Description: Fix a vulnerability in the web interface (wwsympa)
 which allows a user to e-mail themselves any file on the filesystem
 that is readable by the sympa user
Author: David Verdin <david.verdin@renater.fr>
Origin: upstream, https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.1-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=11562&r2=11778&view=patch
Applied-Upstream: 6.1.24
Last-Update: 2015-01-16
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/wwsympa/wwsympa.fcgi.in
+++ b/wwsympa/wwsympa.fcgi.in
@@ -15394,9 +15394,14 @@
 	 $pages_url = $in{'url'};
 	 
 	 # parse return the MIME::Lite part to send 
-	 my $MIMEmail = $mailHTML->parse($pages_url); 
-
-	 $in{'body'} = $MIMEmail->as_string;
+         $mailHTML->{_AGENT}->protocols_allowed(['http', 'https', 'ftp', 'nntp']);
+         my $MIMEmail = eval { $mailHTML->parse($pages_url) };
+         if ($MIMEmail) {
+             $in{'body'} = $MIMEmail->as_string;
+         } else {
+             report::reject_report_web('user', 'wrong_value', {'argument' => 'url'}, $param->{'action'});
+             return undef;
+         }
 	 
      }else{
 	 
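Review bot: The allow-list added before `parse($pages_url)` stops `file:` URLs, but the user-supplied `$in{'url'}` is still fetched server-side with no check on the target host, so content from loopback or internal-only http/https services could still end up in the mailed body. Consider narrowing the list to what the feature needs, e.g. `$mailHTML->{_AGENT}->protocols_allowed(['http', 'https']);`, and rejecting URLs whose host resolves to a private or loopback address before parsing. The `eval` also discards `$@`, so a rejected or failed fetch leaves no trace for operators; logging `$@` together with the requested URL before `reject_report_web` would make abuse attempts visible. `$mailHTML->{_AGENT}` reaches into what looks like a private field of the MIME::Lite::HTML object, which deserves a comment such as `# restrict fetch schemes: no file:// (local file disclosure)`. The enclosing sub starts and ends outside this hunk.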
