Always apply patch in upgrade and add warnings

conf/email

@@ -0,0 +1,12 @@
+The current version of Rainloop contains a code vulnerability that can expose users emails to attackers.
+
+For more information, please refer to:
+
+- https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
+- https://forum.yunohost.org/t/security-rainloop-suffers-a-security-bug/19579
+
+We have implemented a patch in this YunoHost package to fix it.
+
+However, since Rainloop's development has been halted for a year now, and since its developers
+have yet to react to solve this critical flaw, we strongly encourage you to seek alternative
+applications to replace Rainloop.

manifest.json

@@ -30,6 +30,14 @@
 	],
 	"arguments": {
 		"install" : [
+			{
+			"name": "warning",
+			"type": "display_text",
+				"ask": {
+					"en": "Rainloop is effectively unmaintained and its source code contains a security flaw (patched here). Installation is discouraged.",
+					"fr": "Rainloop n'est de facto plus maintenue, et son code source contient une faille de sécuritée (corrigée ici). Son installation est déconseillée."
+				}
+			},
 			{
 				"name": "domain",
 				"type": "domain"

scripts/_common.sh

@@ -12,6 +12,135 @@ pkg_dependencies="php${YNH_PHP_VERSION}-json php${YNH_PHP_VERSION}-curl php${YNH
 # EXPERIMENTAL HELPERS
 #=================================================
 
+#!/bin/bash
+
+# Send an email to inform the administrator
+#
+# usage: ynh_send_readme_to_admin --app_message=app_message [--recipients=recipients] [--type=type]
+# | arg: -m --app_message= - The file with the content to send to the administrator.
+# | arg: -r, --recipients= - The recipients of this email. Use spaces to separate multiples recipients. - default: root
+#	example: "root admin@domain"
+#	If you give the name of a YunoHost user, ynh_send_readme_to_admin will find its email adress for you
+#	example: "root admin@domain user1 user2"
+# | arg: -t, --type= - Type of mail, could be 'backup', 'change_url', 'install', 'remove', 'restore', 'upgrade', 'warning'
+#
+# Requires YunoHost version 4.1.0 or higher.
+ynh_send_readme_to_admin() {
+	# Declare an array to define the options of this helper.
+	declare -Ar args_array=( [m]=app_message= [r]=recipients= [t]=type= )
+	local app_message
+	local recipients
+	local type
+	# Manage arguments with getopts
+
+	ynh_handle_getopts_args "$@"
+	app_message="${app_message:-}"
+	recipients="${recipients:-root}"
+	type="${type:-install}"
+
+	# Get the value of admin_mail_html
+	admin_mail_html=$(ynh_app_setting_get $app admin_mail_html)
+	admin_mail_html="${admin_mail_html:-0}"
+
+	# Retrieve the email of users
+	find_mails () {
+		local list_mails="$1"
+		local mail
+		local recipients=" "
+		# Read each mail in argument
+		for mail in $list_mails
+		do
+			# Keep root or a real email address as it is
+			if [ "$mail" = "root" ] || echo "$mail" | grep --quiet "@"
+			then
+				recipients="$recipients $mail"
+			else
+				# But replace an user name without a domain after by its email
+				if mail=$(ynh_user_get_info "$mail" "mail" 2> /dev/null)
+				then
+					recipients="$recipients $mail"
+				fi
+			fi
+		done
+		echo "$recipients"
+	}
+	recipients=$(find_mails "$recipients")
+
+	# Subject base
+	local mail_subject="☁️🆈🅽🅷☁️: \`$app\`"
+
+	# Adapt the subject according to the type of mail required.
+	if [ "$type" = "backup" ]; then
+		mail_subject="$mail_subject has just been backup."
+	elif [ "$type" = "change_url" ]; then
+		mail_subject="$mail_subject has just been moved to a new URL!"
+	elif [ "$type" = "remove" ]; then
+		mail_subject="$mail_subject has just been removed!"
+	elif [ "$type" = "restore" ]; then
+		mail_subject="$mail_subject has just been restored!"
+	elif [ "$type" = "upgrade" ]; then
+		mail_subject="$mail_subject has just been upgraded!"
+	elif [ "$type" = "warning" ]; then
+		mail_subject="$mail_subject has an important message! ⚠️"
+	else	# install
+		mail_subject="$mail_subject has just been installed!"
+	fi
+
+	ynh_add_config --template="$app_message" --destination="../conf/msg_to_send"
+
+	ynh_delete_file_checksum --file="../conf/msg_to_send"
+	local mail_message="This is an automated message from your beloved YunoHost server.
+Specific information for the application $app.
+$(cat "../conf/msg_to_send")"
+
+	# Store the message into a file for further modifications.
+	echo "$mail_message" > mail_to_send
+
+	# If a html email is required. Apply html tags to the message.
+ 	if [ "$admin_mail_html" -eq 1 ]
+ 	then
+		# Insert 'br' tags at each ending of lines.
+		ynh_replace_string "$" "<br>" mail_to_send
+
+		# Insert starting HTML tags
+		sed --in-place '1s@^@<!DOCTYPE html>\n<html>\n<head></head>\n<body>\n@' mail_to_send
+
+		# Keep tabulations
+		ynh_replace_string "  " "\&#160;\&#160;" mail_to_send
+		ynh_replace_string "\t" "\&#160;\&#160;" mail_to_send
+
+		# Insert url links tags
+		ynh_replace_string "__URL_TAG1__\(.*\)__URL_TAG2__\(.*\)__URL_TAG3__" "<a href=\"\2\">\1</a>" mail_to_send
+
+		# Insert finishing HTML tags
+		echo -e "\n</body>\n</html>" >> mail_to_send
+
+	# Otherwise, remove tags to keep a plain text.
+	else
+		# Remove URL tags
+		ynh_replace_string "__URL_TAG[1,3]__" "" mail_to_send
+		ynh_replace_string "__URL_TAG2__" ": " mail_to_send
+	fi
+
+	# Define binary to use for mail command
+	if [ -e /usr/bin/bsd-mailx ]
+	then
+		local mail_bin=/usr/bin/bsd-mailx
+	else
+		local mail_bin=/usr/bin/mail.mailutils
+	fi
+
+	if [ "$admin_mail_html" -eq 1 ]
+	then
+		content_type="text/html"
+	else
+		content_type="text/plain"
+	fi
+
+	# Send the email to the recipients
+	cat mail_to_send | $mail_bin -a "Content-Type: $content_type; charset=UTF-8" -s "$mail_subject" "$recipients"
+}
+
 #=================================================
 # FUTURE OFFICIAL HELPERS
 #=================================================

scripts/install

@@ -87,6 +87,7 @@ ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$final_path/app"
 
+ynh_script_progression --message="Patching CVE-2022-29360 code vulnerability..." --weight=1
 # Deploy CVE-2022-29360 patch
 version=$(ynh_app_upstream_version)
 # FIXME because we need to apply the patch manually with --binary flag

scripts/upgrade

@@ -110,14 +110,16 @@ then
 
 	# Download, check integrity, uncompress and patch the source from app.src
 	ynh_setup_source --dest_dir="$final_path/app"
+fi
 
+ynh_script_progression --message="Patching CVE-2022-29360 code vulnerability..." --weight=1
+ynh_print_warn --message="You should stop using Rainloop, its upstream code is not maintained anymore"
 # Deploy CVE-2022-29360 patch
 version=$(ynh_app_upstream_version)
 # FIXME because we need to apply the patch manually with --binary flag
 # while we should be able to simply use the patching feature of ynh_setup_source
 ynh_add_config --template="../sources/patches/app-CVE-2022-29360.patch.template" --destination="../sources/patches/FIXMEapp-CVE-2022-29360.patch"
 patched="$(patch --silent --binary --forward $final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php <../sources/patches/FIXMEapp-CVE-2022-29360.patch)" || echo "${patched}" | grep "Reversed (or previously applied) patch detected!  Skipping patch." -q || (echo "$patched" && false);
-fi
 
 #=================================================
 # NGINX CONFIGURATION
@@ -199,6 +201,13 @@ ynh_script_progression --message="Reloading NGINX web server..."
 
 ynh_systemd_action --service_name=nginx --action=reload
 
+#=================================================
+# SEND README TO ADMIN
+#=================================================
+ynh_script_progression --message="Sending ReadMe to admin..."
+
+ynh_send_readme_to_admin --app_message="../conf/email" --recipients="root" --type="warning"
+
 #=================================================
 # END OF SCRIPT
 #=================================================