path: root/nixpkgs/pkgs/servers/rainloop
authorAlyssa Ross <hi@alyssa.is>2022-12-06 19:57:55 +0000
committerAlyssa Ross <hi@alyssa.is>2023-02-08 13:48:30 +0000
commitbf3aadfdd39aa197e18bade671fab6726349ffa4 (patch)
tree698567af766ed441d757b57a7b21e68d4a342a2b /nixpkgs/pkgs/servers/rainloop
parentf4afc5a01d9539ce09e47494e679c51f80723d07 (diff)
parent99665eb45f58d959d2cb9e49ddb960c79d596f33 (diff)
Merge commit '99665eb45f58d959d2cb9e49ddb960c79d596f33'
Diffstat (limited to 'nixpkgs/pkgs/servers/rainloop')
-rw-r--r--nixpkgs/pkgs/servers/rainloop/default.nix18
-rw-r--r--nixpkgs/pkgs/servers/rainloop/fix-cve-2022-29360.patch23
2 files changed, 38 insertions, 3 deletions
diff --git a/nixpkgs/pkgs/servers/rainloop/default.nix b/nixpkgs/pkgs/servers/rainloop/default.nix
index bc1f0905c6b8..1c7c76b2bd43 100644
--- a/nixpkgs/pkgs/servers/rainloop/default.nix
+++ b/nixpkgs/pkgs/servers/rainloop/default.nix
@@ -1,10 +1,10 @@
-{ lib, stdenv, fetchurl, unzip, pkgs, dataPath ? "/var/lib/rainloop" }: let
+{ lib, stdenv, fetchurl, unzip, writeText, dos2unix, dataPath ? "/var/lib/rainloop" }: let
   common = { edition, sha256 }:
     stdenv.mkDerivation (rec {
       pname = "rainloop${lib.optionalString (edition != "") "-${edition}"}";
       version = "1.16.0";
 
-      nativeBuildInputs = [ unzip ];
+      nativeBuildInputs = [ unzip dos2unix ];
 
       unpackPhase = ''
         mkdir rainloop
@@ -16,7 +16,19 @@
         sha256 = sha256;
       };
 
-      includeScript = pkgs.writeText "include.php" ''
+      prePatch = ''
+        dos2unix ./rainloop/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
+      '';
+
+      patches = [
+        ./fix-cve-2022-29360.patch
+      ];
+
+      postPatch = ''
+        unix2dos ./rainloop/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
+      '';
+
+      includeScript = writeText "include.php" ''
         <?php
 
         /**
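Review bot: The `prePatch` and `postPatch` commands on lines 48 and 56 hardcode `1.16.0` in the path to HtmlUtils.php even though `version = "1.16.0"` is defined a few lines above, so the next version bump will silently leave the CVE patch unapplied (or fail in `dos2unix`) unless someone remembers to edit three places. Use the interpolation instead: `dos2unix ./rainloop/rainloop/v/${version}/app/libraries/MailSo/Base/HtmlUtils.php` and the matching `unix2dos` line. The CRLF round-trip is also non-obvious to a reader who has not seen the upstream archive; a one-line comment above `prePatch` such as `# HtmlUtils.php ships with CRLF line endings; normalise so the patch applies, then restore them` would save the next maintainer from removing it. The `common` function this sits in starts and ends outside the hunk.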
diff --git a/nixpkgs/pkgs/servers/rainloop/fix-cve-2022-29360.patch b/nixpkgs/pkgs/servers/rainloop/fix-cve-2022-29360.patch
new file mode 100644
index 000000000000..5ee7ad1103d6
--- /dev/null
+++ b/nixpkgs/pkgs/servers/rainloop/fix-cve-2022-29360.patch
@@ -0,0 +1,23 @@
+Fetched from https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
+
+--- a/rainloop/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
++++ b/rainloop/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
+@@ -239,7 +239,8 @@ class HtmlUtils
+ 				$oWrapHtml->setAttribute($sKey, $sValue);
+ 			}
+ 
+-			$oWrapDom = $oDom->createElement('div', '___xxx___');
++			$rand_str = base64_encode(random_bytes(32));
++			$oWrapDom = $oDom->createElement('div', $rand_str);
+ 			$oWrapDom->setAttribute('data-x-div-type', 'body');
+ 			foreach ($aBodylAttrs as $sKey => $sValue)
+ 			{
+@@ -250,7 +251,7 @@ class HtmlUtils
+ 
+ 			$sWrp = $oDom->saveHTML($oWrapHtml);
+ 
+-			$sResult = \str_replace('___xxx___', $sResult, $sWrp);
++			$sResult = \str_replace($rand_str, $sResult, $sWrp);
+ 		}
+ 
+ 		$sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);
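Review bot: The per-call placeholder added on line 78 is the right fix for the predictable `___xxx___` marker, but `base64_encode(random_bytes(32))` yields a 44-character string containing `+`, `/` and `=`, and the resulting placeholder is inserted as element text via `createElement` and later matched byte-for-byte in `\str_replace` after `saveHTML`; those characters should survive serialisation as plain text, but a hex token makes that reasoning unnecessary and keeps the marker free of any HTML- or entity-relevant bytes. A smaller change that also follows the file's Hungarian naming visible in `$sKey`/`$sValue`/`$oWrapDom` would be `$sRandStr = bin2hex(random_bytes(16));`, `$oWrapDom = $oDom->createElement('div', $sRandStr);` and `$sResult = \str_replace($sRandStr, $sResult, $sWrp);`. Note that `random_bytes()` throws if no CSPRNG is available, which is the correct fail-closed behaviour here, but the patch header should say so (and that the diff is the SonarSource-published fix rather than an upstream commit) so nobody later wraps it in a fallback to `mt_rand`. The enclosing HtmlUtils method starts and ends outside the hunk.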