Earl Hood wrote:
> With that said, do have an available patch that fixes
> the problem?
>
> If not, I can look into it during the holiday break to
> get a fix for it. Note, even if there is a fix for the
> case you provided, there is no 100% guarantee that there
> could be other data input sequences that get by the filter.
> Hence, those concerned about security disable the
> HTML filter:
Attached patch is a quick way to fix it. It increases the processing time
(it has to run filter() at least twice per message,) but ensures that no
undesired html is returned (unless one of the existing routines misses
something.)
What do you think about it?
Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
diff -urpN mhonarc-2.6.16-1.orig/lib/mhtxthtml.pl mhonarc-2.6.16-1/lib/mhtxthtml.pl
--- mhonarc-2.6.16-1.orig/lib/mhtxthtml.pl 2005-05-01 19:04:39.000000000 -0500
+++ mhonarc-2.6.16-1/lib/mhtxthtml.pl 2010-12-21 21:09:52.000000000 -0600
@@ -125,6 +125,7 @@ sub filter {
}
local(@files) = (); # XXX: Used by resolve_cid!!!
+ my $orig_data = $$data;
my $base = '';
my $title = '';
my $noscript = 1;
@@ -352,6 +353,10 @@ sub filter {
## <http://www.google.com/googleblog/2005/01/preventing-comment-spam.html>
$$data =~ s/(<a\b)/$1 rel="nofollow"/gi;
+ if ($$data ne $orig_data) {
+ undef $orig_data;
+ return filter(@_);
+ }
($title.$$data, @files);
}
