Merge pull request #89 from YunoHost-Apps/sec-patch

Fix CVE-2022-29360

.gitattributes

@@ -15,3 +15,6 @@
 *.PDF	 diff=astextplain
 *.rtf	 diff=astextplain
 *.RTF	 diff=astextplain
+
+# CRLF for patch file
+sources/patches/app-CVE-2022-29360.patch.template eol=crlf

README.md

@@ -35,7 +35,7 @@ Lightweight multi-account webmail
 - Autocompletion of e-mail addresses.
 
 
-**Shipped version:** 1.16.0~ynh3
+**Shipped version:** 1.16.0~ynh4
 
 **Demo:** https://mail.rainloop.net/
 

README_fr.md

@@ -31,7 +31,7 @@ Lightweight multi-account webmail
 - Autocompletion of e-mail addresses.
 
 
-**Version incluse :** 1.16.0~ynh3
+**Version incluse :** 1.16.0~ynh4
 
 **Démo :** https://mail.rainloop.net/
 

check_process

@@ -23,5 +23,5 @@ Email=
 Notification=none
 ;;; Upgrade options
 	; commit=7a48f5b9b35ff22529190f282bfcf5f56944741a
-		name=Upgrade to v.1.14.0
+		name=v1.14.0
 		manifest_arg=domain=DOMAIN&path=PATH&is_public=Yes&password=password&ldap=Yes&language=en&

conf/email

@@ -0,0 +1,17 @@
+
+The current version of Rainloop contains a code vulnerability that can expose users emails to attackers.
+
+For more information, please refer to:
+
+- https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
+- https://forum.yunohost.org/t/security-rainloop-suffers-a-security-bug/19579
+
+We have implemented a patch in this YunoHost package to fix it.
+
+However, since Rainloop's development has been halted for a year now, 
+and since its developers have yet to react to solve this critical flaw, 
+we strongly encourage you to seek alternative applications to replace Rainloop.
+
+Stay safe and enjoy self-hosting!
+
+The YunoHost app packagers

manifest.json

@@ -6,7 +6,7 @@
 		"en": "Lightweight multi-account webmail",
 		"fr": "Webmail léger multi-comptes"
 	},
-	"version": "1.16.0~ynh3",
+	"version": "1.16.0~ynh4",
 	"url": "https://www.rainloop.net/",
 	"upstream": {
         "license": "AGPL-3.0-or-later",
@@ -30,6 +30,14 @@
 	],
 	"arguments": {
 		"install" : [
+			{
+			"name": "warning",
+			"type": "display_text",
+				"ask": {
+					"en": "Rainloop is effectively unmaintained and its source code contains a security flaw (patched here). Installation is discouraged.",
+					"fr": "Rainloop n'est de facto plus maintenue, et son code source contient une faille de sécuritée (corrigée ici). Son installation est déconseillée."
+				}
+			},
 			{
 				"name": "domain",
 				"type": "domain"

scripts/_common.sh

@@ -12,6 +12,135 @@ pkg_dependencies="php${YNH_PHP_VERSION}-json php${YNH_PHP_VERSION}-curl php${YNH
 # EXPERIMENTAL HELPERS
 #=================================================
 
+#!/bin/bash
+
+# Send an email to inform the administrator
+#
+# usage: ynh_send_readme_to_admin --app_message=app_message [--recipients=recipients] [--type=type]
+# | arg: -m --app_message= - The file with the content to send to the administrator.
+# | arg: -r, --recipients= - The recipients of this email. Use spaces to separate multiples recipients. - default: root
+#	example: "root admin@domain"
+#	If you give the name of a YunoHost user, ynh_send_readme_to_admin will find its email adress for you
+#	example: "root admin@domain user1 user2"
+# | arg: -t, --type= - Type of mail, could be 'backup', 'change_url', 'install', 'remove', 'restore', 'upgrade', 'warning'
+#
+# Requires YunoHost version 4.1.0 or higher.
+ynh_send_readme_to_admin() {
+	# Declare an array to define the options of this helper.
+	declare -Ar args_array=( [m]=app_message= [r]=recipients= [t]=type= )
+	local app_message
+	local recipients
+	local type
+	# Manage arguments with getopts
+
+	ynh_handle_getopts_args "$@"
+	app_message="${app_message:-}"
+	recipients="${recipients:-root}"
+	type="${type:-install}"
+
+	# Get the value of admin_mail_html
+	admin_mail_html=$(ynh_app_setting_get $app admin_mail_html)
+	admin_mail_html="${admin_mail_html:-0}"
+
+	# Retrieve the email of users
+	find_mails () {
+		local list_mails="$1"
+		local mail
+		local recipients=" "
+		# Read each mail in argument
+		for mail in $list_mails
+		do
+			# Keep root or a real email address as it is
+			if [ "$mail" = "root" ] || echo "$mail" | grep --quiet "@"
+			then
+				recipients="$recipients $mail"
+			else
+				# But replace an user name without a domain after by its email
+				if mail=$(ynh_user_get_info "$mail" "mail" 2> /dev/null)
+				then
+					recipients="$recipients $mail"
+				fi
+			fi
+		done
+		echo "$recipients"
+	}
+	recipients=$(find_mails "$recipients")
+
+	# Subject base
+	local mail_subject="☁️🆈🅽🅷☁️: \`$app\`"
+
+	# Adapt the subject according to the type of mail required.
+	if [ "$type" = "backup" ]; then
+		mail_subject="$mail_subject has just been backup."
+	elif [ "$type" = "change_url" ]; then
+		mail_subject="$mail_subject has just been moved to a new URL!"
+	elif [ "$type" = "remove" ]; then
+		mail_subject="$mail_subject has just been removed!"
+	elif [ "$type" = "restore" ]; then
+		mail_subject="$mail_subject has just been restored!"
+	elif [ "$type" = "upgrade" ]; then
+		mail_subject="$mail_subject has just been upgraded!"
+	elif [ "$type" = "warning" ]; then
+		mail_subject="$mail_subject has an important message! ⚠️"
+	else	# install
+		mail_subject="$mail_subject has just been installed!"
+	fi
+
+	ynh_add_config --template="$app_message" --destination="../conf/msg_to_send"
+
+	ynh_delete_file_checksum --file="../conf/msg_to_send"
+	local mail_message="This is an automated message from your beloved YunoHost server.
+Specific information for the application $app.
+$(cat "../conf/msg_to_send")"
+
+	# Store the message into a file for further modifications.
+	echo "$mail_message" > mail_to_send
+
+	# If a html email is required. Apply html tags to the message.
+ 	if [ "$admin_mail_html" -eq 1 ]
+ 	then
+		# Insert 'br' tags at each ending of lines.
+		ynh_replace_string "$" "<br>" mail_to_send
+
+		# Insert starting HTML tags
+		sed --in-place '1s@^@<!DOCTYPE html>\n<html>\n<head></head>\n<body>\n@' mail_to_send
+
+		# Keep tabulations
+		ynh_replace_string "  " "\&#160;\&#160;" mail_to_send
+		ynh_replace_string "\t" "\&#160;\&#160;" mail_to_send
+
+		# Insert url links tags
+		ynh_replace_string "__URL_TAG1__\(.*\)__URL_TAG2__\(.*\)__URL_TAG3__" "<a href=\"\2\">\1</a>" mail_to_send
+
+		# Insert finishing HTML tags
+		echo -e "\n</body>\n</html>" >> mail_to_send
+
+	# Otherwise, remove tags to keep a plain text.
+	else
+		# Remove URL tags
+		ynh_replace_string "__URL_TAG[1,3]__" "" mail_to_send
+		ynh_replace_string "__URL_TAG2__" ": " mail_to_send
+	fi
+
+	# Define binary to use for mail command
+	if [ -e /usr/bin/bsd-mailx ]
+	then
+		local mail_bin=/usr/bin/bsd-mailx
+	else
+		local mail_bin=/usr/bin/mail.mailutils
+	fi
+
+	if [ "$admin_mail_html" -eq 1 ]
+	then
+		content_type="text/html"
+	else
+		content_type="text/plain"
+	fi
+
+	# Send the email to the recipients
+	cat mail_to_send | $mail_bin -a "Content-Type: $content_type; charset=UTF-8" -s "$mail_subject" "$recipients"
+}
+
 #=================================================
 # FUTURE OFFICIAL HELPERS
 #=================================================

scripts/install

@@ -87,6 +87,14 @@ ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$final_path/app"
 
+ynh_script_progression --message="Patching CVE-2022-29360 code vulnerability..." --weight=1
+# Deploy CVE-2022-29360 patch
+version=$(ynh_app_upstream_version)
+# FIXME because we need to apply the patch manually with --binary flag
+# while we should be able to simply use the patching feature of ynh_setup_source
+ynh_add_config --template="../sources/patches/app-CVE-2022-29360.patch.template" --destination="../sources/patches/FIXMEapp-CVE-2022-29360.patch"
+patch --silent --binary $final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php < ../sources/patches/FIXMEapp-CVE-2022-29360.patch
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@@ -203,6 +211,13 @@ ynh_script_progression --message="Reloading NGINX web server..." --weight=1
 
 ynh_systemd_action --service_name=nginx --action=reload
 
+#=================================================
+# SEND README TO ADMIN
+#=================================================
+ynh_script_progression --message="Sending ReadMe to admin..."
+
+ynh_send_readme_to_admin --app_message="../conf/email" --recipients="root" --type="warning"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

scripts/upgrade

@@ -63,7 +63,6 @@ fi
 if [ -z "$language" ]; then
 	language="en"
 	ynh_app_setting_set --app=$app --key=language --value=$language
-	ynh_app_setting_delete --app=$app --key=$lang
 fi
 
 case "$language" in
@@ -79,6 +78,11 @@ case "$language" in
 		;;
 esac
 
+# Delete legacy lang setting
+if [ -n "$(ynh_app_setting_get --app=$app --key=lang)" ]; then
+	ynh_app_setting_delete --app=$app --key=lang
+fi
+
 # Cleaning legacy permissions
 if ynh_legacy_permissions_exists; then
 	ynh_legacy_permissions_delete_all
@@ -108,6 +112,15 @@ then
 	ynh_setup_source --dest_dir="$final_path/app"
 fi
 
+ynh_script_progression --message="Patching CVE-2022-29360 code vulnerability..." --weight=1
+ynh_print_warn --message="You should stop using Rainloop, its upstream code is not maintained anymore"
+# Deploy CVE-2022-29360 patch
+version=$(ynh_app_upstream_version)
+# FIXME because we need to apply the patch manually with --binary flag
+# while we should be able to simply use the patching feature of ynh_setup_source
+ynh_add_config --template="../sources/patches/app-CVE-2022-29360.patch.template" --destination="../sources/patches/FIXMEapp-CVE-2022-29360.patch"
+patched="$(patch --silent --binary --forward $final_path/app/rainloop/v/$version/app/libraries/MailSo/Base/HtmlUtils.php <../sources/patches/FIXMEapp-CVE-2022-29360.patch)" || echo "${patched}" | grep "Reversed (or previously applied) patch detected!  Skipping patch." -q || (echo "$patched" && false);
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@@ -188,6 +201,13 @@ ynh_script_progression --message="Reloading NGINX web server..."
 
 ynh_systemd_action --service_name=nginx --action=reload
 
+#=================================================
+# SEND README TO ADMIN
+#=================================================
+ynh_script_progression --message="Sending ReadMe to admin..."
+
+ynh_send_readme_to_admin --app_message="../conf/email" --recipients="root" --type="warning"
+
 #=================================================
 # END OF SCRIPT
 #=================================================

sources/patches/app-CVE-2022-29360.patch.template

@@ -0,0 +1,23 @@
+diff --git a/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.php b/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.new
+index 2177627..f1e014e 100644
+--- a/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.php
++++ b/rainloop/v/__VERSION__/app/libraries/MailSo/Base/HtmlUtils.new
+@@ -239,7 +239,8 @@ class HtmlUtils
+ 				$oWrapHtml->setAttribute($sKey, $sValue);
+ 			}
+ 
+-			$oWrapDom = $oDom->createElement('div', '___xxx___');
++			$rand_str = base64_encode(random_bytes(32));
++			$oWrapDom = $oDom->createElement('div', $rand_str);
+ 			$oWrapDom->setAttribute('data-x-div-type', 'body');
+ 			foreach ($aBodylAttrs as $sKey => $sValue)
+ 			{
+@@ -250,7 +251,7 @@ class HtmlUtils
+ 
+ 			$sWrp = $oDom->saveHTML($oWrapHtml);
+ 
+-			$sResult = \str_replace('___xxx___', $sResult, $sWrp);
++			$sResult = \str_replace($rand_str, $sResult, $sWrp);
+ 		}
+ 
+ 		$sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);