Date:      Tue, 3 May 2022 10:14:45 GMT
From:      Yasuhiro Kimura <yasu@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: f9f524f160cb - main - mail/rainloop: Add patch to fix cross-site-scripting (XSS) vulnerability
Message-ID:  <202205031014.243AEjBK066798@gitrepo.freebsd.org>

The branch main has been updated by yasu:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f9f524f160cb67555ffab240926b693d090ebd20

commit f9f524f160cb67555ffab240926b693d090ebd20
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2022-05-03 10:06:33 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2022-05-03 10:12:56 +0000

    mail/rainloop: Add patch to fix cross-site-scripting (XSS) vulnerability
    
    PR:             263749
    Reported by:    Lapo Luchini
    Obtained from:  https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw
    MFH:            2022Q2
    Security:       a8118db0-cac2-11ec-9288-0800270512f4
---
 mail/rainloop/Makefile                              |  2 +-
 ...v_1.16.0_app_libraries_MailSo_Base_HtmlUtils.php | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/mail/rainloop/Makefile b/mail/rainloop/Makefile
index 37b9010a9499..1f2dfc496013 100644
--- a/mail/rainloop/Makefile
+++ b/mail/rainloop/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	rainloop
 DISTVERSION=	1.16.0
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	mail www
 MASTER_SITES=	https://github.com/RainLoop/rainloop-webmail/releases/download/v${PORTVERSION}/
 PKGNAMESUFFIX?=	${PHP_PKGNAMESUFFIX}
diff --git a/mail/rainloop/files/patch-rainloop_v_1.16.0_app_libraries_MailSo_Base_HtmlUtils.php b/mail/rainloop/files/patch-rainloop_v_1.16.0_app_libraries_MailSo_Base_HtmlUtils.php
new file mode 100644
index 000000000000..210cee2adc56
--- /dev/null
+++ b/mail/rainloop/files/patch-rainloop_v_1.16.0_app_libraries_MailSo_Base_HtmlUtils.php
@@ -0,0 +1,21 @@
+--- rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php.orig	2021-05-06 11:04:36 UTC
++++ rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
+@@ -239,7 +239,8 @@ class HtmlUtils
+ 				$oWrapHtml->setAttribute($sKey, $sValue);
+ 			}
+ 
+-			$oWrapDom = $oDom->createElement('div', '___xxx___');
++			$rand_str = base64_encode(random_bytes(32));
++			$oWrapDom = $oDom->createElement('div', $rand_str);
+ 			$oWrapDom->setAttribute('data-x-div-type', 'body');
+ 			foreach ($aBodylAttrs as $sKey => $sValue)
+ 			{
+@@ -250,7 +251,7 @@ class HtmlUtils
+ 
+ 			$sWrp = $oDom->saveHTML($oWrapHtml);
+ 
+-			$sResult = \str_replace('___xxx___', $sResult, $sWrp);
++			$sResult = \str_replace($rand_str, $sResult, $sWrp);
+ 		}
+ 
+ 		$sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);
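Review bot: The new local `$rand_str` and the unqualified `base64_encode`/`random_bytes` calls on the first added line depart from the surrounding file's conventions, where string locals carry the `$s` prefix (`$sKey`, `$sResult`, `$sWrp`) and global functions are written fully qualified (`\str_replace`); suggest `$sPlaceholder = \base64_encode(\random_bytes(32));` with the two later uses renamed to `$oWrapDom = $oDom->createElement('div', $sPlaceholder);` and `$sResult = \str_replace($sPlaceholder, $sResult, $sWrp);`. A one-line comment above it would record why the constant `___xxx___` marker was dropped, e.g. `// per-call unpredictable marker: message content must not be able to collide with the wrapper placeholder that str_replace() swaps for the sanitised body`. `random_bytes()` throws when no secure randomness source is available, and since the enclosing method starts and ends outside this hunk I cannot see whether that exception is handled by the caller. The base64 alphabet (`A-Z`, `a-z`, `0-9`, `+`, `/`, `=`) contains nothing that `saveHTML()` entity-escapes in text content, so the marker should survive the round trip unchanged, but that is worth pinning with a test rather than assuming.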


