From: Romain Beauxis Date: Sat, 26 Jan 2008 02:26:42 +0000 (+0100) Subject: Imported Debian patch 0.1~rc2-6 X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=4cef627c5cce5763d2386230a6918ef89d12027c;p=roundcube.git Imported Debian patch 0.1~rc2-6
---
diff --git a/debian/changelog b/debian/changelog
index d022326..bd10872 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+roundcube (0.1~rc2-6) unstable; urgency=high
+
+ [ Vincent Bernat ]
+ * Bug fix: "CVE-2007-6321: Cross-site scripting (XSS) vulnerability",
+ thanks to Micah Anderson (Closes: #455840). The patch is from
+ http://lists.roundcube.net/mail-archive/dev/2007-12/0000038.html and
+ provided by Robin Elfrink. It has been modified with some functions
+ stolen from Squirrelmail.
+ * Finnish debconf template, thanks to Esko Arajärvi (Closes: #458244).
+
+ [ Romain Beauxis ]
+ * Added DM-Upload-Allowed: yes to control file.
+ * Moved po-debconf to Build-Dep since it is needed for clean
+ target. Thanks to lintian.
+
+ -- Romain Beauxis Sat, 26 Jan 2008 03:26:42 +0100
+
 roundcube (0.1~rc2-5) unstable; urgency=low
 * Deal with old /etc/logrotate.d/roundcube by removing it if left
diff --git a/debian/control b/debian/control
index 804ca98..82b4690 100644
--- a/debian/control
+++ b/debian/control
@@ -3,10 +3,10 @@ Section: web
 Priority: extra
 Maintainer: Debian Roundcube Maintainers
 Uploaders: Vincent Bernat , Romain Beauxis
-Build-Depends: debhelper (>= 5), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27-1)
-Build-Depends-Indep: po-debconf
+Build-Depends: debhelper (>= 5), quilt, patchutils (>= 0.2.25), cdbs (>= 0.4.27-1), po-debconf
 Homepage: http://www.roundcube.net/
 Standards-Version: 3.7.3
+DM-Upload-Allowed: yes
 Vcs-Svn: svn://svn.debian.org/pkg-roundcube/roundcube
 Vcs-Browser: http://svn.debian.org/wsvn/pkg-roundcube/roundcube
diff --git a/debian/control.in b/debian/control.in
index 9849b2b..cb97fcf 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -3,10 +3,10 @@ Section: web
 Priority: extra
 Maintainer: Debian Roundcube Maintainers
 Uploaders: Vincent Bernat , Romain Beauxis
-Build-Depends: @cdbs@
-Build-Depends-Indep: po-debconf
+Build-Depends: @cdbs@, po-debconf
 Homepage: http://www.roundcube.net/
 Standards-Version: 3.7.3
+DM-Upload-Allowed: yes
 Vcs-Svn: svn://svn.debian.org/pkg-roundcube/roundcube
 Vcs-Browser: http://svn.debian.org/wsvn/pkg-roundcube/roundcube
diff --git a/debian/copyright b/debian/copyright
index d3ebfd1..e6a5620 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -16,6 +16,7 @@ Some files are taken from other projects :
 - lib/html2text.inc from jon@chuggnutt.com, GPL license
 - lib/{enriched,icl_commons,imap,mime,utf7}.inc from IlohaMail project, GPL license
 - lib/encoding/*.map from Unicode, Inc., with "BSD-lite" license
+ - debian/patches/xss-fix.patch contains code from Squirrelmail, GPLv2
 All licenses can be found in the corresponding source file.
diff --git a/debian/patches/series b/debian/patches/series
index af70f21..2cdc720 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ dbconfig-common_support.patch
 correct_install_path.patch
 use_packaged_tinymce.patch
 ob_gzhandler.patch
+xss-fix.patch
diff --git a/debian/patches/xss-fix.patch b/debian/patches/xss-fix.patch
new file mode 100644
index 0000000..225283c
--- /dev/null
+++ b/debian/patches/xss-fix.patch
@@ -0,0 +1,136 @@
+--- roundcube/program/steps/mail/func.inc 2007-10-17 08:50:28.000000000 +0200
++++ roundcube/program/steps/mail/func.inc 2008-01-22 21:59:30.000000000 +0100
+@@ -481,6 +481,124 @@
+ return Q($out);
+ }
+
++/* Stolen from Squirrelmail */
++function sq_deent(&$attvalue, $regex, $hex=false){
++ $ret_match = false;
++ preg_match_all($regex, $attvalue, $matches);
++ if (is_array($matches) && sizeof($matches[0]) > 0){
++ $repl = Array();
++ for ($i = 0; $i < sizeof($matches[0]); $i++){
++ $numval = $matches[1][$i];
++ if ($hex){
++ $numval = hexdec($numval);
++ }
++ $repl{$matches[0][$i]} = chr($numval);
++ }
++ $attvalue = strtr($attvalue, $repl);
++ return true;
++ } else {
++ return false;
++ }
++}
++
++/* Stolen verbatim from Squirrelmail */
++function sq_defang(&$attvalue){
++ /**
++ * Skip this if there aren't ampersands or backslashes.
++ */
++ if (strpos($attvalue, '&') === false
++ && strpos($attvalue, '\\') === false){
++ return;
++ }
++ $m = false;
++ do {
++ $m = false;
++ $m = $m || sq_deent($attvalue, '/\�*(\d+);*/s');
++ $m = $m || sq_deent($attvalue, '/\�*((\d|[a-f])+);*/si', true);
++ $m = $m || sq_deent($attvalue, '/\\\\(\d+)/s', true);
++ } while ($m == true);
++ $attvalue = stripslashes($attvalue);
++}
++
++function rcmail_html_filter($html)
++ {
++ preg_match_all('/<\/?\w+((\s+\w+(\s*=\s*(?:".*?"|\'.*?\'|[^\'">\s]+))?)+\s*|\s*)\/?>/', $html, $tags);
++
++ /* From Squirrelmail: Translate all dangerous Unicode or Shift_JIS characters which are accepted by
++ * IE as regular characters. */
++ $replace = array(array('ʟ', 'ʟ' ,/* L UNICODE IPA Extension */
++ 'ʀ', 'ʀ' ,/* R UNICODE IPA Extension */
++ 'ɴ', 'ɴ' ,/* N UNICODE IPA Extension */
++ 'E', 'E' ,/* Unicode FULLWIDTH LATIN CAPITAL LETTER E */
++ 'e', 'e' ,/* Unicode FULLWIDTH LATIN SMALL LETTER E */
++ 'X', 'X',/* Unicode FULLWIDTH LATIN CAPITAL LETTER X */
++ 'x', 'x',/* Unicode FULLWIDTH LATIN SMALL LETTER X */
++ 'P', 'P',/* Unicode FULLWIDTH LATIN CAPITAL LETTER P */
++ 'p', 'p',/* Unicode FULLWIDTH LATIN SMALL LETTER P */
++ 'R', 'R',/* Unicode FULLWIDTH LATIN CAPITAL LETTER R */
++ 'r', 'r',/* Unicode FULLWIDTH LATIN SMALL LETTER R */
++ 'S', 'S',/* Unicode FULLWIDTH LATIN CAPITAL LETTER S */
++ 's', 's',/* Unicode FULLWIDTH LATIN SMALL LETTER S */
++ 'I', 'I',/* Unicode FULLWIDTH LATIN CAPITAL LETTER I */
++ 'i', 'i',/* Unicode FULLWIDTH LATIN SMALL LETTER I */
++ 'O', 'O',/* Unicode FULLWIDTH LATIN CAPITAL LETTER O */
++ 'o', 'o',/* Unicode FULLWIDTH LATIN SMALL LETTER O */
++ 'N', 'N',/* Unicode FULLWIDTH LATIN CAPITAL LETTER N */
++ 'n', 'n',/* Unicode FULLWIDTH LATIN SMALL LETTER N */
++ 'L', 'L',/* Unicode FULLWIDTH LATIN CAPITAL LETTER L */
++ 'l', 'l',/* Unicode FULLWIDTH LATIN SMALL LETTER L */
++ 'U', 'U',/* Unicode FULLWIDTH LATIN CAPITAL LETTER U */
++ 'u', 'u',/* Unicode FULLWIDTH LATIN SMALL LETTER U */
++ 'ⁿ', 'ⁿ' ,/* Unicode SUPERSCRIPT LATIN SMALL LETTER N */
++ "\xEF\xBC\xA5", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER E */
++ /* in unicode this is some Chinese char range */
++ "\xEF\xBD\x85", /* Shift JIS FULLWIDTH LATIN SMALL LETTER E */
++ "\xEF\xBC\xB8", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER X */
++ "\xEF\xBD\x98", /* Shift JIS FULLWIDTH LATIN SMALL LETTER X */
++ "\xEF\xBC\xB0", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER P */
++ "\xEF\xBD\x90", /* Shift JIS FULLWIDTH LATIN SMALL LETTER P */
++ "\xEF\xBC\xB2", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER R */
++ "\xEF\xBD\x92", /* Shift JIS FULLWIDTH LATIN SMALL LETTER R */
++ "\xEF\xBC\xB3", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER S */
++ "\xEF\xBD\x93", /* Shift JIS FULLWIDTH LATIN SMALL LETTER S */
++ "\xEF\xBC\xA9", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER I */
++ "\xEF\xBD\x89", /* Shift JIS FULLWIDTH LATIN SMALL LETTER I */
++ "\xEF\xBC\xAF", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER O */
++ "\xEF\xBD\x8F", /* Shift JIS FULLWIDTH LATIN SMALL LETTER O */
++ "\xEF\xBC\xAE", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER N */
++ "\xEF\xBD\x8E", /* Shift JIS FULLWIDTH LATIN SMALL LETTER N */
++ "\xEF\xBC\xAC", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER L */
++ "\xEF\xBD\x8C", /* Shift JIS FULLWIDTH LATIN SMALL LETTER L */
++ "\xEF\xBC\xB5", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER U */
++ "\xEF\xBD\x95", /* Shift JIS FULLWIDTH LATIN SMALL LETTER U */
++ "\xE2\x81\xBF", /* Shift JIS FULLWIDTH SUPERSCRIPT N */
++ "\xCA\x9F", /* L UNICODE IPA Extension */
++ "\xCA\x80", /* R UNICODE IPA Extension */
++ "\xC9\xB4"), /* N UNICODE IPA Extension */
++ array('l', 'l', 'r', 'r', 'n', 'n', 'E', 'E', 'e', 'e', 'X', 'X', 'x', 'x',
++ 'P', 'P', 'p', 'p', 'R', 'R', 'r', 'r', 'S', 'S', 's', 's', 'I', 'I',
++ 'i', 'i', 'O', 'O', 'o', 'o', 'N', 'N', 'n', 'n', 'L', 'L', 'l', 'l',
++ 'U', 'U', 'u', 'u', 'n', 'n', 'E', 'e', 'X', 'x', 'P', 'p', 'R', 'r',
++ 'S', 's', 'I', 'i', 'O', 'o', 'N', 'n', 'L', 'l', 'U', 'u', 'n', 'l', 'r', 'n'));
++ if ((count($tags)>3) && (count($tags[3])>0))
++ foreach ($tags[3] as $nr=>$value)
++ {
++ /* Remove comments */
++ $newvalue = preg_replace('/(\/\*.*\*\/)/','$2',$value);
++ /* Translate dangerous characters */
++ $newvalue = str_replace($replace[0], $replace[1], $newvalue);
++ sq_defang($newvalue);
++ /* Rename dangerous CSS */
++ $newvalue = preg_replace('/expression/i', 'idiocy', $newvalue);
++ $newvalue = preg_replace('/url/i', 'idiocy', $newvalue);
++ $newattrs = preg_replace('/'.preg_quote($value, '/').'$/', $newvalue, $tags[1][$nr]);
++ $newtag = preg_replace('/'.preg_quote($tags[1][$nr], '/').'/', $newattrs, $tags[0][$nr]);
++ $html = preg_replace('/'.preg_quote($tags[0][$nr], '/').'/', $newtag, $html);
++ }
++
++ return $html;
++ }
++
+
+ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE)
+ {
+@@ -533,7 +651,7 @@
+ $body = preg_replace($remote_patterns, $remote_replaces, $body);
+ }
+
+- return Q($body, 'show', FALSE);
++ return Q(rcmail_html_filter($body), 'show', FALSE);
+ }
+
+ // text/enriched
diff --git a/debian/po/fi.po b/debian/po/fi.po
new file mode 100644
index 0000000..dc86e03
--- /dev/null
+++ b/debian/po/fi.po
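Review bot: Only the last attribute value of each tag is ever sanitised, because `$tags[3]` comes from the repeated group `(\s+\w+(\s*=\s*(...))?)+` in the preg_match_all that opens rcmail_html_filter, and PCRE keeps just the final iteration of a repeated capture; the `$`-anchored preg_replace into `$tags[1][$nr]` then rewrites only that value, and not even that when the attribute list ends in whitespace, since group 1 also swallows the trailing `\s*`. The tag regex and the comment-stripping pattern `/(\/\*.*\*\/)/` both use `.` without the `s` modifier, so a quoted value or `/* */` comment that spans a line is not captured and passes through unchanged, and the replacement `'$2'` names a group that does not exist (it removes the comment only because an unmatched reference expands to nothing). The loop should walk every attribute of `$tags[1][$nr]` and splice each filtered value back with a literal `str_replace` instead of a regex built from the value; sketch below, with sq_deent, sq_defang and the translation table unchanged. Both helper functions and rcmail_html_filter are complete within the hunk; the rcmail_print_body change is a one-line call-site update.
```php
/* … unchanged: sq_deent(), sq_defang(), $replace translation table … */
  foreach ($tags[0] as $nr => $tag)
    {
    $newtag = $tag;
    /* capture every attribute value of this tag, not just the last repetition */
    preg_match_all('/\s+\w+\s*=\s*(".*?"|\'.*?\'|[^\'">\s]+)/s', $tags[1][$nr], $attrs);
    foreach ($attrs[1] as $value)
      {
      /* Remove comments (non-greedy, across lines) */
      $newvalue = preg_replace('/\/\*.*?\*\//s', '', $value);
      /* … unchanged: character translation, sq_defang(), expression/url renaming … */
      $newtag = str_replace($value, $newvalue, $newtag);
      }
    $html = str_replace($tag, $newtag, $html);
    }
```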
@@ -0,0 +1,116 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: roundcube_0.1~rc2-4\n"
+"Report-Msgid-Bugs-To: pkg-roundcube-maintainers@lists.alioth.debian.org\n"
+"POT-Creation-Date: 2007-05-26 09:36+0200\n"
+"PO-Revision-Date: 2007-12-29 22:04+0200\n"
+"Last-Translator: Esko Arajärvi \n"
+"Language-Team: Finnish \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Poedit-Language: Finnish\n"
+"X-Poedit-Country: Finland\n"
+
+#. Type: multiselect
+#. Choices
+#: ../templates:2001
+msgid "apache"
+msgstr "apache"
+
+#. Type: multiselect
+#. Choices
+#: ../templates:2001
+msgid "apache-ssl"
+msgstr "apache-ssl"
+
+#. Type: multiselect
+#. Choices
+#: ../templates:2001
+msgid "apache-perl"
+msgstr "apache-perl"
+
+#. Type: multiselect
+#. Choices
+#: ../templates:2001
+msgid "apache2"
+msgstr "apache2"
+
+#. Type: multiselect
+#. Description
+#: ../templates:2002
+msgid "Web server(s) to configure automatically:"
+msgstr "Automaattisesti asetettavat verkkopalvelimet:"
+
+#. Type: multiselect
+#. Description
+#: ../templates:2002
+msgid "RoundCube supports any web server supported by PHP, however only Apache can be configured automatically."
+msgstr "RoundCube tukee kaikkia verkkopalvelimia, jotka tukevat PHP:ta, mutta vain Apachen asetukset voidaan tehdä automaattisesti."
+
+#. Type: multiselect
+#. Description
+#: ../templates:2002
+msgid "Please select the web server(s) that should be configured automatically for RoundCube."
+msgstr "Valitse verkkopalvelimet, joiden asetukset tulisi automaattisesti tehdä RoundCubea varten."
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid "Should the webserver(s) be restarted now?"
+msgstr "Tulisiko verkkopalvelimet käynnistää uudelleen nyt?"
+
+#. Type: boolean
+#. Description
+#: ../templates:3001
+msgid "In order to activate the new configuration, the reconfigured web server(s) have to be restarted."
+msgstr "Uusien asetusten käyttöönottamiseksi asetetut verkkopalvelimet tulee käynnistää uudelleen."
+
+#. Type: string
+#. Description
+#: ../templates:4001
+msgid "IMAP server(s) used with RoundCube:"
+msgstr "RoundCuben kanssa käytettävät IMAP-palvelimet:"
+
+#. Type: string
+#. Description
+#: ../templates:4001
+msgid "Please select the IMAP server that should be used with RoundCube."
+msgstr "Valitse IMAP-palvelimet, joita käytetään RoundCuben kanssa."
+
+#. Type: string
+#. Description
+#: ../templates:4001
+msgid "If this is left blank, a text box will be displayed at login. Entering a space-separated list of hosts will display a pull-down menu. Entering a single host will enforce using this host."
+msgstr "Jos tämä kenttä jätetään tyhjäksi, kirjautumisvaiheessa näytetään tekstikenttä. Jos kentässä on välilyönnein eroteltu lista palvelimista, kirjauduttaessa näytetään alasvetovalikko. Yhden palvelimen syöttäminen pakottaa kyseisen palvelimen käyttöön."
+
+#. Type: string
+#. Description
+#: ../templates:4001
+msgid "To use SSL connections, please enter host names as 'ssl://hostname:993'."
+msgstr "SSL-yhteydet saat käyttöön syöttämällä palvelimien verkkonimet muodossa ”ssl://verkkonimi:993”."
+
+#. Type: select
+#. Description
+#: ../templates:5001
+msgid "Default language:"
+msgstr "Oletuskieli:"
+
+#. Type: select
+#. Description
+#: ../templates:5001
+msgid "Please choose the default language for RoundCube."
+msgstr "Valitse RoundCuben oletuskieli."
+
+#. Type: select
+#. Description
+#: ../templates:5001
+msgid "This choice can be overridden by individual users in their preferences."
+msgstr "Yksittäiset käyttäjät voivat muuttaa tätä valintaa asetuksissaan."
+
+#. Type: select
+#. Description
+#: ../templates:5001
+msgid "However, the default language will be used for the login screen and the first connection of users."
+msgstr "Oletuskieltä käytetään kuitenkin kirjautumisruudussa ja käyttäjien ensimmäisen yhteyden yhteydessä."
+