Kolab:3.4
roundcubemail
Changes of Revision 46
roundcubemail-1.1-appjs.patch
Added
@@ -0,0 +1,21 @@
+--- roundcubemail-1.1.orig/program/js/app.js 2014-09-26 16:12:22.610968447 +0200
++++ roundcubemail-1.1/program/js/app.js 2014-09-26 16:15:03.962081230 +0200
+@@ -58,7 +58,7 @@
+ request_timeout: 180, // seconds
+ draft_autosave: 0, // seconds
+ comm_path: './',
+- blankpage: 'program/resources/blank.gif',
++ blankpage: (rcmail.env.assets_path || '') + 'program/resources/blank.gif',
+ recipients_separator: ',',
+ recipients_delimiter: ', ',
+ popup_width: 1150,
+@@ -7972,7 +7972,7 @@
+ 
+ img.onload = function() { ref.env.browser_capabilities.tif = 1; };
+ img.onerror = function() { ref.env.browser_capabilities.tif = 0; };
+- img.src = 'program/resources/blank.tif';
++ img.src = (rcmail.env.assets_path || '') + 'program/resources/blank.tif';
+ };
+ 
+ this.pdf_support_check = function()
+
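Review bot: `rcmail.env.assets_path` is read inside the object literal at line 58, which from the neighbouring keys (`request_timeout`, `comm_path`) looks like the `this.env` defaults built in the `rcube_webmail` constructor; if so, the global `rcmail` has not been assigned yet while the constructor runs and `env.assets_path` cannot have been populated by `set_env()` either, so the prefix is empty at best and a TypeError at worst. The second hunk runs later inside the TIF check where `ref` is already bound, so `img.src = (ref.env.assets_path || '') + 'program/resources/blank.tif';` would avoid the global. For the default, keep `blankpage: 'program/resources/blank.gif'` and prepend `assets_path` where `blankpage` is consumed, once the env has been filled. Both enclosing functions start and end outside the hunk.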
roundcubemail-1.1-assets-csrf.patch
Deleted
@@ -1,865 +0,0 @@ -diff --git a/config/defaults.inc.php b/config/defaults.inc.php -index 6f61a4c..7af56a8 100644 ---- a/config/defaults.inc.php -+++ b/config/defaults.inc.php -@@ -532,6 +532,23 @@ $config['email_dns_check'] = false; - // Note: useful when SMTP server stores sent mail in user mailbox - $config['no_save_sent_messages'] = false; - -+// Improve system security by using special URL with security token. -+// This can be set to a number defining token length. Default: 16. -+// Warning: This requires http server configuration. Sample: -+// RewriteRule ^/roundcubemail/[a-f0-9]{16}/(.*) /roundcubemail/$1 [PT] -+// Alias /roundcubemail /var/www/roundcubemail/ -+// Note: Use assets_path to not prevent the browser from caching assets -+$config['use_secure_urls'] = false; -+ -+// Allows to define separate server/path for image/js/css files -+// Warning: If the domain is different cross-domain access to some -+// resources need to be allowed -+// Sample: -+// <FilesMatch ".(eot|ttf|woff)"> -+// Header set Access-Control-Allow-Origin "*" -+// </FilesMatch> -+$config['assets_path'] = ''; -+ - // ---------------------------------- - // PLUGINS - // ---------------------------------- -diff --git a/index.php b/index.php -index 9c87f9a..df05fd8 100644 ---- a/index.php -+++ b/index.php -@@ -90,9 +90,9 @@ $RCMAIL->action = $startup['action']; - - // try to log in - if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { -- $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(rcube_utils::INPUT_POST, 'login'); -+ $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(); - -- // purge the session in case of new login when a session already exists -+ // purge the session in case of new login when a session already exists - $RCMAIL->kill_session(); - - $auth = $RCMAIL->plugins->exec_hook('authenticate', array( -@@ -140,7 +140,7 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { - unset($redir['abort'], $redir['_err']); - - // send redirect 
-- $OUTPUT->redirect($redir); -+ $OUTPUT->redirect($redir, 0, true); - } - else { - if (!$auth['valid']) { -@@ -171,10 +171,10 @@ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { - } - } - --// end session (after optional referer check) --else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) -- && (!$RCMAIL->config->get('referer_check') || rcube_utils::check_referer()) --) { -+// end session -+else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) { -+ $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET); -+ - $userdata = array( - 'user' => $_SESSION['username'], - 'host' => $_SESSION['storage_host'], -@@ -234,32 +234,9 @@ if (empty($RCMAIL->user->ID)) { - - $OUTPUT->send($plugin['task']); - } --// CSRF prevention - else { -- // don't check for valid request tokens in these actions -- $request_check_whitelist = array('login'=>1, 'spell'=>1, 'spell_html'=>1); -- -- if (!$request_check_whitelist[$RCMAIL->action]) { -- // check client X-header to verify request origin -- if ($OUTPUT->ajax_call) { -- if (rcube_utils::request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) { -- header('HTTP/1.1 403 Forbidden'); -- die("Invalid Request"); -- } -- } -- // check request token in POST form submissions -- else if (!empty($_POST) && !$RCMAIL->check_request()) { -- $OUTPUT->show_message('invalidrequest', 'error'); -- $OUTPUT->send($RCMAIL->task); -- } -- -- // check referer if configured -- if ($RCMAIL->config->get('referer_check') && !rcube_utils::check_referer()) { -- raise_error(array( -- 'code' => 403, 'type' => 'php', -- 'message' => "Referer check failed"), true, true); -- } -- } -+ // CSRF prevention -+ $RCMAIL->request_security_check(); - - // check access to disabled actions - $disabled_actions = (array) $RCMAIL->config->get('disabled_actions'); -diff --git a/plugins/acl/acl.js b/plugins/acl/acl.js -index e59ac72..1463453 100644 ---- a/plugins/acl/acl.js -+++ b/plugins/acl/acl.js -@@ -58,8 +58,11 @@ 
rcube_webmail.prototype.acl_delete = function() - var users = this.acl_get_usernames(); - - if (users && users.length && confirm(this.get_label('acl.deleteconfirm'))) { -- this.http_request('settings/plugin.acl', '_act=delete&_user='+urlencode(users.join(',')) -- + '&_mbox='+urlencode(this.env.mailbox), -+ this.http_post('settings/plugin.acl', { -+ _act: 'delete', -+ _user: users.join(','), -+ _mbox: this.env.mailbox -+ }, - this.set_busy(true, 'acl.deleting')); - } - } -@@ -67,7 +70,7 @@ rcube_webmail.prototype.acl_delete = function() - // Save ACL data - rcube_webmail.prototype.acl_save = function() - { -- var user = $('#acluser', this.acl_form).val(), rights = '', type; -+ var data, type, rights = '', user = $('#acluser', this.acl_form).val(); - - $((this.env.acl_advanced ? '#advancedrights :checkbox' : '#simplerights :checkbox'), this.acl_form).map(function() { - if (this.checked) -@@ -88,12 +91,18 @@ rcube_webmail.prototype.acl_save = function() - return; - } - -- this.http_request('settings/plugin.acl', '_act=save' -- + '&_user='+urlencode(user) -- + '&_acl=' +rights -- + '&_mbox='+urlencode(this.env.mailbox) -- + (this.acl_id ? 
'&_old='+this.acl_id : ''), -- this.set_busy(true, 'acl.saving')); -+ data = { -+ _act: 'save', -+ _user: user, -+ _acl: rights, -+ _mbox: this.env.mailbox -+ } -+ -+ if (this.acl_id) { -+ data._old = this.acl_id; -+ } -+ -+ this.http_post('settings/plugin.acl', data, this.set_busy(true, 'acl.saving')); - } - - // Cancel/Hide form -diff --git a/plugins/acl/acl.php b/plugins/acl/acl.php -index 33bd91e..cb1a720 100644 ---- a/plugins/acl/acl.php -+++ b/plugins/acl/acl.php -@@ -452,10 +452,10 @@ class acl extends rcube_plugin - */ - private function action_save() - { -- $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC, true)); // UTF7-IMAP -- $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_GPC)); -- $acl = trim(rcube_utils::get_input_value('_acl', rcube_utils::INPUT_GPC)); -- $oldid = trim(rcube_utils::get_input_value('_old', rcube_utils::INPUT_GPC)); -+ $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST, true)); // UTF7-IMAP -+ $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST)); -+ $acl = trim(rcube_utils::get_input_value('_acl', rcube_utils::INPUT_POST)); -+ $oldid = trim(rcube_utils::get_input_value('_old', rcube_utils::INPUT_POST)); - - $acl = array_intersect(str_split($acl), $this->rights_supported()); - $users = $oldid ? 
array($user) : explode(',', $user); -@@ -508,8 +508,8 @@ class acl extends rcube_plugin - */ - private function action_delete() - { -- $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC, true)); //UTF7-IMAP -- $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_GPC)); -+ $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST, true)); //UTF7-IMAP -+ $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST)); - - $user = explode(',', $user); - -diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php -index 302c7c7..cb214a1 100644 ---- a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php -+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php -@@ -349,7 +349,7 @@ class rcube_sieve_engine - } - } - else if ($action == 'setact' && !$error) { -- $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_GPC, true); -+ $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_POST, true); - $result = $this->activate_script($script_name); - $kep14 = $this->rc->config->get('managesieve_kolab_master'); - -@@ -363,7 +363,7 @@ class rcube_sieve_engine
roundcubemail-1.1-assets.patch
Added
@@ -0,0 +1,67 @@
+diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
+index aae54d4..3df5589 100644
+--- a/program/include/rcmail_output_html.php
++++ b/program/include/rcmail_output_html.php
+@@ -184,7 +184,7 @@ EOF;
+ }
+ 
+ $path = (rcube_utils::https_check() ? 'https' : 'http') . '://'
+- . $_SERVER['SERVER_NAME'] . $base . '/' . $path;
++ . $_SERVER['HTTP_HOST'] . rtrim($base, '/') . '/' . ltrim($path, '/');
+ }
+ 
+ $this->assets_path = $path;
+@@ -306,10 +306,27 @@ EOF;
+ }
+ 
+ foreach ($skin_paths as $skin_path) {
+- $path = realpath($skin_path . $file);
++ $path = $skin_path . $file;
++
++ if (is_file($path)) {
++ return $skin_path . $file;
++ }
++
++ $path = rtrim(RCUBE_INSTALL_PATH, '/');
++ $path .= '/' . 'public_html/assets/';
++ $path .= rtrim($skin_path, '/') . '/' . $file;
++
+ if (is_file($path)) {
+ return $skin_path . $file;
+ }
++
++ $path = rtrim(RCUBE_INSTALL_PATH, '/');
++ $path .= '/' . $skin_path . $file;
++ $path = realpath($path);
++
++ if ($skin_path[0] != '/' && is_file($path)) {
++ return $path;
++ }
+ }
+ 
+ return false;
+@@ -491,9 +491,10 @@ EOF;
+ 
+ // fallback to deprecated template names
+ if (!is_readable($path) && $this->deprecated_templates[$realname]) {
+- $path = "$skin_path/templates/" . $this->deprecated_templates[$realname] . ".html";
++ // Try an old path
++ $tpath = "$skin_path/templates/" . $this->deprecated_templates[$realname] . ".html";
+ 
+- if (is_readable($path)) {
++ if (is_readable($tpath)) {
+ rcube::raise_error(array(
+ 'code' => 502, 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+@@ -552,6 +569,10 @@ EOF;
+ }
+ }
+ 
++ if (!is_readable($path) && $path[0] != '/' && is_readable(rtrim(RCUBE_INSTALL_PATH, '/') . '/' . $path)) {
++ $path = rtrim(RCUBE_INSTALL_PATH, '/') . '/' . 
$path;
++ }
++
+ if (is_readable($path)) {
+ $this->config->set('skin_path', $skin_path);
+ $this->base_path = preg_replace('!plugins/\w+/!', '', $skin_path); // set base_path to core skin directory (not plugin's skin)
+
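Review bot: The first hunk builds the absolute assets URL from `$_SERVER['HTTP_HOST']` where the original used `SERVER_NAME`; the Host header is client-controlled, so on a server that also answers unrecognised hosts a forged Host lands in every script and stylesheet URL the page emits, and if such a response is cached or replayed a plain Host-header injection becomes attacker-hosted JavaScript. Prefer `SERVER_NAME` with `UseCanonicalName On` as before, or check `HTTP_HOST` against the hostname the installation is configured for and fall back to `SERVER_NAME` when it does not match. In the second hunk the third lookup returns the `realpath()` filesystem path while the first two return the web-relative `$skin_path . $file`; if that is intended because the install directory lives outside the document root, a comment such as `// install dir outside docroot: return the absolute filesystem path` would tell the reader so. The enclosing methods start before each hunk.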
roundcubemail-1.1-csrf.patch
Added
@@ -0,0 +1,786 @@
+diff -ur roundcubemail-1.1.orig/config/defaults.inc.php roundcubemail-1.1/config/defaults.inc.php
+--- roundcubemail-1.1.orig/config/defaults.inc.php 2014-09-04 13:26:10.000000000 +0200
++++ roundcubemail-1.1/config/defaults.inc.php 2014-09-06 14:30:33.910366429 +0200
+@@ -532,6 +532,23 @@
+ // Note: useful when SMTP server stores sent mail in user mailbox
+ $config['no_save_sent_messages'] = false;
+ 
++// Improve system security by using special URL with security token.
++// This can be set to a number defining token length. Default: 16.
++// Warning: This requires http server configuration. Sample:
++// RewriteRule ^/roundcubemail/[a-f0-9]{16}/(.*) /roundcubemail/$1 [PT]
++// Alias /roundcubemail /var/www/roundcubemail/
++// Note: Use assets_path to not prevent the browser from caching assets
++$config['use_secure_urls'] = false;
++
++// Allows to define separate server/path for image/js/css files
++// Warning: If the domain is different cross-domain access to some
++// resources need to be allowed
++// Sample:
++// <FilesMatch ".(eot|ttf|woff)">
++// Header set Access-Control-Allow-Origin "*"
++// </FilesMatch>
++$config['assets_path'] = '';
++
+ // ----------------------------------
+ // PLUGINS
+ // ----------------------------------
+diff -ur roundcubemail-1.1.orig/.htaccess roundcubemail-1.1/.htaccess
+--- roundcubemail-1.1.orig/.htaccess 2014-09-04 13:26:10.000000000 +0200
++++ roundcubemail-1.1/.htaccess 2014-09-06 14:30:33.908366428 +0200
+@@ -31,7 +31,7 @@
+ # security rules:
+ # - deny access to files not containing a dot or starting with a dot
+ # in all locations except installer directory
+-RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
++RewriteRule ^(?!installer|[a-f0-9]{16})(\.?[^\.]+)$ - [F]
+ # - deny access to some locations
+ RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+ # - deny access to some documentation files
+diff -ur roundcubemail-1.1.orig/index.php 
roundcubemail-1.1/index.php
+--- roundcubemail-1.1.orig/index.php 2014-09-04 13:26:10.000000000 +0200
++++ roundcubemail-1.1/index.php 2014-09-06 14:30:33.911366430 +0200
+@@ -90,9 +90,9 @@
+ 
+ // try to log in
+ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
+- $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(rcube_utils::INPUT_POST, 'login');
++ $request_valid = $_SESSION['temp'] && $RCMAIL->check_request();
+ 
+- // purge the session in case of new login when a session already exists
++ // purge the session in case of new login when a session already exists
+ $RCMAIL->kill_session();
+ 
+ $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
+@@ -140,7 +140,7 @@
+ unset($redir['abort'], $redir['_err']);
+ 
+ // send redirect
+- $OUTPUT->redirect($redir);
++ $OUTPUT->redirect($redir, 0, true);
+ }
+ else {
+ if (!$auth['valid']) {
+@@ -171,10 +171,10 @@
+ }
+ }
+ 
+-// end session (after optional referer check)
+-else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])
+- && (!$RCMAIL->config->get('referer_check') || rcube_utils::check_referer())
+-) {
++// end session
++else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
++ $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);
++
+ $userdata = array(
+ 'user' => $_SESSION['username'],
+ 'host' => $_SESSION['storage_host'],
+@@ -234,32 +234,9 @@
+ 
+ $OUTPUT->send($plugin['task']);
+ }
+-// CSRF prevention
+ else {
+- // don't check for valid request tokens in these actions
+- $request_check_whitelist = array('login'=>1, 'spell'=>1, 'spell_html'=>1);
+-
+- if (!$request_check_whitelist[$RCMAIL->action]) {
+- // check client X-header to verify request origin
+- if ($OUTPUT->ajax_call) {
+- if (rcube_utils::request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
+- header('HTTP/1.1 403 Forbidden');
+- die("Invalid Request");
+- }
+- }
+- // check request token in POST form submissions
+- else if (!empty($_POST) && 
!$RCMAIL->check_request()) {
+- $OUTPUT->show_message('invalidrequest', 'error');
+- $OUTPUT->send($RCMAIL->task);
+- }
+-
+- // check referer if configured
+- if ($RCMAIL->config->get('referer_check') && !rcube_utils::check_referer()) {
+- raise_error(array(
+- 'code' => 403, 'type' => 'php',
+- 'message' => "Referer check failed"), true, true);
+- }
+- }
++ // CSRF prevention
++ $RCMAIL->request_security_check();
+ 
+ // check access to disabled actions
+ $disabled_actions = (array) $RCMAIL->config->get('disabled_actions');
+diff -ur roundcubemail-1.1.orig/plugins/acl/acl.js roundcubemail-1.1/plugins/acl/acl.js
+--- roundcubemail-1.1.orig/plugins/acl/acl.js 2014-09-04 13:26:10.000000000 +0200
++++ roundcubemail-1.1/plugins/acl/acl.js 2014-09-06 14:30:33.911366430 +0200
+@@ -58,8 +58,11 @@
+ var users = this.acl_get_usernames();
+ 
+ if (users && users.length && confirm(this.get_label('acl.deleteconfirm'))) {
+- this.http_request('settings/plugin.acl', '_act=delete&_user='+urlencode(users.join(','))
+- + '&_mbox='+urlencode(this.env.mailbox),
++ this.http_post('settings/plugin.acl', {
++ _act: 'delete',
++ _user: users.join(','),
++ _mbox: this.env.mailbox
++ },
+ this.set_busy(true, 'acl.deleting'));
+ }
+ }
+@@ -67,7 +70,7 @@
+ // Save ACL data
+ rcube_webmail.prototype.acl_save = function()
+ {
+- var user = $('#acluser', this.acl_form).val(), rights = '', type;
++ var data, type, rights = '', user = $('#acluser', this.acl_form).val();
+ 
+ $((this.env.acl_advanced ? '#advancedrights :checkbox' : '#simplerights :checkbox'), this.acl_form).map(function() {
+ if (this.checked)
+@@ -88,12 +91,18 @@
+ return;
+ }
+ 
+- this.http_request('settings/plugin.acl', '_act=save'
+- + '&_user='+urlencode(user)
+- + '&_acl=' +rights
+- + '&_mbox='+urlencode(this.env.mailbox)
+- + (this.acl_id ? 
'&_old='+this.acl_id : ''),
+- this.set_busy(true, 'acl.saving'));
++ data = {
++ _act: 'save',
++ _user: user,
++ _acl: rights,
++ _mbox: this.env.mailbox
++ }
++
++ if (this.acl_id) {
++ data._old = this.acl_id;
++ }
++
++ this.http_post('settings/plugin.acl', data, this.set_busy(true, 'acl.saving'));
+ }
+ 
+ // Cancel/Hide form
+diff -ur roundcubemail-1.1.orig/plugins/acl/acl.php roundcubemail-1.1/plugins/acl/acl.php
+--- roundcubemail-1.1.orig/plugins/acl/acl.php 2014-09-04 13:26:10.000000000 +0200
++++ roundcubemail-1.1/plugins/acl/acl.php 2014-09-06 14:30:33.912366431 +0200
+@@ -452,10 +452,10 @@
+ */
+ private function action_save()
+ {
+- $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC, true)); // UTF7-IMAP
+- $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_GPC));
+- $acl = trim(rcube_utils::get_input_value('_acl', rcube_utils::INPUT_GPC));
+- $oldid = trim(rcube_utils::get_input_value('_old', rcube_utils::INPUT_GPC));
++ $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST, true)); // UTF7-IMAP
++ $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST));
++ $acl = trim(rcube_utils::get_input_value('_acl', rcube_utils::INPUT_POST));
++ $oldid = trim(rcube_utils::get_input_value('_old', rcube_utils::INPUT_POST));
+ 
+ $acl = array_intersect(str_split($acl), $this->rights_supported());
+ $users = $oldid ? 
array($user) : explode(',', $user);
+@@ -508,8 +508,8 @@
+ */
+ private function action_delete()
+ {
+- $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC, true)); //UTF7-IMAP
+- $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_GPC));
++ $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST, true)); //UTF7-IMAP
++ $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST));
+ 
+ $user = explode(',', $user);
+ 
+diff -ur roundcubemail-1.1.orig/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php roundcubemail-1.1/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
+--- roundcubemail-1.1.orig/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php 2014-09-04 13:26:10.000000000 +0200
++++ roundcubemail-1.1/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php 2014-09-06 14:30:33.914366432 +0200
+@@ -349,7 +349,7 @@
+ }
+ }
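Review bot: The `.htaccess` hunk hardcodes the token length as `[a-f0-9]{16}` while the `use_secure_urls` comment added to `defaults.inc.php` in the same section says the option may be set to a different length; an admin who picks, say, 32 gets token-prefixed requests that no longer match the exemption and are refused by the dotless-path rule, and the sample `RewriteRule ^/roundcubemail/[a-f0-9]{16}/(.*)` in that comment has the same fixed length. Either extend the comment to say that both rewrite rules must be edited to the chosen length, or at least anchor the exemption to the prefixed form only, `RewriteRule ^(?!installer|[a-f0-9]{16}/)(\.?[^\.]+)$ - [F]`, so a bare dotless 16-hex-character path is not exempted as well. The `rcmail::request_security_check()` method that the `index.php` hunks now rely on for the AJAX header, POST token and referer checks is not in the visible part of this section (the site truncated the patch), so whether the `spell`/`spell_html` exemptions and `referer_check` survive cannot be confirmed from here.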