[Pkg-roundcube-maintainers] CVE-2023-5631/roundcube: {bullseye, bookworm}-security uploads
Guilhem Moulin
guilhem at debian.org
Thu Oct 19 00:21:58 BST 2023
Dear security team,
I'd like to propose the attached debdiffs (patch-applied, excluding
debian/patches) to fix CVE-2023-5631/roundcube.
Bullseye and Bookworm have respectively been following upstream's LTS
(1.4) and stable (1.6) branch, so I imported 1.4.15 resp. 1.6.4 rather
than doing a targeted fix. For 1.4.15 the diff contains only that fix,
for 1.6.4 there are a few other changes, but no new features.
The d/rules change for 1.6 is because upstream used to update version
numbers incl. the minor version in the tagged code, but since 1.6.2 this
is no longer the case and the about dialog shows ‘1.6-git’ rather than
‘1.6.4’. The new sed commands are taken from the upstream Makefile, and
the result (checked via DEP-8) matches what can be found in the upstream
tarball. The effect is only cosmetic, but if you prefer I can replace
it with a static patch in debian/patches.
Both 1.4.15+dfsg.1-1~deb11u1 and 1.6.4+dfsg-1~deb12u1 have been tested.
Cheers,
--
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.4.14+dfsg.1 roundcube-1.4.15+dfsg.1
CHANGELOG | 5 +++++
debian/changelog | 10 ++++++++++
debian/patches/series | 1 +
debian/salsa-ci.yml | 2 ++
index.php | 2 +-
installer/index.php | 2 +-
program/include/iniset.php | 2 +-
program/lib/Roundcube/bootstrap.php | 2 +-
program/lib/Roundcube/rcube_washtml.php | 13 +++++++------
public_html/index.php | 2 +-
tests/Framework/Washtml.php | 18 ++++++++++++++++++
11 files changed, 48 insertions(+), 11 deletions(-)
diff -Nru roundcube-1.4.14+dfsg.1/CHANGELOG roundcube-1.4.15+dfsg.1/CHANGELOG
--- roundcube-1.4.14+dfsg.1/CHANGELOG 2023-09-16 22:01:19.000000000 +0200
+++ roundcube-1.4.15+dfsg.1/CHANGELOG 2023-10-19 01:06:28.000000000 +0200
@@ -1,5 +1,10 @@
# Changelog Roundcube Webmail
+RELEASE 1.4.15
+--------------
+- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
+- Fix PHP 5.4 compatibility by using pear-core-minimal 1.10.11 (#9148)
+
RELEASE 1.4.14
--------------
- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
diff -Nru roundcube-1.4.14+dfsg.1/debian/changelog roundcube-1.4.15+dfsg.1/debian/changelog
--- roundcube-1.4.14+dfsg.1/debian/changelog 2023-09-25 11:32:59.000000000 +0200
+++ roundcube-1.4.15+dfsg.1/debian/changelog 2023-10-18 23:40:57.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.4.15+dfsg.1-1~deb11u1) bullseye-security; urgency=high
+
+ * New security/bugfix upstream release:
+ + Fix CVE-2023-5631: Cross-site scripting (XSS) vulnerability in handling
+ of SVG in HTML messages. (Closes: #1054079)
+ * Salsa CI: Disable lintian and reprotest jobs.
+ * Refresh patches.
+
+ -- Guilhem Moulin <guilhem at debian.org> Wed, 18 Oct 2023 23:40:57 +0200
+
roundcube (1.4.14+dfsg.1-1~deb11u1) bullseye; urgency=high
* New security/bugfix upstream release:
diff -Nru roundcube-1.4.14+dfsg.1/debian/salsa-ci.yml roundcube-1.4.15+dfsg.1/debian/salsa-ci.yml
--- roundcube-1.4.14+dfsg.1/debian/salsa-ci.yml 2023-09-25 11:32:59.000000000 +0200
+++ roundcube-1.4.15+dfsg.1/debian/salsa-ci.yml 2023-10-18 23:40:57.000000000 +0200
@@ -5,3 +5,5 @@
variables:
RELEASE: 'bullseye'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
diff -Nru roundcube-1.4.14+dfsg.1/index.php roundcube-1.4.15+dfsg.1/index.php
--- roundcube-1.4.14+dfsg.1/index.php 2023-09-16 22:01:19.000000000 +0200
+++ roundcube-1.4.15+dfsg.1/index.php 2023-10-19 01:06:28.000000000 +0200
@@ -2,7 +2,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.4.14 |
+ | Version 1.4.15 |
| |
| Copyright (C) The Roundcube Dev Team |
| |
diff -Nru roundcube-1.4.14+dfsg.1/installer/index.php roundcube-1.4.15+dfsg.1/installer/index.php
--- roundcube-1.4.14+dfsg.1/installer/index.php 2023-09-16 22:01:19.000000000 +0200
+++ roundcube-1.4.15+dfsg.1/installer/index.php 2023-10-19 01:06:28.000000000 +0200
@@ -3,7 +3,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail setup tool |
- | Version 1.4.14 |
+ | Version 1.4.15 |
| |
| Copyright (C) The Roundcube Dev Team |
| |
diff -Nru roundcube-1.4.14+dfsg.1/program/include/iniset.php roundcube-1.4.15+dfsg.1/program/include/iniset.php
--- roundcube-1.4.14+dfsg.1/program/include/iniset.php 2023-10-19 01:06:27.000000000 +0200
+++ roundcube-1.4.15+dfsg.1/program/include/iniset.php 2023-10-19 01:06:28.000000000 +0200
@@ -26,7 +26,7 @@
}
// application constants
-define('RCMAIL_VERSION', '1.4.14');
+define('RCMAIL_VERSION', '1.4.15');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.14+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.4.15+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.4.14+dfsg.1/program/lib/Roundcube/bootstrap.php 2023-09-16 22:01:19.000000000 +0200
+++ roundcube-1.4.15+dfsg.1/program/lib/Roundcube/bootstrap.php 2023-10-19 01:06:28.000000000 +0200
@@ -58,7 +58,7 @@
}
// framework constants
-define('RCUBE_VERSION', '1.4.14');
+define('RCUBE_VERSION', '1.4.15');
define('RCUBE_CHARSET', 'UTF-8');
define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP');
diff -Nru roundcube-1.4.14+dfsg.1/program/lib/Roundcube/rcube_washtml.php roundcube-1.4.15+dfsg.1/program/lib/Roundcube/rcube_washtml.php
--- roundcube-1.4.14+dfsg.1/program/lib/Roundcube/rcube_washtml.php 2023-09-16 22:01:19.000000000 +0200
+++ roundcube-1.4.15+dfsg.1/program/lib/Roundcube/rcube_washtml.php 2023-10-14 18:34:32.000000000 +0200
@@ -412,17 +412,18 @@
return $this->config['blocked_src'];
}
}
- else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/i', $uri, $matches)) { // RFC2397
+ else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397
+ $type = preg_replace('/\s/', '', $matches[1]);
+
// svg images can be insecure, we'll sanitize them
- if (stripos($matches[1], 'svg') !== false) {
+ if (stripos($type, 'svg') !== false) {
$svg = $matches[2];
- if (stripos($matches[1], ';base64') !== false) {
- $svg = base64_decode($svg);
- $type = $matches[1];
+ if (stripos($type, ';base64') !== false) {
+ $svg = base64_decode($svg);
}
else {
- $type = $matches[1] . ';base64';
+ $type .= ';base64';
}
$washer = new self($this->config);
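Review bot: The new `$type = preg_replace('/\s/', '', $matches[1]);` line carries no comment, and the only nearby explanation (`// svg images can be insecure, we'll sanitize them`) does not say why whitespace is removed before the `svg` check, so a later reader will not connect it to the new test fixtures. Suggest placing `// normalise the media type first: whitespace inside it (e.g. "image/s vg+xml") must not let an SVG payload skip the sanitiser below (#9168)` above it. Note that `/\s/` has no `u` modifier, so it strips the ASCII whitespace class, which matches what the new fixtures (space, newline, tab) exercise. The same hunk is in the 1.6.4 debdiff (`rcube_washtml.php @@ -428,16`) and the comment belongs there as well. The enclosing method starts and ends outside the hunk.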
diff -Nru roundcube-1.4.14+dfsg.1/public_html/index.php roundcube-1.4.15+dfsg.1/public_html/index.php
--- roundcube-1.4.14+dfsg.1/public_html/index.php 2023-09-16 22:01:19.000000000 +0200
+++ roundcube-1.4.15+dfsg.1/public_html/index.php 2023-10-19 01:06:28.000000000 +0200
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.4.14 |
+ | Version 1.4.15 |
| |
| Copyright (C) The Roundcube Dev Team |
| |
diff -Nru roundcube-1.4.14+dfsg.1/tests/Framework/Washtml.php roundcube-1.4.15+dfsg.1/tests/Framework/Washtml.php
--- roundcube-1.4.14+dfsg.1/tests/Framework/Washtml.php 2023-10-19 01:06:27.000000000 +0200
+++ roundcube-1.4.15+dfsg.1/tests/Framework/Washtml.php 2023-10-19 01:06:28.000000000 +0200
@@ -401,6 +401,24 @@
'<svg><script href="data:text/javascript,alert(1)" /><text x="20" y="20">XSS</text></svg>',
'<svg><!-- script not allowed --><text x="20" y="20">XSS</text></svg>'
],
+ [
+ '<html><svg><use href="data:image/s vg+xml;base64,' // space
+ . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+ . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+ '<!-- html ignored --><!-- body ignored --><svg xmlns="http://www.w3.org/1999/xhtml"><use x-washed="href"></use></svg>'
+ ],
+ [
+ '<html><svg><use href="data:image/s' . "\n" . 'vg+xml;base64,' // new-line
+ . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+ . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+ '<!-- html ignored --><!-- body ignored --><svg xmlns="http://www.w3.org/1999/xhtml"><use x-washed="href"></use></svg>'
+ ],
+ [
+ '<html><svg><use href="data:image/s vg+xml;base64,' // tab
+ . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+ . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+ '<!-- html ignored --><!-- body ignored --><svg xmlns="http://www.w3.org/1999/xhtml"><use x-washed="href"></use></svg>'
+ ],
];
}
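Review bot: The three new cases exercise space, newline and tab only, whereas the normalisation in rcube_washtml.php strips everything PCRE `\s` matches; adding `\r` and `\f` variants (and `\v`, which current PCRE also counts as `\s`) pins the full set the fix is meant to cover. Each case repeats the same base64 payload verbatim; a small helper that builds the `data:` URI from a separator, or one fixture iterated over a list of separators, would keep the table readable and make the next separator a one-token addition. The same three cases are added to the 1.6.4 test file (`tests/Framework/Washtml.php @@ -455,6`) and the remark applies there too. The data-provider method whose array this is starts outside the hunk.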
-------------- next part --------------
diffstat for roundcube-1.6.3+dfsg roundcube-1.6.4+dfsg
CHANGELOG.md | 7 +++++
Makefile | 2 -
debian/changelog | 15 ++++++++++++
debian/rules | 7 +++++
debian/salsa-ci.yml | 2 +
debian/tests/check-upstream-version-number | 30 +++++++++++++++++++++++++
debian/tests/control | 4 +++
installer/test.php | 6 ++---
plugins/managesieve/Changelog | 1
plugins/managesieve/managesieve.js | 12 ++++++----
program/include/rcmail.php | 2 -
program/include/rcmail_install.php | 5 +---
program/lib/Roundcube/rcube_mime.php | 2 -
program/lib/Roundcube/rcube_washtml.php | 11 +++++----
program/localization/es_ES/labels.inc | 2 -
public_html/plugins/managesieve/Changelog | 1
public_html/plugins/managesieve/managesieve.js | 12 ++++++----
tests/Framework/Washtml.php | 18 +++++++++++++++
19 files changed, 116 insertions(+), 25 deletions(-)
diff -Nru roundcube-1.6.3+dfsg/CHANGELOG.md roundcube-1.6.4+dfsg/CHANGELOG.md
--- roundcube-1.6.3+dfsg/CHANGELOG.md 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/CHANGELOG.md 2023-10-14 18:17:17.000000000 +0200
@@ -2,6 +2,13 @@
## Unreleased
+- Fix PHP8 warnings (#9142, #9160)
+- Fix default 'mime.types' path on Windows (#9113)
+- Managesieve: Fix javascript error when relational or spamtest extension is not enabled (#9139)
+- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
+
+## Release 1.6.3
+
- Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
- Update jQuery-UI to version 1.13.2 (#9041)
- Fix regression that broke use_secure_urls feature (#9052)
diff -Nru roundcube-1.6.3+dfsg/debian/changelog roundcube-1.6.4+dfsg/debian/changelog
--- roundcube-1.6.3+dfsg/debian/changelog 2023-09-25 14:22:10.000000000 +0200
+++ roundcube-1.6.4+dfsg/debian/changelog 2023-10-19 00:20:52.000000000 +0200
@@ -1,3 +1,18 @@
+roundcube (1.6.4+dfsg-1~deb12u1) bookworm-security; urgency=high
+
+ * New upstream security and bugfix release:
+ + Fix CVE-2023-5631: Cross-site scripting (XSS) vulnerability in handling
+ of SVG in HTML messages. (Closes: #1054079)
+ + Managesieve plugin: Fix javascript error when relational or spamtest
+ extension is not enabled.
+ + Fix PHP8 warnings.
+ * Replace upstream release “version” 1.6-git with the actual tagged version.
+ * Add DEP-8 test to check RCMAIL_VERSION against d/changelog.
+ * Salsa CI: Disable lintian and reprotest jobs.
+ * Refresh patches.
+
+ -- Guilhem Moulin <guilhem at debian.org> Thu, 19 Oct 2023 00:20:52 +0200
+
roundcube (1.6.3+dfsg-1~deb12u1) bookworm; urgency=medium
* Rebuild for bookworm.
diff -Nru roundcube-1.6.3+dfsg/debian/rules roundcube-1.6.4+dfsg/debian/rules
--- roundcube-1.6.3+dfsg/debian/rules 2023-09-25 14:22:10.000000000 +0200
+++ roundcube-1.6.4+dfsg/debian/rules 2023-10-19 00:20:52.000000000 +0200
@@ -1,5 +1,9 @@
#!/usr/bin/make -f
+include /usr/share/dpkg/pkg-info.mk
+DEB_VERSION_UPSTREAM_MINOR = $(shell echo "$(DEB_VERSION_UPSTREAM)" | sed -r 's/\+dfsg(\.[0-9])?[0-9]*$$//')
+DEB_VERSION_UPSTREAM_BRANCH = $(shell echo "$(DEB_VERSION_UPSTREAM_MINOR)" | sed -r 's/\.[0-9]+$$/-git/')
+
SRC_FILES := $(shell find program skins plugins -path program/js/tinymce -prune -o -type f -print)
PLUGINS := $(patsubst plugins/%/composer.json,%,$(wildcard plugins/*/composer.json))
SKINS := $(patsubst skins/%/meta.json,%,$(wildcard skins/*/meta.json))
@@ -90,6 +94,9 @@
@rm -rf -- program/js/tinymce
override_dh_auto_build: $(GENERATED_FILES) ;
+ sed -ri 's/^(#+\s+)Unreleased(\s|$$)/\1Release $(DEB_VERSION_UPSTREAM_MINOR)\2/' CHANGELOG.md
+ sed -ri 's/\<$(DEB_VERSION_UPSTREAM_BRANCH)\>/$(DEB_VERSION_UPSTREAM_MINOR)/' \
+ index.php public_html/index.php program/include/iniset.php program/lib/Roundcube/bootstrap.php
.SECONDARY:
PHPUNIT_EXCLUDE_GROUPS = flaky
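Review bot: The two `sed -ri` commands in `override_dh_auto_build` rewrite tracked upstream files in place (CHANGELOG.md, index.php, public_html/index.php, program/include/iniset.php, program/lib/Roundcube/bootstrap.php) and nothing in the hunk reverts them in a clean target, so after one build the tree no longer matches the orig tarball; a subsequent `dpkg-buildpackage` in the same tree would likely fail at `dpkg-source -b` with unexpected upstream changes, and a second run of the `\<1.6-git\>` substitution silently matches nothing. Either restore the files in `override_dh_auto_clean` or ship the substitution as the static debian/patches entry the cover mail offers. The `DEB_VERSION_UPSTREAM_MINOR` / `DEB_VERSION_UPSTREAM_BRANCH` derivation in the first hunk also quietly depends on the `+dfsg` suffix convention; a comment such as `# 1.6.4+dfsg -> 1.6.4; 1.6-git is upstream's placeholder in tagged code since 1.6.2` next to the two variables would help the next maintainer.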
diff -Nru roundcube-1.6.3+dfsg/debian/salsa-ci.yml roundcube-1.6.4+dfsg/debian/salsa-ci.yml
--- roundcube-1.6.3+dfsg/debian/salsa-ci.yml 2023-09-25 14:22:10.000000000 +0200
+++ roundcube-1.6.4+dfsg/debian/salsa-ci.yml 2023-10-19 00:20:52.000000000 +0200
@@ -4,5 +4,7 @@
variables:
RELEASE: 'bookworm'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
# install suitable RDBMS before running piuparts (workaround for #1015732)
SALSA_CI_PIUPARTS_PRE_INSTALL_SCRIPT: 'debian/salsa-ci/pre_install_database-server'
diff -Nru roundcube-1.6.3+dfsg/debian/tests/check-upstream-version-number roundcube-1.6.4+dfsg/debian/tests/check-upstream-version-number
--- roundcube-1.6.3+dfsg/debian/tests/check-upstream-version-number 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.6.4+dfsg/debian/tests/check-upstream-version-number 2023-10-19 00:20:52.000000000 +0200
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -eu
+PATH="/usr/bin:/bin"
+export PATH
+
+UPSTREAM_VERSION="$(dpkg-query -f '${source:Upstream-Version}' -W 'roundcube-core')"
+if [ "${UPSTREAM_VERSION%+ds*}" != "$UPSTREAM_VERSION" ]; then
+ UPSTREAM_VERSION="${UPSTREAM_VERSION%+ds*}"
+else
+ UPSTREAM_VERSION="${UPSTREAM_VERSION%+dfsg*}"
+fi
+
+RV=0
+check_version() {
+ local var="$1" path="$2" v str
+ str="include_once(\"$path\"); echo($var);"
+ if ! v="$(php -r "$str")"; then
+ echo "ERROR: \`php -r \"$str\"\` failed" >&2
+ RV=1
+ elif [ "$v" != "$UPSTREAM_VERSION" ]; then
+ echo "ERROR: Got $var=$v (expected $UPSTREAM_VERSION)" >&2
+ RV=1
+ fi
+}
+
+check_version RCMAIL_VERSION /usr/share/roundcube/program/include/iniset.php
+check_version RCUBE_VERSION /usr/share/roundcube/program/lib/Roundcube/bootstrap.php
+
+exit $RV
diff -Nru roundcube-1.6.3+dfsg/debian/tests/control roundcube-1.6.4+dfsg/debian/tests/control
--- roundcube-1.6.3+dfsg/debian/tests/control 2023-09-25 14:22:10.000000000 +0200
+++ roundcube-1.6.4+dfsg/debian/tests/control 2023-10-19 00:20:52.000000000 +0200
@@ -22,6 +22,10 @@
# XXX for better coverage (Browser tests) we would need Laravel Dusk, see .github/run.sh and tests/Browser/README.md
Restrictions: superficial, needs-root, rw-build-tree
+Tests: check-upstream-version-number
+Depends: roundcube-sqlite3, roundcube-core
+Restrictions: superficial
+
# out of the box deployment with default HTTPd
Tests: apache2, cleanup, installer-checks
Depends: apache2, default-mysql-server, roundcube, curl
diff -Nru roundcube-1.6.3+dfsg/installer/test.php roundcube-1.6.4+dfsg/installer/test.php
--- roundcube-1.6.3+dfsg/installer/test.php 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/installer/test.php 2023-10-14 18:17:17.000000000 +0200
@@ -53,7 +53,7 @@
echo '<br />';
if ($RCI->configured && ($messages = $RCI->check_config())) {
- if (is_array($messages['replaced'])) {
+ if (!empty($messages['replaced'])) {
echo '<h3 class="warning">Replaced config options</h3>';
echo '<p class="hint">The following config options have been replaced or renamed. ';
echo 'Please update them accordingly in your config files.</p>';
@@ -66,7 +66,7 @@
echo '</ul>';
}
- if (is_array($messages['obsolete'])) {
+ if (!empty($messages['obsolete'])) {
echo '<h3>Obsolete config options</h3>';
echo '<p class="hint">You still have some obsolete or inexistent properties set. This isn\'t a problem but should be noticed.</p>';
@@ -82,7 +82,7 @@
echo html::a(['href' => './?_mergeconfig=1'], 'config.inc.php') . ' ';
echo "</p>";
- if (is_array($messages['dependencies'])) {
+ if (!empty($messages['dependencies'])) {
echo '<h3 class="warning">Dependency check failed</h3>';
echo '<p class="hint">Some of your configuration settings require other options to be configured or additional PHP modules to be installed</p>';
diff -Nru roundcube-1.6.3+dfsg/Makefile roundcube-1.6.4+dfsg/Makefile
--- roundcube-1.6.3+dfsg/Makefile 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/Makefile 2023-10-14 18:17:17.000000000 +0200
@@ -7,13 +7,11 @@
GPGKEY=devs at roundcube.net
VERSION=1.6-git
SEDI=sed -i
-WHICH=which
PHP_VERSION=7.3
UNAME_S := $(shell uname -s)
ifeq ($(UNAME_S),Darwin)
SEDI=sed -i ''
- WHICH=which -s
endif
all: clean complete dependent framework
diff -Nru roundcube-1.6.3+dfsg/plugins/managesieve/Changelog roundcube-1.6.4+dfsg/plugins/managesieve/Changelog
--- roundcube-1.6.3+dfsg/plugins/managesieve/Changelog 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/plugins/managesieve/Changelog 2023-10-14 18:17:17.000000000 +0200
@@ -1,3 +1,4 @@
+- Fix javascript error when relational or spamtest extension is not enabled (#9139)
- Removed managesieve_usetls option (in favor of the scheme prefix in managesieve_host)
- Plugin API: Removed `port` parameter in `managesieve_connect` hook
- Plugin API: Removed `usetls` parameter in `managesieve_connect` hook
diff -Nru roundcube-1.6.3+dfsg/plugins/managesieve/managesieve.js roundcube-1.6.4+dfsg/plugins/managesieve/managesieve.js
--- roundcube-1.6.3+dfsg/plugins/managesieve/managesieve.js 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/plugins/managesieve/managesieve.js 2023-10-14 18:17:17.000000000 +0200
@@ -647,13 +647,15 @@
if (h == 'size') {
if (msg) set.push(msg);
$.each(set, function() { if (this != window) this.style.display = 'none'; });
- spamtest.style.display = 'none';
+ if (spamtest)
+ spamtest.style.display = 'none';
size.style.display = '';
}
else if (h == 'spamtest') {
if (msg) set.push(msg);
$.each(set, function() { if (this != window) this.style.display = 'none'; });
- spamtest.style.display = '';
+ if (spamtest)
+ spamtest.style.display = '';
size.style.display = 'none';
}
else if (h == 'message' && msg) {
@@ -665,11 +667,12 @@
header.style.display = h != '...' ? 'none' : '';
custstr.style.display = h != 'string' ? 'none' : '';
size.style.display = 'none';
- spamtest.style.display = 'none';
op.style.display = '';
comp.style.display = '';
mod.style.display = is_header ? '' : 'none';
trans.style.display = h == 'body' ? '' : 'none';
+ if (spamtest)
+ spamtest.style.display = 'none';
if (mime)
mime.style.display = is_header ? '' : 'none';
if (mime_part)
@@ -690,7 +693,8 @@
rule_op_select(op, id, h);
rule_mod_select(id, h, !is_header);
rule_mime_select(id);
- rule_spamtest_select(id);
+ if (spamtest)
+ rule_spamtest_select(id);
obj.style.width = h == '...' ? '40px' : '';
};
diff -Nru roundcube-1.6.3+dfsg/program/include/rcmail_install.php roundcube-1.6.4+dfsg/program/include/rcmail_install.php
--- roundcube-1.6.3+dfsg/program/include/rcmail_install.php 2023-10-19 01:12:14.000000000 +0200
+++ roundcube-1.6.4+dfsg/program/include/rcmail_install.php 2023-10-19 01:12:15.000000000 +0200
@@ -357,7 +357,8 @@
return;
}
- $out = $seen = [];
+ $seen = [];
+ $out = ['defaults' => [], 'obsolete' => [], 'replaced' => [], 'dependencies' => [], 'missing' => []];
// iterate over the current configuration
foreach (array_keys($this->config) as $prop) {
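Review bot: `$out` is now pre-populated with the five keys `defaults`, `obsolete`, `replaced`, `dependencies` and `missing`, which makes the return shape part of this method's contract, yet the hunk adds no documentation of it; the method's docblock (its signature is above the hunk) should carry e.g. `@return array{defaults: array, obsolete: array, replaced: array, dependencies: array, missing: array}` so callers such as installer/test.php (which switches from `is_array()` to `!empty()` on these keys in the same debdiff) can rely on it. The bare `return;` just above the initialisation still yields `null` on that early path, so the docblock should state that the result is nullable. The second hunk (`@@ -430,8 +431,6`) drops `$out['defaults'] = [];` and now depends on this initialisation. The enclosing method starts and ends outside the hunk.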
@@ -430,8 +431,6 @@
}
if ($version) {
- $out['defaults'] = [];
-
foreach ($this->defaults_changes as $v => $opts) {
if (version_compare($v, $version, '>')) {
$out['defaults'] = array_merge($out['defaults'], $opts);
diff -Nru roundcube-1.6.3+dfsg/program/include/rcmail.php roundcube-1.6.4+dfsg/program/include/rcmail.php
--- roundcube-1.6.3+dfsg/program/include/rcmail.php 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/program/include/rcmail.php 2023-10-14 18:17:17.000000000 +0200
@@ -968,7 +968,7 @@
list(, $domain) = rcube_utils::explode('@', $post_user);
// direct match in default_host array
- if ($default_host[$post_host] || in_array($post_host, array_values($default_host))) {
+ if (!empty($default_host[$post_host]) || in_array($post_host, array_values($default_host))) {
$host = $post_host;
}
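Review bot: The `in_array($post_host, array_values($default_host))` half of the changed condition still compares loosely, and `$post_host` is presumably user-supplied login input (its name and the `$post_user` line above suggest so); make it `in_array($post_host, $default_host, true)` so a configured host is matched only on an identical string — `in_array()` ignores keys, so `array_values()` adds nothing. The `!empty()` change addresses the undefined-index warning only and does not alter which hosts are accepted. The enclosing function continues outside the hunk.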
// try to select host by mail domain
diff -Nru roundcube-1.6.3+dfsg/program/lib/Roundcube/rcube_mime.php roundcube-1.6.4+dfsg/program/lib/Roundcube/rcube_mime.php
--- roundcube-1.6.3+dfsg/program/lib/Roundcube/rcube_mime.php 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/program/lib/Roundcube/rcube_mime.php 2023-10-14 18:17:17.000000000 +0200
@@ -832,7 +832,7 @@
// try common locations
if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
- $file_paths[] = 'C:/xampp/apache/conf/mime.types.';
+ $file_paths[] = 'C:/xampp/apache/conf/mime.types';
}
else {
$file_paths[] = '/etc/mime.types';
diff -Nru roundcube-1.6.3+dfsg/program/lib/Roundcube/rcube_washtml.php roundcube-1.6.4+dfsg/program/lib/Roundcube/rcube_washtml.php
--- roundcube-1.6.3+dfsg/program/lib/Roundcube/rcube_washtml.php 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/program/lib/Roundcube/rcube_washtml.php 2023-10-14 18:17:17.000000000 +0200
@@ -428,16 +428,17 @@
}
}
else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397
+ $type = preg_replace('/\s/', '', $matches[1]);
+
// svg images can be insecure, we'll sanitize them
- if (stripos($matches[1], 'svg') !== false) {
+ if (stripos($type, 'svg') !== false) {
$svg = $matches[2];
- if (stripos($matches[1], ';base64') !== false) {
- $svg = base64_decode($svg);
- $type = $matches[1];
+ if (stripos($type, ';base64') !== false) {
+ $svg = base64_decode($svg);
}
else {
- $type = $matches[1] . ';base64';
+ $type .= ';base64';
}
$washer = new self($this->config);
diff -Nru roundcube-1.6.3+dfsg/program/localization/es_ES/labels.inc roundcube-1.6.4+dfsg/program/localization/es_ES/labels.inc
--- roundcube-1.6.3+dfsg/program/localization/es_ES/labels.inc 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/program/localization/es_ES/labels.inc 2023-10-14 18:17:17.000000000 +0200
@@ -231,7 +231,7 @@
$labels['searchinterval-1Y'] = 'más antiguo que un año';
$labels['searchinterval1W'] = 'más reciente que una semana';
$labels['searchinterval1M'] = 'más reciente que un mes';
-$labels['searchinterval1Y'] = 'más reciente que un mes';
+$labels['searchinterval1Y'] = 'más reciente que un año';
$labels['openinextwin'] = 'Abrir en nueva ventana';
$labels['emlsave'] = 'Descargar (.eml)';
$labels['changeformattext'] = 'Mostrar en formato de texto simple';
diff -Nru roundcube-1.6.3+dfsg/public_html/plugins/managesieve/Changelog roundcube-1.6.4+dfsg/public_html/plugins/managesieve/Changelog
--- roundcube-1.6.3+dfsg/public_html/plugins/managesieve/Changelog 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/public_html/plugins/managesieve/Changelog 2023-10-14 18:17:17.000000000 +0200
@@ -1,3 +1,4 @@
+- Fix javascript error when relational or spamtest extension is not enabled (#9139)
- Removed managesieve_usetls option (in favor of the scheme prefix in managesieve_host)
- Plugin API: Removed `port` parameter in `managesieve_connect` hook
- Plugin API: Removed `usetls` parameter in `managesieve_connect` hook
diff -Nru roundcube-1.6.3+dfsg/public_html/plugins/managesieve/managesieve.js roundcube-1.6.4+dfsg/public_html/plugins/managesieve/managesieve.js
--- roundcube-1.6.3+dfsg/public_html/plugins/managesieve/managesieve.js 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/public_html/plugins/managesieve/managesieve.js 2023-10-14 18:17:17.000000000 +0200
@@ -647,13 +647,15 @@
if (h == 'size') {
if (msg) set.push(msg);
$.each(set, function() { if (this != window) this.style.display = 'none'; });
- spamtest.style.display = 'none';
+ if (spamtest)
+ spamtest.style.display = 'none';
size.style.display = '';
}
else if (h == 'spamtest') {
if (msg) set.push(msg);
$.each(set, function() { if (this != window) this.style.display = 'none'; });
- spamtest.style.display = '';
+ if (spamtest)
+ spamtest.style.display = '';
size.style.display = 'none';
}
else if (h == 'message' && msg) {
@@ -665,11 +667,12 @@
header.style.display = h != '...' ? 'none' : '';
custstr.style.display = h != 'string' ? 'none' : '';
size.style.display = 'none';
- spamtest.style.display = 'none';
op.style.display = '';
comp.style.display = '';
mod.style.display = is_header ? '' : 'none';
trans.style.display = h == 'body' ? '' : 'none';
+ if (spamtest)
+ spamtest.style.display = 'none';
if (mime)
mime.style.display = is_header ? '' : 'none';
if (mime_part)
@@ -690,7 +693,8 @@
rule_op_select(op, id, h);
rule_mod_select(id, h, !is_header);
rule_mime_select(id);
- rule_spamtest_select(id);
+ if (spamtest)
+ rule_spamtest_select(id);
obj.style.width = h == '...' ? '40px' : '';
};
diff -Nru roundcube-1.6.3+dfsg/tests/Framework/Washtml.php roundcube-1.6.4+dfsg/tests/Framework/Washtml.php
--- roundcube-1.6.3+dfsg/tests/Framework/Washtml.php 2023-09-14 10:09:46.000000000 +0200
+++ roundcube-1.6.4+dfsg/tests/Framework/Washtml.php 2023-10-14 18:17:17.000000000 +0200
@@ -455,6 +455,24 @@
'<svg><script href="data:text/javascript,alert(1)" /><text x="20" y="20">XSS</text></svg>',
'<svg><text x="20" y="20">XSS</text></svg>'
],
+ [
+ '<html><svg><use href="data:image/s vg+xml;base64,' // space
+ . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+ . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+ '<svg><use x-washed="href"></use></svg>'
+ ],
+ [
+ '<html><svg><use href="data:image/s' . "\n" . 'vg+xml;base64,' // new-line
+ . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+ . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+ '<svg><use x-washed="href"></use></svg>'
+ ],
+ [
+ '<html><svg><use href="data:image/s vg+xml;base64,' // tab
+ . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+ . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+ '<svg><use x-washed="href"></use></svg>'
+ ],
];
}