[roundcubemail] 0.7.3, XSS fix.
Jon Ciesla
limb at fedoraproject.org
Mon Aug 20 14:44:59 UTC 2012
commit ac0541ca40878a5daf0fcae3457c41239b308462
Author: Jon Ciesla <limburgher at gmail.com>
Date: Mon Aug 20 09:44:47 2012 -0500
0.7.3, XSS fix.
.gitignore | 1 +
roundcubemail-0.7.3-xss-sig.patch | 103 +++++++++++++++++++++++++++++++++++++
roundcubemail.spec | 9 +++-
sources | 2 +-
4 files changed, 112 insertions(+), 3 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index efe7217..440e8e9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@ roundcubemail-0.3.1-dep.tar.gz
/roundcubemail-0.7-dep.tar.gz
/roundcubemail-0.7.1-dep.tar.gz
/roundcubemail-0.7.2-dep.tar.gz
+/roundcubemail-0.7.3-dep.tar.gz
diff --git a/roundcubemail-0.7.3-xss-sig.patch b/roundcubemail-0.7.3-xss-sig.patch
new file mode 100644
index 0000000..dd01a01
--- /dev/null
+++ b/roundcubemail-0.7.3-xss-sig.patch
@@ -0,0 +1,103 @@
+--- program/steps/mail/compose.inc.orig 2012-08-15 11:44:45.000000000 -0500
++++ program/steps/mail/compose.inc 2012-08-20 09:31:27.376369309 -0500
+@@ -520,7 +520,7 @@
+
+ function rcmail_compose_header_from($attrib)
+ {
+- global $MESSAGE, $OUTPUT;
++ global $MESSAGE, $OUTPUT, $RCMAIL, $compose_mode;
+
+ // pass the following attributes to the form class
+ $field_attrib = array('name' => '_from');
+@@ -531,6 +531,8 @@
+ if (count($MESSAGE->identities))
+ {
+ $a_signatures = array();
++ $separator = $RCMAIL->config->get('sig_above')
++ && ($compose_mode == RCUBE_COMPOSE_REPLY || $compose_mode == RCUBE_COMPOSE_FORWARD) ? '---' : '-- ';
+
+ $field_attrib['onchange'] = JS_OBJECT_NAME.".change_identity(this)";
+ $select_from = new html_select($field_attrib);
+@@ -544,13 +546,26 @@
+ // add signature to array
+ if (!empty($sql_arr['signature']) && empty($COMPOSE['param']['nosig']))
+ {
+- $a_signatures[$identity_id]['text'] = $sql_arr['signature'];
+- $a_signatures[$identity_id]['is_html'] = ($sql_arr['html_signature'] == 1) ? true : false;
+- if ($a_signatures[$identity_id]['is_html'])
+- {
+- $h2t = new html2text($a_signatures[$identity_id]['text'], false, false);
+- $a_signatures[$identity_id]['plain_text'] = trim($h2t->get_text());
++ $text = $html = $sql_arr['signature'];
++ if ($sql_arr['html_signature']) {
++ $h2t = new html2text($sql_arr['signature'], false, false);
++ $text = trim($h2t->get_text());
+ }
++ else {
++ $html = htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET);
++ }
++
++ if (!preg_match('/^--[ -]\r?\n/m', $text)) {
++ $text = $separator . "\n" . $text;
++ $html = $separator . "<br>" . $html;
++ }
++
++ if (!$sql_arr['html_signature']) {
++ $html = "<pre>" . $html . "</pre>";
++ }
++
++ $a_signatures[$identity_id]['text'] = $text;
++ $a_signatures[$identity_id]['html'] = $html;
+ }
+ }
+
+--- program/js/app.js.src~ 2012-08-15 11:44:45.000000000 -0500
++++ program/js/app.js.src 2012-08-20 09:41:02.876568088 -0500
+@@ -3192,8 +3192,7 @@
+ input_message = $("[name='_message']"),
+ message = input_message.val(),
+ is_html = ($("input[name='_is_html']").val() == '1'),
+- sig = this.env.identity,
+- sig_separator = this.env.sig_above && (this.env.compose_mode == 'reply' || this.env.compose_mode == 'forward') ? '---' : '-- ';
++ sig = this.env.identity;
+
+ // enable manual signature insert
+ if (this.env.signatures && this.env.signatures[id]) {
+@@ -3207,12 +3206,9 @@
+ // remove the 'old' signature
+ if (show_sig && sig && this.env.signatures && this.env.signatures[sig]) {
+
+- sig = this.env.signatures[sig].is_html ? this.env.signatures[sig].plain_text : this.env.signatures[sig].text;
++ sig = this.env.signatures[sig].text;
+ sig = sig.replace(/\r\n/g, '\n');
+
+- if (!sig.match(/^--[ -]\n/m))
+- sig = sig_separator + '\n' + sig;
+-
+ p = this.env.sig_above ? message.indexOf(sig) : message.lastIndexOf(sig);
+ if (p >= 0)
+ message = message.substring(0, p) + message.substring(p+sig.length, message.length);
+@@ -3288,21 +3284,8 @@
+ }
+ }
+
+- if (this.env.signatures[id]) {
+- if (this.env.signatures[id].is_html) {
+- sig = this.env.signatures[id].text;
+- if (!this.env.signatures[id].plain_text.match(/^--[ -]\r?\n/m))
+- sig = sig_separator + '<br />' + sig;
+- }
+- else {
+- sig = this.env.signatures[id].text;
+- if (!sig.match(/^--[ -]\r?\n/m))
+- sig = sig_separator + '\n' + sig;
+- sig = '<pre>' + sig + '</pre>';
+- }
+-
+- sigElem.innerHTML = sig;
+- }
++ if (this.env.signatures[id])
++ sigElem.innerHTML = this.env.signatures[id].html;
+ }
+
+ this.env.identity = id;
diff --git a/roundcubemail.spec b/roundcubemail.spec
index fc04ab7..8575915 100644
--- a/roundcubemail.spec
+++ b/roundcubemail.spec
@@ -1,8 +1,8 @@
%define roundcubedir %{_datadir}/roundcubemail
%global _logdir /var/log
Name: roundcubemail
-Version: 0.7.2
-Release: 3%{?dist}
+Version: 0.7.3
+Release: 1%{?dist}
Summary: Round Cube Webmail is a browser-based multilingual IMAP client
Group: Applications/System
@@ -15,6 +15,7 @@ Source4: roundcubemail-README.fedora
# Non-upstremable: Adjusts config path to Fedora policy
Patch6: roundcubemail-0.4.1-confpath.patch
Patch7: roundcubemail-0.7.2-strict.patch
+Patch8: roundcubemail-0.7.3-xss-sig.patch
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root%(%{__id_u} -n)
@@ -47,6 +48,7 @@ interface is fully skinnable using XHTML and CSS 2.
%patch6 -p0
%patch7 -p0
+%patch8 -p0
# fix permissions and remove any .htaccess files
find . -type f -print | xargs chmod a-x
@@ -138,6 +140,9 @@ exit 0
%config(noreplace) %{_sysconfdir}/logrotate.d/roundcubemail
%changelog
+* Mon Aug 20 2012 Jon Ciesla <limburgher at gmail.com> - 0.7.3-1
+- 0.7.3, patch for XSS in signature issue, BZ 849616, 849617.
+
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.7.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
diff --git a/sources b/sources
index a252c10..319f0ee 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2b77fe823de00a7ebd85b8919e40d78d roundcubemail-0.7.2-dep.tar.gz
+43c78a7fe9801d145442d20a68c02f07 roundcubemail-0.7.3-dep.tar.gz
More information about the scm-commits
mailing list