mirror of
https://github.com/YunoHost-Apps/rainloop_ynh.git
synced 2024-09-03 20:16:18 +02:00
commit
7991301f82
10 changed files with 220 additions and 5 deletions
3
.gitattributes
vendored
3
.gitattributes
vendored
|
@ -15,3 +15,6 @@
|
|||
*.PDF diff=astextplain
|
||||
*.rtf diff=astextplain
|
||||
*.RTF diff=astextplain
|
||||
|
||||
# CRLF for patch file
|
||||
sources/patches/app-CVE-2022-29360.patch.template eol=crlf
|
||||
|
|
|
@ -35,7 +35,7 @@ Lightweight multi-account webmail
|
|||
- Autocompletion of e-mail addresses.
|
||||
|
||||
|
||||
**Shipped version:** 1.16.0~ynh3
|
||||
**Shipped version:** 1.16.0~ynh4
|
||||
|
||||
**Demo:** https://mail.rainloop.net/
|
||||
|
||||
|
|
|
@ -31,7 +31,7 @@ Lightweight multi-account webmail
|
|||
- Autocompletion of e-mail addresses.
|
||||
|
||||
|
||||
**Version incluse :** 1.16.0~ynh3
|
||||
**Version incluse :** 1.16.0~ynh4
|
||||
|
||||
**Démo :** https://mail.rainloop.net/
|
||||
|
||||
|
|
|
@ -23,5 +23,5 @@ Email=
|
|||
Notification=none
|
||||
;;; Upgrade options
|
||||
; commit=7a48f5b9b35ff22529190f282bfcf5f56944741a
|
||||
name=Upgrade to v.1.14.0
|
||||
name=v1.14.0
|
||||
manifest_arg=domain=DOMAIN&path=PATH&is_public=Yes&password=password&ldap=Yes&language=en&
|
||||
|
|
17
conf/email
Normal file
17
conf/email
Normal file
|
@ -0,0 +1,17 @@
|
|||
|
||||
The current version of Rainloop contains a code vulnerability that can expose users emails to attackers.
|
||||
|
||||
For more information, please refer to:
|
||||
|
||||
- https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
|
||||
- https://forum.yunohost.org/t/security-rainloop-suffers-a-security-bug/19579
|
||||
|
||||
We have implemented a patch in this YunoHost package to fix it.
|
||||
|
||||
However, since Rainloop's development has been halted for a year now,
|
||||
and since its developers have yet to react to solve this critical flaw,
|
||||
we strongly encourage you to seek alternative applications to replace Rainloop.
|
||||
|
||||
Stay safe and enjoy self-hosting!
|
||||
|
||||
The YunoHost app packagers
|
|
@ -6,7 +6,7 @@
|
|||
"en": "Lightweight multi-account webmail",
|
||||
"fr": "Webmail léger multi-comptes"
|
||||
},
|
||||
"version": "1.16.0~ynh3",
|
||||
"version": "1.16.0~ynh4",
|
||||
"url": "https://www.rainloop.net/",
|
||||
"upstream": {
|
||||
"license": "AGPL-3.0-or-later",
|
||||
|
@ -30,6 +30,14 @@
|
|||
],
|
||||
"arguments": {
|
||||
"install" : [
|
||||
{
|
||||
"name": "warning",
|
||||
"type": "display_text",
|
||||
"ask": {
|
||||
"en": "Rainloop is effectively unmaintained and its source code contains a security flaw (patched here). Installation is discouraged.",
|
||||
"fr": "Rainloop n'est de facto plus maintenue, et son code source contient une faille de sécuritée (corrigée ici). Son installation est déconseillée."
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "domain",
|
||||
"type": "domain"
|
||||
|
|
|
@ -12,6 +12,135 @@ pkg_dependencies="php${YNH_PHP_VERSION}-json php${YNH_PHP_VERSION}-curl php${YNH
|
|||
# EXPERIMENTAL HELPERS
|
||||
#=================================================
|
||||
|
||||
#!/bin/bash
|
||||
|
||||
# Send an email to inform the administrator
|
||||
#
|
||||
# usage: ynh_send_readme_to_admin --app_message=app_message [--recipients=recipients] [--type=type]
|
||||
# | arg: -m --app_message= - The file with the content to send to the administrator.
|
||||
# | arg: -r, --recipients= - The recipients of this email. Use spaces to separate multiples recipients. - default: root
|
||||
# example: "root admin@domain"
|
||||
# If you give the name of a YunoHost user, ynh_send_readme_to_admin will find its email adress for you
|
||||
# example: "root admin@domain user1 user2"
|
||||
# | arg: -t, --type= - Type of mail, could be 'backup', 'change_url', 'install', 'remove', 'restore', 'upgrade', 'warning'
|
||||
#
|
||||
# Requires YunoHost version 4.1.0 or higher.
|
||||
ynh_send_readme_to_admin() {
|
||||
# Declare an array to define the options of this helper.
|
||||
declare -Ar args_array=( [m]=app_message= [r]=recipients= [t]=type= )
|
||||
local app_message
|
||||
local recipients
|
||||
local type
|
||||
# Manage arguments with getopts
|
||||
|
||||
ynh_handle_getopts_args "$@"
|
||||
app_message="${app_message:-}"
|
||||
recipients="${recipients:-root}"
|
||||
type="${type:-install}"
|
||||
|
||||
# Get the value of admin_mail_html
|
||||
admin_mail_html=$(ynh_app_setting_get $app admin_mail_html)
|
||||
admin_mail_html="${admin_mail_html:-0}"
|
||||
|
||||
# Retrieve the email of users
|
||||
find_mails () {
|
||||
local list_mails="$1"
|
||||
local mail
|
||||
local recipients=" "
|
||||
# Read each mail in argument
|
||||
for mail in $list_mails
|
||||
do
|
||||
# Keep root or a real email address as it is
|
||||
if [ "$mail" = "root" ] || echo "$mail" | grep --quiet "@"
|
||||
then
|
||||
recipients="$recipients $mail"
|
||||
else
|
||||
# But replace an user name without a domain after by its email
|
||||
if mail=$(ynh_user_get_info "$mail" "mail" 2> /dev/null)
|
||||
then
|
||||
recipients="$recipients $mail"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
echo "$recipients"
|
||||
}
|
||||
recipients=$(find_mails "$recipients")
|
||||
|
||||
# Subject base
|
||||
local mail_subject="☁️🆈🅽🅷☁️: \`$app\`"
|
||||
|
||||
# Adapt the subject according to the type of mail required.
|
||||
if [ "$type" = "backup" ]; then
|
||||
mail_subject="$mail_subject has just been backup."
|
||||
elif [ "$type" = "change_url" ]; then
|
||||
mail_subject="$mail_subject has just been moved to a new URL!"
|
||||
elif [ "$type" = "remove" ]; then
|
||||
mail_subject="$mail_subject has just been removed!"
|
||||
elif [ "$type" = "restore" ]; then
|
||||
mail_subject="$mail_subject has just been restored!"
|
||||
elif [ "$type" = "upgrade" ]; then
|
||||
mail_subject="$mail_subject has just been upgraded!"
|
||||
elif [ "$type" = "warning" ]; then
|
||||
mail_subject="$mail_subject has an important message! ⚠️"
|
||||
else # install
|
||||
mail_subject="$mail_subject has just been installed!"
|
||||
fi
|
||||
|
||||
ynh_add_config --template="$app_message" --destination="../conf/msg_to_send"
|
||||
|
||||
ynh_delete_file_checksum --file="../conf/msg_to_send"
|
||||
local mail_message="This is an automated message from your beloved YunoHost server.
|
||||
Specific information for the application $app.
|
||||
$(cat "../conf/msg_to_send")"
|
||||
|
||||
# Store the message into a file for further modifications.
|
||||
echo "$mail_message" > mail_to_send
|
||||
|
||||
# If a html email is required. Apply html tags to the message.
|
||||
if [ "$admin_mail_html" -eq 1 ]
|
||||
then
|
||||
# Insert 'br' tags at each ending of lines.
|
||||
ynh_replace_string "$" "<br>" mail_to_send
|
||||
|
||||
# Insert starting HTML tags
|
||||
sed --in-place '1s@^@<!DOCTYPE html>\n<html>\n<head></head>\n<body>\n@' mail_to_send
|
||||
|
||||
# Keep tabulations
|
||||
ynh_replace_string " " "\ \ " mail_to_send
|
||||
ynh_replace_string "\t" "\ \ " mail_to_send
|
||||
|
||||
# Insert url links tags
|
||||
ynh_replace_string "__URL_TAG1__\(.*\)__URL_TAG2__\(.*\)__URL_TAG3__" "<a href=\"\2\">\1</a>" mail_to_send
|
||||
|
||||
# Insert finishing HTML tags
|
||||
echo -e "\n</body>\n</html>" >> mail_to_send
|
||||
|
||||
# Otherwise, remove tags to keep a plain text.
|
||||
else
|
||||
# Remove URL tags
|
||||
ynh_replace_string "__URL_TAG[1,3]__" "" mail_to_send
|
||||
ynh_replace_string "__URL_TAG2__" ": " mail_to_send
|
||||
fi
|
||||
|
||||
# Define binary to use for mail command
|
||||
if [ -e /usr/bin/bsd-mailx ]
|
||||
then
|
||||
local mail_bin=/usr/bin/bsd-mailx
|
||||
else
|
||||
local mail_bin=/usr/bin/mail.mailutils
|
||||
fi
|
||||
|
||||
if [ "$admin_mail_html" -eq 1 ]
|
||||
then
|
||||
content_type="text/html"
|
||||
else
|
||||
content_type="text/plain"
|
||||
fi
|
||||
|
||||
# Send the email to the recipients
|
||||
cat mail_to_send | $mail_bin -a "Content-Type: $content_type; charset=UTF-8" -s "$mail_subject" "$recipients"
|
||||
}
|
||||
|
||||
#=================================================
|
||||
# FUTURE OFFICIAL HELPERS
|
||||
#=================================================
|
||||
|
|
|
@ -87,6 +87,14 @@ ynh_app_setting_set --app=$app --key=final_path --value=$final_path
|
|||
# Download, check integrity, uncompress and patch the source from app.src
|
||||
ynh_setup_source --dest_dir="$final_path/app"
|
||||
|
||||
ynh_script_progression --message="Patching CVE-2022-29360 code vulnerability..." --weight=1
|
||||
# Deploy CVE-2022-29360 patch
|
||||
version=$(ynh_app_upstream_version)
|
||||
# FIXME because we need to apply the patch manually with --binary flag
|
||||
# while we should be able to simply use the patching feature of ynh_setup_source
|
||||
ynh_add_config --template="../sources/patches/app-CVE-2022-29360.patch.template" --destination="../sources/patches/FIXMEapp-CVE-2022-29360.patch"
|
||||
patch --silent --binary $final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php < ../sources/patches/FIXMEapp-CVE-2022-29360.patch
|
||||
|
||||
#=================================================
|
||||
# NGINX CONFIGURATION
|
||||
#=================================================
|
||||
|
@ -203,6 +211,13 @@ ynh_script_progression --message="Reloading NGINX web server..." --weight=1
|
|||
|
||||
ynh_systemd_action --service_name=nginx --action=reload
|
||||
|
||||
#=================================================
|
||||
# SEND README TO ADMIN
|
||||
#=================================================
|
||||
ynh_script_progression --message="Sending ReadMe to admin..."
|
||||
|
||||
ynh_send_readme_to_admin --app_message="../conf/email" --recipients="root" --type="warning"
|
||||
|
||||
#=================================================
|
||||
# END OF SCRIPT
|
||||
#=================================================
|
||||
|
|
|
@ -63,7 +63,6 @@ fi
|
|||
if [ -z "$language" ]; then
|
||||
language="en"
|
||||
ynh_app_setting_set --app=$app --key=language --value=$language
|
||||
ynh_app_setting_delete --app=$app --key=$lang
|
||||
fi
|
||||
|
||||
case "$language" in
|
||||
|
@ -79,6 +78,11 @@ case "$language" in
|
|||
;;
|
||||
esac
|
||||
|
||||
# Delete legacy lang setting
|
||||
if [ -n "$(ynh_app_setting_get --app=$app --key=lang)" ]; then
|
||||
ynh_app_setting_delete --app=$app --key=lang
|
||||
fi
|
||||
|
||||
# Cleaning legacy permissions
|
||||
if ynh_legacy_permissions_exists; then
|
||||
ynh_legacy_permissions_delete_all
|
||||
|
@ -108,6 +112,15 @@ then
|
|||
ynh_setup_source --dest_dir="$final_path/app"
|
||||
fi
|
||||
|
||||
ynh_script_progression --message="Patching CVE-2022-29360 code vulnerability..." --weight=1
|
||||
ynh_print_warn --message="You should stop using Rainloop, its upstream code is not maintained anymore"
|
||||
# Deploy CVE-2022-29360 patch
|
||||
version=$(ynh_app_upstream_version)
|
||||
# FIXME because we need to apply the patch manually with --binary flag
|
||||
# while we should be able to simply use the patching feature of ynh_setup_source
|
||||
ynh_add_config --template="../sources/patches/app-CVE-2022-29360.patch.template" --destination="../sources/patches/FIXMEapp-CVE-2022-29360.patch"
|
||||
patched="$(patch --silent --binary --forward $final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php <../sources/patches/FIXMEapp-CVE-2022-29360.patch)" || echo "${patched}" | grep "Reversed (or previously applied) patch detected! Skipping patch." -q || (echo "$patched" && false);
|
||||
|
||||
#=================================================
|
||||
# NGINX CONFIGURATION
|
||||
#=================================================
|
||||
|
@ -188,6 +201,13 @@ ynh_script_progression --message="Reloading NGINX web server..."
|
|||
|
||||
ynh_systemd_action --service_name=nginx --action=reload
|
||||
|
||||
#=================================================
|
||||
# SEND README TO ADMIN
|
||||
#=================================================
|
||||
ynh_script_progression --message="Sending ReadMe to admin..."
|
||||
|
||||
ynh_send_readme_to_admin --app_message="../conf/email" --recipients="root" --type="warning"
|
||||
|
||||
#=================================================
|
||||
# END OF SCRIPT
|
||||
#=================================================
|
||||
|
|
23
sources/patches/app-CVE-2022-29360.patch.template
Normal file
23
sources/patches/app-CVE-2022-29360.patch.template
Normal file
|
@ -0,0 +1,23 @@
|
|||
diff --git a/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.php b/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.new
|
||||
index 2177627..f1e014e 100644
|
||||
--- a/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.php
|
||||
+++ b/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.new
|
||||
@@ -239,7 +239,8 @@ class HtmlUtils
|
||||
$oWrapHtml->setAttribute($sKey, $sValue);
|
||||
}
|
||||
|
||||
- $oWrapDom = $oDom->createElement('div', '___xxx___');
|
||||
+ $rand_str = base64_encode(random_bytes(32));
|
||||
+ $oWrapDom = $oDom->createElement('div', $rand_str);
|
||||
$oWrapDom->setAttribute('data-x-div-type', 'body');
|
||||
foreach ($aBodylAttrs as $sKey => $sValue)
|
||||
{
|
||||
@@ -250,7 +251,7 @@ class HtmlUtils
|
||||
|
||||
$sWrp = $oDom->saveHTML($oWrapHtml);
|
||||
|
||||
- $sResult = \str_replace('___xxx___', $sResult, $sWrp);
|
||||
+ $sResult = \str_replace($rand_str, $sResult, $sWrp);
|
||||
}
|
||||
|
||||
$sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);
|
Loading…
Reference in a new issue