Changes of Revision 100
roundcubemail.spec
Changed
@@ -68,6 +68,12 @@
 Source200: 2017111400.sql
+Patch0001: 0001-Fix-PHP-Warning-Use-of-undefined-constant-IDNA_DEFAU.patch
+Patch0002: 0002-Parse-all-quotas-from-GETQUOTAROOT-6280.patch
+Patch0003: 0003-Update-changelog.patch
+Patch0004: 0004-Fix-bug-where-some-escape-sequences-in-html-styles-c.patch
+Patch0005: 0005-Fix-bug-where-some-forbidden-characters-on-Cyrus-IMA.patch
+
 Patch201: default-configuration.patch
 Patch202: roundcubemail-1.3.6-plugin-enigma-homedir.patch
@@ -1068,6 +1074,12 @@
 cp -vf %{SOURCE101} plugins/password/config.inc.php.dist
 %endif
+%patch0001 -p1
+%patch0002 -p1
+%patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
+
 %patch201 -p1
 %patch202 -p1
@@ -2857,6 +2869,9 @@
 %defattr(-,root,root,-)
 %changelog
+* Mon May 14 2018 Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> - 1.3.6-2
+- Patch issues fixed upstream
+
 * Thu Apr 12 2018 Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> - 1.3.6-1
 - Check in 1.3.6 release
0001-Fix-PHP-Warning-Use-of-undefined-constant-IDNA_DEFAU.patch
Added
@@ -0,0 +1,40 @@
+From 8477b881e5515d6520eb64f760fb49d586fb5689 Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec@alec.pl>
+Date: Thu, 12 Apr 2018 09:39:33 +0200
+Subject: [PATCH 1/5] Fix PHP Warning: Use of undefined constant IDNA_DEFAULT
+ on systems without php-intl (#6244)
+
+---
+ CHANGELOG | 2 ++
+ program/lib/Roundcube/rcube_utils.php | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 3021068ac..b9044a497 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,6 +1,8 @@
+ CHANGELOG Roundcube Webmail
+ ===========================
+ 
++- Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
++
+ RELEASE 1.3.6
+ -------------
+ - Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
+diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
+index c9afe1e14..77b084a99 100644
+--- a/program/lib/Roundcube/rcube_utils.php
++++ b/program/lib/Roundcube/rcube_utils.php
+@@ -905,7 +905,7 @@ class rcube_utils
+ // Note that in PHP 7.2/7.3 calling idn_to_* functions with default arguments
+ // throws a warning, so we have to set the variant explicitely (#6075)
+ $variant = defined('INTL_IDNA_VARIANT_UTS46') ? INTL_IDNA_VARIANT_UTS46 : null;
+- $options = IDNA_DEFAULT;
++ $options = 0;
+ 
+ // Because php-intl extension lowercases domains and return false
+ // on invalid input (#6224), we skip conversion when not needed
+-- 
+2.14.3
+
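Review bot: The replacement `$options = 0;` in the rcube_utils hunk drops the name of the value, so a reader no longer sees that this is the flag set IDNA_DEFAULT stands for when php-intl is loaded, nor why the constant cannot be used. A trailing comment keeps that intent: `$options = 0; // IDNA_DEFAULT; the constant is undefined without php-intl (#6244)`. The enclosing method starts and ends outside the hunk.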
0002-Parse-all-quotas-from-GETQUOTAROOT-6280.patch
Added
@@ -0,0 +1,28 @@
+From 7dfbb62b78e3949daa8e49db9ebed46ddd8f964e Mon Sep 17 00:00:00 2001
+From: Edgaras L <edgaras.lukosevicius@gmail.com>
+Date: Sat, 5 May 2018 13:48:15 +0300
+Subject: [PATCH 2/5] Parse all quotas from GETQUOTAROOT (#6280)
+
+---
+ program/lib/Roundcube/rcube_imap_generic.php | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/program/lib/Roundcube/rcube_imap_generic.php b/program/lib/Roundcube/rcube_imap_generic.php
+index 3899b235e..61564bb1a 100644
+--- a/program/lib/Roundcube/rcube_imap_generic.php
++++ b/program/lib/Roundcube/rcube_imap_generic.php
+@@ -3125,8 +3125,9 @@ class rcube_imap_generic
+ if (preg_match('/^\* QUOTA /', $line)) {
+ list(, , $quota_root) = $this->tokenizeResponse($line, 3);
+ 
+- while ($line) {
+- list($type, $used, $total) = $this->tokenizeResponse($line, 1);
++ $quotas = $this->tokenizeResponse($line, 1);
++ foreach (array_chunk($quotas, 3) as $quota) {
++ list($type, $used, $total) = $quota;
+ $type = strtolower($type);
+ 
+ if ($type && $total) {
+-- 
+2.14.3
+
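Review bot: `list($type, $used, $total) = $quota;` assumes every chunk from array_chunk() holds three elements; if the token list is not a multiple of three (a truncated or unusual QUOTA response from the server), the last chunk is shorter and list() emits an undefined-offset notice before the `$type && $total` test can skip it. A guard `if (count($quota) < 3) { continue; }` placed before the list() assignment keeps malformed server data from producing notices. This presumes tokenizeResponse() returns the parenthesised quota list as a flat array, which the hunk does not show; the enclosing method continues outside the hunk.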
0003-Update-changelog.patch
Added
@@ -0,0 +1,24 @@
+From 13b35e3c0eb0920ee19e3aaacb5e79845e45225e Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec@alec.pl>
+Date: Sat, 5 May 2018 12:49:45 +0200
+Subject: [PATCH 3/5] Update changelog
+
+---
+ CHANGELOG | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index b9044a497..729b4b363 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
+ ===========================
+ 
+ - Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
++- Fix bug where some parts of quota information could be ignored (#6280)
+ 
+ RELEASE 1.3.6
+ -------------
+-- 
+2.14.3
+
0004-Fix-bug-where-some-escape-sequences-in-html-styles-c.patch
Added
@@ -0,0 +1,106 @@
+From d9eed3625bf06cd2946b0efb6d88ff9986ba4864 Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec@alec.pl>
+Date: Sat, 5 May 2018 17:12:18 +0200
+Subject: [PATCH 4/5] Fix bug where some escape sequences in html styles could
+ bypass security checks
+
+---
+ CHANGELOG | 3 ++-
+ program/lib/Roundcube/rcube_utils.php | 3 ++-
+ program/lib/Roundcube/rcube_washtml.php | 5 ++++-
+ tests/Framework/Utils.php | 8 +++++++-
+ tests/MailFunc.php | 2 +-
+ 5 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 729b4b363..21eedff5b 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -2,7 +2,8 @@ CHANGELOG Roundcube Webmail
+ ===========================
+ 
+ - Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
+-- Fix bug where some parts of quota information could be ignored (#6280)
++- Fix bug where some parts of quota information could have been ignored (#6280)
++- Fix bug where some escape sequences in html styles could bypass security checks
+ 
+ RELEASE 1.3.6
+ -------------
+diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
+index 77b084a99..03de534f4 100644
+--- a/program/lib/Roundcube/rcube_utils.php
++++ b/program/lib/Roundcube/rcube_utils.php
+@@ -500,7 +500,8 @@ class rcube_utils
+ 
+ $out = html_entity_decode(html_entity_decode($content));
+ $out = trim(preg_replace('/(^<!--|-->$)/', '', trim($out)));
+- $out = preg_replace_callback('/\\\([0-9a-f]{2,4})\s*/i', $callback, $out);
++ $out = preg_replace_callback('/\\\([0-9a-f]{2,6})\s*/i', $callback, $out);
++ $out = preg_replace('/\\\([^0-9a-f])/i', '\\1', $out);
+ $out = preg_replace('#/\*.*\*/#Ums', '', $out);
+ $out = strip_tags($out);
+ 
+diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
+index ac1af74ef..44173f0b0 100644
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -242,8 +242,11 @@ 
class rcube_washtml
+ // Remove unwanted white-space characters so regular expressions below work better
+ $style = preg_replace('/[\n\r\s\t]+/', ' ', $style);
+ 
++ // Decode insecure character sequences
++ $style = rcube_utils::xss_entity_decode($style);
++
+ foreach (explode(';', $style) as $declaration) {
+- if (preg_match('/^\s*([a-z\-]+)\s*:\s*(.*)\s*$/i', $declaration, $match)) {
++ if (preg_match('/^\s*([a-z\\\-]+)\s*:\s*(.*)\s*$/i', $declaration, $match)) {
+ $cssid = $match[1];
+ $str = $match[2];
+ $value = '';
+diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
+index dc28907be..8543fe991 100644
+--- a/tests/Framework/Utils.php
++++ b/tests/Framework/Utils.php
+@@ -203,12 +203,15 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
+ $mod = rcube_utils::mod_css_styles("left:exp/* */ression( alert('xss3') )", 'rcmbody');
+ $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks");
+ 
+- $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert('xss') )", 'rcmbody');
++ $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\00006c( javascript:alert('xss') )", 'rcmbody');
+ $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
+ 
+ $mod = rcube_utils::mod_css_styles("background: \\75 \\72 \\6C ('/images/img.png')", 'rcmbody');
+ $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (3)");
+ 
++ $mod = rcube_utils::mod_css_styles("background: u\\r\\l('/images/img.png')", 'rcmbody');
++ $this->assertEquals("/* evil! 
*/", $mod, "Don't allow encoding quirks (4)");
++
+ // position: fixed (#5264)
+ $mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
+ $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");
+@@ -234,6 +237,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
+ $mod = rcube_utils::xss_entity_decode('#foo:after{content:"\003Cimg/src=x onerror=alert(2)>";}');
+ $this->assertNotContains('<img', $mod, "Strip (encoded) tags from content property");
+ 
++ $mod = rcube_utils::xss_entity_decode("background: u\\r\\00006c('/images/img.png')");
++ $this->assertContains("url(", $mod, "Escape sequences resolving");
++
+ // #5747
+ $mod = rcube_utils::xss_entity_decode('<!-- #foo { content:css; } -->');
+ $this->assertContains('#foo', $mod, "Strip HTML comments from content, but not the content");
+diff --git a/tests/MailFunc.php b/tests/MailFunc.php
+index 69b8a3517..bccdb5f2a 100644
+--- a/tests/MailFunc.php
++++ b/tests/MailFunc.php
+@@ -215,7 +215,7 @@ class MailFunc extends PHPUnit_Framework_TestCase
+ $body = rcmail_print_body($html, $this->get_html_part(), array('safe' => false, 'plain' => false));
+ 
+ $this->assertNotContains('onerror=alert(1)//">test', $body);
+- $this->assertContains('<a style="x: ><img src=x onerror=alert(1)//"', $body);
++ $this->assertContains('<a style="x: >"', $body);
+ }
+ 
+ /**
+-- 
+2.14.3
+
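Review bot: The widened property-name class `[a-z\\\-]` in the rcube_washtml hunk admits a literal backslash even though the `xss_entity_decode()` call added three lines above has already resolved backslash escapes, and nothing on the line says why; presumably a name that still carries a backslash after decoding (a doubled backslash decodes to one) is meant to reach the property check that follows outside the hunk rather than be dropped by a failed preg_match, but that should be confirmed. A comment would record it: `// names may keep a literal backslash after decoding; let the property check reject them`. In the rcube_utils hunk the hex range `{2,6}` still leaves one-digit escapes undecoded while CSS allows one to six hex digits; such escapes only yield U+0000–U+000F, so a short comment stating that the lower bound is deliberate would spare the next reader from re-deriving it. Both enclosing methods start and end outside the hunks.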
0005-Fix-bug-where-some-forbidden-characters-on-Cyrus-IMA.patch
Added
@@ -0,0 +1,122 @@
+From 16b5a345e0000c1909f5a7bcb309f083cae50878 Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <machniak@kolabsys.com>
+Date: Tue, 8 May 2018 12:20:11 +0200
+Subject: [PATCH 5/5] Fix bug where some forbidden characters on Cyrus-IMAP
+ were not prevented from use in folder names
+
+Conflicts:
+ plugins/archive/archive.php
+---
+ CHANGELOG | 1 +
+ program/lib/Roundcube/rcube_imap.php | 29 +++++++++++++++++++++++++++++
+ program/lib/Roundcube/rcube_storage.php | 20 ++++++++++++++++++++
+ program/steps/settings/save_folder.inc | 10 ++--------
+ 4 files changed, 52 insertions(+), 8 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 21eedff5b..6cbd10164 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -4,6 +4,7 @@ CHANGELOG Roundcube Webmail
+ - Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
+ - Fix bug where some parts of quota information could have been ignored (#6280)
+ - Fix bug where some escape sequences in html styles could bypass security checks
++- Fix bug where some forbidden characters on Cyrus-IMAP were not prevented from use in folder names
+ 
+ RELEASE 1.3.6
+ -------------
+diff --git a/program/lib/Roundcube/rcube_imap.php b/program/lib/Roundcube/rcube_imap.php
+index be359d066..eaae624c8 100644
+--- a/program/lib/Roundcube/rcube_imap.php
++++ b/program/lib/Roundcube/rcube_imap.php
+@@ -3722,6 +3722,35 @@ class rcube_imap extends rcube_storage
+ }
+ }
+ 
++ /**
++ * Check if the folder name is valid
++ *
++ * @param string $folder Folder name (UTF-8)
++ * @param string &$char First forbidden character found
++ *
++ * @return bool True if the name is valid, False otherwise
++ */
++ public function folder_validate($folder, &$char = null)
++ {
++ if (parent::folder_validate($folder, $char)) {
++ $vendor = $this->get_vendor();
++ $regexp = '\\x00-\\x1F\\x7F%*';
++
++ if ($vendor == 'cyrus') {
++ // List based on testing Kolab's Cyrus-IMAP 2.5
++ $regexp .= '!`@(){}|\\?<;"';
++ }
++
++ if 
(!preg_match("/[$regexp]/", $folder, $m)) {
++ return true;
++ }
++
++ $char = $m[0];
++ }
++
++ return false;
++ }
++
+ /**
+ * Get message header names for rcube_imap_generic::fetchHeader(s)
+ *
+diff --git a/program/lib/Roundcube/rcube_storage.php b/program/lib/Roundcube/rcube_storage.php
+index 56703177c..faacd4f65 100644
+--- a/program/lib/Roundcube/rcube_storage.php
++++ b/program/lib/Roundcube/rcube_storage.php
+@@ -796,6 +796,26 @@ abstract class rcube_storage
+ */
+ abstract function mod_folder($folder, $mode = 'out');
+ 
++ /**
++ * Check if the folder name is valid
++ *
++ * @param string $folder Folder name (UTF-8)
++ * @param string &$char First forbidden character found
++ *
++ * @return bool True if the name is valid, False otherwise
++ */
++ public function folder_validate($folder, &$char = null)
++ {
++ $delim = $this->get_hierarchy_delimiter();
++
++ if (strpos($folder, $delim) !== false) {
++ $char = $delim;
++ return false;
++ }
++
++ return true;
++ }
++
+ /**
+ * Create all folders specified as default
+ */
+diff --git a/program/steps/settings/save_folder.inc b/program/steps/settings/save_folder.inc
+index ed1b09fc1..0b777798b 100644
+--- a/program/steps/settings/save_folder.inc
++++ b/program/steps/settings/save_folder.inc
+@@ -45,14 +45,8 @@ else if (mb_strlen($name) > 128) {
+ else if ($name[0] == '.' && $RCMAIL->config->get('imap_skip_hidden_folders')) {
+ $error = $RCMAIL->gettext('namedotforbidden');
+ }
+-else {
+- // these characters are problematic e.g. when used in LIST/LSUB
+- foreach (array($delimiter, '%', '*') as $char) {
+- if (strpos($name, $char) !== false) {
+- $error = $RCMAIL->gettext('forbiddencharacter') . " ($char)";
+- break;
+- }
+- }
++else if (!$STORAGE->folder_validate($name, $char)) {
++ $error = $RCMAIL->gettext('forbiddencharacter') . " ($char)";
+ }
+ 
+ if ($error) {
+-- 
+2.14.3
+
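Review bot: In the rcube_imap hunk the Cyrus list is the single-quoted string `'!`@(){}|\\?<;"'`, which PHP turns into the class token `\?`, so `?` is forbidden but a literal backslash is not; if the backslash was also meant to be rejected, as the doubled form suggests, the source needs `'!`@(){}|\\\\?<;"'`, and a test with a backslash in the name would pin whichever is intended. In the rcube_storage hunk `strpos($folder, $delim) !== false` has no guard for an empty or null delimiter from get_hierarchy_delimiter(), which PHP 8 treats as matching at offset 0 (every name rejected with an empty `$char`) and older releases report as an empty-needle warning; `if ($delim !== null && $delim !== '' && strpos($folder, $delim) !== false) {` keeps the check meaningful. The patch header lists `Conflicts: plugins/archive/archive.php` but the diffstat has no archive.php hunk, so whatever the upstream commit changed in that plugin appears to have been dropped during the backport and is worth confirming against the upstream commit. `$vendor == 'cyrus'` should use `===`, since get_vendor()'s return type is not visible here.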
debian.changelog
Changed
@@ -1,3 +1,9 @@
+roundcubemail (1.3.6-0~kolab2) unstable; urgency=low
+
+ * Patch issues fixed upstream
+
+ -- Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> Mon, 14 May 2018 11:11:11 +0200
+
 roundcubemail (1.3.6-0~kolab1) unstable; urgency=low
 * Check in 1.3.6 release
debian.series
Changed
@@ -1,2 +1,7 @@
 default-configuration.patch -p1
 roundcubemail-1.3.6-plugin-enigma-homedir.patch -p1
+0001-Fix-PHP-Warning-Use-of-undefined-constant-IDNA_DEFAU.patch -p1
+0002-Parse-all-quotas-from-GETQUOTAROOT-6280.patch -p1
+0003-Update-changelog.patch -p1
+0004-Fix-bug-where-some-escape-sequences-in-html-styles-c.patch -p1
+0005-Fix-bug-where-some-forbidden-characters-on-Cyrus-IMA.patch -p1
roundcubemail.dsc
Changed
@@ -2,7 +2,7 @@
 Source: roundcubemail
 Binary: roundcubemail
 Architecture: all
-Version: 1:1.3.6-0~kolab1
+Version: 1:1.3.6-0~kolab2
 Maintainer: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>
 Uploaders: Paul Klos <kolab@klos2day.nl>
 Homepage: http://www.roundcube.net/