diff --git a/.gitattributes b/.gitattributes
index bdb0cab..e9c2973 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -15,3 +15,6 @@
 *.PDF diff=astextplain
 *.rtf diff=astextplain
 *.RTF diff=astextplain
+
+# CRLF for patch file
+sources/patches/app-CVE-2022-29360.patch.template eol=crlf
diff --git a/README.md b/README.md
index 301842b..da7cea6 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ Lightweight multi-account webmail
 - Autocompletion of e-mail addresses.
-**Shipped version:** 1.16.0~ynh3
+**Shipped version:** 1.16.0~ynh4
 **Demo:** https://mail.rainloop.net/
diff --git a/README_fr.md b/README_fr.md
index b9d7204..78589f1 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -31,7 +31,7 @@ Lightweight multi-account webmail
 - Autocompletion of e-mail addresses.
-**Version incluse :** 1.16.0~ynh3
+**Version incluse :** 1.16.0~ynh4
 **Démo :** https://mail.rainloop.net/
diff --git a/check_process b/check_process
index d5d6577..b2db5a7 100644
--- a/check_process
+++ b/check_process
@@ -23,5 +23,5 @@ Email=
 Notification=none
 ;;; Upgrade options
 ; commit=7a48f5b9b35ff22529190f282bfcf5f56944741a
- name=Upgrade to v.1.14.0
+ name=v1.14.0
 manifest_arg=domain=DOMAIN&path=PATH&is_public=Yes&password=password&ldap=Yes&language=en&
diff --git a/conf/email b/conf/email
new file mode 100644
index 0000000..ea27f2c
--- /dev/null
+++ b/conf/email
@@ -0,0 +1,17 @@
+
+The current version of Rainloop contains a code vulnerability that can expose users emails to attackers.
+
+For more information, please refer to:
+
+- https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
+- https://forum.yunohost.org/t/security-rainloop-suffers-a-security-bug/19579
+
+We have implemented a patch in this YunoHost package to fix it.
+
+However, since Rainloop's development has been halted for a year now,
+and since its developers have yet to react to solve this critical flaw,
+we strongly encourage you to seek alternative applications to replace Rainloop.
+
+Stay safe and enjoy self-hosting!
+
+The YunoHost app packagers
diff --git a/manifest.json b/manifest.json
index 42a92cc..19651f5 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Lightweight multi-account webmail",
 "fr": "Webmail léger multi-comptes"
 },
-"version": "1.16.0~ynh3",
+"version": "1.16.0~ynh4",
 "url": "https://www.rainloop.net/",
 "upstream": {
 "license": "AGPL-3.0-or-later",
@@ -30,6 +30,14 @@
 ],
 "arguments": {
 "install" : [
+ {
+ "name": "warning",
+ "type": "display_text",
+ "ask": {
+ "en": "Rainloop is effectively unmaintained and its source code contains a security flaw (patched here). Installation is discouraged.",
+ "fr": "Rainloop n'est de facto plus maintenue, et son code source contient une faille de sécuritée (corrigée ici). Son installation est déconseillée."
+ }
+ },
 {
 "name": "domain",
 "type": "domain"
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 617666f..1066592 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
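Review bot: The French `display_text` string in the second manifest hunk has a typo, `faille de sécuritée`, which should read `faille de sécurité`; since this text is shown to every admin on the install form it is worth fixing before release. The English and French strings otherwise say the same thing.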
@@ -12,6 +12,135 @@ pkg_dependencies="php${YNH_PHP_VERSION}-json php${YNH_PHP_VERSION}-curl php${YNH
 # EXPERIMENTAL HELPERS
 #=================================================
+#!/bin/bash
+
+# Send an email to inform the administrator
+#
+# usage: ynh_send_readme_to_admin --app_message=app_message [--recipients=recipients] [--type=type]
+# | arg: -m --app_message= - The file with the content to send to the administrator.
+# | arg: -r, --recipients= - The recipients of this email. Use spaces to separate multiples recipients. - default: root
+# example: "root admin@domain"
+# If you give the name of a YunoHost user, ynh_send_readme_to_admin will find its email adress for you
+# example: "root admin@domain user1 user2"
+# | arg: -t, --type= - Type of mail, could be 'backup', 'change_url', 'install', 'remove', 'restore', 'upgrade', 'warning'
+#
+# Requires YunoHost version 4.1.0 or higher.
+ynh_send_readme_to_admin() {
+ # Declare an array to define the options of this helper.
+ declare -Ar args_array=( [m]=app_message= [r]=recipients= [t]=type= )
+ local app_message
+ local recipients
+ local type
+ # Manage arguments with getopts
+
+ ynh_handle_getopts_args "$@"
+ app_message="${app_message:-}"
+ recipients="${recipients:-root}"
+ type="${type:-install}"
+
+ # Get the value of admin_mail_html
+ admin_mail_html=$(ynh_app_setting_get $app admin_mail_html)
+ admin_mail_html="${admin_mail_html:-0}"
+
+ # Retrieve the email of users
+ find_mails () {
+ local list_mails="$1"
+ local mail
+ local recipients=" "
+ # Read each mail in argument
+ for mail in $list_mails
+ do
+ # Keep root or a real email address as it is
+ if [ "$mail" = "root" ] || echo "$mail" | grep --quiet "@"
+ then
+ recipients="$recipients $mail"
+ else
+ # But replace an user name without a domain after by its email
+ if mail=$(ynh_user_get_info "$mail" "mail" 2> /dev/null)
+ then
+ recipients="$recipients $mail"
+ fi
+ fi
+ done
+ echo "$recipients"
+ }
+ recipients=$(find_mails "$recipients")
+
+ # 
Subject base
+ local mail_subject="☁️🆈🅽🅷☁️: \`$app\`"
+
+ # Adapt the subject according to the type of mail required.
+ if [ "$type" = "backup" ]; then
+ mail_subject="$mail_subject has just been backup."
+ elif [ "$type" = "change_url" ]; then
+ mail_subject="$mail_subject has just been moved to a new URL!"
+ elif [ "$type" = "remove" ]; then
+ mail_subject="$mail_subject has just been removed!"
+ elif [ "$type" = "restore" ]; then
+ mail_subject="$mail_subject has just been restored!"
+ elif [ "$type" = "upgrade" ]; then
+ mail_subject="$mail_subject has just been upgraded!"
+ elif [ "$type" = "warning" ]; then
+ mail_subject="$mail_subject has an important message! ⚠️"
+ else # install
+ mail_subject="$mail_subject has just been installed!"
+ fi
+
+ ynh_add_config --template="$app_message" --destination="../conf/msg_to_send"
+
+ ynh_delete_file_checksum --file="../conf/msg_to_send"
+ local mail_message="This is an automated message from your beloved YunoHost server.
+Specific information for the application $app.
+$(cat "../conf/msg_to_send")"
+
+ # Store the message into a file for further modifications.
+ echo "$mail_message" > mail_to_send
+
+ # If a html email is required. Apply html tags to the message.
+ if [ "$admin_mail_html" -eq 1 ]
+ then
+ # Insert 'br' tags at each ending of lines.
+ ynh_replace_string "$" "
" mail_to_send
+
+ # Insert starting HTML tags
+ sed --in-place '1s@^@\n\n\n\n@' mail_to_send
+
+ # Keep tabulations
+ ynh_replace_string " " "\ \ " mail_to_send
+ ynh_replace_string "\t" "\ \ " mail_to_send
+
+ # Insert url links tags
+ ynh_replace_string "__URL_TAG1__\(.*\)__URL_TAG2__\(.*\)__URL_TAG3__" "\1" mail_to_send
+
+ # Insert finishing HTML tags
+ echo -e "\n\n" >> mail_to_send
+
+ # Otherwise, remove tags to keep a plain text.
+ else
+ # Remove URL tags
+ ynh_replace_string "__URL_TAG[1,3]__" "" mail_to_send
+ ynh_replace_string "__URL_TAG2__" ": " mail_to_send
+ fi
+
+ # Define binary to use for mail command
+ if [ -e /usr/bin/bsd-mailx ]
+ then
+ local mail_bin=/usr/bin/bsd-mailx
+ else
+ local mail_bin=/usr/bin/mail.mailutils
+ fi
+
+ if [ "$admin_mail_html" -eq 1 ]
+ then
+ content_type="text/html"
+ else
+ content_type="text/plain"
+ fi
+
+ # Send the email to the recipients
+ cat mail_to_send | $mail_bin -a "Content-Type: $content_type; charset=UTF-8" -s "$mail_subject" "$recipients"
+}
+
 #=================================================
 # FUTURE OFFICIAL HELPERS
 #=================================================
diff --git a/scripts/install b/scripts/install
index b5059fc..4bba9f4 100644
--- a/scripts/install
+++ b/scripts/install
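Review bot: `admin_mail_html` (set right after the getopts handling) and `content_type` (set just before the `$mail_bin` call) are assigned without `local`, so every install/upgrade script that sources `_common.sh` ends up with those names in its own scope after a call; `local admin_mail_html` and `local content_type` keep the helper self-contained, as its other variables already are. The `#!/bin/bash` line pasted above the usage comment is dead text in a file that is only ever sourced and can be dropped. The rendered message is left behind in `mail_to_send` (current directory) and `../conf/msg_to_send` once the mail has gone out; `rm -f mail_to_send ../conf/msg_to_send` after the send avoids stale copies of the admin message in the package tree. The HTML branch's replacement strings (`ynh_replace_string "$" "…"`, the `sed` prologue, the URL anchor) appear with their tags stripped in this rendering, so compare them with the original helper before copying from this page.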
@@ -87,6 +87,14 @@ ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$final_path/app"
+ynh_script_progression --message="Patching CVE-2022-29360 code vulnerability..." --weight=1
+# Deploy CVE-2022-29360 patch
+version=$(ynh_app_upstream_version)
+# FIXME because we need to apply the patch manually with --binary flag
+# while we should be able to simply use the patching feature of ynh_setup_source
+ynh_add_config --template="../sources/patches/app-CVE-2022-29360.patch.template" --destination="../sources/patches/FIXMEapp-CVE-2022-29360.patch"
+patch --silent --binary $final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php < ../sources/patches/FIXMEapp-CVE-2022-29360.patch
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@@ -203,6 +211,13 @@ ynh_script_progression --message="Reloading NGINX web server..." --weight=1
 ynh_systemd_action --service_name=nginx --action=reload
+#=================================================
+# SEND README TO ADMIN
+#=================================================
+ynh_script_progression --message="Sending ReadMe to admin..."
+
+ynh_send_readme_to_admin --app_message="../conf/email" --recipients="root" --type="warning"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 25c9a8e..4db3a40 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -63,7 +63,6 @@ fi
 if [ -z "$language" ]; then
 language="en"
 ynh_app_setting_set --app=$app --key=language --value=$language
- ynh_app_setting_delete --app=$app --key=$lang
 fi
 case "$language" in
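Review bot: The `patch` call at the end of the first `scripts/install` hunk has no check of its own that the fix landed in `HtmlUtils.php`, and `$final_path` and `$version` are unquoted in its argument; a post-condition such as `grep -q "'___xxx___'" "$final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php" && ynh_die --message="CVE-2022-29360 patch not applied"` turns a rejected hunk into a hard failure instead of an install that silently still ships the static marker. `ynh_add_config` also stores a checksum setting for the rendered `../sources/patches/FIXMEapp-CVE-2022-29360.patch` and leaves that file in the package tree; follow it with `ynh_delete_file_checksum --file="../sources/patches/FIXMEapp-CVE-2022-29360.patch"` (as `ynh_send_readme_to_admin` does for its own rendered file) or render into a temporary path. Both points apply equally to the `@@ -108,6 +112,15 @@` hunk of `scripts/upgrade`.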
@@ -79,6 +78,11 @@ case "$language" in
 ;;
 esac
+# Delete legacy lang setting
+if [ -n "$(ynh_app_setting_get --app=$app --key=lang)" ]; then
+ ynh_app_setting_delete --app=$app --key=lang
+fi
+
 # Cleaning legacy permissions
 if ynh_legacy_permissions_exists; then
 ynh_legacy_permissions_delete_all
@@ -108,6 +112,15 @@ then
 ynh_setup_source --dest_dir="$final_path/app"
 fi
+ynh_script_progression --message="Patching CVE-2022-29360 code vulnerability..." --weight=1
+ynh_print_warn --message="You should stop using Rainloop, its upstream code is not maintained anymore"
+# Deploy CVE-2022-29360 patch
+version=$(ynh_app_upstream_version)
+# FIXME because we need to apply the patch manually with --binary flag
+# while we should be able to simply use the patching feature of ynh_setup_source
+ynh_add_config --template="../sources/patches/app-CVE-2022-29360.patch.template" --destination="../sources/patches/FIXMEapp-CVE-2022-29360.patch"
+patched="$(patch --silent --binary --forward $final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php <../sources/patches/FIXMEapp-CVE-2022-29360.patch)" || echo "${patched}" | grep "Reversed (or previously applied) patch detected! Skipping patch." -q || (echo "$patched" && false);
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@@ -188,6 +201,13 @@ ynh_script_progression --message="Reloading NGINX web server..."
 ynh_systemd_action --service_name=nginx --action=reload
+#=================================================
+# SEND README TO ADMIN
+#=================================================
+ynh_script_progression --message="Sending ReadMe to admin..."
+
+ynh_send_readme_to_admin --app_message="../conf/email" --recipients="root" --type="warning"
+
 #=================================================
 # END OF SCRIPT
 #=================================================
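Review bot: The re-run guard on the `patched=…` line of the `@@ -108,6 +112,15 @@` hunk depends on grepping an exact sentence out of `patch`'s output while the same command runs with `--silent`; GNU patch's own wording of that message is not guaranteed to match the literal in the grep (its messages conventionally put two spaces after a sentence end), and `--silent` may keep it from being printed at all, in which case the `|| (echo … && false)` tail aborts the upgrade even though the file is already fixed. Testing the target file itself does not depend on `patch`'s output: apply the patch only while the static `'___xxx___'` marker is still present, and fail if it is still there afterwards, which also removes the need for `--forward`, the captured output and the unquoted `$final_path`/`$version` path. The `ynh_setup_source` call that decides whether the file is fresh sits above this hunk, so the guard must handle both a freshly extracted and an already patched file, which the marker check does.
```shell
# … unchanged: progression message, ynh_print_warn, version= and ynh_add_config …
target="$final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php"
# Patch only a file that still carries the static marker, so a re-run on an
# already patched file is a no-op without parsing patch's output.
if grep -q "'___xxx___'" "$target"; then
    patch --silent --binary "$target" < ../sources/patches/FIXMEapp-CVE-2022-29360.patch
fi
if grep -q "'___xxx___'" "$target"; then
    ynh_die --message="CVE-2022-29360 patch could not be applied to $target"
fi
```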
diff --git a/sources/patches/app-CVE-2022-29360.patch.template b/sources/patches/app-CVE-2022-29360.patch.template
new file mode 100644
index 0000000..79fceee
--- /dev/null
+++ b/sources/patches/app-CVE-2022-29360.patch.template
@@ -0,0 +1,23 @@
+diff --git a/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.php b/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.new
+index 2177627..f1e014e 100644
+--- a/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.php
++++ b/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.new
+@@ -239,7 +239,8 @@ class HtmlUtils
+ $oWrapHtml->setAttribute($sKey, $sValue);
+ }
+
+- $oWrapDom = $oDom->createElement('div', '___xxx___');
++ $rand_str = base64_encode(random_bytes(32));
++ $oWrapDom = $oDom->createElement('div', $rand_str);
+ $oWrapDom->setAttribute('data-x-div-type', 'body');
+ foreach ($aBodylAttrs as $sKey => $sValue)
+ {
+@@ -250,7 +251,7 @@ class HtmlUtils
+
+ $sWrp = $oDom->saveHTML($oWrapHtml);
+
+- $sResult = \str_replace('___xxx___', $sResult, $sWrp);
++ $sResult = \str_replace($rand_str, $sResult, $sWrp);
+ }
+
+ $sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);
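Review bot: The inner `+++` header names `HtmlUtils.new` while `---` and the `diff --git` line's first path name `HtmlUtils.php`; this is harmless today only because `scripts/install` and `scripts/upgrade` hand the target file to `patch` explicitly, but the FIXME in both scripts says the intent is to move to `ynh_setup_source`'s patching, where `patch` has to reconcile the two names itself. Suggest `+++ b/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.php` so the template describes the file it actually modifies. `random_bytes()` on the added line requires PHP 7.0 or newer; the package's `php${YNH_PHP_VERSION}-*` dependencies presumably satisfy that, but a one-line comment next to the patch step in install/upgrade recording that minimum would save the next maintainer a check.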