Hello community,

here is the log from the commit of package postfixadmin for openSUSE:Factory 
checked in at 2015-10-12 10:01:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfixadmin (Old)
 and      /work/SRC/openSUSE:Factory/.postfixadmin.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "postfixadmin"

Changes:
--------
--- /work/SRC/openSUSE:Factory/postfixadmin/postfixadmin.changes        
2015-09-27 08:39:55.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.postfixadmin.new/postfixadmin.changes   
2015-10-12 10:01:58.000000000 +0200
@@ -1,0 +2,17 @@
+Wed Oct  7 18:41:07 UTC 2015 - [email protected]
+
+- add postfixadmin-upstream-fixes-r1802-1817.diff:
+  fix escaping in gen_show_status() and double escaping in list.php
+  (http://sourceforge.net/p/postfixadmin/bugs/356/)
+
+-------------------------------------------------------------------
+Wed Sep 30 17:17:32 UTC 2015 - [email protected]
+
+- several fixes for the Fedora and CentOS build:
+  - don't scan scripts in the ADDITIONS directory to avoid adding excessive
+    dependencies
+  - use centos_ver instead of centos_version (which isn't available in CentOS 
7)
+  - change docroot to /var/www/html
+  - change apache group to "apache"
+
+-------------------------------------------------------------------
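Review bot: the first entry attributes the double-escaping fix to `list.php`, but the added patch touches `templates/list.tpl` (upstream r1812) and, for the same bug, `templates/list-virtual_alias_domain.tpl`; suggest `fix escaping in gen_show_status() and double escaping in list.tpl` so the changelog names the files actually patched. Listing which upstream revisions the r1802-1817 range carries (r1809, r1811, r1812 per the patch header) would also make the entry easier to audit later.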

New:
----
  postfixadmin-upstream-fixes-r1802-1817.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ postfixadmin.spec ++++++
--- /var/tmp/diff_new_pack.J3wALe/_old  2015-10-12 10:01:59.000000000 +0200
+++ /var/tmp/diff_new_pack.J3wALe/_new  2015-10-12 10:01:59.000000000 +0200
@@ -23,12 +23,12 @@
 Source0:        
http://sourceforge.net/projects/postfixadmin/files/postfixadmin/%{name}-%{version}/%{name}-%{version}.tar.gz
 
 # changes from SVN since the release
-#Patch1:         postfixadmin-svn.diff
+Patch:          postfixadmin-upstream-fixes-r1802-1817.diff
 
 BuildArch:      noarch
 
 # Web interface
-%if 0%{?fedora} || 0%{?rhel_version} || 0%{?centos_version}
+%if 0%{?fedora} || 0%{?rhel_version} || 0%{?centos_ver}
   # Requires:   mod_php_any # no idea in which fedora package mod_php5 is...
 Requires:       php_database
 %else
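Review bot: the condition `%if 0%{?fedora} || 0%{?rhel_version} || 0%{?centos_ver}` is now spelled out in three places in this spec (here, the vacation/Requires block and the ADDITIONS filter), so a macro rename like this one has to be repeated three times; consider defining it once near the top, e.g. `%global on_redhat 0%{?fedora} || 0%{?rhel_version} || 0%{?centos_ver}`, and testing that instead. Dropping the number (`Patch1:` to `Patch:`) is fine as long as `%prep` is changed to match, which a later hunk does.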
@@ -71,21 +71,28 @@
 Requires:       perl(LockFile::Simple)
 Requires:       perl(Sys::Syslog)
 
-%if 0%{?fedora} || 0%{?rhel_version} || 0%{?centos_version}
+%if 0%{?fedora} || 0%{?rhel_version} || 0%{?centos_ver}
 # create vacation user/group
 PreReq:         shadow-utils
 BuildRequires:  httpd-devel
 #define serverroot %(/usr/sbin/apxs -q datadir 2>/dev/null || /usr/sbin/apxs 
-q PREFIX)/htdocs/
-%define serverroot /var/www/htdocs/
+%define serverroot /var/www/html/
+%define apache_group apache
 %else
 # create vacation user/group
 PreReq:         pwdutils
 BuildRequires:  apache2-devel
 %define serverroot %(/usr/sbin/apxs2 -q datadir 2>/dev/null || /usr/sbin/apxs2 
-q PREFIX)/htdocs/
+%define apache_group www
 Recommends:     postfix
 Suggests:       php-pgsql
 %endif
 
+%if 0%{?fedora} || 0%{?rhel_version} || 0%{?centos_ver}
+# Do not check any files in ADDITIONS for Requires, see 
https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering
+%global __requires_exclude_from ^%{_prefix}/lib/%{name}/ADDITIONS/.*$
+%endif
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 Summary:        Web-based management tool for Postfix virtual domains, 
mailboxes and aliases
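Review bot: `%attr(770,root,%{apache_group})` in the `%files` section needs the `apache` group to exist at install time, and this hunk only adds `BuildRequires: httpd-devel` for the Fedora/RHEL branch; unless a `Requires: httpd` (or whichever package creates that group) exists elsewhere in the spec, rpm will warn that the group does not exist and install `templates_c` owned by root, so the web server cannot write compiled templates. Minor: `%define apache_group` and `%define serverroot` are used in other sections, so `%global` is the more appropriate form. The `__requires_exclude_from` regex `^%{_prefix}/lib/%{name}/ADDITIONS/.*$` matches exactly what `%files` installs under ADDITIONS, so the filter looks correct for the stated goal.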
@@ -106,7 +113,7 @@
 
 %prep
 %setup -q
-#patch1 -p1
+%patch
 
 %build
 echo "*** serverroot: %{serverroot} ***"
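Review bot: the old `#patch1 -p1` stated a strip level and the new `%patch` states none; the patch's paths are bare (`functions.inc.php`, `templates/list.tpl`, relative to the extracted source tree), so `-p0` is what is needed, and writing `%patch -p0` makes that explicit rather than relying on the default strip level.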
@@ -173,7 +180,7 @@
 #%config(noreplace) %{_sysconfdir}/apache2/conf.d/*.conf
 %doc DOCUMENTS/* *.TXT VIRTUAL_VACATION
 %{serverroot}/%{name}/
-%attr(770,root,www) %dir %{serverroot}/%{name}/templates_c/
+%attr(770,root,%{apache_group}) %dir %{serverroot}/%{name}/templates_c/
 %dir %{_prefix}/lib/%{name}/
 %{_prefix}/lib/%{name}/ADDITIONS/
 %attr( 750,root,vacation)       %{_prefix}/lib/%{name}/vacation.pl
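Review bot: `templates_c` is made group-writable (770) for the web server group, which Smarty needs for compiled templates, but it lives under `%{serverroot}/%{name}/`, i.e. inside the document root; worth confirming that the shipped Apache configuration (the commented `%config(noreplace) ... conf.d/*.conf` line above suggests one exists) denies direct web access to that directory, since a server-writable directory under the docroot is otherwise addressable by URL.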

++++++ postfixadmin-upstream-fixes-r1802-1817.diff ++++++
------------------------------------------------------------------------
r1809 | christian_boltz | 2015-10-02 19:45:16 +0200 (Fr, 02. Okt 2015) | 8 
Zeilen

functions.inc.php:
- gen_show_status(): escape mail addresses in query.
  Fixes https://sourceforge.net/p/postfixadmin/bugs/356/
  (mostly - the edit/delete/... links in list-virtual are double-escaped)
  In theory this could allow SQL injection, in practice the mail address
  regex limits this issue to a DOS (creating a mail address with ' caused
  an invalid query that broke list-virtual)

------------------------------------------------------------------------
r1811 | christian_boltz | 2015-10-02 20:52:17 +0200 (Fr, 02. Okt 2015) | 4 
Zeilen

list-virtual_alias_domain:
- also assign RAW_items (from $RAW_tAliasDomains)

------------------------------------------------------------------------
r1812 | christian_boltz | 2015-10-03 10:58:21 +0200 (Sa, 03. Okt 2015) | 10 
Zeilen

list.tpl:
- base edit, editactive and delete links on $RAW_item to avoid double
  escaping ($items is already html-escaped, and we url-escape it for
  links). This fixes the remaining part of
  http://sourceforge.net/p/postfixadmin/bugs/356/
- simplify displaying "html" fields by using $RAW_item. This also fixes
  problems with funny[tm] item names that differ when html-encoded (like
  the ' char)


------------------------------------------------------------------------
Index: functions.inc.php
===================================================================
--- functions.inc.php   (Revision 1802)
+++ functions.inc.php   (Revision 1817)
@@ -1755,9 +1755,9 @@
             list(/*NULL*/,$stat_domain) = explode('@',$g);
             $stat_delimiter = "";
                        if (!empty($CONF['recipient_delimiter'])) {
-                               $stat_delimiter = "OR address = '" . 
preg_replace($delimiter_regex, "@", $g) . "'";
+                               $stat_delimiter = "OR address = '" . 
escape_string(preg_replace($delimiter_regex, "@", $g)) . "'";
                        }
-                       $stat_result = db_query ("SELECT address FROM 
$table_alias WHERE address = '$g' OR address = '@$stat_domain' 
$stat_delimiter");
+                       $stat_result = db_query ("SELECT address FROM 
$table_alias WHERE address = '" . escape_string($g) . "' OR address = '@" . 
escape_string($stat_domain) . "' $stat_delimiter");
             if ($stat_result['rows'] == 0) {
                 $stat_ok = 0;
             }
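Review bot: wrapping `$g`, `$stat_domain` and the delimiter variant in `escape_string()` before concatenation closes the quoting problem described in the r1809 log; `$stat_domain` is derived from `$g` via `explode('@',$g)`, so it needed the same treatment, and the hunk gives it. The query is still assembled by string concatenation, though, so correctness depends on every caller remembering `escape_string()`; if `db_query` (or the underlying driver) supports bound parameters, a parameterised `WHERE address = ? OR address = ?` would remove that dependency, and the separate `OR address = '...'` branch for the delimiter case could then become one more bound value rather than a pre-built SQL fragment.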
Index: templates/list-virtual_alias_domain.tpl
===================================================================
--- templates/list-virtual_alias_domain.tpl     (Revision 1802)
+++ templates/list-virtual_alias_domain.tpl     (Revision 1817)
@@ -6,4 +6,6 @@
 {assign var="id_field" value=$msg.id_field}
 {assign var="formconf" value=$aliasdomain_data.formconf}
 {assign var="items" value=$tAliasDomains}
+{assign var="RAW_items" value=$RAW_tAliasDomains}
+
 {include 'list.tpl'}
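Review bot: since `list.tpl` now iterates over `$RAW_items` (the `{foreach from=$RAW_items item=RAW_item}` hunk below), every template that includes `list.tpl` must assign `RAW_items` or its table renders empty; this hunk covers `list-virtual_alias_domain.tpl` only, and the other `list-virtual_*.tpl` includes are not in the patch, so please confirm they already set `RAW_items`.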
Index: templates/list.tpl
===================================================================
--- templates/list.tpl  (Revision 1802)
+++ templates/list.tpl  (Revision 1817)
@@ -51,7 +51,8 @@
     <td>&nbsp;</td>
 </tr>
 
-{foreach from=$items item=item}
+{foreach from=$RAW_items item=RAW_item}
+    {assign "item" $items.{$RAW_item.$id_field|escape:"html"}} {* array keys 
in $items are html-escaped *}
     {#tr_hilightoff#}
 
     {foreach key=key item=field from=$struct}
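Review bot: the lookup `$items.{$RAW_item.$id_field|escape:"html"}` only finds the row if Smarty's `escape:"html"` yields byte-for-byte the same string as the escaping applied when the `$items` keys were built on the PHP side (same handling of `'`, `"` and `&`, same charset); if they differ, `$item` is undefined and the row renders with blank cells and no edit/delete links. Worth a test with an id containing `'` and `&`, the characters the r1812 log mentions.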
@@ -77,7 +78,7 @@
 *}
                     {elseif $key == 'active'}
                         {if $item._can_edit}
-                            <a 
href="{#url_editactive#}{$table}&amp;id={$item.$id_field|escape:"url"}&amp;active={if
 
($item.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}">{$item._active}</a>
+                            <a 
href="{#url_editactive#}{$table}&amp;id={$RAW_item.$id_field|escape:"url"}&amp;active={if
 
($item.active==0)}1{else}0{/if}&amp;token={$smarty.session.PFA_token|escape:"url"}">{$item._active}</a>
                         {else}
                             {$item._active}
                         {/if}
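Review bot: `$RAW_item.$id_field|escape:"url"` gives the id exactly one layer of encoding here, consistent with the edit and delete links in the last hunk. `$item.active` and `$item._active` still come from the html-escaped array, which is right, since they are rendered as HTML text rather than placed in the URL.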
@@ -109,7 +110,7 @@
                     {elseif $field.type == 'txtl'}
                         {foreach key=key2 item=field2 
from=$item.$key}{$field2}<br> {/foreach}
                     {elseif $field.type == 'html'}
-                                               
{$RAW_items.{$item.{$msg.id_field}}.$key}
+                        {$RAW_item.$key}
                     {else}
                         {$linktext}
                     {/if}
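Review bot: `{$RAW_item.$key}` emits a field of type `'html'` with no escaping at all, which is the intended contract for that type, but it means the PHP code that builds fields declared as `html` is solely responsible for escaping any user-supplied substrings; a short comment here stating that contract would help the next reader, and the fields currently declared `html` should be checked against it.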
@@ -118,8 +119,8 @@
         {/if}
     {/foreach}
 
-    <td>{if $item._can_edit}<a 
href="edit.php?table={$table|escape:"url"}&amp;edit={$item.$id_field|escape:"url"}">{$PALANG.edit}</a>{else}&nbsp;{/if}</td>
-    <td>{if $item._can_delete}<a 
href="{#url_delete#}?table={$table}&amp;delete={$item.$id_field|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
 
+    <td>{if $item._can_edit}<a 
href="edit.php?table={$table|escape:"url"}&amp;edit={$RAW_item.$id_field|escape:"url"}">{$PALANG.edit}</a>{else}&nbsp;{/if}</td>
+    <td>{if $item._can_delete}<a 
href="{#url_delete#}?table={$table}&amp;delete={$RAW_item.$id_field|escape:"url"}&amp;token={$smarty.session.PFA_token|escape:"url"}"
         onclick="return confirm 
('{$PALANG.{$msg.confirm_delete}|replace:'%s':$item.$id_field}')">{$PALANG.del}</a>{else}&nbsp;{/if}</td>
     </tr>
 {/foreach}
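Review bot: two points on this hunk. First, the delete link leaves `{$table}` unescaped while the edit link directly above uses `{$table|escape:"url"}`; using the same modifier in both keeps the query string well-formed for any table name. Second, the `onclick` confirm string still interpolates `$item.$id_field` with only HTML escaping: the attribute value is HTML-decoded before the JavaScript is parsed, so a `'` in the id (which `escape:"html"` renders as `&#039;`) becomes a literal `'` inside the single-quoted JS string and breaks it; applying `|escape:"javascript"` to the value passed to `replace` would keep the string literal intact after HTML decoding.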
