[pkg-horde] [COMMIT lionel nag--sid--2--patch-2] Merge with upstream branch

Lionel Elie Mamane lmamane at costa.debian.org
Sat Dec 24 17:30:04 UTC 2005


A  {arch}/nag/nag--sid/nag--sid--2/pkg-horde-hackers at lists.alioth.debian.org--2006/patch-log/patch-2
A  {arch}/nag/nag--upstream/nag--upstream--2/pkg-horde-hackers at lists.alioth.debian.org--2006/patch-log/patch-1
M  lib/Driver/sql.php
M  lib/version.php
M  lib/Block/summary.php
M  templates/menu.inc
M  templates/prefs/tasklistselect.inc
M  templates/list/task_summaries.inc
M  templates/list/header.inc
M  docs/CHANGES
M  docs/RELEASE_NOTES
M  templates/tasklists/tasklists.inc
M  templates/data/import.inc
M  templates/task/task.inc

--- /dev/null
+++ {arch}/nag/nag--sid/nag--sid--2/pkg-horde-hackers at lists.alioth.debian.org--2006/patch-log/patch-2
@@ -0,0 +1,24 @@
+Revision: nag--sid--2--patch-2
+Archive: pkg-horde-hackers at lists.alioth.debian.org--2006
+Creator: Lionel Elie Mamane <lionel at mamane.lu>
+Date: Sat Dec 24 18:28:46 CET 2005
+Standard-date: 2005-12-24 17:28:46 GMT
+Modified-files: docs/CHANGES docs/RELEASE_NOTES
+    lib/Block/summary.php lib/Driver/sql.php lib/version.php
+    templates/data/import.inc templates/list/header.inc
+    templates/list/task_summaries.inc templates/menu.inc
+    templates/prefs/tasklistselect.inc
+    templates/task/task.inc
+    templates/tasklists/tasklists.inc
+New-patches: pkg-horde-hackers at lists.alioth.debian.org--2006/nag--sid--2--patch-2
+    pkg-horde-hackers at lists.alioth.debian.org--2006/nag--upstream--2--patch-1
+Summary: Merge with upstream branch
+Keywords: 
+
+
+
+Patches applied:
+
+ * pkg-horde-hackers at lists.alioth.debian.org--2006/nag--upstream--2--patch-1
+   Import upstream nag 2.0.4
+


--- /dev/null
+++ {arch}/nag/nag--upstream/nag--upstream--2/pkg-horde-hackers at lists.alioth.debian.org--2006/patch-log/patch-1
@@ -0,0 +1,20 @@
+Revision: nag--upstream--2--patch-1
+Archive: pkg-horde-hackers at lists.alioth.debian.org--2006
+Creator: Lionel Elie Mamane <lionel at mamane.lu>
+Date: Sat Dec 24 18:27:49 CET 2005
+Standard-date: 2005-12-24 17:27:49 GMT
+Modified-files: docs/CHANGES docs/RELEASE_NOTES
+    lib/Block/summary.php lib/Driver/sql.php lib/version.php
+    templates/data/import.inc templates/list/header.inc
+    templates/list/task_summaries.inc templates/menu.inc
+    templates/prefs/tasklistselect.inc
+    templates/task/task.inc
+    templates/tasklists/tasklists.inc
+New-patches: pkg-horde-hackers at lists.alioth.debian.org--2006/nag--upstream--2--patch-1
+Summary: Import upstream nag 2.0.4
+Keywords: 
+
+Imported nag-h3-2.0.4
+into pkg-horde-hackers at lists.alioth.debian.org--2006/nag--upstream--2
+
+


--- orig/lib/Driver/sql.php
+++ mod/lib/Driver/sql.php
@@ -22,7 +22,7 @@
  *
  * The table structure can be created by the scripts/sql/nag.sql script.
  *
- * $Horde: nag/lib/Driver/sql.php,v 1.60.2.6 2005/06/23 03:08:53 selsky Exp $
+ * $Horde: nag/lib/Driver/sql.php,v 1.60.2.6.2.1 2005/12/10 22:08:33 chuck Exp $
  *
  * @author  Jon Parise <jon at horde.org>
  * @since   Nag 0.1
@@ -166,11 +166,11 @@
                         String::convertCharset($name, NLS::getCharset(), $this->_params['charset']),
                         String::convertCharset($uid, NLS::getCharset(), $this->_params['charset']),
                         String::convertCharset($desc, NLS::getCharset(), $this->_params['charset']),
-                        $due,
-                        $priority,
-                        $completed,
+                        (int)$due,
+                        (int)$priority,
+                        (int)$completed,
                         String::convertCharset($category, NLS::getCharset(), $this->_params['charset']),
-                        $alarm);
+                        (int)$alarm);
 
         /* Log the query at a DEBUG log level. */
         Horde::logMessage(sprintf('Nag_Driver_sql::add(): %s', $query),
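Review bot: Only the value list that is logged as `Nag_Driver_sql::add()` receives the `(int)` casts on `$due`, `$priority`, `$completed` and `$alarm`; no other hunk in this diff touches lib/Driver/sql.php, so any update path in the driver that builds a similar list should be checked for the same treatment. The casts also turn empty or non-numeric input into 0 without rejecting it, which deserves a one-line comment above the list, for example `/* Numeric columns: force integers; anything non-numeric is stored as 0. */`. The statement starts before the hunk, so it is not visible whether these values are bound as parameters or interpolated into the query string. If they are interpolated, the charset-converted string arguments need the driver's quoting as well.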


--- orig/lib/version.php
+++ mod/lib/version.php
@@ -1 +1 @@
-<?php define('NAG_VERSION', 'H3 (2.0.3)') ?>
+<?php define('NAG_VERSION', 'H3 (2.0.4)') ?>


--- orig/lib/Block/summary.php
+++ mod/lib/Block/summary.php
@@ -3,7 +3,7 @@
 $block_name = _("Tasks Summary");
 
 /**
- * $Horde: nag/lib/Block/summary.php,v 1.51.8.4 2005/05/18 10:52:03 jan Exp $
+ * $Horde: nag/lib/Block/summary.php,v 1.51.8.4.2.1 2005/12/10 22:08:33 chuck Exp $
  *
  * @package Horde_Block
  */
@@ -162,7 +162,7 @@
                 if (!is_a($share, 'PEAR_Error')) {
                     $owner = $share->get('name');
                 }
-                $html .= '<td width="1%" class="' . $tstyle . '">&nbsp;' . $owner . '&nbsp;</td>';
+                $html .= '<td width="1%" class="' . $tstyle . '">&nbsp;' . htmlspecialchars($owner) . '&nbsp;</td>';
             }
 
             $html .= '<td>';
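Review bot: `htmlspecialchars($owner)` relies on the function's default flags and charset. The same one-argument form is used at every escaping site added in templates/menu.inc, templates/prefs/tasklistselect.inc, templates/list/header.inc, templates/tasklists/tasklists.inc, templates/data/import.inc and templates/task/task.inc. Spelling the arguments out, `htmlspecialchars($owner, ENT_COMPAT, NLS::getCharset())`, would tie the escaping to the encoding the page is actually served in, assuming `NLS::getCharset()` (used in lib/Driver/sql.php) is also available here. All the attribute values escaped in this commit are double-quoted, so `ENT_COMPAT` is enough today; a single-quoted attribute added later would need `ENT_QUOTES`. The enclosing loop starts and ends outside the hunk.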


--- orig/templates/menu.inc
+++ mod/templates/menu.inc
@@ -3,22 +3,22 @@
 <?php $_menu_tasklists = Nag::listTasklists() ?>
 <div id="menu">
 <?php if (!$prefs->isLocked('default_tasklist') && (count($_menu_tasklists) > 1 || !count($GLOBALS['display_tasklists']))): ?>
- <span style="float:right">
+ <div style="float:right">
 <select name="display_tasklist" onchange="tasklistSubmit();">
   <option value=""><?php echo _("Show Tasklists:") ?></option>
 <?php foreach ($_menu_tasklists as $id => $tasklist): ?>
-  <option value="<?php echo $id ?>"><?php echo (in_array($id, $GLOBALS['display_tasklists']) ? '* ' : '') . $tasklist->get('name') ?></option>
+  <option value="<?php echo htmlspecialchars($id) ?>"><?php echo (in_array($id, $GLOBALS['display_tasklists']) ? '* ' : '') . htmlspecialchars($tasklist->get('name')) ?></option>
 <?php endforeach; ?>
 </select>
- </span>
- <span style="float:right">
+ </div>
+ <div style="float:right">
 <?php
 require_once 'Horde/Menu.php';
 $cmenu = &new Menu(HORDE_MENU_MASK_NONE);
 $cmenu->add('#', _("Show"), 'tasklists.png', null, null, 'return tasklistSubmit()', '__noselection');
 echo $cmenu->render();
 ?>
- </span>
+ </div>
 <?php endif; ?>
 
  <?php echo Nag::getMenu('string') ?>


--- orig/templates/prefs/tasklistselect.inc
+++ mod/templates/prefs/tasklistselect.inc
@@ -10,7 +10,7 @@
 <?php echo _("Your default task list:") ?><br />
 <select name="default_tasklist" class="fixed">
 <?php foreach ($tasklists as $id => $tasklist): ?>
-    <option value="<?php echo $id ?>"<?php if ($id == $default_tasklist) echo ' selected="selected"' ?>><?php echo $tasklist->get('name') ?></option>
+    <option value="<?php echo htmlspecialchars($id) ?>"<?php if ($id == $default_tasklist) echo ' selected="selected"' ?>><?php echo htmlspecialchars($tasklist->get('name')) ?></option>
 <?php endforeach; ?>
 </select><br /><br />
 <?php endif; ?>


--- orig/templates/list/task_summaries.inc
+++ mod/templates/list/task_summaries.inc
@@ -28,5 +28,5 @@
   <td nowrap="nowrap" class="<?php echo $style ?>">
     <?php echo !empty($task['due']) ? strftime($dateFormat, $task['due']) : '&nbsp;' ?>
   </td>
-  <td class="<?php echo $style ?>" style="background-color: <?php echo $color ?>; color: <?php echo $fgcolor ?>;"><?php echo htmlspecialchars($task['category'] ? $task['category'] : _("Unfiled")) ?></td>
+  <td class="<?php echo $style ?>" style="background:<?php echo htmlspecialchars($color) ?>; color:<?php echo $fgcolor ?>;"><?php echo strlen($task['category']) ? htmlspecialchars($task['category']) : _("Unfiled") ?></td>
 </tr>
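Review bot: `$fgcolor` is still echoed into the `style` attribute unescaped on the new line, while `$color` right beside it is now wrapped in `htmlspecialchars()`. HTML escaping keeps the value inside the attribute but does not restrict it to a colour, so a stored value could still carry extra CSS declarations. Where both values come from is outside the hunk. If they can derive from user-editable category settings, validate them as colours before output, for example `preg_match('/^#[0-9a-f]{6}$/i', $color) ? $color : ''` if the stored format is always six-digit hex, and apply the same treatment to `$fgcolor`.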


--- orig/templates/list/header.inc
+++ mod/templates/list/header.inc
@@ -1,12 +1,12 @@
 <table border="0" width="100%" cellpadding="0" cellspacing="0">
 <tr>
   <td align="left" width="30%" class="header">
-    <b><?php echo $title ?></b>
+    <strong><?php echo htmlspecialchars($title) ?></strong>
     <?php echo Horde::link(Horde::selfUrl(true), _("Refresh List")) .
                Horde::img('reload.png', _("Refresh List"), 'hspace="2"', $registry->getImageDir('horde')) ?></a>
   </td>
   <td align="right" width="70%" class="header">
-    <b><?php echo count($tasks) == 1 ? _("1 task") : sprintf(_("%d tasks"), count($tasks)) ?></b>
+    <strong><?php echo count($tasks) == 1 ? _("1 task") : sprintf(_("%d tasks"), count($tasks)) ?></strong>
   </td>
 </tr>
 </table>


--- orig/docs/CHANGES
+++ mod/docs/CHANGES
@@ -1,4 +1,11 @@
 ------
+v2.0.4
+------
+
+[cjh] Close several XSS vulnerabilities with task and tasklist data.
+
+
+------
 v2.0.3
 ------
 


--- orig/docs/RELEASE_NOTES
+++ mod/docs/RELEASE_NOTES
@@ -12,29 +12,36 @@
  * 8 - Minor security fixes
  * 9 - Major security fixes
  */
-$this->notes['fm']['focus'] = 4;
+$this->notes['fm']['focus'] = 8;
 
 /* Mailing list release notes. */
 $this->notes['ml']['changes'] = <<<ML
 The Horde Team is pleased to announce the final release of the Nag Task List
-Manager version H3 (2.0.3).
+Manager version H3 (2.0.4).
+
+This is a security release that fixes cross site scripting
+vulnerabilities in several of the tasklist name and task data
+fields. None of the vulnerabilities can be exploited by
+unauthenticated users; however, we strongly recommend that all users
+of Nag 2.0.3 upgrade to 2.0.4 as soon as possible.
+
+Many thanks to Johannes Greil of SEC Consult
+(http://www.sec-consult.com/) for reporting these problems and working
+with us to test the fixes.
 
 Nag is a web-based application built upon the Horde Application Framework which
 provides a simple, clean interface for managing online task lists (i.e., TODO
 lists).  It also includes strong integration with the other Horde applications
 and offers shared task lists.
 
-The major changes compared to the Nag H3 (2.0.2) version are:
-    * Allow to import more than one task from vTodo data at once.
-    * Minor bug fixes and improvements.
-    * Updated Finnish and Traditional Chinese translations.
+The major changes compared to the Nag H3 (2.0.3) version are:
+    * Close several XSS vulnerabilities with task and tasklist data.
 ML;
 
 /* Freshmeat release notes, not more than 600 characters. */
 $this->notes['fm']['changes'] = <<<FM
-More than one task can be imported from vTodo data at once now.
-Minor bugs have been fixed and improvements have been made.
-Finnish and Traditional Chinese translations have been updated.
+Several XSS vulnerabilities with task and tasklist data have been
+closed. The holes closed were only exploitable by authenticated users.
 FM;
 
 $this->notes['name'] = 'Nag';


--- orig/templates/tasklists/tasklists.inc
+++ mod/templates/tasklists/tasklists.inc
@@ -1,13 +1,13 @@
 <script language="JavaScript" type="text/javascript">
 <!--
 
-var editURL = '<?php echo str_replace('&amp;', '&', Util::addParameter(Horde::url($registry->get('webroot', 'horde') . '/services/shares/edit.php?app=nag'), 'share', '@ID@')) ?>';
+var editURL = decodeURIComponent('<?php echo rawurlencode(Util::addParameter(Horde::url($registry->get('webroot', 'horde') . '/services/shares/edit.php?app=nag', true), 'share', '@ID@', false)) ?>');
 var cancelSubmit = false;
 var fields = new Array();
 <?php foreach ($personal_tasklists as $id => $tasklist): ?>
-fields['<?php echo addslashes($id) ?>'] = new Array(
-        "<?php echo addslashes($tasklist->get('name')) ?>",
-        "<?php echo preg_replace('(\r\n|\n|\r)', '\n', addslashes($tasklist->get('desc'))) ?>");
+fields['<?php echo rawurlencode($id) ?>'] = new Array(
+        "<?php echo rawurlencode($tasklist->get('name')) ?>",
+        "<?php echo rawurlencode($tasklist->get('desc')) ?>");
 <?php endforeach; ?>
 
 function newChoice()
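Review bot: The array key in `fields['<?php echo rawurlencode($id) ?>']` is now percent-encoded, but `updateForm(share)` in the next hunk still indexes `fields[share]` directly, and the `<option>` values further down carry the id HTML-escaped rather than URL-encoded. For any id containing a character that `rawurlencode()` rewrites (an `@` in a user-name based id, for instance), the lookup would find nothing and `fields[share][0]` would throw. Decoding the key at definition time keeps the two sides aligned: `fields[decodeURIComponent('<?php echo rawurlencode($id) ?>')] = new Array(`. The body of `newChoice()` is outside the hunk, so the exact value it passes to `updateForm` should be confirmed.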
@@ -28,8 +28,8 @@
 function updateForm(share)
 {
     document.shares.edit_share.value = share;
-    document.shares.id.value = fields[share][0];
-    document.shares.description.value = fields[share][1];
+    document.shares.id.value = decodeURIComponent(fields[share][0]);
+    document.shares.description.value = decodeURIComponent(fields[share][1]);
 }
 
 function clearForm()
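Review bot: `decodeURIComponent(fields[share][0])` throws a `URIError` when the percent-encoded bytes are not valid UTF-8, and `rawurlencode()` in the previous hunk encodes whatever bytes the PHP string holds. If the page charset is not UTF-8, a task list name or description with non-ASCII characters would therefore break `updateForm`. Converting before encoding avoids that: `rawurlencode(String::convertCharset($tasklist->get('name'), NLS::getCharset(), 'UTF-8'))`, with the same change for `'desc'`. This assumes the `String` and `NLS` helpers seen in lib/Driver/sql.php are loaded in this template.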
@@ -71,7 +71,7 @@
 <select name="share" onchange="javascript:newChoice()">
   <option value="-1"><?php echo _("Select a task list") ?></option>
 <?php foreach ($personal_tasklists as $id => $tasklist): ?>
-  <option value="<?php echo $id ?>"><?php echo $tasklist->get('name') ?></option>
+  <option value="<?php echo htmlspecialchars($id) ?>"><?php echo htmlspecialchars($tasklist->get('name')) ?></option>
 <?php endforeach; ?>
 </select>
 </td></tr>
@@ -80,7 +80,7 @@
 
 <tr valign="top"><td class="item">
 
-<input type="hidden" name="edit_share" value="<?php echo isset($to_edit) ? $to_edit : '' ?>" />
+<input type="hidden" name="edit_share" value="<?php echo isset($to_edit) ? htmlspecialchars($to_edit) : '' ?>" />
 <?php echo _("Task List's name:") ?><br />
 <input name="id" size="30" maxlength="60" /><br />
 
@@ -88,7 +88,7 @@
 <br />
 
 <?php echo _("Description:") ?><br />
-<textarea wrap="hard" name="description" rows="6" cols="80"></textarea><br />
+<textarea name="description" rows="6" cols="80"></textarea><br />
 
 </td></tr></table></td></tr>
 <tr>


--- orig/templates/data/import.inc
+++ mod/templates/data/import.inc
@@ -1,12 +1,12 @@
 <form method="post" name="import_form" enctype="multipart/form-data" action="data.php">
 <?php Util::pformInput() ?>
-<input type="hidden" name="actionID" value="<?php echo $next_step ?>" />
-<input type="hidden" name="import_step" value="<?php echo $import_step ?>" />
+<input type="hidden" name="actionID" value="<?php echo htmlspecialchars($next_step) ?>" />
+<input type="hidden" name="import_step" value="<?php echo (int)$import_step ?>" />
 <table cellspacing="0" cellpadding="0" border="0" width="100%">
 <tr>
   <td>
     <table cellpadding="3" cellspacing="0" border="0" width="100%">
-    <tr><td class="header"><?php echo sprintf(_("Import Tasks, Step %d"), $import_step) ?></td>
+    <tr><td class="header"><?php echo sprintf(_("Import Tasks, Step %d"), (int)$import_step) ?></td>
     </tr></table>
   </td>
 </tr>
@@ -29,7 +29,7 @@
     foreach ($tasklists as $id => $tasklist) {
         $sel = ($id == $default) ? ' selected="selected"' : '';
         printf('<option value="%s"%s>%s</option>',
-               $id, $sel, $tasklist->get('name')) . "\n";
+               htmlspecialchars($id), $sel, htmlspecialchars($tasklist->get('name'))) . "\n";
     } ?>
     </select><br/>
 <?php else: ?>
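Review bot: The trailing `. "\n"` on the rewritten `printf(...)` line is concatenated onto printf's integer return value and then discarded, so the newline is never emitted. The identical construct is on the changed line in the second hunk of templates/task/task.inc. Since the line is being touched anyway, move the newline into the format string: `printf("<option value=\"%s\"%s>%s</option>\n",` followed by the existing arguments. The surrounding PHP block opens outside the hunk.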


--- orig/templates/task/task.inc
+++ mod/templates/task/task.inc
@@ -2,8 +2,8 @@
 <form method="post" name="task" action="task.php">
 <?php Util::pformInput() ?>
 <input type="hidden" name="actionID" value="save_task" />
-<input type="hidden" name="task" value="<?php echo $task_id ?>" />
-<input type="hidden" name="tasklist_original" value="<?php echo $tasklist_id ?>" />
+<input type="hidden" name="task" value="<?php echo htmlspecialchars($task_id) ?>" />
+<input type="hidden" name="tasklist_original" value="<?php echo htmlspecialchars($tasklist_id) ?>" />
 <input type="hidden" name="new_category" value="" />
 <div class="header"><?php echo htmlspecialchars($title) ?></div>
 
@@ -25,7 +25,7 @@
   foreach ($tasklists as $id => $tasklist) {
       $sel = ($id == $tasklist_id) ? ' selected="selected"' : '';
       printf('<option value="%s"%s>%s</option>',
-             $id, $sel, $tasklist->get('name')) . "\n";
+             htmlspecialchars($id), $sel, htmlspecialchars($tasklist->get('name'))) . "\n";
   } ?>
   </select>
 



