Changes of Revision 2
roundcubemail-1.1-csrf-old.patch
Deleted
@@ -1,615 +0,0 @@ -diff -ur roundcubemail-1.1.orig/config/defaults.inc.php roundcubemail-1.1/config/defaults.inc.php ---- roundcubemail-1.1.orig/config/defaults.inc.php 2014-08-02 09:03:29.000000000 +0200 -+++ roundcubemail-1.1/config/defaults.inc.php 2014-08-03 11:30:31.369886557 +0200 -@@ -521,6 +521,23 @@ - // Note: useful when SMTP server stores sent mail in user mailbox - $config['no_save_sent_messages'] = false; - -+// Improve system security by using special URL with security token. -+// This can be set to a number defining token length. Default: 16. -+// Warning: This requires http server configuration. Sample: -+// RewriteRule ^/roundcubemail/[a-f0-9]{16}/(.*) /roundcubemail/$1 [PT] -+// Alias /roundcubemail /var/www/roundcubemail/ -+// Note: Use assets_path to not prevent the browser from caching assets -+$config['use_secure_urls'] = true; -+ -+// Allows to define separate server/path for image/js/css files -+// Warning: If the domain is different cross-domain access to some -+// resources need to be allowed -+// Sample: -+// <FilesMatch ".(eot|ttf|woff)"> -+// Header set Access-Control-Allow-Origin "*" -+// </FilesMatch> -+$config['assets_path'] = ''; -+ - // ---------------------------------- - // PLUGINS - // ---------------------------------- -diff -ur roundcubemail-1.1.orig/.htaccess roundcubemail-1.1/.htaccess ---- roundcubemail-1.1.orig/.htaccess 2014-08-02 09:03:29.000000000 +0200 -+++ roundcubemail-1.1/.htaccess 2014-08-03 11:30:31.370886557 +0200 -@@ -31,7 +31,7 @@ - # security rules: - # - deny access to files not containing a dot or starting with a dot - # in all locations except installer directory --RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F] -+RewriteRule ^(?!installer|[a-f0-9]{16})(\.?[^\.]+)$ - [F] - # - deny access to some locations - RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F] - # - deny access to some documentation files -diff -ur roundcubemail-1.1.orig/index.php 
roundcubemail-1.1/index.php ---- roundcubemail-1.1.orig/index.php 2014-08-02 09:03:29.000000000 +0200 -+++ roundcubemail-1.1/index.php 2014-08-03 11:30:31.371886557 +0200 -@@ -90,9 +90,9 @@ - - // try to log in - if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { -- $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(rcube_utils::INPUT_POST, 'login'); -+ $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(); - -- // purge the session in case of new login when a session already exists -+ // purge the session in case of new login when a session already exists - $RCMAIL->kill_session(); - - $auth = $RCMAIL->plugins->exec_hook('authenticate', array( -@@ -140,7 +140,7 @@ - unset($redir['abort'], $redir['_err']); - - // send redirect -- $OUTPUT->redirect($redir); -+ $OUTPUT->redirect($redir, 0, true); - } - else { - if (!$auth['valid']) { -@@ -171,10 +171,10 @@ - } - } - --// end session (after optional referer check) --else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) -- && (!$RCMAIL->config->get('referer_check') || rcube_utils::check_referer()) --) { -+// end session -+else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) { -+ $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET); -+ - $userdata = array( - 'user' => $_SESSION['username'], - 'host' => $_SESSION['storage_host'], -@@ -236,32 +236,10 @@ - } - // CSRF prevention - else { -- // don't check for valid request tokens in these actions -- $request_check_whitelist = array('login'=>1, 'spell'=>1, 'spell_html'=>1); -- -- if (!$request_check_whitelist[$RCMAIL->action]) { -- // check client X-header to verify request origin -- if ($OUTPUT->ajax_call) { -- if (rcube_utils::request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) { -- header('HTTP/1.1 403 Forbidden'); -- die("Invalid Request"); -- } -- } -- // check request token in POST form submissions -- else if (!empty($_POST) && !$RCMAIL->check_request()) { -- 
$OUTPUT->show_message('invalidrequest', 'error'); -- $OUTPUT->send($RCMAIL->task); -- } -- -- // check referer if configured -- if ($RCMAIL->config->get('referer_check') && !rcube_utils::check_referer()) { -- raise_error(array( -- 'code' => 403, 'type' => 'php', -- 'message' => "Referer check failed"), true, true); -- } -- } -+ $RCMAIL->request_security_check(); - } - -+ - // we're ready, user is authenticated and the request is safe - $plugin = $RCMAIL->plugins->exec_hook('ready', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action)); - $RCMAIL->set_task($plugin['task']); -diff -ur roundcubemail-1.1.orig/program/include/rcmail_output_html.php roundcubemail-1.1/program/include/rcmail_output_html.php ---- roundcubemail-1.1.orig/program/include/rcmail_output_html.php 2014-08-02 09:03:29.000000000 +0200 -+++ roundcubemail-1.1/program/include/rcmail_output_html.php 2014-08-03 11:30:31.373886557 +0200 -@@ -45,6 +45,7 @@ - protected $footer = ''; - protected $body = ''; - protected $base_path = ''; -+ protected $assets_path; - protected $devel_mode = false; - - // deprecated names of templates used before 0.5 -@@ -80,6 +81,8 @@ - $this->set_skin($skin); - $this->set_env('skin', $skin); - -+ $this->set_assets_path($this->config->get('assets_path')); -+ - if (!empty($_REQUEST['_extwin'])) - $this->set_env('extwin', 1); - if ($this->framed || $framed) -@@ -145,6 +148,39 @@ - } - - /** -+ * Parse and set assets path -+ * -+ * @param string Assets path (relative or absolute URL) -+ */ -+ public function set_assets_path($path) -+ { -+ $path = trim($path, '/') . 
'/'; -+ -+ if (empty($path)) { -+ return; -+ } -+ -+ // convert to absolute URL -+ if (!preg_match('|^https?://|', $path)) { -+ $base = preg_replace('/[?#&].*$/', '', $_SERVER['REQUEST_URI']); -+ $base = rtrim($base, '/'); -+ -+ // remove url token if exists -+ if ($token = $this->app->get_secure_url_token()) { -+ if (strpos($base, $token)) { -+ $base = substr($base, 0, -(strlen($token)+1)); -+ } -+ } -+ -+ $path = (rcube_utils::https_check() ? 'https' : 'http') . '://' -+ . $_SERVER['SERVER_NAME'] . $base . '/' . $path; -+ } -+ -+ $this->assets_path = $path; -+ $this->set_env('assets_path', $path); -+ } -+ -+ /** - * Getter for the current page title - * - * @return string The page title -@@ -367,14 +403,15 @@ - /** - * Redirect to a certain url - * -- * @param mixed $p Either a string with the action or url parameters as key-value pairs -- * @param int $delay Delay in seconds -+ * @param mixed $p Either a string with the action or url parameters as key-value pairs -+ * @param int $delay Delay in seconds -+ * @param bool $secure Redirect to secure location (see rcmail::url()) - */ -- public function redirect($p = array(), $delay = 1) -+ public function redirect($p = array(), $delay = 1, $secure = false) - { - if ($this->env['extwin']) - $p['extwin'] = 1; -- $location = $this->app->url($p); -+ $location = $this->app->url($p, $secure); - header('Location: ' . $location); - exit; - } -@@ -659,6 +696,24 @@ - exit; - } - -+ /** -+ * Modify path by adding URL prefix if configured
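--- a/roundcubemail.conf.r67
+++ /dev/null
@@ -1,59 +0,0 @@
-# Those aliases do not work properly with several hosts on your apache server
-# Uncomment them to use it or adapt them to your configuration
-# Alias /roundcube/program/js/tiny_mce/ /usr/share/tinymce/www/
-# Alias /roundcube /var/lib/roundcube
-
-<ifModule mod_rewrite.c>
- RewriteEngine On
- RewriteRule ^/roundcubemail/[a-f0-9]{16}/(.*) /roundcubemail/$1 [PT,L]
- RewriteRule ^/webmail/[a-f0-9]{16}/(.*) /webmail/$1 [PT,L]
-
- # Be compatible with older packages and installed plugins.
- RewriteCond %{REQUEST_URI} ^/roundcubemail/assets/
- RewriteCond %{REQuEST_URI} !-f
- RewriteCond %{REQuEST_URI} !-d
- RewriteRule .*/roundcubemail/assets/(.*)$ /roundcubemail/$1 [PT,L]
-
-</ifModule>
-
-Alias /roundcubemail /usr/share/roundcubemail/
-Alias /webmail /usr/share/roundcubemail/
-
-# Access to tinymce files
-#<Directory "/usr/share/tinymce/www/">
-# Options Indexes MultiViews FollowSymLinks
-# AllowOverride None
-# Order allow,deny
-# Allow from all
-#</Directory>
-
-<Directory /usr/share/roundcubemail/>
- Options +FollowSymLinks
- AllowOverride All
- <ifModule mod_authz_core.c>
- Require all granted
- </ifModule>
- <ifModule !mod_authz_core.c>
- Order Allow,Deny
- Allow from All
- </ifModule>
-</Directory>
-
-# Protecting basic directories:
-<Directory /usr/share/roundcubemail/config>
- Options -FollowSymLinks
- AllowOverride None
-</Directory>
-
-<Directory /usr/share/roundcubemail/logs>
- Options -FollowSymLinks
- AllowOverride None
- <ifModule mod_authz_core.c>
- Require all denied
- </ifModule>
- <ifModule !mod_authz_core.c>
- Order Deny,Allow
- Deny from All
- </ifModule>
-</Directory>
-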