[SCM] messagelib packaging branch, master, updated. debian/16.04.3-2-84-gd3cff88
Maximiliano Curia
maxy at moszumanska.debian.org
Sun Aug 27 20:39:27 UTC 2017
Gitweb-URL: http://git.debian.org/?p=pkg-kde/applications/messagelib.git;a=commitdiff;h=1122d8c
The following commit has been merged in the master branch:
commit 1122d8ccddd7819126de82392b0eb8dc8271c447
Author: Jonathan Riddell <jr at jriddell.org>
Date: Thu Oct 6 23:18:13 2016 +0100
security patches
---
debian/patches/kde_01_CVE-2016-7968.diff | 323 +++++++++++++++++++++++++++++++
debian/patches/kde_02-CVE-2016-7966.diff | 21 ++
debian/patches/series | 2 +
3 files changed, 346 insertions(+)
diff --git a/debian/patches/kde_01_CVE-2016-7968.diff b/debian/patches/kde_01_CVE-2016-7968.diff
new file mode 100644
index 0000000..8d8020e
--- /dev/null
+++ b/debian/patches/kde_01_CVE-2016-7968.diff
@@ -0,0 +1,323 @@
+From: Montel Laurent <montel at kde.org>
+Date: Mon, 03 Oct 2016 09:47:11 +0000
+Subject: Now we can use messageviewer without javascript enabled.
+X-Git-Url: http://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=f601f9ffb706f7d3a5893b04f067a1f75da62c99
+---
+Now we can use messageviewer without javascript enabled.
+---
+
+
+--- a/messageviewer/src/htmlwriter/webengineparthtmlwriter.cpp
++++ b/messageviewer/src/htmlwriter/webengineparthtmlwriter.cpp
+@@ -61,7 +61,9 @@
+ insertExtraHead();
+ mExtraHead.clear();
+ }
++#if QT_VERSION < QT_VERSION_CHECK(5, 7, 0)
+ mHtml = removeJscripts(mHtml);
++#endif
+ mHtmlView->setHtml(mHtml, QUrl(QStringLiteral("file:///")));
+ mHtmlView->show();
+ mHtml.clear();
+
+--- a/messageviewer/src/scamdetection/scamdetectionwebengine.cpp
++++ b/messageviewer/src/scamdetection/scamdetectionwebengine.cpp
+@@ -23,6 +23,7 @@
+ #include "settings/messageviewersettings.h"
+ #include "MessageViewer/ScamCheckShortUrl"
+ #include "webengineviewer/webenginescript.h"
++#include <WebEngineViewer/WebEngineManageScript>
+
+ #include <KLocalizedString>
+
+@@ -84,7 +85,13 @@
+ void ScamDetectionWebEngine::scanPage(QWebEnginePage *page)
+ {
+ if (MessageViewer::MessageViewerSettings::self()->scamDetectionEnabled()) {
++#if QT_VERSION >= 0x050700
++ page->runJavaScript(WebEngineViewer::WebEngineScript::findAllAnchorsAndForms(),
++ WebEngineViewer::WebEngineManageScript::scriptWordId(),
++ invoke(this, &ScamDetectionWebEngine::handleScanPage));
++#else
+ page->runJavaScript(WebEngineViewer::WebEngineScript::findAllAnchorsAndForms(), invoke(this, &ScamDetectionWebEngine::handleScanPage));
++#endif
+ }
+ }
+
+
+--- a/messageviewer/src/viewer/viewer.cpp
++++ b/messageviewer/src/viewer/viewer.cpp
+@@ -31,6 +31,7 @@
+ #include "settings/messageviewersettings.h"
+ #include "viewer/webengine/mailwebengineview.h"
+ #include <WebEngineViewer/WebHitTestResult>
++#include <WebEngineViewer/WebEngineManageScript>
+ #include "viewer/mimeparttree/mimetreemodel.h"
+ #include "viewer/mimeparttree/mimeparttreeview.h"
+ #include "widgets/zoomactionmenu.h"
+@@ -636,9 +637,13 @@
+ void Viewer::runJavaScript(const QString &code)
+ {
+ Q_D(Viewer);
+- d->mViewer->page()->runJavaScript(code);
+-}
+-
+-}
+-
+-
++#if QT_VERSION >= QT_VERSION_CHECK(5, 7, 0)
++ d->mViewer->page()->runJavaScript(code, WebEngineViewer::WebEngineManageScript::scriptWordId());
++#else
++ d->mViewer->page()->runJavaScript(code);
++#endif
++}
++
++}
++
++
+
+--- a/messageviewer/src/viewer/webengine/mailwebenginepage.cpp
++++ b/messageviewer/src/viewer/webengine/mailwebenginepage.cpp
+@@ -43,7 +43,11 @@
+ void MailWebEnginePage::initialize()
+ {
+ profile()->setHttpCacheType(QWebEngineProfile::MemoryHttpCache);
++#if QT_VERSION >= QT_VERSION_CHECK(5, 7, 0)
++ settings()->setAttribute(QWebEngineSettings::JavascriptEnabled, false);
++#else
+ settings()->setAttribute(QWebEngineSettings::JavascriptEnabled, true);
++#endif
+ settings()->setAttribute(QWebEngineSettings::PluginsEnabled, false);
+ settings()->setAttribute(QWebEngineSettings::JavascriptCanOpenWindows, false);
+ settings()->setAttribute(QWebEngineSettings::JavascriptCanAccessClipboard, false);
+
+--- a/messageviewer/src/viewer/webengine/mailwebengineview.cpp
++++ b/messageviewer/src/viewer/webengine/mailwebengineview.cpp
+@@ -25,6 +25,7 @@
+ #include "loadexternalreferencesurlinterceptor/loadexternalreferencesurlinterceptor.h"
+ #include "cidreferencesurlinterceptor/cidreferencesurlinterceptor.h"
+ #include <WebEngineViewer/NetworkAccessManagerWebEngine>
++#include <WebEngineViewer/WebEngineManageScript>
+
+ #include "scamdetection/scamdetectionwebengine.h"
+ #include "scamdetection/scamcheckshorturl.h"
+@@ -110,7 +111,11 @@
+
+ void MailWebEngineView::runJavaScriptInWordId(const QString &script)
+ {
++#if QT_VERSION >= 0x050700
++ page()->runJavaScript(script, WebEngineViewer::WebEngineManageScript::scriptWordId());
++#else
+ page()->runJavaScript(script);
++#endif
+ }
+
+ void MailWebEngineView::initializeScripts()
+@@ -269,8 +274,13 @@
+
+ void MailWebEngineView::scrollToAnchor(const QString &anchor)
+ {
+- //TODO add wordid here too
++#if QT_VERSION >= 0x050700
++ page()->runJavaScript(WebEngineViewer::WebEngineScript::searchElementPosition(anchor),
++ WebEngineViewer::WebEngineManageScript::scriptWordId(),
++ invoke(this, &MailWebEngineView::handleScrollToAnchor));
++#else
+ page()->runJavaScript(WebEngineViewer::WebEngineScript::searchElementPosition(anchor), invoke(this, &MailWebEngineView::handleScrollToAnchor));
++#endif
+ }
+
+ void MailWebEngineView::handleScrollToAnchor(const QVariant &result)
+
+--- a/messageviewer/src/viewer/webengine/tests/testmailwebengine.cpp
++++ b/messageviewer/src/viewer/webengine/tests/testmailwebengine.cpp
+@@ -27,6 +27,7 @@
+ #include <QWebEngineSettings>
+
+ #include <MessageViewer/MailWebEngineView>
++#include <WebEngineViewer/WebEngineManageScript>
+
+ TestMailWebEngine::TestMailWebEngine(QWidget *parent)
+ : QWidget(parent)
+@@ -75,12 +76,20 @@
+
+ void TestMailWebEngine::slotScrollDown()
+ {
++#if QT_VERSION >= 0x050700
++ mTestWebEngine->page()->runJavaScript(WebEngineViewer::WebEngineScript::scrollDown(10), WebEngineViewer::WebEngineManageScript::scriptWordId());
++#else
+ mTestWebEngine->page()->runJavaScript(WebEngineViewer::WebEngineScript::scrollDown(10));
++#endif
+ }
+
+ void TestMailWebEngine::slotScrollUp()
+ {
++#if QT_VERSION >= 0x050700
++ mTestWebEngine->page()->runJavaScript(WebEngineViewer::WebEngineScript::scrollUp(10), WebEngineViewer::WebEngineManageScript::scriptWordId());
++#else
+ mTestWebEngine->page()->runJavaScript(WebEngineViewer::WebEngineScript::scrollUp(10));
++#endif
+ }
+
+ void TestMailWebEngine::slotZoomDown()
+
+--- a/webengineviewer/src/CMakeLists.txt
++++ b/webengineviewer/src/CMakeLists.txt
+@@ -179,6 +179,7 @@
+ WebEngineView
+ WebHitTest
+ WebEngineScript
++ WebEngineManageScript
+ WebEnginePrintMessageBox
+ WebEngineExportHtmlPageJob
+ REQUIRED_HEADERS WebEngineViewer_webengine_misc_HEADERS
+
+--- a/webengineviewer/src/tests/testjquerysupportwebengine.cpp
++++ b/webengineviewer/src/tests/testjquerysupportwebengine.cpp
+@@ -27,6 +27,7 @@
+ #include <QPushButton>
+ #include <QMessageBox>
+ #include <QTextEdit>
++#include <WebEngineViewer/WebEngineManageScript>
+
+ TestJQuerySupportWebEngine::TestJQuerySupportWebEngine(QWidget *parent)
+ : QWidget(parent)
+@@ -57,7 +58,11 @@
+ {
+ const QString code = mEditor->toPlainText();
+ if (!code.isEmpty()) {
++#if QT_VERSION >= 0x050700
++ pageView->page()->runJavaScript(code, WebEngineViewer::WebEngineManageScript::scriptWordId());
++#else
+ pageView->page()->runJavaScript(code);
++#endif
+ }
+ }
+
+
+--- a/webengineviewer/src/webengineaccesskey/webengineaccesskey.cpp
++++ b/webengineviewer/src/webengineaccesskey/webengineaccesskey.cpp
+@@ -20,6 +20,7 @@
+ #include "webengineaccesskey.h"
+ #include "webengineaccesskeyanchor.h"
+ #include "webengineaccesskeyutils.h"
++#include "webenginemanagescript.h"
+
+ #include <KActionCollection>
+ #include <QKeyEvent>
+@@ -385,7 +386,13 @@
+ void WebEngineAccessKey::showAccessKeys()
+ {
+ d->mAccessKeyActivated = WebEngineAccessKeyPrivate::Activated;
++#if QT_VERSION >= QT_VERSION_CHECK(5, 7, 0)
++ d->mWebEngine->page()->runJavaScript(WebEngineViewer::WebEngineAccessKeyUtils::script(),
++ WebEngineManageScript::scriptWordId(),
++ invoke(this, &WebEngineAccessKey::handleSearchAccessKey));
++#else
+ d->mWebEngine->page()->runJavaScript(WebEngineViewer::WebEngineAccessKeyUtils::script(), invoke(this, &WebEngineAccessKey::handleSearchAccessKey));
+-}
+-
+-
++#endif
++}
++
++
+
+--- a/webengineviewer/src/webenginemanagescript.cpp
++++ b/webengineviewer/src/webenginemanagescript.cpp
+@@ -54,7 +54,7 @@
+ script.setName(scriptName);
+ script.setInjectionPoint(injectionPoint);
+ script.setRunsOnSubFrames(true);
+- script.setWorldId(QWebEngineScript::MainWorld);
++ script.setWorldId(scriptWordId());
+ }
+ script.setSourceCode(source);
+ profile->scripts()->insert(script);
+
+--- a/webengineviewer/src/webenginemanagescript.h
++++ b/webengineviewer/src/webenginemanagescript.h
+@@ -22,17 +22,20 @@
+
+ #include <QObject>
+ #include <QWebEngineScript>
++#include "webengineviewer_export.h"
+
+ class QWebEngineProfile;
+ namespace WebEngineViewer
+ {
+-class WebEngineManageScript : public QObject
++class WEBENGINEVIEWER_EXPORT WebEngineManageScript : public QObject
+ {
+ Q_OBJECT
+ public:
+ explicit WebEngineManageScript(QObject *parent = Q_NULLPTR);
+ ~WebEngineManageScript();
+ void addScript(QWebEngineProfile *profile, const QString &source, const QString &scriptName, QWebEngineScript::InjectionPoint injectionPoint);
++
++ static qint32 scriptWordId() { return (QWebEngineScript::UserWorld + 1); }
+ };
+ }
+ #endif // WEBENGINEMANAGESCRIPT_H
+
+--- a/webengineviewer/src/webengineview.cpp
++++ b/webengineviewer/src/webengineview.cpp
+@@ -57,6 +57,11 @@
+ WebEngineView::~WebEngineView()
+ {
+ delete d;
++}
++
++WebEngineManageScript *WebEngineView::webEngineManagerScript() const
++{
++ return d->mManagerScript;
+ }
+
+ void WebEngineView::initializeJQueryScript()
+
+--- a/webengineviewer/src/webengineview.h
++++ b/webengineviewer/src/webengineview.h
+@@ -26,6 +26,7 @@
+ namespace WebEngineViewer
+ {
+ class WebEngineViewPrivate;
++class WebEngineManageScript;
+ class WEBENGINEVIEWER_EXPORT WebEngineView : public QWebEngineView
+ {
+ Q_OBJECT
+@@ -41,6 +42,9 @@
+
+ void addScript(const QString &source, const QString &scriptName, QWebEngineScript::InjectionPoint injectionPoint);
+ void initializeJQueryScript();
++
++ WebEngineManageScript *webEngineManagerScript() const;
++
+ protected:
+ bool eventFilter(QObject *obj, QEvent *event) Q_DECL_OVERRIDE;
+ QWebEngineView *createWindow(QWebEnginePage::WebWindowType type) Q_DECL_OVERRIDE;
+
+--- a/webengineviewer/src/webhittest.cpp
++++ b/webengineviewer/src/webhittest.cpp
+@@ -20,6 +20,7 @@
+ #include "webhittest.h"
+ #include "webhittestresult.h"
+ #include <QWebEnginePage>
++#include "webenginemanagescript.h"
+
+ using namespace WebEngineViewer;
+ template<typename Arg, typename R, typename C>
+@@ -113,7 +114,13 @@
+
+ const QString &js = source.arg(pos.x()).arg(pos.y());
+ d->m_pageUrl = page->url();
++#if QT_VERSION >= 0x050700
++ page->runJavaScript(js,
++ WebEngineViewer::WebEngineManageScript::scriptWordId(),
++ invoke(this, &WebHitTest::handleHitTest));
++#else
+ page->runJavaScript(js, invoke(this, &WebHitTest::handleHitTest));
++#endif
+ }
+
+ WebHitTest::~WebHitTest()
+
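Review bot: In the nested mailwebenginepage.cpp hunk, a build against Qt older than 5.7 takes the `#else` branch and keeps `QWebEngineSettings::JavascriptEnabled` set to `true`. On such builds script blocking still rests entirely on the string filtering in `removeJscripts()` (webengineparthtmlwriter.cpp hunk), so the patch appears not to give the isolation its subject line describes. A comment on that branch would make this visible, for example `// Qt < 5.7: no isolated script world, page JavaScript stays enabled; removeJscripts() is the only filter`. The packaging should presumably also require Qt >= 5.7, though the control file is not shown here. Separately, the guards alternate between `QT_VERSION >= 0x050700` and `QT_VERSION_CHECK(5, 7, 0)`; one form throughout would make the guarded `runJavaScript` call sites easier to audit.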
diff --git a/debian/patches/kde_02-CVE-2016-7966.diff b/debian/patches/kde_02-CVE-2016-7966.diff
new file mode 100644
index 0000000..99e3af5
--- /dev/null
+++ b/debian/patches/kde_02-CVE-2016-7966.diff
@@ -0,0 +1,21 @@
+From: Montel Laurent <montel at kde.org>
+Date: Thu, 29 Sep 2016 14:03:09 +0000
+Subject: Disable some js feature
+X-Git-Url: http://quickgit.kde.org/?p=messagelib.git&a=commitdiff&h=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1
+---
+Disable some js feature
+---
+
+
+--- a/messageviewer/src/viewer/webengine/mailwebenginepage.cpp
++++ b/messageviewer/src/viewer/webengine/mailwebenginepage.cpp
+@@ -50,6 +50,8 @@
+ settings()->setAttribute(QWebEngineSettings::LocalStorageEnabled, false);
+ settings()->setAttribute(QWebEngineSettings::XSSAuditingEnabled, false);
+ settings()->setAttribute(QWebEngineSettings::ErrorPageEnabled, false);
++ settings()->setAttribute(QWebEngineSettings::LocalContentCanAccessRemoteUrls, false);
++ settings()->setAttribute(QWebEngineSettings::LocalContentCanAccessFileUrls, false);
+ #if QT_VERSION >= QT_VERSION_CHECK(5, 7, 0)
+ settings()->setAttribute(QWebEngineSettings::WebGLEnabled, false);
+ settings()->setAttribute(QWebEngineSettings::AutoLoadIconsForPage, false);
+
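Review bot: The two added `setAttribute` lines in `MailWebEnginePage::initialize()` have no comment explaining why they matter, and the patch subject "Disable some js feature" does not say either. The writer touched by the other patch loads the message with `setHtml(mHtml, QUrl(QStringLiteral("file:///")))`, so mail HTML is presumably treated as local content, and these flags are what stop it from reaching file and remote URLs. A comment above them would record that, for example `// Message HTML is loaded with a file:/// base URL: local content must not read file:// or remote URLs`. It is also worth confirming that the existing load-external-references path still behaves as intended with `LocalContentCanAccessRemoteUrls` off, since that interaction is not visible in this hunk. `initialize()` begins and ends outside the hunk.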
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..f6f2d69
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+kde_01_CVE-2016-7968.diff
+kde_02-CVE-2016-7966.diff
--
messagelib packaging