[commits] Horde branch master updated. 4035ab12e5f6496df7df23fc6250b404f0e8592e

Jan Schneider jan at horde.org
Tue Sep 6 14:21:19 UTC 2016


The branch "master" has been updated.
The following is a summary of the commits.

from: 9c69187f6f796e5effaeb233ee0af251e7627c9e

feb0cb3 Update backends.php
239c5ab Update Vfs.php
ba5c4a8 docs
cf1dd12 [jan] Catch errors when checking one-time form tokens.
2c4fa7e [jan] SECURITY: enable CSRF token for configuration form again (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).
a55bf75 [jan] SECURITY: Don't render SVG images in the browser to avoid XSS attacks (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).
30d5506 Fix XSS with data:html links and form actions.
4d8176d [jan] SECURITY: Fix XSS via data:text/html content of form action and xlink attributes (Reported by Liuzhu <fantasy7082 at hotmail.com>).
4035ab1 [jan] SECURITY: Add CSRF protection tokens to portal layout forms (Reported by Florian Köllich <florian.koellich at tirol.gv.at>).

Summary: http://github.com/horde/horde/compare/9c69187f6f796e5effaeb233ee0af251e7627c9e...4035ab12e5f6496df7df23fc6250b404f0e8592e

-----------------------------------------------------------------------

commit feb0cb3a4e39bf8d00f1c45d2d75c99c1783002b
Author: Rob Lensen <rob at bsdfreaks.nl>
Date:   Mon Sep 5 08:52:41 2016 +0200

    Update backends.php
    
    Add option to request Ingo::getUser(true)

 ingo/config/backends.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

http://github.com/horde/horde/commit/feb0cb3a4e39bf8d00f1c45d2d75c99c1783002b

-----------------------------------------------------------------------

commit 239c5abf03843c464d0543f67b19e7aee5a4e8ac
Author: Rob Lensen <rob at bsdfreaks.nl>
Date:   Mon Sep 5 08:54:16 2016 +0200

    Update Vfs.php
    
    Add option to request full username

 ingo/lib/Transport/Vfs.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

http://github.com/horde/horde/commit/239c5abf03843c464d0543f67b19e7aee5a4e8ac

-----------------------------------------------------------------------

commit ba5c4a85b2e479b26c030e3fb1ab9eb602f90f1f
Author: Jan Schneider <jan at horde.org>
Date:   Mon Sep 5 16:20:40 2016 +0200

    docs

 ingo/config/hooks.php.dist | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

http://github.com/horde/horde/commit/ba5c4a85b2e479b26c030e3fb1ab9eb602f90f1f

-----------------------------------------------------------------------

commit cf1dd12254a129fc196526b9adc79f8a146d202e
Author: Jan Schneider <jan at horde.org>
Date:   Tue Sep 6 15:57:10 2016 +0200

    [jan] Catch errors when checking one-time form tokens.

 framework/Form/lib/Horde/Form.php | 12 ++++++++----
 framework/Form/package.xml        |  4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)

http://github.com/horde/horde/commit/cf1dd12254a129fc196526b9adc79f8a146d202e

-----------------------------------------------------------------------

commit 2c4fa7e913afadc68f4d78f57994f0ce9a67787b
Author: Jan Schneider <jan at horde.org>
Date:   Tue Sep 6 16:04:43 2016 +0200

    [jan] SECURITY: enable CSRF token for configuration form again (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).

 framework/Core/lib/Horde/Config/Form.php | 9 ---------
 framework/Core/package.xml               | 4 +++-
 2 files changed, 3 insertions(+), 10 deletions(-)

http://github.com/horde/horde/commit/2c4fa7e913afadc68f4d78f57994f0ce9a67787b

-----------------------------------------------------------------------

commit a55bf759d3d8fd07dd5fda2ead075f5998e96364
Author: Jan Schneider <jan at horde.org>
Date:   Tue Sep 6 16:08:16 2016 +0200

    [jan] SECURITY: Don't render SVG images in the browser to avoid XSS attacks (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).

 framework/Mime_Viewer/lib/Horde/Mime/Viewer/Images.php | 3 +++
 framework/Mime_Viewer/package.xml                      | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

http://github.com/horde/horde/commit/a55bf759d3d8fd07dd5fda2ead075f5998e96364

-----------------------------------------------------------------------

commit 30d5506c20d26efbb9942fbdc6f981a0bd333b97
Author: Jan Schneider <jan at horde.org>
Date:   Tue Aug 16 14:46:21 2016 +0200

    Fix XSS with data:html links and form actions.
    
    The academically correct way to filter out xlink hrefs should have been to use hasAttributeNS/getAttributeNS with the XLink namespace. But from my testing browsers don't care about that namespace at all, and only use the xlink: prefix. This means that even if you correctly specify a different prefix for the XLink NS, the links won't be detected by the browser. xlink: prefixes OTOH even work without specifying the XLink namespace in the XML document.
    
    Reported By: Liuzhu <fantasy7082 at hotmail.com>

 framework/Text_Filter/lib/Horde/Text/Filter/Xss.php      | 16 ++++++++++++----
 framework/Text_Filter/test/Horde/Text/Filter/XssTest.php |  5 ++++-
 2 files changed, 16 insertions(+), 5 deletions(-)

http://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97
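To illustrate the reasoning in the commit message above (match the literal "xlink:" prefix, because browsers honour the prefix regardless of whether the XLink namespace is bound), here is an added, self-contained PHP sanitizer. It is not Horde's Horde_Text_Filter_Xss code; the constant XLINK_NS and the functions isLinkAttribute, isDataHtmlUri and stripDataHtmlLinks are names chosen for this example, and the sample markup is constructed, not taken from a report. It removes href, form action and xlink:href attributes whose value is a data: URI carrying HTML, checking the attribute both by prefix and by namespace.

```php
<?php
// Added example, not Horde's Horde_Text_Filter_Xss: remove link-bearing
// attributes (href, form action, xlink:href) whose value is a data: URI that
// carries HTML. Following the commit message, xlink:href is matched on its
// literal "xlink:" prefix and, additionally, on the XLink namespace, because
// browsers act on the prefix whether or not the namespace is declared.

const XLINK_NS = 'http://www.w3.org/1999/xlink';   // assumed constant name

/** Is this an attribute a browser would treat as a link or form target? */
function isLinkAttribute(DOMAttr $attr): bool
{
    $name = strtolower($attr->nodeName);
    if ($name === 'href' || $name === 'action' || $name === 'xlink:href') {
        return true;
    }
    // The namespace-aware check is kept as well, for documents that bind the
    // XLink namespace to some other prefix.
    return $attr->namespaceURI === XLINK_NS
        && strtolower((string) $attr->localName) === 'href';
}

/** Does the value resolve to a data: URI whose payload is HTML? */
function isDataHtmlUri(string $value): bool
{
    // Drop ASCII whitespace and control characters that URL parsers ignore
    // but a naive prefix test would trip over (e.g. " DATA:text/html").
    $normalized = strtolower(preg_replace('/[\x00-\x20]+/', '', $value));
    return (bool) preg_match('#^data:(text/)?html#', $normalized);
}

/** Return $html with every data:text/html link or form action removed. */
function stripDataHtmlLinks(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // SVG/XLink markup triggers HTML parser warnings
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('*') as $element) {
        $toRemove = [];
        foreach ($element->attributes as $attr) {
            if (isLinkAttribute($attr) && isDataHtmlUri($attr->value)) {
                $toRemove[] = $attr;
            }
        }
        // Remove after the walk: mutating a NamedNodeMap while iterating it
        // skips entries.
        foreach ($toRemove as $attr) {
            $element->removeAttributeNode($attr);
        }
    }
    return $doc->saveHTML();
}

// Constructed sample input: three attributes that must be dropped (form
// action, xlink:href without a namespace declaration, href with leading
// whitespace and mixed case) and one ordinary link that must survive.
$sample = '<form action="data:text/html,%3Cp%3Einjected%3C/p%3E"><input></form>'
    . '<svg><a xlink:href="data:text/html;base64,PHA+aW5qZWN0ZWQ8L3A+">x</a></svg>'
    . '<a href=" DATA:text/html,injected">y</a>'
    . '<a href="https://example.org/">ok</a>';

echo stripDataHtmlLinks($sample);
```

Run with `php example.php`; only the https://example.org/ link keeps its href, the other three attributes are gone. Note that PHP's DOMDocument::loadHTML uses libxml's HTML parser, which does not process namespaces, so in practice the xlink:href attribute arrives with the full "xlink:href" node name and no namespaceURI; the namespace branch in isLinkAttribute only matters when the same logic is applied to a document loaded with loadXML.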

-----------------------------------------------------------------------

commit 4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424
Author: Jan Schneider <jan at horde.org>
Date:   Tue Sep 6 16:15:10 2016 +0200

    [jan] SECURITY: Fix XSS via data:text/html content of form action and xlink attributes (Reported by Liuzhu <fantasy7082 at hotmail.com>).

 framework/Text_Filter/package.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

http://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424

-----------------------------------------------------------------------

commit 4035ab12e5f6496df7df23fc6250b404f0e8592e
Author: Jan Schneider <jan at horde.org>
Date:   Tue Sep 6 16:18:57 2016 +0200

    [jan] SECURITY: Add CSRF protection tokens to portal layout forms (Reported by Florian Köllich <florian.koellich at tirol.gv.at>).

 framework/Core/lib/Horde/Core/Block/Layout/Manager.php | 3 +++
 framework/Core/package.xml                             | 2 ++
 horde/templates/portal/add.inc                         | 1 +
 horde/templates/portal/layout.inc                      | 1 +
 4 files changed, 7 insertions(+)

http://github.com/horde/horde/commit/4035ab12e5f6496df7df23fc6250b404f0e8592e
