Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-0.7.git;a=commitdiff;h=e6ba19592cda6d912d8f6b75f03d6c8b899886e8

commit e6ba19592cda6d912d8f6b75f03d6c8b899886e8
Author: voroskoi <[EMAIL PROTECTED]>
Date:   Sun Jan 20 16:00:22 2008 +0100

horde-webmail-1.0.1-4sayshell1-i686
added xss.php.diff, closes #2693

diff --git a/source/network-extra/horde-webmail/FrugalBuild 
b/source/network-extra/horde-webmail/FrugalBuild
index a2cb7c6..1bae0a7 100644
--- a/source/network-extra/horde-webmail/FrugalBuild
+++ b/source/network-extra/horde-webmail/FrugalBuild
@@ -3,14 +3,15 @@

pkgname=horde-webmail
pkgver=1.0.1
-pkgrel=3
+pkgrel=4sayshell1
pkgdesc="a free, enterprise ready, browser based communication suite"
url="http://horde.org/webmail/";
rodepends=('php>=4.3.0')
+depends=()
groups=('network-extra')
archs=('i686')
up2date="lynx -dump http://www.horde.org/download/app/?app=webmail | grep 
\.tar\.gz | sed 's/.*-\(.*\)\.t.*/\1/'"
-source=(ftp://ftp.horde.org/pub/$pkgname/$pkgname-$pkgver.tar.gz 
README.Frugalware)
+source=(ftp://ftp.horde.org/pub/$pkgname/$pkgname-$pkgver.tar.gz 
README.Frugalware xss.php.diff)
backup=(var/www/$pkgname/config/{conf,hooks,mime_drivers,motd,nls,prefs,registry}.php
 \
var/www/$pkgname/imp/config/{{conf,header,menu,mime_drivers,motd,prefs,servers,}.php,trailer.txt}
 \
var/www/$pkgname/ingo/config/{backends,conf,fields,prefs}.php \
@@ -22,11 +23,13 @@ options=('stick')

build()
{
+       Fpatchall
Fmkdir /{var/www,usr/share/doc}
Fmv ../src/$pkgname-$pkgver/docs /usr/share/doc/$pkgname-$pkgver
Fmv ../src/$pkgname-$pkgver /var/www/$pkgname
Fdoc README.Frugalware
}
# optimization OK - noarch
-sha1sums=('501b939d4ac17a062244d78be0acaa2919e239db'\
-         'b539999b809904f06b3783af8ae93b7b656420da')
+sha1sums=('501b939d4ac17a062244d78be0acaa2919e239db' \
+          'b539999b809904f06b3783af8ae93b7b656420da' \
+          '3e40044f49fd0913764df44f04af5e6911d67f60')
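Review bot: The new `Fpatchall` call applies xss.php.diff with no record in the build script of what the patch is or where it came from; the patch's own comments say it backports Horde 3.1.4/3.1.6 filter fixes via Debian etch, but that is only visible by opening the file. A one-line comment above the call, `# xss.php.diff: backport of the Horde 3.1.4/3.1.6 Text_Filter xss fixes (via Debian etch), closes #2693`, tells the next updater when the patch can be dropped, i.e. once the packaged tarball is at or beyond the upstream version that contains these fixes. Pinning the patch's sha1 in the list below is the right thing to do, since `Fpatchall` would otherwise apply whatever file is present.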
diff --git a/source/network-extra/horde-webmail/xss.php.diff 
b/source/network-extra/horde-webmail/xss.php.diff
new file mode 100644
index 0000000..9309d9a
--- /dev/null
+++ b/source/network-extra/horde-webmail/xss.php.diff
@@ -0,0 +1,137 @@
+--- orig/lib/Horde/Text/Filter/xss.php
++++ mod/lib/Horde/Text/Filter/xss.php
+@@ -37,6 +37,10 @@
+     {
+         $patterns = array();
+
++        // backport security patch from Horde 3.1.4 for etch
++        /* Remove all control characters. */
++        $patterns['/[\x00-\x08\x0e-\x1f]/'] = '';
++
+         /* Removes HTML comments (including some scripts & styles). */
+         if ($this->_params['strip_styles']) {
+             $patterns['/<!--.*?-->/s'] = '';
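Review bot: The new control-character strip at the top of the hunk keeps `\x09-\x0d`, so vertical tab (`\x0b`) and form feed (`\x0c`) survive into the later patterns, and in PCRE builds of this era `\s` does not match `\x0b`, so a VT placed between two letters of a keyword is not absorbed by the `\s*` gaps the other patterns rely on. Whether a given browser then ignores that byte inside e.g. `javascript:` is version-dependent and not something this file settles, but there is no legitimate use for either character in filtered HTML. Consider `$patterns['/[\x00-\x08\x0b\x0c\x0e-\x1f]/'] = '';`, which keeps only tab, LF and CR.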
+@@ -72,34 +76,54 @@
+
+         /* Remove everything outside of and including the <body> tag. */
+         if ($this->_params['body_only']) {
+-            $patterns['/.*<body[^>]*>/si'] = '';
+-            $patterns['/<\/body>.*/si'] = '';
++            // backport security patch from Horde 3.1.6 for etch
++            //$patterns['/.*<body[^>]*>/si'] = '';
++            //$patterns['/<\/body>.*/si'] = '';
++            $patterns['/.*<(body|html)[^>]*>/si'] = '';
++            $patterns['/<\/(body|html)>.*/si'] = '';
+         }
+
+         /* Get all attribute="javascript:foo()" tags. This is essentially the
+          * regex /(=|url\()("?)[^>]*script:/ but expanded to catch camouflage
+          * with spaces and entities. */
+-        $preg = '/((&#0*61;?|&#x0*3D;?|=)|' .
+-                '((u|&#0*85;?|&#x0*55;?|&#0*117;?|&#x0*75;?)\s*' .
+-                '(r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?)\s*' .
+-                '(l|&#0*76;?|&#x0*4c;?|&#0*108;?|&#x0*6c;?)\s*' .
+-                '(\()))\s*' .
+-                '(&#0*34;?|&#x0*22;?|"|&#0*39;?|&#x0*27;?|\')?' .
++        // backport security patch from Horde 3.1.6 for etch
++        //$preg = '/((&#0*61;?|&#x0*3D;?|=)|' .
++        //        '((u|&#0*85;?|&#x0*55;?|&#0*117;?|&#x0*75;?)\s*' .
++        //        '(r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?)\s*' .
++        //        '(l|&#0*76;?|&#x0*4c;?|&#0*108;?|&#x0*6c;?)\s*' .
++        //        '(\()))\s*' .
++        //        '(&#0*34;?|&#x0*22;?|"|&#0*39;?|&#x0*27;?|\')?' .
++        //        '[^>]*\s*' .
++        //        '(s|&#0*83;?|&#x0*53;?|&#0*115;?|&#x0*73;?)\s*' .
++        //        '(c|&#0*67;?|&#x0*43;?|&#0*99;?|&#x0*63;?)\s*' .
++        //        '(r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?)\s*' .
++        //        '(i|&#0*73;?|&#x0*49;?|&#0*105;?|&#x0*69;?)\s*' .
++        //        '(p|&#0*80;?|&#x0*50;?|&#0*112;?|&#x0*70;?)\s*' .
++        //        '(t|&#0*84;?|&#x0*54;?|&#0*116;?|&#x0*74;?)\s*' .
++        //        '(:|&#0*58;?|&#x0*3a;?)/i';
++        $preg = '/((=|&#0*61;?|&#x0*3D;?)|' .
++                '((u|&#0*85;?|&#x0*55;?|&#0*117;?|&#x0*75;?|\\\\0*75)\s*' .
++                '(r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?|\\\\0*72)\s*' .
++                '(l|&#0*76;?|&#x0*4c;?|&#0*108;?|&#x0*6c;?|\\\\0*6c)\s*' .
++                '(\(|\\\\0*28)))\s*' .
++                '(\'|&#0*34;?|&#x0*22;?|"|&#0*39;?|&#x0*27;?)?' .
+                 '[^>]*\s*' .
+-                '(s|&#0*83;?|&#x0*53;?|&#0*115;?|&#x0*73;?)\s*' .
+-                '(c|&#0*67;?|&#x0*43;?|&#0*99;?|&#x0*63;?)\s*' .
+-                '(r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?)\s*' .
+-                '(i|&#0*73;?|&#x0*49;?|&#0*105;?|&#x0*69;?)\s*' .
+-                '(p|&#0*80;?|&#x0*50;?|&#0*112;?|&#x0*70;?)\s*' .
+-                '(t|&#0*84;?|&#x0*54;?|&#0*116;?|&#x0*74;?)\s*' .
+-                '(:|&#0*58;?|&#x0*3a;?)/i';
++                '(s|&#0*83;?|&#x0*53;?|&#0*115;?|&#x0*73;?|\\\\0*73)\s*' .
++                '(c|&#0*67;?|&#x0*43;?|&#0*99;?|&#x0*63;?|\\\\0*63)\s*' .
++                '(r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?|\\\\0*72)\s*' .
++                '(i|&#0*73;?|&#x0*49;?|&#0*105;?|&#x0*69;?|\\\\0*69)\s*' .
++                '(p|&#0*80;?|&#x0*50;?|&#0*112;?|&#x0*70;?|\\\\0*70)\s*' .
++                '(t|&#0*84;?|&#x0*54;?|&#0*116;?|&#x0*74;?|\\\\0*74)\s*' .
++                '(:|&#0*58;?|&#x0*3a;?|\\\\0*3a)/i';
+         $patterns[$preg] = '\1\8' . $this->_params['replace'];
+
+         /* Get all on<foo>="bar()". NEVER allow these. */
+         $patterns['/([\s"\']+' .
+                   '(o|&#0*79;?|&#0*4f;?|&#0*111;?|&#0*6f;?)' .
+                   '(n|&#0*78;?|&#0*4e;?|&#0*110;?|&#0*6e;?)' .
+-                  '\w+)\s*=/i'] = '\1' . $this->_params['replace'] . '=';
++                  // backport security patch from Horde 3.1.6 for etch
++                  //'\w+)\s*=/i'] = '\1' . $this->_params['replace'] . '=';
++                  '\w+)[^=a-z0-9"\'>]*=/i'] = '\1' . 
$this->_params['replace'] . '=';
+
+         /* Remove all scripts since they might introduce garbage if they are
+          * not quoted properly. */
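Review bot: The CSS-escape alternatives added to `$preg` (`\\\\0*75`, `\\\\0*72`, `\\\\0*73`, …) list only the lowercase code point of each letter; `/i` case-folds the literal letters and the entity alternatives already carry both cases (`&#0*85;` and `&#0*117;`), but hex digits are not case-folded, so `\55rl(` or `\53cript:` (U, S) is not matched even though CSS decodes those escapes to the same, case-insensitive `url(`/`javascript:`. Each escape alternative should list both code points, e.g. `\\\\0*(?:75|55)` for u/U and `\\\\0*(?:72|52)` for r/R, and likewise for l, s, c, i, p and t; the non-capturing form matters because the replacement below depends on `\1\8`. Separately, the commented-out copy of the old `$preg` duplicates what the patch itself records and can be dropped from the backport.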
+@@ -128,6 +152,15 @@
+             '(m|&#0*77;?|&#0*4d;?|&#0*109;?|&#0*6d;?)\s*' .
+             '(l|&#0*76;?|&#x0*4c;?|&#0*108;?|&#x0*6c;?)\s*/i',
+
++            // backport security patch from Horde 3.1.6 for etch
++            '/<([^>a-z]*)\?([^>a-z]*)' .
++            '(i|&#0*73;?|&#x0*49;?|&#0*105;?|&#x0*69;?)\s*' .
++            '(m|&#0*77;?|&#0*4d;?|&#0*109;?|&#0*6d;?)\s*' .
++            '(p|&#0*80;?|&#x0*50;?|&#0*112;?|&#x0*70;?)\s*' .
++            '(o|&#0*79;?|&#0*4f;?|&#0*111;?|&#0*6f;?)\s*' .
++            '(r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?)\s*' .
++            '(t|&#0*84;?|&#x0*54;?|&#0*116;?|&#x0*74;?)\s*/i',
++
+             '/<([^>a-z]*)' .
+             '(b|&#0*66;?|&#0*42;?|&#0*98;?|&#0*62;?)\s*' .
+             '(a|&#0*65;?|&#0*41;?|&#0*97;?|&#0*61;?)\s*' .
+@@ -155,8 +188,19 @@
+             '(c|&#0*67;?|&#x0*43;?|&#0*99;?|&#x0*63;?)\s*' .
+             '(t|&#0*84;?|&#x0*54;?|&#0*116;?|&#x0*74;?)\s*/i',
+
++
++            // backport security patch from Horde 3.1.6 for etch
+             '/<([^>a-z]*)' .
+-            '(i|&#0*73;?|&#x0*49;?|&#0*105;?|&#x0*69;?)\s*' .
++            '(l|&#0*76;?|&#x0*4c;?|&#0*108;?|&#x0*6c;?)\s*' .
++            '(a|&#0*65;?|&#0*41;?|&#0*97;?|&#0*61;?)\s*' .
++            '(y|&#0*89;?|&#0*59;?|&#0*121;?|&#0*79;?)\s*' .
++            '(e|&#0*69;?|&#0*45;?|&#0*101;?|&#0*65;?)\s*' .
++            '(r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?)\s*/i',
++
++            '/<([^>a-z]*)' .
++            // backport security patch from Horde 3.1.6 for etch
++            //'(i|&#0*73;?|&#x0*49;?|&#0*105;?|&#x0*69;?)\s*' .
++            '(i|&#0*73;?|&#x0*49;?|&#0*105;?|&#x0*69;?)?\s*' .
+             '(f|&#0*70;?|&#0*46;?|&#0*102;?|&#0*66;?)\s*' .
+             '(r|&#0*82;?|&#x0*52;?|&#0*114;?|&#x0*72;?)\s*' .
+             '(a|&#0*65;?|&#0*41;?|&#0*97;?|&#0*61;?)\s*' .
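Review bot: The new `<layer` pattern does not cover Netscape's `<ilayer>` counterpart, because the `<([^>a-z]*)` prefix refuses a leading letter; the `<iframe`/`<frame` pattern right below it already handles this shape with an optional `(i|&#0*73;?|&#x0*49;?|&#0*105;?|&#x0*69;?)?\s*` group, and the same optional group in front of the `l` alternative would make the two consistent. This only matters for very old browsers, so it is a consistency point rather than a live exposure. The commented-out original `(i|…)` line kept above the new one is dead code in the delivered file and can be removed; the patch header already records the previous version.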
+@@ -176,9 +220,13 @@
+         }
+
+         /* A few other matches. */
+-        $patterns['|<([^>]*)&{.*}([^>]*)>|'] = '<&{;}\3>';
++        // backport security patch from Horde 3.1.6 for etch
++        //$patterns['|<([^>]*)&{.*}([^>]*)>|'] = '<&{;}\3>';
++        $patterns['|<([^>]*)&{.*}([^>]*)>|'] = '<\1&{;}\2>';
+         $patterns['|<([^>]*)mocha:([^>]*)>|i'] = '<\1' . 
$this->_params['replace'] . ':\2>';
+-        $patterns['|<([^>]*)binding:([^>]*)>|i'] = '<\1' . 
$this->_params['replace'] . ':\2>';
++        // backport security patch from Horde 3.1.6 for etch
++        //$patterns['|<([^>]*)binding:([^>]*)>|i'] = '<\1' . 
$this->_params['replace'] . ':\2>';
++        
$patterns['/<(([^>]*)|(style[^>]*>[^<]*))binding:((?(3)[^<]*<\/style)[^>]*)>/i']
 = '<\1' . $this->_params['replace'] . ':\4>';
+
+         return array('regexp' => $patterns);
+     }
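Review bot: The new `binding:` pattern (like the `mocha:` one above it) matches the keyword only as plain ASCII, while every other pattern in this file also accepts entity-encoded letters; inside a `style="…"` attribute the browser decodes entities before the CSS parser sees the value, so a form such as `b&#105;nding:` would pass unless something ahead of this filter already normalizes entities, which is not visible here. Extending `binding` with the same per-letter `(b|&#0*66;?|&#0*42;?|&#0*98;?|&#0*62;?)\s*` alternation used by the tag patterns would close that; if done, the group numbering must be rechecked, because the replacement relies on `\1` and `\4` and on the conditional `(?(3)…)`. The `&{.*}` change is a correct fix: the old replacement referenced a non-existent `\3`. The method this hunk closes opens in the first hunk of the patch and is complete within it.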