
Annotation of /rpms/smeserver-ezmlm-web/contribs9/smeserver-ezmlm-web-1.1.3-bz10241-security.patch



Revision 1.1 - (hide annotations) (download)
Mon Apr 17 20:42:47 2017 UTC (7 years, 6 months ago) by unnilennium
Branch: MAIN
CVS Tags: smeserver-ezmlm-web-1_1_3-5_el6_sme
* Mon Apr 17 2017 Jean-Philipe Pialasse <tests@pialasse.com> 1.1.3-5.sme
- improve security [SME: 10241]
- added userpanel-mailinglist
- added per user and per list delegation.

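--- a/root/etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/85EzmlmWebAccess
+++ b/root/etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/85EzmlmWebAccess
@@ -0,0 +1,15 @@
+Alias /ezmlm-web /usr/local/share/ezmlm-web/www-data
+
+<Directory /usr/local/share/ezmlm-web/www-data >
+ Options +ExecCGI
+ order deny,allow
+ deny from all
+ allow from { "$localAccess"; }
+ AuthName "SME User manager"
+ AuthType Basic
+ TKTAuthLoginURL /server-common/cgi-bin/login
+ require valid-user
+ Satisfy all
+
+</Directory>
+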
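Review bot: The Directory block authenticates but does not authorise: `require valid-user` together with `Satisfy all` admits any account that holds a valid ticket, and which lists that account may manage is decided later by ezmlm-web from /home/e-smith/files/ezmlm/lists/webusers, generated elsewhere in this same patch. That split is not visible from the block itself, so a comment above `AuthName` would help: `# Ticket auth only identifies the user; per-list rights come from /home/e-smith/files/ezmlm/lists/webusers`. Note also that `allow from $localAccess` is the only IP rule on the admin port, so remote users reach this directory only through the ProxyPass added in VirtualHosts/28ezmlm-web, which presumably arrives from 127.0.0.1; whether that address falls inside `$localAccess` cannot be confirmed from the patch and is worth stating in the same comment.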
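--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/85EzmlmWebAccess
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/85EzmlmWebAccess
@@ -1,8 +0,0 @@
-Alias /ezmlm-web /usr/local/share/ezmlm-web/www-data
-
-<Directory /usr/local/share/ezmlm-web/www-data >
- Options +ExecCGI
- order deny,allow
- deny from all
- allow from { "$localAccess $externalSSLAccess"; }
-</Directory>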
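--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28ezmlm-web
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28ezmlm-web
@@ -0,0 +1,31 @@
+{
+ # vim: ft=perl:
+
+ $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
+ $plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
+ $UserAlias = ${UserPanelAlias} || 'user';
+
+
+ $OUT = '';
+ foreach $place ('ezmlm-web')
+ {
+ if (($port eq "80") && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
+ {
+ $OUT .= " RewriteRule ^/$place(/.*|\$) https://%{HTTP_HOST}/$place\$1 [L,R]\n";
+ } else {
+ $OUT .= " ProxyPass /$place http://127.0.0.1:${'httpd-admin'}{TCPPort}/$place\n";
+ $OUT .= " ProxyPassReverse /$place http://127.0.0.1:${'httpd-admin'}{TCPPort}/$place\n";
+ }
+
+ $OUT .= " <Location /$place>\n";
+ $OUT .= " order deny,allow\n";
+ $OUT .= " deny from all\n";
+ if (($haveSSL eq 'yes') && (($port eq "443") || ($plainTextAccess ne 'yes')))
+ {
+ $OUT .= " allow from $localAccess $externalSSLAccess\n";
+ } else {
+ $OUT .= " allow from $localAccess\n";
+ }
+ $OUT .= " </Location>\n";
+ }
+}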
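Review bot: `$UserAlias` (the line `$UserAlias = ${UserPanelAlias} || 'user';`) is assigned but never read anywhere in the fragment, while `$port`, `$localAccess` and `$externalSSLAccess` are read but never assigned here, so the block presumably depends on the enclosing VirtualHosts template to provide them; either drop the dead assignment or document the inputs at the top, e.g. `# inputs set by the enclosing VirtualHosts template: $port, $localAccess, $externalSSLAccess`. `foreach $place ('ezmlm-web')` iterates a package variable over a single literal; `foreach my $place ('ezmlm-web')` keeps it lexical, which is how the other templates in this patch already declare their variables. The ProxyPass branch forwards to the admin port over plain HTTP on 127.0.0.1, so the `allow from` rules in the `<Location>` block are what actually bound external reach, since the backend Directory only permits `$localAccess`; a one-line comment saying so would save the next reader from re-deriving it.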
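--- a/root/etc/e-smith/templates/home/e-smith/files/ezmlm/lists/webusers/10webusers
+++ b/root/etc/e-smith/templates/home/e-smith/files/ezmlm/lists/webusers/10webusers
@@ -0,0 +1,22 @@
+{
+# set users with privileges on all lists on ALL
+my $ALLusers = $ezmlm{'ALL'} || "";
+$ALLusers =~ s/[,:]/ /g;
+$OUT = "ALL: admin $ALLusers\n";
+
+# set allowed users on ALLOW_CREATE
+# currently unecessary as we have disabled the ezmlm-web feature to create lists
+# and we use our own process, thus only admin can create lists
+my $ALLOWusers = $ezmlm{'ALLOW_CREATE'} || "";
+$ALLOWusers =~ s/[,:]/ /g;
+$OUT .= "ALLOW_CREATE: admin $ALLOWusers\n";
+
+# set privileges on individual lists
+my $accounts = esmith::ConfigDB->open_ro('accounts');
+foreach my $mllist ( $accounts->get_all_by_prop(type=>('mailinglist')) ) {
+ my $listname = $mllist->key;
+ my $users = $mllist->prop('webusers') || '';
+ $users =~ s/[,:]/ /g;
+ $OUT .= "$listname: $users \n" unless $users eq '';
+ }
+}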
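Review bot: The names written here (`$ALLusers`, `$ALLOWusers`, `$users`) come from DB properties that the mailinglists panel stores directly from the `groupMembers` form values, and `s/[,:]/ /g` only swaps separators, so a stored value containing whitespace or a newline would yield a malformed or extra line in the webusers file that ezmlm-web then trusts for authorisation. Filtering each token with the same pattern the panel uses for list names keeps the file well-formed whatever reached the DB, e.g. for the ALL line: `my @all = grep { /^[a-zA-Z][\-\_\.a-zA-Z0-9]*$/ } split /[,:\s]+/, ($ezmlm{'ALL'} || '');` followed by `$OUT = "ALL: admin @all\n";`. The same treatment applies to the ALLOW_CREATE block and to `$users` inside the per-list loop, which could additionally drop names that no longer exist in `$accounts`. The per-list line also emits a trailing space before `\n`, harmless but untidy.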
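--- a/root/etc/e-smith/templates.metadata/home/e-smith/files/ezmlm/lists/webusers
+++ b/root/etc/e-smith/templates.metadata/home/e-smith/files/ezmlm/lists/webusers
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="ezmlm"
+GID="admin"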
100     diff -Nur smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/web/functions/mailinglists smeserver-ezmlm-web-1.1.3/root/etc/e-smith/web/functions/mailinglists
101     --- smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/web/functions/mailinglists 2017-04-17 16:17:40.685000000 -0400
102     +++ smeserver-ezmlm-web-1.1.3/root/etc/e-smith/web/functions/mailinglists 2017-04-17 16:32:11.732000000 -0400
103     @@ -47,6 +47,8 @@
104     sub performModifyList ($);
105     sub deleteList ($);
106     sub performDeleteList ($);
107     +sub performWebusersList ($);
108     +sub webusersList ($);
109    
110     BEGIN
111     {
112     @@ -109,6 +111,18 @@
113     {
114     performDeleteList ($q);
115     }
116     +
117     +elsif ($q->param ('state') eq "webusers")
118     +{
119     + webusersList ($q);
120     +}
121     +
122     +
123     +elsif ($q->param ('state') eq "performWebusers")
124     +{
125     + performWebusersList ($q);
126     +}
127     +
128     else
129     {
130     esmith::cgi::genStateError ($q, undef);
131     @@ -171,6 +185,7 @@
132     esmith::cgi::genSmallCell ($q, $q->b ('Domain')),
133     esmith::cgi::genSmallCell ($q, $q->b ('Description')),
134     $q->td ('&nbsp;'),
135     + $q->td ('&nbsp;'),
136     $q->td ('&nbsp;')
137     );
138    
139     @@ -189,12 +204,48 @@
140     'Modify...')),
141    
142     esmith::cgi::genSmallCell ($q,
143     + $q->a ( { href => $q->url (-absolute => 1) .
144     + "?state=webusers&list=" .
145     + $list->key },
146     + 'Webusers...')),
147     +
148     + esmith::cgi::genSmallCell ($q,
149     $q->a ({href => $q->url (-absolute => 1)
150     . "?state=delete&list="
151     . $list->key}, 'Remove...'))
152     );
153     }
154    
155     + print $q->Tr ( esmith::cgi::genSmallCell ($q, 'ALL:'),
156     + esmith::cgi::genSmallCell ($q, ''),
157     + esmith::cgi::genSmallCell ($q, 'Generik webmanagement rights'),
158     + esmith::cgi::genSmallCell ($q,''),
159     +
160     + esmith::cgi::genSmallCell ($q,
161     + $q->a ( { href => $q->url (-absolute => 1) .
162     + "?state=webusers&list=" .
163     + 'ALL' },
164     + 'Webusers...')),
165     +
166     + esmith::cgi::genSmallCell ($q,'')
167     + );
168     +
169     +#/* future use
170     +# print $q->Tr ( esmith::cgi::genSmallCell ($q, 'ALLOW_CREATE'),
171     +# esmith::cgi::genSmallCell ($q, ''),
172     +# esmith::cgi::genSmallCell ($q, 'future use'),
173     +# esmith::cgi::genSmallCell ($q,''),
174     +#
175     +# esmith::cgi::genSmallCell ($q,
176     +# $q->a ( { href => $q->url (-absolute => 1) .
177     +# "?state=webusers&list=" .
178     +# 'ALLOW_CREATE' },
179     +# 'Webusers...')),
180     +#
181     +# esmith::cgi::genSmallCell ($q,'')
182     +# );
183     +#*/
184     +
185     print '</table>';
186     }
187    
188     @@ -202,6 +253,116 @@
189     }
190    
191     #------------------------------------------------------------
192     +#
193     +#------------------------------------------------------------
194     +sub webusersList ($)
195     +{
196     + my ($q) = @_;
197     + my $members = "";
198     + my $listName = $q->param ('list');
199     + esmith::cgi::genHeaderNonCacheable
200     + ($q, undef, 'Manage webusers for the following mailinglist: '. $listName );
201     +
202     + print $q->startform (-method => 'POST',
203     + -action => $q->url (-absolute => 1));
204     +
205     +
206     + if ($listName eq "ALL") {
207     + $members = $conf->get('ezmlm')->prop('ALL') || '';
208     + }
209     + elsif ($listName eq "ALLOW_CREATE") {
210     + $members = $conf->get('ezmlm')->prop('ALLOW_CREATE') || '';
211     + }
212     + elsif ($accounts->get($listName)) {
213     + $members = $accounts->get($listName)->prop('webusers') || '';
214     + }
215     + my %members;
216     + foreach my $member ( split ( /,/, $members ) ) {
217     + $members{$member} = 1;
218     + }
219     + my @users = sort { $a->key() cmp $b->key() } $accounts->users();
220     +
221     +
222     + my $out = "<tr>\n <td class=\"sme-noborders-label\">"
223     + . 'Webusers :' #$fm->localise('GROUP_MEMBERS')
224     + . "</td>\n <td>\n"
225     + . " <table border='0' cellspacing='0' cellpadding='0'>\n"
226     + . " <tr>\n";
227     + foreach my $user (@users) {
228     + my $checked = "";
229     + if ( $members{ $user->key() } ) {
230     + $checked = "checked";
231     + }
232     + my $name;
233     + $name = $user->prop('FirstName') . " " . $user->prop('LastName');
234     +
235     + $out .=" <tr>\n"
236     + . " <td><input type=\"checkbox\" name=\"groupMembers\" $checked value=\""
237     + . $user->key
238     + . "\"></td>\n <td>$name (".$user->key.")</td>\n </tr>\n";
239     +
240     + }
241     +
242     + $out .= " </table>\n </td>\n </tr>\n";
243     +
244     + print $q->table ({border => 0, cellspacing => 0, cellpadding => 4},
245     + esmith::cgi::genTextRow ($q,
246     +
247     + $q->p ('Please select the users who need to be able to manage the list ',
248     + 'using the web panel. Any user present in the generic list "ALL"',
249     + 'will be able to administer all existing and future lists.',
250     + 'The admin is always member of the list ALL.') . ' ' ),
251     +
252     + esmith::cgi::genTextRow ($q,$out),
253     + esmith::cgi::genButtonRow ($q,
254     + $q->submit (-name => 'action',
255     + -value => 'Update')));
256     +
257     + print '</table>';
258     +
259     +
260     + print $q->hidden (-name => 'state',
261     + -override => 1,
262     + -default => 'performWebusers');
263     + print $q->hidden (-name => 'list',
264     + -override => 1,
265     + -default => $listName);
266     +
267     +
268     + print $q->endform;
269     +
270     + esmith::cgi::genFooter ($q);
271     + return;
272     +}
273     +
274     +#------------------------------------------------------------
275     +#
276     +#------------------------------------------------------------
277     +sub performWebusersList ($)
278     +{
279     + my $q = shift;
280     +
281     + my @members = $q->param('groupMembers');
282     + my $listName = $q->param('list');
283     + # Untaint groupName before use in system()
284     + ($listName) = ($listName =~ /^([a-zA-Z][\-\_\.a-zA-Z0-9]*)$/);
285     +
286     + if ($listName eq "ALL") {
287     + $conf->get('ezmlm')->prop('ALL');
288     + $conf->get('ezmlm')->set_prop( 'ALL', join ( ',', @members ) );
289     + }
290     + elsif ($listName eq "ALLOW_CREATE") {
291     + $conf->get('ezmlm')->set_prop( 'ALLOW_CREATE', join ( ',', @members ) );
292     + }
293     + else {
294     + $accounts->get($listName)->set_prop( 'webusers', join ( ',', @members ) );
295     + }
296     + return system("/sbin/e-smith/expand-template", "/home/e-smith/files/ezmlm/lists/webusers") ?
297     + showInitial ($q, "Error: updating webusers for $listName") : showInitial ($q, "Successfully updated webusers for $listName.");
298     + return;
299     +}
300     +
301     +#------------------------------------------------------------
302     #
303     #------------------------------------------------------------
304     sub createList ($)
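Review bot: In performWebusersList the untaint of `$listName` can fail (the pattern rejects anything outside `^[a-zA-Z][\-\_\.a-zA-Z0-9]*$`), after which `$listName` is undef, the `ALL`/`ALLOW_CREATE` comparisons warn, and `$accounts->get($listName)->set_prop(...)` dies on an undefined record; the else branch also never checks that the record is a mailinglist, so any existing account key would receive a `webusers` property. `@members` is stored without any check, although the form page (webusersList) already enumerates the valid keys through `$accounts->users()`. The statement `$conf->get('ezmlm')->prop('ALL');` is a no-op, the trailing `return;` is unreachable after the ternary `return`, and the comment says groupName where listName is meant. Separately, webusersList interpolates the raw `list` parameter into the title handed to genHeaderNonCacheable; unless that helper escapes its argument, the value should pass through `$q->escapeHTML($listName)` first. The rewrite below adds the guards; the ALLOW_CREATE branch is unchanged.
```perl
sub performWebusersList ($)
{
    my $q = shift;

    my $listName = $q->param('list') || '';
    # Untaint listName before it reaches the DB and the template
    ($listName) = ($listName =~ /^([a-zA-Z][\-\_\.a-zA-Z0-9]*)$/);
    return showInitial ($q, "Error: invalid list name")
        unless defined $listName;

    # Keep only members that are existing user accounts
    my %known = map { $_->key => 1 } $accounts->users();
    my @members = grep { defined $_ && $known{$_} } $q->param('groupMembers');

    if ($listName eq "ALL") {
        $conf->get('ezmlm')->set_prop( 'ALL', join ( ',', @members ) );
    }
    # … unchanged: ALLOW_CREATE branch …
    else {
        my $rec = $accounts->get($listName);
        return showInitial ($q, "Error: $listName is not a mailing list")
            unless $rec and ($rec->prop('type') || '') eq 'mailinglist';
        $rec->set_prop( 'webusers', join ( ',', @members ) );
    }
    return system("/sbin/e-smith/expand-template", "/home/e-smith/files/ezmlm/lists/webusers")
        ? showInitial ($q, "Error: updating webusers for $listName")
        : showInitial ($q, "Successfully updated webusers for $listName.");
}
```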
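--- a/root/etc/e-smith/web/functions/userpanel-mailinglists
+++ b/root/etc/e-smith/web/functions/userpanel-mailinglists
@@ -0,0 +1,48 @@
+#!/usr/bin/perl -wT
+
+#----------------------------------------------------------------------
+# heading : Collaboration
+# description : Mailing lists
+# navigation : 3000 3600
+#
+# copyright (C) 2000-2006 Gormand Pty Ltd
+# copyright (C) 2001,2006 Mitel Networks Corporation
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from Gorman Pty Ltd
+# Please visit our web site www.gormand.com.au for contact details.
+#----------------------------------------------------------------------
+use strict;
+use CGI':all';
+use CGI::Carp qw(fatalsToBrowser);
+
+
+BEGIN
+{
+ $ENV {'PATH'} = '/bin:/usr/bin:/sbin';
+ $ENV {'SHELL'} = '/bin/bash';
+ delete $ENV {'ENV'};
+}
+
+
+my $q = new CGI;
+my $content="0; url=https://".$ENV {'HTTP_X_FORWARDED_HOST'}."/ezmlm-web";
+$q->default_dtd('-//W3C//DTD XHTML 1.0 Transitional//EN');
+
+print $q->header ('text/html');
+print $q->start_html (-head=>meta({-http_equiv=>'refresh', -content=>$content}));
+
+print $q->end_html;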
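Review bot: The redirect target is built from `$ENV {'HTTP_X_FORWARDED_HOST'}` with neither a fallback nor validation: when the script is reached without that header the concatenation warns under `-w` and the page refreshes to `https:///ezmlm-web`, and when present the value, which presumably originates from a request header relayed by the proxy in front, is copied verbatim into the `url=` of the meta refresh. Restricting it to a single hostname and falling back to the Host header keeps the redirect on a sane target, e.g. `my $host = $ENV {'HTTP_X_FORWARDED_HOST'} || $ENV {'HTTP_HOST'} || '';`, `($host) = ($host =~ /^([A-Za-z0-9.\-]+(?::\d+)?)$/) or die "unexpected Host value";` and `my $content = "0; url=https://$host/ezmlm-web";`. `new CGI` is indirect object syntax; `CGI->new` is the conventional form and avoids the parse ambiguity. Since the file already runs under `-wT`, adding `use warnings;` beside `use strict;` makes the warning setting explicit in the source rather than in the shebang alone.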
