Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package arianna for openSUSE:Factory checked in at 2026-05-11 16:52:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/arianna (Old) and /work/SRC/openSUSE:Factory/.arianna.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "arianna" Mon May 11 16:52:23 2026 rev:39 rq:1351562 version:26.04.1 Changes: -------- --- /work/SRC/openSUSE:Factory/arianna/arianna.changes 2026-04-29 19:22:02.723405500 +0200 +++ /work/SRC/openSUSE:Factory/.arianna.new.1966/arianna.changes 2026-05-11 16:59:03.789069455 +0200 @@ -1,0 +2,14 @@ +Thu May 7 08:02:09 UTC 2026 - Christophe Marin <[email protected]> + +- Update to 26.04.1 + * New bugfix release + * For more details please see: + * https://kde.org/announcements/gear/26.04.1/ +- Changes since 26.04.0: + * bookserver: Add authentication token + * bookserver: Use qrc: as access control protocol +- Drop patches: + * 0001-bookserver-Use-qrc-as-access-control-protocol.patch + * 0002-bookserver-Add-authentication-token.patch + +------------------------------------------------------------------- Old: ---- 0001-bookserver-Use-qrc-as-access-control-protocol.patch 0002-bookserver-Add-authentication-token.patch arianna-26.04.0.tar.xz arianna-26.04.0.tar.xz.sig New: ---- arianna-26.04.1.tar.xz arianna-26.04.1.tar.xz.sig ----------(Old B)---------- Old:- Drop patches: * 0001-bookserver-Use-qrc-as-access-control-protocol.patch * 0002-bookserver-Add-authentication-token.patch Old: * 0001-bookserver-Use-qrc-as-access-control-protocol.patch * 0002-bookserver-Add-authentication-token.patch ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ arianna.spec ++++++ --- /var/tmp/diff_new_pack.fxBAaz/_old 2026-05-11 16:59:04.329091739 +0200 +++ /var/tmp/diff_new_pack.fxBAaz/_new 2026-05-11 16:59:04.329091739 +0200 @@ -21,7 +21,7 @@ %bcond_without released Name: arianna -Version: 26.04.0 +Version: 26.04.1 Release: 0 Summary: Ebook reader and library management app License: GPL-3.0-only 
@@ -31,9 +31,6 @@
 Source1: https://download.kde.org/stable/release-service/%{version}/src/%{name}-%{version}.tar.xz.sig
 Source2: applications.keyring
 %endif
-# PATCH-FIX-UPSTREAM -- CVE-2026-42095
-Patch0: 0001-bookserver-Use-qrc-as-access-control-protocol.patch
-Patch1: 0002-bookserver-Add-authentication-token.patch
 BuildRequires: cmake(KF6Archive) >= %{kf6_version}
 BuildRequires: cmake(KF6Baloo) >= %{kf6_version}
 BuildRequires: cmake(KF6ColorScheme) >= %{kf6_version}
++++++ arianna-26.04.0.tar.xz -> arianna-26.04.1.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/arianna-26.04.0/CMakeLists.txt new/arianna-26.04.1/CMakeLists.txt
--- old/arianna-26.04.0/CMakeLists.txt 2026-04-09 22:17:20.000000000 +0200
+++ new/arianna-26.04.1/CMakeLists.txt 2026-05-04 16:08:59.000000000 +0200
@@ -6,7 +6,7 @@
 # KDE Applications version, managed by release script.
 set(RELEASE_SERVICE_VERSION_MAJOR "26")
 set(RELEASE_SERVICE_VERSION_MINOR "04")
-set(RELEASE_SERVICE_VERSION_MICRO "0")
+set(RELEASE_SERVICE_VERSION_MICRO "1")
 set(RELEASE_SERVICE_VERSION "${RELEASE_SERVICE_VERSION_MAJOR}.${RELEASE_SERVICE_VERSION_MINOR}.${RELEASE_SERVICE_VERSION_MICRO}")
 project(arianna VERSION ${RELEASE_SERVICE_VERSION})
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/arianna-26.04.0/org.kde.arianna.appdata.xml new/arianna-26.04.1/org.kde.arianna.appdata.xml
--- old/arianna-26.04.0/org.kde.arianna.appdata.xml 2026-04-09 22:17:20.000000000 +0200
+++ new/arianna-26.04.1/org.kde.arianna.appdata.xml 2026-05-04 16:08:59.000000000 +0200
@@ -155,6 +155,7 @@
 </screenshot>
 </screenshots>
 <releases>
+ <release version="26.04.1" date="2026-05-07"/>
 <release version="26.04.0" date="2026-04-16"/>
 <release version="25.12.3" date="2026-03-05"/>
 <release version="25.12.2" date="2026-02-05"/>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/arianna-26.04.0/src/bookserver.cpp new/arianna-26.04.1/src/bookserver.cpp
--- old/arianna-26.04.0/src/bookserver.cpp 2026-04-09 22:17:20.000000000 +0200
+++ new/arianna-26.04.1/src/bookserver.cpp 2026-05-04 16:08:59.000000000 +0200
@@ -8,9 +8,12 @@
 #include <QFileInfo>
 #include <QTcpServer>
-BookServer::BookServer()
+BookServer::BookServer(const QString &token)
 {
- server.route(u"/book"_s, [](const QHttpServerRequest &request) {
+ server.route(u"/book"_s, [token](const QHttpServerRequest &request) {
+ if (request.query().queryItemValue(u"token"_s) != token) {
+ return QHttpServerResponse{QHttpServerResponder::StatusCode::Unauthorized};
+ }
 // + is an standing for %20
 // fromPercentEncoded doesn't handle it but it needs to come first
 // otherwise we end up with %2B -> + -> ' ' which won't be the correct path
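Review bot: The new token check in the `/book` handler of src/bookserver.cpp does not fail closed when `token` is empty: `queryItemValue()` returns an empty string for a missing item, so a `BookServer` built with an empty token would accept every request that carries no `token` parameter. The constructor is public and takes any `QString`, so I would put the guard in the handler itself, `if (token.isEmpty() || request.query().queryItemValue(u"token"_s) != token) {`. The handler body continues past the end of this hunk, so how the `url` parameter is turned into a file path cannot be reviewed from here.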
@@ -23,21 +26,23 @@
 });
 #if QT_VERSION >= QT_VERSION_CHECK(6, 8, 0)
- server.addAfterRequestHandler(&server, [](const QHttpServerRequest &, QHttpServerResponse &resp) {
- auto headers = resp.headers();
- headers.append("Access-Control-Allow-Origin", "*");
- resp.setHeaders(headers);
+ server.addAfterRequestHandler(&server, [](const QHttpServerRequest &request, QHttpServerResponse &resp) {
+ if (request.value("Origin") == "qrc:") {
+ auto headers = resp.headers();
+ headers.append("Access-Control-Allow-Origin", "qrc:");
+ resp.setHeaders(headers);
+ }
 });
 #else
 server.afterRequest([](QHttpServerResponse &&resp) {
- resp.setHeader("Access-Control-Allow-Origin", "*");
+ resp.setHeader("Access-Control-Allow-Origin", "qrc:");
 return std::move(resp);
 });
 #endif
 #if QT_VERSION >= QT_VERSION_CHECK(6, 8, 0)
 auto tcpserver = std::make_unique<QTcpServer>();
- if (!tcpserver->listen(QHostAddress::Any, 45961) || !server.bind(tcpserver.get())) {
+ if (!tcpserver->listen(QHostAddress::LocalHost, 45961) || !server.bind(tcpserver.get())) {
 qWarning() << "Server failed to listen on a port.";
 return;
 }
@@ -45,7 +50,7 @@
 auto s = tcpserver.release();
 Q_UNUSED(s);
 #else
- const auto port = server.listen(QHostAddress::Any, 45961);
+ const auto port = server.listen(QHostAddress::LocalHost, 45961);
 if (!port) {
 qWarning() << "Server failed to listen on a port.";
 return;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/arianna-26.04.0/src/bookserver.h new/arianna-26.04.1/src/bookserver.h
--- old/arianna-26.04.0/src/bookserver.h 2026-04-09 22:17:20.000000000 +0200
+++ new/arianna-26.04.1/src/bookserver.h 2026-05-04 16:08:59.000000000 +0200
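Review bot: The two Qt-version branches of the CORS handler in src/bookserver.cpp (hunk `@@ -23,21 +26,23 @@`) no longer behave alike, and neither says what the header is for: the 6.8+ branch adds `Access-Control-Allow-Origin` only when `Origin` is `qrc:`, while the `#else` branch sets it on every response. Because the value is the fixed string `qrc:` this is not an exposure by itself, but the header only constrains browser contexts, so the token check is what rejects other local clients. I would state that above the handler, `// CORS only limits browser contexts; the token check in the /book route is what rejects other local clients.`, and, since the 6.8+ response now varies with the request origin, also append `Vary: Origin` there.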
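Review bot: Both listen calls in src/bookserver.cpp (this `#else` branch in hunk `@@ -45,7 +50,7 @@` and the Qt 6.8 branch in the previous hunk) keep the fixed port 45961, and on failure the constructor only logs `qWarning()` and returns. EpubViewerPage.qml builds its request against the same hard-coded port and now appends the token, so when another process already holds that port the viewer would, as far as this diff shows, still send the token and the book path to whatever answers there. Consider listening on port 0, exposing the bound port (`tcpserver->serverPort()`) to QML next to the token, and refusing to open a book when the server did not start. The enclosing constructor ends outside this hunk.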
@@ -5,11 +5,12 @@
 #include <QHttpServer>
 #include <QHttpServerResponse>
+#include <QString>
 class BookServer
 {
 public:
- BookServer();
+ explicit BookServer(const QString &token);
 private:
 QHttpServer server;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/arianna-26.04.0/src/main.cpp new/arianna-26.04.1/src/main.cpp
--- old/arianna-26.04.0/src/main.cpp 2026-04-09 22:17:20.000000000 +0200
+++ new/arianna-26.04.1/src/main.cpp 2026-05-04 16:08:59.000000000 +0200
@@ -83,8 +83,6 @@
 parser.process(app);
 about.processCommandLine(&parser);
- BookServer bookServer;
-
 engine.loadFromModule("org.kde.arianna", "Main");
 if (engine.rootObjects().isEmpty()) {
 return -1;
@@ -92,6 +90,8 @@
 auto navigation = engine.singletonInstance<Navigation *>("org.kde.arianna", "Navigation");
+ BookServer bookServer(navigation->bookServerToken());
+
 QObject::connect(&service,
 &KDBusService::activateRequested,
 &engine,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/arianna-26.04.0/src/navigation.cpp new/arianna-26.04.1/src/navigation.cpp
--- old/arianna-26.04.0/src/navigation.cpp 2026-04-09 22:17:20.000000000 +0200
+++ new/arianna-26.04.1/src/navigation.cpp 2026-05-04 16:08:59.000000000 +0200
@@ -3,9 +3,17 @@
 #include "navigation.h"
+#include <QUuid>
+
 Navigation::Navigation(QObject *parent)
 : QObject(parent)
+ , m_bookServerToken(QUuid::createUuid().toString(QUuid::WithoutBraces))
+{
+}
+
+QString Navigation::bookServerToken() const
 {
+ return m_bookServerToken;
 }
 #include "moc_navigation.cpp"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/arianna-26.04.0/src/navigation.h new/arianna-26.04.1/src/navigation.h
--- old/arianna-26.04.0/src/navigation.h 2026-04-09 22:17:20.000000000 +0200
+++ new/arianna-26.04.1/src/navigation.h 2026-05-04 16:08:59.000000000 +0200
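Review bot: In src/main.cpp (hunk `@@ -92,6 +90,8 @@`) `navigation` is dereferenced by the new `BookServer bookServer(navigation->bookServerToken());` without a null check, and `QQmlEngine::singletonInstance()` returns nullptr when the singleton cannot be resolved. Add `if (!navigation) { return -1; }` before constructing the server, in line with the `rootObjects().isEmpty()` guard a few lines above. Code after this hunk may rely on the pointer as well; that part of `main` is outside the hunk.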
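Review bot: The secret that gates `/book` is produced by `QUuid::createUuid()` in the `Navigation` constructor (src/navigation.cpp), an API specified for uniqueness rather than unpredictability; Qt documents that on Windows the result is whatever type of GUID the platform API decides to create. Since this string is the only credential the server checks, I would draw it explicitly from the system CSPRNG, for example by hex-encoding two `QRandomGenerator::system()->generate64()` values. A comment on the member would also help, `// Per-process secret for the local book server; never log or persist it.`.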
@@ -4,6 +4,7 @@
 #pragma once
 #include <QObject>
+#include <QString>
 #include <qqmlintegration.h>
 #include "categoryentriesmodel.h"
@@ -14,13 +15,20 @@
 QML_SINGLETON
 QML_ELEMENT
+ Q_PROPERTY(QString bookServerToken READ bookServerToken CONSTANT)
+
 public:
 explicit Navigation(QObject *parent = nullptr);
+ QString bookServerToken() const;
+
 Q_SIGNALS:
 void openBook(const QString &fileName, const QString &locations, const QString ¤tLocation, const BookEntry &entry);
 void openLibrary(const QString &title, CategoryEntriesModel *model, bool replace);
 void openSettings();
+
+private:
+ QString m_bookServerToken;
 };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/arianna-26.04.0/src/qml/EpubViewerPage.qml new/arianna-26.04.1/src/qml/EpubViewerPage.qml
--- old/arianna-26.04.0/src/qml/EpubViewerPage.qml 2026-04-09 22:17:20.000000000 +0200
+++ new/arianna-26.04.1/src/qml/EpubViewerPage.qml 2026-05-04 16:08:59.000000000 +0200
@@ -53,7 +53,7 @@
 // HACK: renderTo and options are the value of layouts.auto, but referencing layouts.auto here crashes
 const renderTo = "'viewer'";
 const options = JSON.stringify({ width: '100%', flow: 'paginated', maxSpreadColumns: 2 });
- const urlNormalized = JSON.stringify('http://127.0.0.1:45961/book?url=' + encodeURIComponent(root.url));
+ const urlNormalized = JSON.stringify('http://127.0.0.1:45961/book?token=' + Navigation.bookServerToken + '&url=' + encodeURIComponent(root.url));
 const initCfi = currentLocation ? JSON.stringify(currentLocation) : "null";
 console.info("opening book", root.url, " to ", initCfi);
 view.runJavaScript(`openSync(${urlNormalized}, ${initCfi})`);
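Review bot: In src/qml/EpubViewerPage.qml `Navigation.bookServerToken` is concatenated into a URL string that is passed to `view.runJavaScript(...)`, so the secret now lives in the same web page that renders book content. Whether scripts shipped inside an EPUB can observe that URL depends on how the viewer page isolates book content, which this hunk does not show; if they can, the token does not separate the book from the server. I would confirm the isolation and record the assumption in a comment next to `urlNormalized`. Separately, wrap the token in `encodeURIComponent()` as is done for `root.url`, so the query stays well-formed if the token format ever changes.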
