YunoHost-Apps/rainloop_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/rainloop_ynh.git synced 2024-09-03 20:16:18 +02:00
Code Issues Activity Actions

Add patch for CVE-2022-29360

Browse source
This commit is contained in:
tituspijean 2022-04-24 22:44:36 +02:00
parent 568e2185ba
commit 47ad0af21e
No known key found for this signature in database
GPG key ID: EF3B0D7CC0A94720
3 changed files with 37 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
scripts/install
View file

@ -87,6 +87,13 @@ ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# Download, check integrity, uncompress and patch the source from app.src # Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path/app" ynh_setup_source --dest_dir="$final_path/app"
# Deploy CVE-2022-29360 patch
version=$(ynh_app_upstream_version)
# FIXME because we need to apply the patch manually with --binary flag
# while we should be able to simply use the patching feature of ynh_setup_source
ynh_add_config --template="../sources/patches/app-CVE-2022-29360.patch.template" --destination="../sources/patches/FIXMEapp-CVE-2022-29360.patch"
patch --binary $final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php < ../sources/patches/FIXMEapp-CVE-2022-29360.patch
#================================================= #=================================================
# NGINX CONFIGURATION # NGINX CONFIGURATION
#================================================= #=================================================

7
scripts/upgrade
View file

@ -106,6 +106,13 @@ then
# Download, check integrity, uncompress and patch the source from app.src # Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path/app" ynh_setup_source --dest_dir="$final_path/app"
# Deploy CVE-2022-29360 patch
version=$(ynh_app_upstream_version)
# FIXME because we need to apply the patch manually with --binary flag
# while we should be able to simply use the patching feature of ynh_setup_source
ynh_add_config --template="../sources/patches/app-CVE-2022-29360.patch.template" --destination="../sources/patches/FIXMEapp-CVE-2022-29360.patch"
patch --binary $final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php <../sources/patches/FIXMEapp-CVE-2022-29360.patch
fi fi
#================================================= #=================================================

23
sources/patches/app-CVE-2022-29360.patch.template Normal file
View file

@ -0,0 +1,23 @@
diff --git a/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.php b/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.new
index 2177627..f1e014e 100644
--- a/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.php
+++ b/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.new
@@ -239,7 +239,8 @@ class HtmlUtils
$oWrapHtml->setAttribute($sKey, $sValue);
}
- $oWrapDom = $oDom->createElement('div', '___xxx___');
+ $rand_str = base64_encode(random_bytes(32));
+ $oWrapDom = $oDom->createElement('div', $rand_str);
$oWrapDom->setAttribute('data-x-div-type', 'body');
foreach ($aBodylAttrs as $sKey => $sValue)
{
@@ -250,7 +251,7 @@ class HtmlUtils
$sWrp = $oDom->saveHTML($oWrapHtml);
- $sResult = \str_replace('___xxx___', $sResult, $sWrp);
+ $sResult = \str_replace($rand_str, $sResult, $sWrp);
}
$sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);