rainloop-{community,standard}: patch CVE-2022-29360

pyrox.dev / nixpkgs

fork atom

lol

fork atom

Peder Bergebakken Sundt 3 years ago d23282a2 3556174c

+38 -3

2 changed files

expand all

pkgs

servers

rainloop

default.nix

fix-cve-2022-29360.patch

+15 -3

pkgs/servers/rainloop/default.nix

··· 1 - { lib, stdenv, fetchurl, unzip, pkgs, dataPath ? "/var/lib/rainloop" }: let 1 + { lib, stdenv, fetchurl, unzip, writeText, dos2unix, dataPath ? "/var/lib/rainloop" }: let 2 2 common = { edition, sha256 }: 3 3 stdenv.mkDerivation (rec { 4 4 pname = "rainloop${lib.optionalString (edition != "") "-${edition}"}"; 5 5 version = "1.16.0"; 6 6 7 - nativeBuildInputs = [ unzip ]; 7 + nativeBuildInputs = [ unzip dos2unix ]; 8 8 9 9 unpackPhase = '' 10 10 mkdir rainloop ··· 16 16 sha256 = sha256; 17 17 }; 18 18 19 - includeScript = pkgs.writeText "include.php" '' 19 + prePatch = '' 20 + dos2unix ./rainloop/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php 21 + ''; 22 + 23 + patches = [ 24 + ./fix-cve-2022-29360.patch 25 + ]; 26 + 27 + postPatch = '' 28 + unix2dos ./rainloop/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php 29 + ''; 30 + 31 + includeScript = writeText "include.php" '' 20 32 <?php 21 33 22 34 /**

+23

pkgs/servers/rainloop/fix-cve-2022-29360.patch

··· 1 + Fetched from https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/ 2 + 3 + --- a/rainloop/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php 4 + +++ b/rainloop/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php 5 + @@ -239,7 +239,8 @@ class HtmlUtils 6 + $oWrapHtml->setAttribute($sKey, $sValue); 7 + } 8 + 9 + - $oWrapDom = $oDom->createElement('div', '___xxx___'); 10 + + $rand_str = base64_encode(random_bytes(32)); 11 + + $oWrapDom = $oDom->createElement('div', $rand_str); 12 + $oWrapDom->setAttribute('data-x-div-type', 'body'); 13 + foreach ($aBodylAttrs as $sKey => $sValue) 14 + { 15 + @@ -250,7 +251,7 @@ class HtmlUtils 16 + 17 + $sWrp = $oDom->saveHTML($oWrapHtml); 18 + 19 + - $sResult = \str_replace('___xxx___', $sResult, $sWrp); 20 + + $sResult = \str_replace($rand_str, $sResult, $sWrp); 21 + } 22 + 23 + $sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);