From: Vincent Bernat Date: Sat, 14 Mar 2009 16:55:28 +0000 (+0000) Subject: Prepare new release 0.2.1 X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=20c4a5d7310e222a457f9e73b81c63941bb25afd;p=roundcube.git Prepare new release 0.2.1 --- diff --git a/debian/changelog b/debian/changelog index 5cc61b2..741708e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +roundcube (0.2.1-1) unstable; urgency=low + + * New upstream release: + + Fix use_packaged_tinymce.patch to apply to this new version + + Remove cve-2009-0413.patch which has been applied upstream + + -- Vincent Bernat Sat, 14 Mar 2009 17:42:07 +0100 + roundcube (0.2~stable-2) unstable; urgency=low * Update debconf translations: diff --git a/debian/patches/cve-2009-0413.patch b/debian/patches/cve-2009-0413.patch deleted file mode 100644 index 8b4349b..0000000 --- a/debian/patches/cve-2009-0413.patch +++ /dev/null @@ -1,45 +0,0 @@ -Fix CVE-2009-0413 by handling carefully background attribute. ---- roundcubemail/CHANGELOG (revision 2242) -+++ roundcubemail/CHANGELOG (revision 2245) -@@ -1,4 +1,8 @@ - CHANGELOG RoundCube Webmail - --------------------------- -+ -+2009/01/20 (thomasb) -+---------- -+- Fix XSS vulnerability through background attributes as reported by Julien Cayssol - - 2009/01/18 (alec) ---- roundcubemail/program/lib/washtml.php (revision 1811) -+++ roundcubemail/program/lib/washtml.php (revision 2245) -@@ -81,5 +81,5 @@ - - /* Allowed HTML attributes */ -- static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir', 'background'); -+ static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir'); - - /* State for linked objects in HTML */ -@@ -161,13 +161,13 @@ - $value = $node->getAttribute($key); - if(isset($this->_html_attribs[$key]) || -- ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.*/i', $value))) -+ ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.+/i', $value))) - $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"'; - else if($key == 'style' && ($style = $this->wash_style($value))) - $t .= ' style="' . $style . '"'; -- else if($key == 'src' && strtolower($node->tagName) == 'img') { //check tagName anyway -+ else if($key == 'background' || ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway - if($src = $this->config['cid_map'][$value]) { - $t .= ' ' . $key . '="' . htmlspecialchars($src, ENT_QUOTES) . '"'; - } -- else if(preg_match('/^(http|https|ftp):.*/i', $value)) { -+ else if(preg_match('/^(http|https|ftp):.+/i', $value)) { - if($this->config['allow_remote']) - $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"'; -@@ -175,5 +175,5 @@ - $this->extlinks = true; - if ($this->config['blocked_src']) -- $t .= ' src="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"'; -+ $t .= ' ' . $key . '="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"'; - } - } diff --git a/debian/patches/series b/debian/patches/series index 8e2bd18..e148aed 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,5 +2,4 @@ dbconfig-common_support.patch correct_install_path.patch use_packaged_tinymce.patch correct-magic-path.patch -cve-2009-0413.patch too-old-mdb2.patch diff --git a/debian/patches/use_packaged_tinymce.patch b/debian/patches/use_packaged_tinymce.patch index 7b3a1ff..f2a7a91 100644 --- a/debian/patches/use_packaged_tinymce.patch +++ b/debian/patches/use_packaged_tinymce.patch @@ -4,10 +4,10 @@ Use tinymce from tinycme package instead of the shipped one. +++ roundcube-0.1~rc2/program/steps/mail/sendmail.inc 2007-11-26 11:44:04.000000000 +0100 @@ -123,7 +123,7 @@ - // sanitize image name so resulting attachment doesn't leave images dir - $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i','',$image_name); -- $img_file = INSTALL_PATH . '/' . $searchstr . $image_name; -+ $img_file = '/usr/share/tinymce/www/plugins/emotions/img/' . $image_name; + // sanitize image name so resulting attachment doesn't leave images dir + $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i', '', $image_name); +- $img_file = INSTALL_PATH . '/' . $searchstr . $image_name; ++ $img_file = '/usr/share/tinymce/www/plugins/emotions/img/' . $image_name; - if (! in_array($image_name, $included_images)) - { + if (! in_array($image_name, $included_images)) { + // add the image to the MIME message