The branch "master" has been updated. The following is a summary of the commits.
from: 9c69187f6f796e5effaeb233ee0af251e7627c9e

feb0cb3 Update backends.php
239c5ab Update Vfs.php
ba5c4a8 docs
cf1dd12 [jan] Catch errors when checking one-time form tokens.
2c4fa7e [jan] SECURITY: enable CSRF token for configuration form again (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).
a55bf75 [jan] SECURITY: Don't render SVG images in the browser to avoid XSS attacks (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).
30d5506 Fix XSS with data:html links and form actions.
4d8176d [jan] SECURITY: Fix XSS via data:text/html content of form action and xlink attributes (Reported by Liuzhu <[email protected]>).
4035ab1 [jan] SECURITY: Add CSRF protection tokens to portal layout forms (Reported by Florian Köllich <[email protected]>).

Summary: http://github.com/horde/horde/compare/9c69187f6f796e5effaeb233ee0af251e7627c9e...4035ab12e5f6496df7df23fc6250b404f0e8592e

-----------------------------------------------------------------------
commit feb0cb3a4e39bf8d00f1c45d2d75c99c1783002b
Author: Rob Lensen <[email protected]>
Date:   Mon Sep 5 08:52:41 2016 +0200

    Update backends.php

    Add option to request Ingo::getUser(true)

 ingo/config/backends.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

http://github.com/horde/horde/commit/feb0cb3a4e39bf8d00f1c45d2d75c99c1783002b

-----------------------------------------------------------------------
commit 239c5abf03843c464d0543f67b19e7aee5a4e8ac
Author: Rob Lensen <[email protected]>
Date:   Mon Sep 5 08:54:16 2016 +0200

    Update Vfs.php

    Add option to request full username

 ingo/lib/Transport/Vfs.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

http://github.com/horde/horde/commit/239c5abf03843c464d0543f67b19e7aee5a4e8ac

-----------------------------------------------------------------------
commit ba5c4a85b2e479b26c030e3fb1ab9eb602f90f1f
Author: Jan Schneider <[email protected]>
Date:   Mon Sep 5 16:20:40 2016 +0200

    docs

 ingo/config/hooks.php.dist | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

http://github.com/horde/horde/commit/ba5c4a85b2e479b26c030e3fb1ab9eb602f90f1f

-----------------------------------------------------------------------
commit cf1dd12254a129fc196526b9adc79f8a146d202e
Author: Jan Schneider <[email protected]>
Date:   Tue Sep 6 15:57:10 2016 +0200

    [jan] Catch errors when checking one-time form tokens.

 framework/Form/lib/Horde/Form.php | 12 ++++++++----
 framework/Form/package.xml        |  4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)

http://github.com/horde/horde/commit/cf1dd12254a129fc196526b9adc79f8a146d202e

-----------------------------------------------------------------------
commit 2c4fa7e913afadc68f4d78f57994f0ce9a67787b
Author: Jan Schneider <[email protected]>
Date:   Tue Sep 6 16:04:43 2016 +0200

    [jan] SECURITY: enable CSRF token for configuration form again (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).

 framework/Core/lib/Horde/Config/Form.php | 9 ---------
 framework/Core/package.xml               | 4 +++-
 2 files changed, 3 insertions(+), 10 deletions(-)

http://github.com/horde/horde/commit/2c4fa7e913afadc68f4d78f57994f0ce9a67787b

-----------------------------------------------------------------------
commit a55bf759d3d8fd07dd5fda2ead075f5998e96364
Author: Jan Schneider <[email protected]>
Date:   Tue Sep 6 16:08:16 2016 +0200

    [jan] SECURITY: Don't render SVG images in the browser to avoid XSS attacks (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).

 framework/Mime_Viewer/lib/Horde/Mime/Viewer/Images.php | 3 +++
 framework/Mime_Viewer/package.xml                      | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

http://github.com/horde/horde/commit/a55bf759d3d8fd07dd5fda2ead075f5998e96364

-----------------------------------------------------------------------
commit 30d5506c20d26efbb9942fbdc6f981a0bd333b97
Author: Jan Schneider <[email protected]>
Date:   Tue Aug 16 14:46:21 2016 +0200

    Fix XSS with data:html links and form actions.

    The academically correct way to filter out xlink hrefs should have been
    to use hasAttributeNS/getAttributeNS with the XLink namespace. But from
    my testing browsers don't care about that namespace at all, and only
    use the xlink: prefix. This means that even if you correctly specify a
    different prefix for the XLink NS, the links won't be detected by the
    browser. xlink: prefixes OTOH even work without specifying the XLink
    namespace in the XML document.

    Reported By: Liuzhu <[email protected]>

 framework/Text_Filter/lib/Horde/Text/Filter/Xss.php      | 16 ++++++++++++----
 framework/Text_Filter/test/Horde/Text/Filter/XssTest.php |  5 ++++-
 2 files changed, 16 insertions(+), 5 deletions(-)

http://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97

-----------------------------------------------------------------------
commit 4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424
Author: Jan Schneider <[email protected]>
Date:   Tue Sep 6 16:15:10 2016 +0200

    [jan] SECURITY: Fix XSS via data:text/html content of form action and xlink attributes (Reported by Liuzhu <[email protected]>).

 framework/Text_Filter/package.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

http://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424

-----------------------------------------------------------------------
commit 4035ab12e5f6496df7df23fc6250b404f0e8592e
Author: Jan Schneider <[email protected]>
Date:   Tue Sep 6 16:18:57 2016 +0200

    [jan] SECURITY: Add CSRF protection tokens to portal layout forms (Reported by Florian Köllich <[email protected]>).

 framework/Core/lib/Horde/Core/Block/Layout/Manager.php | 3 +++
 framework/Core/package.xml                             | 2 ++
 horde/templates/portal/add.inc                         | 1 +
 horde/templates/portal/layout.inc                      | 1 +
 4 files changed, 7 insertions(+)

http://github.com/horde/horde/commit/4035ab12e5f6496df7df23fc6250b404f0e8592e
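The prefix-based xlink:href and data: URL check that the 30d5506 commit message describes, as an added Python example that is not Horde's own code (the project's filter is the PHP Horde_Text_Filter_Xss class in the diffstat above). It assumes a lenient HTML-style parser, as browsers use, and treats any data: URL that is not a raster image as unsafe, which is broader than the data:text/html case on the page.

```python
from html import escape
from html.parser import HTMLParser

# Attributes a browser navigates to or submits to. They are matched by literal
# name, prefix included: per the commit message, browsers honour "xlink:href"
# by prefix and ignore which XML namespace (if any) the prefix is bound to.
URL_ATTRS = {"href", "xlink:href", "action", "formaction"}

def is_unsafe_url(value):
    """True for javascript:/vbscript: URLs and data: URLs that are not raster images."""
    # Browsers skip whitespace and control characters when reading the scheme.
    v = "".join(c for c in (value or "") if c.isprintable() and not c.isspace()).lower()
    if v.startswith(("javascript:", "vbscript:")):
        return True
    if v.startswith("data:"):
        media = v[5:].split(",", 1)[0].split(";", 1)[0]
        # Assumption: only raster images may be inlined; SVG can carry script.
        return not (media.startswith("image/") and media != "image/svg+xml")
    return False

class XssFilter(HTMLParser):
    """Re-emits the markup, dropping URL attributes whose value is unsafe."""
    def __init__(self):
        super().__init__()               # convert_charrefs=True: attrs and data arrive decoded
        self.out, self.dropped = [], []  # dropped: (tag, attr, value) triples for logging

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:        # name is lowercased; "xlink:href" keeps its prefix
            if name in URL_ATTRS and is_unsafe_url(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(markup):
    """Returns (filtered markup, list of dropped (tag, attr, value) triples)."""
    f = XssFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out), f.dropped

# Constructed sample: the two vectors named in the commit message plus benign URLs.
SAMPLE = ('<svg><a xlink:href="data:text/html,%3Ch1%3Ehi%3C/h1%3E">x</a></svg>'
          '<form action="java&#10;script:alert(2)">'
          '<input formaction="data:image/png;base64,AAAA"></form>'
          '<a href="https://example.invalid/">ok</a>')
```

The `dropped` list is what you would log or alert on; note that the entity-encoded newline in the form action is decoded by the parser before the check, so the obfuscated `javascript:` scheme is still caught.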
--
commits mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: [email protected]
