courier-webmail-sec_fix.patch

   1 diff -Nur old/webmail/html.c new/webmail/html.c
   2 --- old/webmail/html.c  2003-10-06 00:16:13.000000000 +0000
   3 +++ new/webmail/html.c  2005-08-31 21:32:48.117085448 +0000
   4 @@ -187,9 +187,16 @@
   5                                         if (tai)        ++tai->tagvaluelen;
   6                                 }
   7                                 if (*p) p++;
   8 +                               else
   9 +                               {
  10 +                                       memset(tagbuf, ' ', strlen(tagbuf));
  11 +                               }
  12                         }
  13                         else
  14                         {
  15 +                               if (c == 0)
  16 +                                       memset(tagbuf, ' ', strlen(tagbuf));
  17 +
  18                                 if (tai)
  19                                 {
  20                                         tai->tagvalue=p;
  21 @@ -222,6 +229,31 @@
  22         while ((p=strchr(tagbuf, '<')) != NULL)
  23                 *p=' ';
  24
  25 +       for (p=tagbuf; *p; p++)
  26 +       {
  27 +               char *q;
  28 +
  29 +               if (*p != '&')
  30 +                       continue;
  31 +
  32 +               q=p;
  33 +
  34 +               ++p;
  35 +
  36 +               while (*p)
  37 +               {
  38 +                       if (strchr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", *p) == NULL)
  39 +                               break;
  40 +                       ++p;
  41 +               }
  42 +
  43 +               if (*p != ';')
  44 +               {
  45 +                       *q=0;
  46 +               }
  47 +               --p;
  48 +       }
  49 +
  50          tagattrlen=parseattr(0);
  51          if ( tagattrlen > tagattrsize)
  52          {