nickname, and element 2 is the fullname.
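    Review bot: every function in this file now repeats the same `$user = addslashes($user); $server = addslashes($server);` pair; a small helper, or escaping once where the values enter this file, would avoid the repetition and make it harder to miss a function when the next one is added.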
    @@ -92,6 +112,10 @@
     function imp_get_from ($user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $user     = addslashes($user);
    +   $server   = addslashes($server);
    +
        /* post: returns the signature for the database key $user@$server
         (a string), or false on failure.
         */
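    Review bot: documentation: the post-condition comment kept as context here reads "returns the signature" for imp_get_from, and the same text is repeated below for imp_get_fullname and imp_get_lang; since the patch touches these function headers anyway, correcting the comments to describe the reply-to address, full name and language respectively would be a cheap improvement.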
    @@ -105,6 +129,10 @@
     function imp_get_fullname ($user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $user     = addslashes($user);
    +   $server   = addslashes($server);
    +
        /* post: returns the signature for the database key $user@$server
         (a string), or false on failure.
         */
    @@ -118,6 +146,10 @@
     function imp_get_lang ($user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $user     = addslashes($user);
    +   $server   = addslashes($server);
    +
        /* post: returns the signature for the database key $user@$server
         (a string), or false on failure.
         */
    @@ -131,6 +163,10 @@
     function imp_get_signature ($user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $user     = addslashes($user);
    +   $server   = addslashes($server);
    +
        /* post: returns the signature for the database key $user@$server
         (a string), or false on failure.
         */
    @@ -144,6 +180,11 @@
     function imp_set_from ($from, $user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $from     = addslashes($from);
    +   $user     = addslashes($user);
    +   $server   = addslashes($server);
    +
        /* post: sets the replyto to $from for the database key $user@$server
         returns true on success and false on failure
         */
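    Review bot: $from is free text that legitimately contains quotes and backslashes, so a round-trip check (set a value such as `a\'b` through imp_set_from, read it back with imp_get_from) before and after the patch would confirm that the stored value is unchanged and that no stray backslashes are introduced.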
    @@ -165,6 +206,11 @@
     function imp_set_fullname ($fullname, $user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $fullname = addslashes($fullname);
    +   $user     = addslashes($user);
    +   $server   = addslashes($server);
    +
        /* post: sets the fullname to $fullname for the database key $user@$server
         returns true on success and false on failure
         */
    @@ -186,6 +232,11 @@
     function imp_set_lang ($lang, $user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $lang     = addslashes($lang);
    +   $user     = addslashes($user);
    +   $server   = addslashes($server);
    +
        /* post: sets the language to $lang for the database key $user@$server
         returns true on success and false on failure
         */
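    Review bot: $lang is a language identifier, not free text; validating it against the set of languages the installation actually supports would be stronger than escaping it, and escaping can then stay as defence in depth.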
    @@ -208,6 +259,11 @@
     function imp_set_signature ($signature, $user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $signature = addslashes($signature);
    +   $user      = addslashes($user);
    +   $server    = addslashes($server);
    +
        /* post: sets the signature to $signature for the database key $user@$server
         returns true on success and false on failure
         */
    @@ -230,6 +286,14 @@
     function imp_update_address ($old_address, $address, $nickname, $fullname, $user, $server) {
        global $default;
    
    +   /* 2003/01/08 Sylvain Robitaille: Sanitize our input. */
    +   $old_address = addslashes($old_address);
    +   $address     = addslashes($address);
    +   $nickname    = addslashes($nickname);
    +   $fullname    = addslashes($fullname);
    +   $user        = addslashes($user);
    +   $server      = addslashes($server);
    +
        /* post: changes the entry for $old_address to $address, $nickname, $fullname.
         returns true on success and false on failure
         */
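    Review bot: escaping $old_address is correct only if callers pass the raw value; if any caller already escapes before calling this function, the lookup key will no longer match the stored row and the update fails silently (the function just returns false), so audit the callers of imp_update_address when applying this hunk.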
    



    This archive was generated by hypermail 2b30 : Wed Jan 15 2003 - 10:34:04 PST