-rw-r--r--main/roundcubemail/APKBUILD8
-rw-r--r--main/roundcubemail/save_prefs_vulnerability_fix_0.6.patch24
2 files changed, 29 insertions, 3 deletions
diff --git a/main/roundcubemail/APKBUILD b/main/roundcubemail/APKBUILD
index 401f87b45e..da66668431 100644
--- a/main/roundcubemail/APKBUILD
+++ b/main/roundcubemail/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=roundcubemail
pkgver=0.5.4
-pkgrel=0
+pkgrel=1
pkgdesc="A PHP web-based mail client"
url="http://www.roundcube.net"
arch="noarch"
@@ -11,7 +11,8 @@ depends="php php-imap php-xml php-json php-dom"
makedepends=""
subpackages="$pkgname-installer"
source="http://downloads.sourceforge.net/sourceforge/$pkgname/$pkgname-$pkgver.tar.gz
- fix-dirs.patch"
+ fix-dirs.patch
+ save_prefs_vulnerability_fix_0.6.patch"
_src="$srcdir"/roundcubemail-$pkgver
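Review bot: Nothing in the visible APKBUILD lines records what `save_prefs_vulnerability_fix_0.6.patch` fixes or where it came from, and its name suggests it was written against 0.6 while `pkgver` is 0.5.4. A comment above `source=` such as `# save_prefs patch: backport of upstream save_pref.inc whitelist fix (<ADVISORY-ID>, <UPSTREAM-COMMIT>)` would let a later maintainer drop the patch safely on the next version bump. The hunk shows only part of the file, so such a note may already exist elsewhere.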
@@ -64,4 +65,5 @@ installer() {
}
md5sums="a4a401b87a89eabd5e113d9e2fe2ea84 roundcubemail-0.5.4.tar.gz
-db71db7b5489ac2d0e8d80a0a8b993e0 fix-dirs.patch"
+db71db7b5489ac2d0e8d80a0a8b993e0 fix-dirs.patch
+b6f8b5dc55d6f1b50b5d201296379e53 save_prefs_vulnerability_fix_0.6.patch"
diff --git a/main/roundcubemail/save_prefs_vulnerability_fix_0.6.patch b/main/roundcubemail/save_prefs_vulnerability_fix_0.6.patch
new file mode 100644
index 0000000000..ef8c14b9e2
--- /dev/null
+++ b/main/roundcubemail/save_prefs_vulnerability_fix_0.6.patch
@@ -0,0 +1,24 @@
+--- a/program/steps/utils/save_pref.inc 2013-03-27 17:16:36.000000000 +0100
++++ b/program/steps/utils/save_pref.inc 2013-03-27 17:17:33.000000000 +0100
+@@ -21,6 +21,21 @@
+
+ $name = get_input_value('_name', RCUBE_INPUT_POST);
+ $value = get_input_value('_value', RCUBE_INPUT_POST);
++$whitelist = array(
++ 'preview_pane',
++ 'list_cols',
++ 'collapsed_folders',
++);
++
++if (!in_array($name, $whitelist)) {
++ raise_error(array('code' => 500, 'type' => 'php',
++ 'file' => __FILE__, 'line' => __LINE__,
++ 'message' => sprintf("Hack attempt detected (user: %s)", $RCMAIL->get_user_name())),
++ true, false);
++
++ $OUTPUT->reset();
++ $OUTPUT->send();
++}
+
+ // save preference value
+ $RCMAIL->user->save_prefs(array($name => $value));
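Review bot: The rejection branch only fails closed if `$OUTPUT->send()` ends the request, which the hunk does not show: `raise_error(...)` is called with `true, false`, presumably log-without-terminate, so if `send()` ever returns, execution falls through to `$RCMAIL->user->save_prefs(array($name => $value));` with the rejected name. Adding `exit;` after `$OUTPUT->send();` makes the guard independent of the output class. The membership test should also be strict, `if (!in_array($name, $whitelist, true)) {`, so a non-string `_name` cannot match through PHP's loose comparison. `$value` is still stored unvalidated for the three allowed keys; whether that matters depends on how those preferences are consumed, which is outside this hunk.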