
Contents of /rpms/smeserver-ezmlm-web/contribs9/smeserver-ezmlm-web-1.1.3-bz10241-security.patch



Revision 1.1 - (show annotations) (download)
Mon Apr 17 20:42:47 2017 UTC (7 years, 7 months ago) by unnilennium
Branch: MAIN
CVS Tags: smeserver-ezmlm-web-1_1_3-5_el6_sme
* Mon Apr 17 2017 Jean-Philipe Pialasse <tests@pialasse.com> 1.1.3-5.sme
- improve security [SME: 10241]
- added userpanel-mailinglist
- added per user and per list delegation.

1 diff -Nur smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/85EzmlmWebAccess smeserver-ezmlm-web-1.1.3/root/etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/85EzmlmWebAccess
2 --- smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/85EzmlmWebAccess 1969-12-31 19:00:00.000000000 -0500
3 +++ smeserver-ezmlm-web-1.1.3/root/etc/e-smith/templates/etc/httpd/admin-conf/httpd.conf/85EzmlmWebAccess 2017-04-17 16:25:00.239000000 -0400
4 @@ -0,0 +1,15 @@
5 +Alias /ezmlm-web /usr/local/share/ezmlm-web/www-data
6 +
7 +<Directory /usr/local/share/ezmlm-web/www-data >
8 + Options +ExecCGI
9 + order deny,allow
10 + deny from all
11 + allow from { "$localAccess"; }
12 + AuthName "SME User manager"
13 + AuthType Basic
14 + TKTAuthLoginURL /server-common/cgi-bin/login
15 + require valid-user
16 + Satisfy all
17 +
18 +</Directory>
19 +
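Review bot: The `require valid-user` line admits every authenticated SME account to the ezmlm-web CGI on the admin httpd; the only per-list authorization is whatever ezmlm-web reads from the generated `webusers` file added elsewhere in this patch, and nothing in this fragment records that. A comment above `AuthName`, such as `# Any SME user may log in; per-list rights are enforced by ezmlm-web from /home/e-smith/files/ezmlm/lists/webusers`, would make the trust boundary explicit for the next maintainer. Note also that with `Satisfy all` the `allow from $localAccess` rule must pass in addition to the login; since the admin httpd is reached through the 127.0.0.1 ProxyPass set up by the 28ezmlm-web template, confirm that `$localAccess` covers 127.0.0.1, otherwise remote users get 403 regardless of login.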
20 diff -Nur smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/85EzmlmWebAccess smeserver-ezmlm-web-1.1.3/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/85EzmlmWebAccess
21 --- smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/85EzmlmWebAccess 2017-04-17 16:17:40.685000000 -0400
22 +++ smeserver-ezmlm-web-1.1.3/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/85EzmlmWebAccess 1969-12-31 19:00:00.000000000 -0500
23 @@ -1,8 +0,0 @@
24 -Alias /ezmlm-web /usr/local/share/ezmlm-web/www-data
25 -
26 -<Directory /usr/local/share/ezmlm-web/www-data >
27 - Options +ExecCGI
28 - order deny,allow
29 - deny from all
30 - allow from { "$localAccess $externalSSLAccess"; }
31 -</Directory>
32 diff -Nur smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28ezmlm-web smeserver-ezmlm-web-1.1.3/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28ezmlm-web
33 --- smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28ezmlm-web 1969-12-31 19:00:00.000000000 -0500
34 +++ smeserver-ezmlm-web-1.1.3/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28ezmlm-web 2017-04-17 16:26:39.897000000 -0400
35 @@ -0,0 +1,31 @@
36 +{
37 + # vim: ft=perl:
38 +
39 + $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
40 + $plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
41 + $UserAlias = ${UserPanelAlias} || 'user';
42 +
43 +
44 + $OUT = '';
45 + foreach $place ('ezmlm-web')
46 + {
47 + if (($port eq "80") && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
48 + {
49 + $OUT .= " RewriteRule ^/$place(/.*|\$) https://%{HTTP_HOST}/$place\$1 [L,R]\n";
50 + } else {
51 + $OUT .= " ProxyPass /$place http://127.0.0.1:${'httpd-admin'}{TCPPort}/$place\n";
52 + $OUT .= " ProxyPassReverse /$place http://127.0.0.1:${'httpd-admin'}{TCPPort}/$place\n";
53 + }
54 +
55 + $OUT .= " <Location /$place>\n";
56 + $OUT .= " order deny,allow\n";
57 + $OUT .= " deny from all\n";
58 + if (($haveSSL eq 'yes') && (($port eq "443") || ($plainTextAccess ne 'yes')))
59 + {
60 + $OUT .= " allow from $localAccess $externalSSLAccess\n";
61 + } else {
62 + $OUT .= " allow from $localAccess\n";
63 + }
64 + $OUT .= " </Location>\n";
65 + }
66 +}
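Review bot: The RewriteRule in the `$port eq "80"` branch redirects to `https://%{HTTP_HOST}/$place$1`, so the redirect host is taken from the client-supplied Host header; if the vhost accepts arbitrary Host values this is a host-header-controlled redirect. If the stock SME httpd templates use the same idiom the fix belongs there too, but this fragment could redirect to the configured name instead, e.g. `https://$SystemName.$DomainName/$place\$1` (confirm those globals are in scope for this template), or the vhost could set `UseCanonicalName On`. Separately, `$UserAlias` is computed from `${UserPanelAlias}` but never used in this fragment; drop it or use it. A short comment above the `foreach` noting that the first branch forces HTTPS and the second proxies to the admin httpd on 127.0.0.1 would help readers.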
67 diff -Nur smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/templates/home/e-smith/files/ezmlm/lists/webusers/10webusers smeserver-ezmlm-web-1.1.3/root/etc/e-smith/templates/home/e-smith/files/ezmlm/lists/webusers/10webusers
68 --- smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/templates/home/e-smith/files/ezmlm/lists/webusers/10webusers 1969-12-31 19:00:00.000000000 -0500
69 +++ smeserver-ezmlm-web-1.1.3/root/etc/e-smith/templates/home/e-smith/files/ezmlm/lists/webusers/10webusers 2017-04-17 16:23:43.385000000 -0400
70 @@ -0,0 +1,22 @@
71 +{
72 +# set users with privileges on all lists on ALL
73 +my $ALLusers = $ezmlm{'ALL'} || "";
74 +$ALLusers =~ s/[,:]/ /g;
75 +$OUT = "ALL: admin $ALLusers\n";
76 +
77 +# set allowed users on ALLOW_CREATE
78 +# currently unecessary as we have disabled the ezmlm-web feature to create lists
79 +# and we use our own process, thus only admin can create lists
80 +my $ALLOWusers = $ezmlm{'ALLOW_CREATE'} || "";
81 +$ALLOWusers =~ s/[,:]/ /g;
82 +$OUT .= "ALLOW_CREATE: admin $ALLOWusers\n";
83 +
84 +# set privileges on individual lists
85 +my $accounts = esmith::ConfigDB->open_ro('accounts');
86 +foreach my $mllist ( $accounts->get_all_by_prop(type=>('mailinglist')) ) {
87 + my $listname = $mllist->key;
88 + my $users = $mllist->prop('webusers') || '';
89 + $users =~ s/[,:]/ /g;
90 + $OUT .= "$listname: $users \n" unless $users eq '';
91 + }
92 +}
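Review bot: The `s/[,:]/ /g` substitutions only neutralise the two separators; anything else stored in the `ALL`, `ALLOW_CREATE` or per-list `webusers` properties, including whitespace or a newline, is written verbatim into the webusers file, where a newline would start a new `list:` entry. Filtering to well-formed account names is two lines per value, e.g. `my @ok = grep { /^[a-zA-Z][\w.-]*$/ } split /[,:\s]+/, $users;` followed by `$OUT .= "$listname: @ok\n" if @ok;`, applied the same way to `$ALLusers` and `$ALLOWusers`. These values come from the server-manager panel, so only an admin could store such a string, but a whitelist keeps the ACL file well-formed regardless of what the panel accepted.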
93 diff -Nur smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/templates.metadata/home/e-smith/files/ezmlm/lists/webusers smeserver-ezmlm-web-1.1.3/root/etc/e-smith/templates.metadata/home/e-smith/files/ezmlm/lists/webusers
94 --- smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/templates.metadata/home/e-smith/files/ezmlm/lists/webusers 1969-12-31 19:00:00.000000000 -0500
95 +++ smeserver-ezmlm-web-1.1.3/root/etc/e-smith/templates.metadata/home/e-smith/files/ezmlm/lists/webusers 2017-04-17 16:34:22.788000000 -0400
96 @@ -0,0 +1,3 @@
97 +PERMS=0640
98 +UID="ezmlm"
99 +GID="admin"
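Review bot: The mode `0640` with `UID="ezmlm"` and `GID="admin"` makes the webusers ACL readable only by ezmlm and the admin group, which is appropriate for an authorization file, but it only works if the ezmlm-web CGI runs under one of those identities, and this patch does not show which user the admin httpd runs as. A one-line comment recording the intended reader, e.g. `# readable by the ezmlm-web CGI (group admin); not world-readable`, would document the choice; if the CGI runs as another user it will simply be unable to read the file.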
100 diff -Nur smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/web/functions/mailinglists smeserver-ezmlm-web-1.1.3/root/etc/e-smith/web/functions/mailinglists
101 --- smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/web/functions/mailinglists 2017-04-17 16:17:40.685000000 -0400
102 +++ smeserver-ezmlm-web-1.1.3/root/etc/e-smith/web/functions/mailinglists 2017-04-17 16:32:11.732000000 -0400
103 @@ -47,6 +47,8 @@
104 sub performModifyList ($);
105 sub deleteList ($);
106 sub performDeleteList ($);
107 +sub performWebusersList ($);
108 +sub webusersList ($);
109
110 BEGIN
111 {
112 @@ -109,6 +111,18 @@
113 {
114 performDeleteList ($q);
115 }
116 +
117 +elsif ($q->param ('state') eq "webusers")
118 +{
119 + webusersList ($q);
120 +}
121 +
122 +
123 +elsif ($q->param ('state') eq "performWebusers")
124 +{
125 + performWebusersList ($q);
126 +}
127 +
128 else
129 {
130 esmith::cgi::genStateError ($q, undef);
131 @@ -171,6 +185,7 @@
132 esmith::cgi::genSmallCell ($q, $q->b ('Domain')),
133 esmith::cgi::genSmallCell ($q, $q->b ('Description')),
134 $q->td ('&nbsp;'),
135 + $q->td ('&nbsp;'),
136 $q->td ('&nbsp;')
137 );
138
139 @@ -189,12 +204,48 @@
140 'Modify...')),
141
142 esmith::cgi::genSmallCell ($q,
143 + $q->a ( { href => $q->url (-absolute => 1) .
144 + "?state=webusers&list=" .
145 + $list->key },
146 + 'Webusers...')),
147 +
148 + esmith::cgi::genSmallCell ($q,
149 $q->a ({href => $q->url (-absolute => 1)
150 . "?state=delete&list="
151 . $list->key}, 'Remove...'))
152 );
153 }
154
155 + print $q->Tr ( esmith::cgi::genSmallCell ($q, 'ALL:'),
156 + esmith::cgi::genSmallCell ($q, ''),
157 + esmith::cgi::genSmallCell ($q, 'Generik webmanagement rights'),
158 + esmith::cgi::genSmallCell ($q,''),
159 +
160 + esmith::cgi::genSmallCell ($q,
161 + $q->a ( { href => $q->url (-absolute => 1) .
162 + "?state=webusers&list=" .
163 + 'ALL' },
164 + 'Webusers...')),
165 +
166 + esmith::cgi::genSmallCell ($q,'')
167 + );
168 +
169 +#/* future use
170 +# print $q->Tr ( esmith::cgi::genSmallCell ($q, 'ALLOW_CREATE'),
171 +# esmith::cgi::genSmallCell ($q, ''),
172 +# esmith::cgi::genSmallCell ($q, 'future use'),
173 +# esmith::cgi::genSmallCell ($q,''),
174 +#
175 +# esmith::cgi::genSmallCell ($q,
176 +# $q->a ( { href => $q->url (-absolute => 1) .
177 +# "?state=webusers&list=" .
178 +# 'ALLOW_CREATE' },
179 +# 'Webusers...')),
180 +#
181 +# esmith::cgi::genSmallCell ($q,'')
182 +# );
183 +#*/
184 +
185 print '</table>';
186 }
187
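Review bot: The user-visible label `'Generik webmanagement rights'` in the new ALL row is a typo; `'Generic web-management rights'` reads correctly. The `#/* future use … #*/` block is dead code wrapped in C-style markers that mean nothing to Perl beyond the leading `#`; either remove it until ALLOW_CREATE is wired up (the 10webusers template comment says list creation through ezmlm-web is disabled) or use a `=begin comment … =end comment … =cut` POD block so the intent is explicit. The enclosing function starts before this hunk.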
188 @@ -202,6 +253,116 @@
189 }
190
191 #------------------------------------------------------------
192 +#
193 +#------------------------------------------------------------
194 +sub webusersList ($)
195 +{
196 + my ($q) = @_;
197 + my $members = "";
198 + my $listName = $q->param ('list');
199 + esmith::cgi::genHeaderNonCacheable
200 + ($q, undef, 'Manage webusers for the following mailinglist: '. $listName );
201 +
202 + print $q->startform (-method => 'POST',
203 + -action => $q->url (-absolute => 1));
204 +
205 +
206 + if ($listName eq "ALL") {
207 + $members = $conf->get('ezmlm')->prop('ALL') || '';
208 + }
209 + elsif ($listName eq "ALLOW_CREATE") {
210 + $members = $conf->get('ezmlm')->prop('ALLOW_CREATE') || '';
211 + }
212 + elsif ($accounts->get($listName)) {
213 + $members = $accounts->get($listName)->prop('webusers') || '';
214 + }
215 + my %members;
216 + foreach my $member ( split ( /,/, $members ) ) {
217 + $members{$member} = 1;
218 + }
219 + my @users = sort { $a->key() cmp $b->key() } $accounts->users();
220 +
221 +
222 + my $out = "<tr>\n <td class=\"sme-noborders-label\">"
223 + . 'Webusers :' #$fm->localise('GROUP_MEMBERS')
224 + . "</td>\n <td>\n"
225 + . " <table border='0' cellspacing='0' cellpadding='0'>\n"
226 + . " <tr>\n";
227 + foreach my $user (@users) {
228 + my $checked = "";
229 + if ( $members{ $user->key() } ) {
230 + $checked = "checked";
231 + }
232 + my $name;
233 + $name = $user->prop('FirstName') . " " . $user->prop('LastName');
234 +
235 + $out .=" <tr>\n"
236 + . " <td><input type=\"checkbox\" name=\"groupMembers\" $checked value=\""
237 + . $user->key
238 + . "\"></td>\n <td>$name (".$user->key.")</td>\n </tr>\n";
239 +
240 + }
241 +
242 + $out .= " </table>\n </td>\n </tr>\n";
243 +
244 + print $q->table ({border => 0, cellspacing => 0, cellpadding => 4},
245 + esmith::cgi::genTextRow ($q,
246 +
247 + $q->p ('Please select the users who need to be able to manage the list ',
248 + 'using the web panel. Any user present in the generic list "ALL"',
249 + 'will be able to administer all existing and future lists.',
250 + 'The admin is always member of the list ALL.') . ' ' ),
251 +
252 + esmith::cgi::genTextRow ($q,$out),
253 + esmith::cgi::genButtonRow ($q,
254 + $q->submit (-name => 'action',
255 + -value => 'Update')));
256 +
257 + print '</table>';
258 +
259 +
260 + print $q->hidden (-name => 'state',
261 + -override => 1,
262 + -default => 'performWebusers');
263 + print $q->hidden (-name => 'list',
264 + -override => 1,
265 + -default => $listName);
266 +
267 +
268 + print $q->endform;
269 +
270 + esmith::cgi::genFooter ($q);
271 + return;
272 +}
273 +
274 +#------------------------------------------------------------
275 +#
276 +#------------------------------------------------------------
277 +sub performWebusersList ($)
278 +{
279 + my $q = shift;
280 +
281 + my @members = $q->param('groupMembers');
282 + my $listName = $q->param('list');
283 + # Untaint groupName before use in system()
284 + ($listName) = ($listName =~ /^([a-zA-Z][\-\_\.a-zA-Z0-9]*)$/);
285 +
286 + if ($listName eq "ALL") {
287 + $conf->get('ezmlm')->prop('ALL');
288 + $conf->get('ezmlm')->set_prop( 'ALL', join ( ',', @members ) );
289 + }
290 + elsif ($listName eq "ALLOW_CREATE") {
291 + $conf->get('ezmlm')->set_prop( 'ALLOW_CREATE', join ( ',', @members ) );
292 + }
293 + else {
294 + $accounts->get($listName)->set_prop( 'webusers', join ( ',', @members ) );
295 + }
296 + return system("/sbin/e-smith/expand-template", "/home/e-smith/files/ezmlm/lists/webusers") ?
297 + showInitial ($q, "Error: updating webusers for $listName") : showInitial ($q, "Successfully updated webusers for $listName.");
298 + return;
299 +}
300 +
301 +#------------------------------------------------------------
302 #
303 #------------------------------------------------------------
304 sub createList ($)
305 diff -Nur smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/web/functions/userpanel-mailinglists smeserver-ezmlm-web-1.1.3/root/etc/e-smith/web/functions/userpanel-mailinglists
306 --- smeserver-ezmlm-web-1.1.3.old/root/etc/e-smith/web/functions/userpanel-mailinglists 1969-12-31 19:00:00.000000000 -0500
307 +++ smeserver-ezmlm-web-1.1.3/root/etc/e-smith/web/functions/userpanel-mailinglists 2017-04-17 16:28:35.769000000 -0400
308 @@ -0,0 +1,48 @@
309 +#!/usr/bin/perl -wT
310 +
311 +#----------------------------------------------------------------------
312 +# heading : Collaboration
313 +# description : Mailing lists
314 +# navigation : 3000 3600
315 +#
316 +# copyright (C) 2000-2006 Gormand Pty Ltd
317 +# copyright (C) 2001,2006 Mitel Networks Corporation
318 +#
319 +# This program is free software; you can redistribute it and/or modify
320 +# it under the terms of the GNU General Public License as published by
321 +# the Free Software Foundation; either version 2 of the License, or
322 +# (at your option) any later version.
323 +#
324 +# This program is distributed in the hope that it will be useful,
325 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
326 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
327 +# GNU General Public License for more details.
328 +#
329 +# You should have received a copy of the GNU General Public License
330 +# along with this program; if not, write to the Free Software
331 +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
332 +#
333 +# Technical support for this program is available from Gorman Pty Ltd
334 +# Please visit our web site www.gormand.com.au for contact details.
335 +#----------------------------------------------------------------------
336 +use strict;
337 +use CGI':all';
338 +use CGI::Carp qw(fatalsToBrowser);
339 +
340 +
341 +BEGIN
342 +{
343 + $ENV {'PATH'} = '/bin:/usr/bin:/sbin';
344 + $ENV {'SHELL'} = '/bin/bash';
345 + delete $ENV {'ENV'};
346 +}
347 +
348 +
349 +my $q = new CGI;
350 +my $content="0; url=https://".$ENV {'HTTP_X_FORWARDED_HOST'}."/ezmlm-web";
351 +$q->default_dtd('-//W3C//DTD XHTML 1.0 Transitional//EN');
352 +
353 +print $q->header ('text/html');
354 +print $q->start_html (-head=>meta({-http_equiv=>'refresh', -content=>$content}));
355 +
356 +print $q->end_html;
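Review bot: The redirect target on the `$content` line is built from `HTTP_X_FORWARDED_HOST`, a request header the client or any intermediate proxy controls, so the meta refresh can send the user to an arbitrary https host; when the header is absent the URL degrades to `https:///ezmlm-web`. Since ezmlm-web is served from the same virtual host, a relative target avoids trusting the header entirely: `my $content = "0; url=/ezmlm-web";` — the 28ezmlm-web VirtualHost template in this patch already upgrades `/ezmlm-web` to https when SSL is enabled and plaintext access is disabled. Minor style: `new CGI` is indirect-object syntax and `CGI->new` is the recommended form, and `use CGI ':all'` could be narrowed to the `meta` import this script actually uses.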
