Subject: CVS commit: pkgsrc/mail/mhonarc
To: None <pkgsrc-changes@NetBSD.org>
From: Jim Wise <jwise@netbsd.org>
List: pkgsrc-changes
Date: 07/31/2003 14:30:31
Module Name:	pkgsrc
Committed By:	jwise
Date:		Thu Jul 31 14:30:30 UTC 2003

Modified Files:
	pkgsrc/mail/mhonarc: Makefile PLIST distinfo

Log Message:
Update MHonarc to version 2.6.4.  Changes since last pkgsrc version (2.5.14):

============================================================================
2003/06/20	(2.6.4)

* Bug Fixes:

  + Official:

      Bug ID  Summary
      ------  ------------------------------------------------------------
      3478    Quoted-Printable decoding should also work with
	      lowercase hex numbers
      ------  ------------------------------------------------------------
      <http://savannah.nongnu.org/bugs/index.php?group_id=1968
       &set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
       &fix_release=2.6.4&chunksz=50>

  + Unoffical:

      - It appears that the UTF8 mapping table for cp1252,
	MHonArc::UTF8::CP1252, had bad data.  This has been
	fixed.

* Management of character mapping tables have been changed.  The
  various .pm module tables are now auto-generated by ucm, and
  similiar, map files.  For the end-user, the change should be
  transparent.  The change only affects how developers maintain
  the tables, and the change should make it much easier to make
  fixes to any mappings.

============================================================================
2003/04/05	(2.6.3)

* Bug Fixes:

    Bug ID  Summary
    ------  --------------------------------------------------------------
    3020    Trailing \ in regex
    3128    XSS Vulnerabilies
    2971    spammode option interferes with iso-2022-jp
    ------  --------------------------------------------------------------
  <http://savannah.nongnu.org/bugs/index.php?group_id=1968
   &set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
   &fix_release=2.6.3&chunksz=50>

============================================================================
2003/03/11	(2.6.2)

* Bug Fixes:

  Bug   Resolution Fixed       Summary
  ID               Release
  2738  Fixed      2.6.2       An illegal From: address can cause MHonArc
			       to hang

  <http://savannah.nongnu.org/bugs/index.php?group_id=1968
   &set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
   &fix_release=2.6.2&chunksz=50>

============================================================================
2003/02/22	(2.6.1)

* Bug Fixes: See
    <http://savannah.nongnu.org/bugs/index.php?group_id=1968
     &set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
     &fix_release=2.6.1&chunksz=50>

* Corrected character mapping tables for VISCII based on a
  message to the perl-unicode mailing list.

* Added FASTTEMPFILES resource which causes MHonArc to use
  non-random temporary files.  This is less secure, but provides
  a little bit of speed improvement.

============================================================================
2003/02/10	(2.6.0)

* Bug Fixes: See
    <http://savannah.gnu.org/bugs/index.php?group_id=1968
     &set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
     &fix_release=2.6.0&chunksz=50>

* New resources:

    DEFCHARSET		Default character set of message text data.
    CHARSETALIASES	Define aliases for base charset names.
    DBFILEPERMS		File permissions for DBFILE.
    FIELDSTORE		Message header fields to store in database.
    FILEPERMS		File permissions for archive files.
    ICONURLPREFIX	URL string to prepend to ICONS URLs.
    MODIFYBODYADDRESSES	Apply ADDRESSMODIFYCODE to text message bodies.
    RECONVERT		Reconvert existing messages.
    TENDBUTTON		Button to last message in thread.
    TENDBUTTONIA	Inactive button to last message in thread.
    TENDLINKIA		Inactive link to last message in thread.
    TENDLINK		Link to last message in thread.
    TEXTENCODE		Encode message text to given character encoding.
    TTOPBUTTON		Button to first message in thread.
    TTOPBUTTONIA	Inactive button to first message in thread.
    TTOPLINKIA		Inactive link to first message in thread.
    TTOPLINK		Link to first message in thread.

* New resource variables:

    $ICONURLPREFIX$	Value of ICONURLPREFIX resource.
    $MSGHFIELD$		Retrieve header field value stored via
			FIELDSTORE.

* MHonArc::CharEnt:
  + Several charset mappings added to MHonArc::CharEnt with the
    default value for CHARSETCONVERTERS updated to reflect the new
    mappings.  New charset supported include UTF-8, various Cyrillic
    sets, VISCII, Chinese sets, Japanese (iso-2022-jp and euc-jp),
    Korean, Apple-based charsets, etc.  See the documentation for
    the CHARSETCONVERTERS and CHARSETALIASES for complete list of
    character sets supported.

    Note: Sets that have bidirectional rendering (Hebrew, Arabic)
    exist, but automatic directional re-ording for rendering is
    currently not supported.

  . Some existing mappings have been updated to use Unicode numeric
    character entity references (&#xHHHH;) instead of standard SGML
    character entity references (eg. &Aelig;).  Most, if not all,
    web browsers only support the set of SGML entity references
    defined in the HTML 4.0 specification.

    All existing tables should now generate entity references
    recognized by all HTML 4.0 compliant browsers.

* MHonArc::UTF8:
  . Module completely redone to support various versions of Perl.
    utf8 support code added to all conversion to utf8 with perl
    installations that do not have utf8 support, but to also
    leverage perl installations with utf8-related modules.

* Default filter for iso-8859-1 and iso-2022-jp changed to
  MHonArc::CharEnt::str2sgml.  This helps keep MHonArc locale
  neutral in its default configuration.  Special note added
  to release notes for Japanese users about the change.

* m2h_text_plain::filter (mhtxtplain.pl):
  + Added more robust handling of format=flowed data.  By default,
    all text is rendered in a monospaced font to provide visual
    consistency between flowed and fixed text.  Proportional spaced
    font can be generated using the "nonfixed" option (where
    "keepspace" option should also be used to help preserve the
    formatting characteristics of the data).

  + Added "fancyquote" option to provide highlight of quoted text
    similiar to text/plain;format=flowed data.

  + Added "disableflowed" option to disable the flowed data
    conversion.  Data will be converted as regular text/plain.
    This option is useful for archives that cater to text-based
    browsers.

  + Added "quoteclass=<classname>" option to specify a CSS classname
    to assign to BLOCKQUOTE elements added when processing flowed
    data or when "fancyquote" is active.  This suppresses inline
    style generation.

  + Added "subdir" option for use when "uudecode" is enabled.

  - Reduced set of quote characters to just '>'.  Other characters
    are used by some people (eg. '}', '|', '+'), especially on the
    USENET, but supporting them tends to produce undesirable
    results, especially when using fancyquote.
    (Maybe make it configurable?)

  + If uudecode and usename specified, check if file ends in
    .s?html?, and if so, pass data to HTML filter.

  . Make sure to return a non-empty string for an empty body
    when in uudecode mode.  Avoids bogus warning message that
    data could not be converted.

* MIMEEXCS automatically handles unofficial version of a media type.
  For example:

    <MIMEEXCS>
    text/html
    </MIMEEXCS>

  Will exclude text/html and text/x-html data.

* m2h_text_html::filter (mhtxthtml.pl):
  + CHARSETCONVERTERS is used for converting character data.

  - Removed default=charset option.  This option is no longer
    needed with new character encoding processing features and
    CHARSETALIASES resource.

  + Convert javascript:... URLs to "_javascript_:..." when scripting
    is disabled (the default).  This is an extra measure ontop of
    element and attribute stripping.

  * <a href>'s are now preserved when cid: only URLs enabled (the
    default).  This prevents regular hyperlinks in HTML messages from
    getting stripped, which I think most people desire.  Otherwise,
    the allownoncidurls option must be used, and then this opens one
    up to potential XSS attacks.

    Due to the javascript: URL munging, preserving <a href>'s should
    be safe from auto-XSS attacks.  Readers should still be careful
    about any links they activate.

  + Added "subdir" option to specify that MHTML referenced data
    (e.g. images) are saved in a subdirectory.

  + Added "disablerelated" to disable cid: URL resolution.

  . STYLE and CLASS attributes stripped if nofont argument specified.

* m2h_text_enriched::filter (mhtxtenrich.pl):
  + CHARSETCONVERTERS is used for converting character data.
  + <lang><param>lang</param> is now mapped to <dir lang="lang">.
  + Added handling of some text/richtext tags.
  . Escape unrecognized tags.

* Archive file creation modified to minimize the local symlink exploits:

  1.  A temp file with a random name is first created and written to.
  2.  Temp file is compressed if GZIPFILES is active.
  3.  Temp file is renamed to final filename.
  4.  File permissions are set according to FILEPERMS/DBFILEPERMS.

  Using a random temp filename makes it difficult for someone to
  predict filenames to execute a symlink exploit.  The rename operation
  is immune to symlink exploits, hence trying to using well-known names
  (e.g. maillist.html, threads.html) for exploitation will not work.

  A similiar technique is used for directory creation for filters
  that support the "subdir" option.

  Generation of temp files is done via the File::Temp module, if
  installed.  If not installed, a homegrown implementation is used.
  Although not as secure and robust as File::Temp, it's better than
  nothing and should provide a decent deterrent.

* Setuid/setgid execution causes mhonarc to terminate with an error.
  Mhonarc does not pass taint checks, so we abort with an error that
  setuid/setgid execution is not supported.  MHonArc is too insecure
  for setuid operation and trying to make it setuid-safe would require
  alot of work and potentially limit a large amount of functionality.

* More robust parsing used for determining $FROMNAME$ and $FROMADDR*$
  resource variables.

* rfc822.pl library removed and replaced with MHonArc::RFC822 module.

* Warning message, "Unable to process data..." removed from message
  page when unable to convert any part of a message (usually due to
  user-defined MIMEFILTERS settings).  Instead, a warning message
  is generated to standard error (like other mhonarc warnings) and
  the resulting message page will have a blank message body.

* m2h_msg_extbody::filter: (mhmsgextbody.pl)
  + Added support for http/x-http access type.  This appears to
    be an experimental access type since the general URI type can be
    used instead.
  . Properly sanitize parameter data.
  . Some minor cosmetic changes in the HTML generated.

* m2h_text_tsv::filter (mhtxttsv.pl):
  . Sanitize field data.

* m2h_text_setext::filter (mhtxtsetext.pl) has been removed.  It
  appears this media-type is part of document history.


To generate a diff of this commit:
cvs rdiff -r1.13 -r1.14 pkgsrc/mail/mhonarc/Makefile
cvs rdiff -r1.3 -r1.4 pkgsrc/mail/mhonarc/PLIST
cvs rdiff -r1.7 -r1.8 pkgsrc/mail/mhonarc/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.