--- horde3-3.2.2+debian0.orig/lib/Horde/MIME.php +++ horde3-3.2.2+debian0/lib/Horde/MIME.php @@ -770,6 +770,13 @@ */ function parseAddressList($address, $defserver = null, $validate = false) { + + // Backport patch from CVS to close #490125 + if (preg_match('/undisclosed-recipients:\s*;/i', trim($address))) { + return array(); + } + // end of backported patch + /* Use built-in IMAP function only if available and if not parsing * distribution lists because it doesn't parse distribution lists * properly. */ @@ -783,8 +790,15 @@ require_once 'Mail/RFC822.php'; $parser = new Mail_RFC822(); } - return $parser->parseAddressList($address, $defserver, false, + + // Backport patch from CVS to close #490125 + //return $parser->parseAddressList($address, $defserver, false, + // $validate); + $ret = $parser->parseAddressList($address, $defserver, false, $validate); + return is_a($ret, 'PEAR_Error') ? array() : $ret; + // end of backported patch + } } --- horde3-3.2.2+debian0.orig/lib/Horde/Image.php +++ horde3-3.2.2+debian0/lib/Horde/Image.php @@ -551,6 +551,9 @@ list($app, $driver) = $driver; } + // Backport security patch from upstream + $driver = basename($driver); + $class = 'Horde_Image_' . $driver; if (!class_exists($class)) { if (!empty($app)) { --- horde3-3.2.2+debian0.orig/lib/Horde/Text/Filter/xss.php +++ horde3-3.2.2+debian0/lib/Horde/Text/Filter/xss.php @@ -193,7 +193,9 @@ /* Comment out style/link tags. */ if ($this->_params['strip_styles']) { if ($this->_params['strip_style_attributes']) { - $patterns['/\s+style\s*=/i'] = ' ' . $this->_params['replace'] . '='; + // Backport security patch from upstream suggestion + //$patterns['/\s+style\s*=/i'] = ' ' . $this->_params['replace'] . '='; + $patterns['/(\s+|([\'"]))style\s*=/i'] = '$2 ' . $this->_params['replace'] . '='; } $patterns['|]*>(?:\s*<\!--)*|i'] = '\s*)*|i'] = '-->'; --- horde3-3.2.2+debian0.orig/lib/Horde/Auth/pam.php +++ horde3-3.2.2+debian0/lib/Horde/Auth/pam.php 
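Review bot: In lib/Horde/MIME.php, the early return added at the top of parseAddressList() matches `undisclosed-recipients:;` anywhere in `$address`, because the pattern has no anchors. A header that carries that group next to real addresses therefore comes back as an empty list and those addresses are dropped. The `trim()` suggests the whole string was meant to match; if so, anchor the pattern: `if (preg_match('/^undisclosed-recipients:\s*;$/i', trim($address))) {`. The comment should also say which input the guard handles instead of only citing #490125. The function body continues outside the hunk.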
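Review bot: In the second MIME.php hunk, `return is_a($ret, 'PEAR_Error') ? array() : $ret;` turns every parser error into an empty list, even when the caller passed `$validate = true`, so a caller can no longer tell a malformed address from an empty one. If any caller relies on the error to reject bad input (not visible in this hunk), keep the error on that path: `return (!$validate && is_a($ret, 'PEAR_Error')) ? array() : $ret;`. The commented-out old `return` lines should be removed, since the diff already records them. The docblock above parseAddressList() should state that an empty array can now mean a parse failure.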
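Review bot: In lib/Horde/Image.php, `$driver = basename($driver);` removes directory components but still accepts every other character in the driver name, and the comment does not say what is being protected. The value is concatenated into `'Horde_Image_' . $driver`, and the changelog on this page describes the issue as a file inclusion through the driver name, so an allow-list is the tighter check: reject any name that does not match `/^[A-Za-z0-9_]+$/` before `$class` is built. A comment such as `// The driver name ends up in a class name and an include path; keep only a plain identifier.` would record the intent. The include itself is outside the hunk, so the exact path handling could not be checked here.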
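Review bot: In lib/Horde/Text/Filter/xss.php the new pattern `/(\s+|([\'"]))style\s*=/i` and its `'$2 '` replacement are not explained, and the generic "security patch" comment does not help the next maintainer see which input form is covered. A comment such as `// Also match style= directly after a quote character (no whitespace); $2 puts that quote back.` states what the code does. The commented-out old assignment should be dropped, since the diff keeps it. The last line of this hunk is garbled on this page and was not reviewed.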
@@ -55,7 +55,7 @@ ini_set('pam.servicename', $params['service']); } - Util::loadExtension('pam'); + Util::loadExtension('pam') || Util::loadExtension('pam_auth'); } /** @@ -75,13 +75,13 @@ return false; } - if (!Util::extensionExists('pam')) { + if (!function_exists('pam_auth')) { $this->_setAuthError(AUTH_REASON_MESSAGE, _("PAM authentication is not available.")); return false; } $error = null; - if (!pam_auth($userId, $credentials['password'], $error)) { + if (!pam_auth($userId, $credentials['password'], &$error)) { $this->_setAuthError(AUTH_REASON_MESSAGE, $error); return false; } --- horde3-3.2.2+debian0.orig/scripts/temp-cleanup.cron +++ horde3-3.2.2+debian0/scripts/temp-cleanup.cron @@ -18,9 +18,10 @@ # documentation for your systems job scheduler for more information. # -# The location of PHP's temporary directory -TMP_DIR=/tmp +[ -f /etc/default/horde3 ] && . /etc/default/horde3 +# The location of PHP's temporary directory +echo ${TMP_DIR:=/tmp} > /dev/null # MSWord attachments (generated by the MSword viewer) find $TMP_DIR -type f -name msword\* -ctime +2 -exec rm -f {} \; --- horde3-3.2.2+debian0.orig/debian/compat +++ horde3-3.2.2+debian0/debian/compat @@ -0,0 +1 @@ +5 --- horde3-3.2.2+debian0.orig/debian/horde3.postinst +++ horde3-3.2.2+debian0/debian/horde3.postinst 
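Review bot: In lib/Horde/Auth/pam.php, `pam_auth($userId, $credentials['password'], &$error)` uses call-time pass-by-reference, which PHP deprecates and which is a fatal error from PHP 5.4 on, so the whole PAM driver file would stop loading after an upgrade. The call should stay `pam_auth($userId, $credentials['password'], $error)`; if the pam_auth extension does not declare its third parameter by reference (not visible here), that belongs in the extension, and the cost of leaving it is only a missing reason string. The switch to `function_exists('pam_auth')` deserves a comment naming the two extensions it covers, e.g. `// Provided by either the "pam" or the "pam_auth" extension.` The method continues outside the hunk.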
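Review bot: In scripts/temp-cleanup.cron, `TMP_DIR` can now come from /etc/default/horde3 but is still expanded unquoted in `find $TMP_DIR ...` on the context line, so a value containing whitespace or glob characters makes find walk other paths and run `rm -f` there. Quote it in every find call, `find "$TMP_DIR" -type f -name msword\* ...`. The default is better set with the usual no-op form `: "${TMP_DIR:=/tmp}"` than with `echo ${TMP_DIR:=/tmp} > /dev/null`. The remaining find commands are outside the hunk and need the same quoting.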
@@ -0,0 +1,45 @@ +#!/bin/sh +# postinst script for horde3 +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + configure) + + # Allow only root and www-data to read Horde configuration + chgrp www-data /etc/horde + chmod 750 /etc/horde + + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + --- horde3-3.2.2+debian0.orig/debian/dirs +++ horde3-3.2.2+debian0/debian/dirs @@ -0,0 +1,4 @@ +usr/share/horde3 +etc/horde/horde3 +var/log/horde +etc/default --- horde3-3.2.2+debian0.orig/debian/cron.d +++ horde3-3.2.2+debian0/debian/cron.d @@ -0,0 +1,5 @@ +# +# Regular cron jobs for the horde3 package +# +0 23 * * * www-data test -x /usr/share/horde3/scripts/temp-cleanup.cron && /usr/share/horde3/scripts/temp-cleanup.cron 2> /dev/null +*/5 * * * * www-data test -x /usr/bin/php && /usr/bin/php -q /usr/share/horde3/scripts/alarms.php > /dev/null 2>&1 --- horde3-3.2.2+debian0.orig/debian/examples +++ horde3-3.2.2+debian0/debian/examples @@ -0,0 +1,3 @@ +config/ +po/ +scripts/ --- horde3-3.2.2+debian0.orig/debian/docs +++ horde3-3.2.2+debian0/debian/docs @@ -0,0 +1,2 @@ +README +docs/* --- horde3-3.2.2+debian0.orig/debian/control +++ horde3-3.2.2+debian0/debian/control 
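Review bot: In debian/horde3.postinst the configure branch runs `chgrp www-data /etc/horde` and `chmod 750 /etc/horde` on every configure, which overwrites any ownership or mode the administrator set locally, and it never sets the owner that the "only root and www-data" comment relies on. Checking dpkg-statoverride first respects a local override, and `chown root:www-data` makes the owner explicit.

```shell
    configure)
        # Restrict the Horde configuration to root and www-data, unless the
        # administrator registered a local override for the directory.
        if ! dpkg-statoverride --list /etc/horde >/dev/null 2>&1; then
            chown root:www-data /etc/horde
            chmod 750 /etc/horde
        fi
```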
@@ -0,0 +1,29 @@ +Source: horde3 +Section: web +Priority: optional +Maintainer: Horde Maintainers +Uploaders: Ola Lundqvist , Lionel Elie Mamane , Gregory Colpart +Build-Depends: debhelper (>= 5) +Vcs-Arch: http://arch.debian.org/arch/pkg-horde/2006/horde--sid--3 +Vcs-Browser: http://arch.debian.org/cgi-bin/archzoom.cgi/pkg-horde-hackers%40lists.alioth.debian.org--2006/horde?expand +Standards-Version: 3.8.0 +Homepage: http://www.horde.org/ + +Package: horde3 +Architecture: all +Depends: ${shlibs:Depends}, ${misc:Depends}, libapache2-mod-php5 | libapache2-mod-php4 (>= 4:4.3.10) | php5-cgi | php4-cgi (>= 4:4.3.10), libapache2-mod-php5 | php5-cgi | php4-domxml, php5-gd, php5-mcrypt, php-log, php-mail, php-mail-mime, apache2 | httpd, libjs-scriptaculous +Recommends: php5-mysql | php5-pgsql | php5-ldap, php5-cli, logrotate, php-file, php-date, php-services-weather (>= 1.3.1), php-db (>= 1.7.8), locales, fckeditor, tinymce2 | tinymce (<< 3) +Suggests: imp4, turba2, gollem, chora2, kronolith2, mnemo2, webcpp, xlhtml, ppthtml, wv, source-highlight, enscript, rpm, php5-mhash, gettext, php-net-imap, libgeoip1, unrtf, libwpd-tools, php5-auth-pam +Conflicts: horde, turba2 (<< 2.1) +Description: horde web application framework + The Horde Framework is written in PHP, and provides the common + tools a Web application requires: classes for dealing with preferences, + compression, browser detection, connection tracking, MIME, and more. + . + The Horde Framework, by itself, does not provide any significant end user + functionality; it provides a base for other applications and tools for + developers. You will probably want to install some of the available Horde + applications, such as IMP (a webmail client), or Kronolith (a calendar). + . + There is a list of Horde applications and projects at + http://www.horde.org/projects.php. --- horde3-3.2.2+debian0.orig/debian/cleanup.sh +++ horde3-3.2.2+debian0/debian/cleanup.sh 
@@ -0,0 +1,58 @@ +#!/bin/sh +# Repack upstream source to remove fckeditor, tinymce and scriptaculous +# (size of upstream source is now 7 Mo instead of 8 Mo) + +# HOWTO : +# % wget ftp://ftp.horde.org/pub/horde/horde-3.2.2.tar.gz +# % cleanup.sh horde-3.2.2.tar.gz + +set -e + +# I want an argument +if [ "$1" = "" ]; then + echo "$0: needs a .tar.gz filename argument" + exit 1 +fi + +PKG=$(basename $1) +TMPDIR=$(mktemp -d) +WHERE=$(pwd) + +# copy stuff in temp dir +if ! cp $1 $TMPDIR; then + echo "$1 isn't a valid filename" + exit 1 +fi + +cd $TMPDIR + +# extract files +if ! tar -zxf $1; then + echo "$1 isn't a valid tarball" + exit 1 +fi + +#don't remove xinha as it is not packaged yet +#rm -rf horde-3.2/services/editor/xinha +# Remove fckeditor, tinymce, scriptaculous... +rm -rf horde-3.2.2/services/editor/fckeditor +rm -rf horde-3.2.2/services/editor/tinymce +rm -f horde-3.2.2/js/controls.js +rm -f horde-3.2.2/js/src/controls.js +rm -f horde-3.2.2/js/dragdrop.js +rm -f horde-3.2.2/js/src/dragdrop.js +rm -f horde-3.2.2/js/effects.js +rm -f horde-3.2.2/js/src/effects.js +rm -f horde-3.2.2/js/prototype.js +rm -f horde-3.2.2/js/src/prototype.js +rm -f horde-3.2.2/js/scriptaculous.js +rm -f horde-3.2.2/js/src/scriptaculous.js +rm -f horde-3.2.2/js/slider.js +rm -f horde-3.2.2/js/src/slider.js + +# Create the new source +tar -czf horde3_3.2.2+debian0.orig.tar.gz horde-3.2.2/ + +mv horde3_3.2.2+debian0.orig.tar.gz $WHERE +rm -rf $TMPDIR + --- horde3-3.2.2+debian0.orig/debian/horde3.default +++ horde3-3.2.2+debian0/debian/horde3.default @@ -0,0 +1,3 @@ +# PHP's temporary directory, used by the cleanup script. +# falls back to /tmp +TMP_DIR=/tmp --- horde3-3.2.2+debian0.orig/debian/copyright +++ horde3-3.2.2+debian0/debian/copyright 
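Review bot: In debian/cleanup.sh, `tar -zxf $1` runs after `cd $TMPDIR`, so a relative path argument no longer resolves to the copied tarball, and an absolute one extracts the original instead of the copy; `PKG=$(basename $1)` is computed for this purpose and never used. Use `tar -zxf "$PKG"` and quote `"$1"`, `"$TMPDIR"` and `"$WHERE"` throughout, since the unquoted forms break on paths with spaces and feed `rm -rf`. `TMPDIR` is also the variable mktemp and other tools read, so a name such as `WORKDIR` avoids changing their behaviour when it is already exported. A `trap 'rm -rf "$WORKDIR"' EXIT` would remove the directory when `set -e` aborts the script part-way.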
@@ -0,0 +1,656 @@ +This package was debianized by Ola Lundqvist on +Sat, 1 Jan 2005 14:51:04 +0100. + +It was downloaded from: + http://ftp.horde.org/pub/horde/ + +Upstream Authors: Chuck Hagenbuch , Jan Schneider +, Michael Slusarz . See all authors in +/usr/share/doc/horde3/CREDITS. + +Copyright 1999-2008 The Horde Project (http://www.horde.org/) + + + +js/addEvent.php: +Copyright 2005-2007 Chuck Hagenbuch + + +js/src/dhtmlHistory.js: +Original code (c) 2005, Brad Neuberg, bkn3@columbia.edu + (http://codinginparadise.org) + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the "Software"), +to deal in the Software without restriction, including without limitation +the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the +Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES +OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT +OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR +THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +This file has been altered from the original dhtmlHistory (v0.05) to +remove functionality not needed for DIMP and to provide bug fixes and +enhancements. 
+ +Support from Safari adapted from code (c) 2007, Brian Dillard, + bdillard@pathf.com (http://blogs.pathf.com/agileajax/) + +This file requires the Prototype Javscript Library v1.6.0+ + +Additions Copyright 2005-2008 The Horde Project (http://www.horde.org/) + + +lib/SyncML.php: +Copyright 2003-2007 Karsten Fourmont + + +lib/File/CSV.php: +Copyright 2002-2003 Tomas Von Veschler Cox +Copyright 2005-2008 The Horde Project (http://www.horde.org/) + +This source file is subject to version 2.0 of the PHP license, that is +bundled with this package in the file LICENSE, and is available at through +the world-wide-web at http://www.php.net/license/2_02.txt. If you did not +receive a copy of the PHP license and are unable to obtain it through the +world-wide-web, please send a note to license@php.net so we can mail you a +copy immediately. + + +lib/File/PDF.php: +Copyright 2001-2003 Olivier Plathey +Copyright 2003-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/Feed.php: +Portions Copyright 2005-2007 Zend Technologies USA Inc. (http://www.zend.com) +Copyright 2007-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/Form.php: +Copyright 2001-2007 Robert E. Coyle +Copyright 2001-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/Release.php: +Copyright 1999 Mike Hardy +Copyright 2004-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/Share.php: +Copyright 2002-2008 The Horde Project (http://www.horde.org/) +Copyright 2002-2007 Infoteck Internet + + +lib/Horde/Util.php: +Copyright 1999-2008 The Horde Project (http://www.horde.org/) +_deleteAtShutdown() function contains code from gpg_functions.php (Copyright +(c) 2002-2003 Braverock Ventures) + + +lib/Horde/VC.php: +Copyright Anil Madhavapeddy, + + +lib/Horde/Yaml.php: +This package is heavily inspired by the Spyc PHP YAML +implementation (http://spyc.sourceforge.net/), and portions are +copyright 2005-2006 Chris Wanstrath. 
+ + +lib/Horde/Argv/*.php: +Authors: Chuck Hagenbuch (chuck@horde.org), Mike Naberezny +(mike@maintainable.com) +License: http://opensource.org/licenses/bsd-license.php BSD + + +lib/Horde/Auth/customsql.php: +Copyright 2002 Ronnie Garcia + + +lib/Horde/Auth/kolab.php: +Copyright 2004-2007 Stuart Binge + + +lib/Horde/Auth/passwd.php: +Copyright 1997-2007 Rasmus Lerdorf +Copyright 2002-2008 Chuck Hagenbuch + + +lib/Horde/Auth/shibboleth.php: +Copyright 9Star Research, Inc. 2006 http://www.protectnetwork.org + + +lib/Horde/Browser/imode.php: +Copyright 2000-2007 Mika Tuupola +Copyright 2002-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/Cache/memcache.php: +Copyright 2006-2007 Duck +Copyright 2007-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/Cache/xcache.php: +Copyright 2006-2007 Duck + + +lib/Horde/Cache/apc.php: +Copyright 2006-2007 Duck + + +lib/Horde/Cache/eaccelerator.php: +Copyright 2006-2007 Duck + + +lib/Horde/Compress/dbx.php: +This class is based on code by: +Antony Raijekov +http://uruds.gateway.bg/zeos/ + +Copyright 2003-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/Compress/tnef.php: +The TNEF rendering is based on code by: + Graham Norbury +Original design by: + Thomas Boll , Mark Simpson + +Copyright 2002-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/Compress/zip.php: +The ZIP compression code is partially based on code from: + Eric Mueller + http://www.zend.com/codex.php?id=535&single=1 + + Deins125 + http://www.zend.com/codex.php?id=470&single=1 + +The ZIP compression date code is partially based on code from + Peter Listiak + +Copyright 2000-2008 The Horde Project (http://www.horde.org/) +Copyright 2003-2007 Michael Slusarz + + +lib/Horde/Feed/*.php: +Portions Copyright 2005-2007 Zend Technologies USA Inc. 
(http://www.zend.com) +Copyright 2007-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/Image/Effect/gd/{drop_shadow,round_corners}.php: +This algorithm is from the phpThumb project available at +http://phpthumb.sourceforge.net and all credit for this script should go to +James Heinrich . Modifications made to the code +to fit it within the Horde framework and to adjust for our coding standards. + + +lib/Horde/Image/Effect/gd/unsharp_mask.php: +Unsharp mask algorithm by Torstein Hønsi 2003 +From: http://www.vikjavev.com/hovudsida/umtestside.php + + +lib/Horde/iCalendar/vcard.php: +Copyright 2003-2007 Karsten Fourmont (karsten@horde.org) + + +lib/Horde/Log/*: +Authors: Mike Naberezny (mike@maintainable.com), Chuck Hagenbuch +(chuck@horde.org) +License: http://opensource.org/licenses/bsd-license.php BSD + + +lib/Horde/MIME/Viewer/rtf.php: +Copyright 2007 Duck + + +lib/Horde/MIME/Viewer/ooo/*.xsl: +The Contents of this file are made available subject to the terms of +either of the following licenses + + - GNU Lesser General Public License Version 2.1 + - Sun Industry Standards Source License Version 1.1 + +Sun Microsystems Inc., October, 2000 + +GNU Lesser General Public License Version 2.1 +============================================= +Copyright 2000 by Sun Microsystems, Inc. +901 San Antonio Road, Palo Alto, CA 94303, USA + +This library is free software; you can redistribute it and/or +modify it under the terms of the GNU Lesser General Public +License version 2.1, as published by the Free Software Foundation. + +This library is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +Lesser General Public License for more details. 
+ +You should have received a copy of the GNU Lesser General Public +License along with this library; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + +Sun Industry Standards Source License Version 1.1 +================================================= +The contents of this file are subject to the Sun Industry Standards +Source License Version 1.1 (the "License"); You may not use this file +except in compliance with the License. You may obtain a copy of the +License at http://www.openoffice.org/license.html. + +Software provided under this License is provided on an "AS IS" basis, +WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, +WITHOUT LIMITATION, WARRANTIES THAT THE SOFTWARE IS FREE OF DEFECTS, +MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE, OR NON-INFRINGING. +See the License for the specific provisions governing your rights and +obligations concerning the Software. + +The Initial Developer of the Original Code is: Sun Microsystems, Inc. + +Copyright © 2002 by Sun Microsystems, Inc. + +All Rights Reserved. + + +lib/Horde/NLS/GeoIP.php: +Based on PHP geoip.inc library by MaxMind LLC: + http://www.maxmind.com/download/geoip/api/php/ + +Originally based on php version of the geoip library written in May +2002 by jim winstead + +Copyright (C) 2003 MaxMind LLC +Copyright 2003-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/NLS/tld.php: +Generated from IANA (Internet Assigned Numbers Authority) data located +at http://www.iana.org/cctld/cctld-whois.htm + + +lib/Horde/Prefs/kolab.php: +Copyright 2004-2007 Stuart Binge + + +lib/Horde/Routes/*.php: +Authors: Maintainable Software, LLC. 
(http://www.maintainable.com), Mike +Naberezny (mike@maintainable.com) +License: http://opensource.org/licenses/bsd-license.php BSD + + +lib/Horde/Serialize/JSON.php: +Copyright: 2005 Michal Migurski +Authors: Michal Migurski , Matt Knapp +, Brett Stimmerman +License: http://www.opensource.org/licenses/bsd-license.php + +LICENSE: Redistribution and use in source and binary forms, with or +without modification, are permitted provided that the following +conditions are met: Redistributions of source code must retain the +above copyright notice, this list of conditions and the following +disclaimer. Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN +NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS +OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR +TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH +DAMAGE. + + +lib/Horde/SessionHandler/ldap.php: +This code is adapted from the comments at +http://www.php.net/session-set-save-handler. + + +lib/Horde/SessionHandler/oci8.php: +Copyright 2003-2007 Liam Hoekenga + + +lib/Horde/Share/datatree.php: +Copyright 2002-2008 The Horde Project (http://www.horde.org/) +Copyright 2002-2007 Infoteck Internet + + +lib/Horde/UI/Tabs.php: +Copyright 2001-2003 Robert E. 
Coyle +Copyright 2003-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/VC/rcs.php: +Copyright 2004-2007 Jeff Schwentner + + +lib/Horde/VC/cvs.php: +Copyright 2000-2008 The Horde Project (http://www.horde.org/) +Copyright Anil Madhavapeddy, + + +lib/Horde/VC/svn.php: +Copyright 2000-2008 The Horde Project (http://www.horde.org/) +Copyright Anil Madhavapeddy, + + +lib/Net/SMS/vodafoneitaly_smtp.php: +Copyright 2003-2008 The Horde Project (http://www.horde.org/) +Copyright 2003-2007 Matteo Zambelli + + +lib/Net/SMS/generic_*.php: +Copyright 2005-2007 WebSprockets, LLC + + +lib/Net/IMSP/Auth/imtest.php: +Copyright 2005-2007 Liam Hoekenga +Copyright 2003-2008 The Horde Project (http://www.horde.org/) + + +lib/SyncML/*: +Copyright 2003-2007 Karsten Fourmont +Copyright 2003-2008 The Horde Project (http://www.horde.org/) + + +lib/Text/Diff.php: +Copyright 2004 Geoffrey T. Dairiki +Copyright 2004-2008 The Horde Project (http://www.horde.org/) + + +lib/Text/Flowed.php: +Copyright 2002-2003 Philip Mak +Copyright 2004-2008 The Horde Project (http://www.horde.org/) + + +lib/Text/Diff/Engine/string.php: +Copyright 2005 Örjan Persson +Copyright 2005-2008 The Horde Project (http://www.horde.org/) + + +lib/Horde/Text/Filter/html2text.php: +Copyright 2003-2004 Jon Abernathy +Original source: http://www.chuggnutt.com/html2text.php +Copyright 2004-2008 The Horde Project (http://www.horde.org/) + + +lib/VFS/ftp.php: +Copyright 2002-2008 The Horde Project (http://www.horde.org/) +Copyright 2002-2007 Michael Varghese + + +lib/VFS/smb.php: +Codebase copyright 2002 Paul Gareau . Adapted with +permission by Patrice Levesque from phpsmb-0.8 code, and +converted to the LGPL. Please do not taunt original author, contact +Patrice Levesque or dev@lists.horde.org. + + +lib/VFS/Object.php: +Copyright 2002-2007 Jon Wood + + +lib/VFS/ListItem.php: +Copyright 2002-2007 Jon Wood + + +po/README: +Copyright 2004 The Horde Project (http://www.horde.org/) +Joris Braakman , 2004. 
+ + +po/zh_CN.po: +Copyright (C) 2001 WangHengWen. +WangHengWen , 2001. +David Chang , 2001. +liaobin ,2004. + + +po/zh_TW.po: +Copyright (C) 2001 David Chang,TAIWAN. +David Chang , 2001. + + +po/hu_HU.po: +Copyright (C) 2002-2008 Laszlo L. Tornoci +Laszlo L. Tornoci , 2008. + + +po/fi_FI.po: +Copyright (C) Leena Heino , 2001-2008. + + +po/ru_RU.po: +Copyright (C) Ignat Ikryanov , 2001 +Fedor A. Fetisov , 2002 +Alexey Zakharov , 2008 + + +po/ca_ES.po: +Copyright 2004 The Horde Project (http://www.horde.org/) +Jordi Giralt , 2006. + + +po/bs_BA.po: +Copyright 2003 The Horde Project (http://www.horde.org/) +Alen Sarkinovic , 2004. +Vedran Ljubovic , 2005. + + +po/id_ID.po: +Copyright 2005 The Horde Project (http://www.horde.org/) +James , 2005. + + +po/ro_RO.po: +Copyright 2002 The Horde Project (http://www.horde.org/) +Corneliu MUSAT , 2002. + + +po/sk_SK.po: +Copyright (C) 2002 Leo Mrafko (original translator) +(C) 2002, 2003 Ivan Noris +Martin Matu¹ka , 2008 + + +po/lt_LT.po: +Copyright 2007 The Horde Project (http://www.horde.org/) +Darius Matuliauskas , 2002. +Vilius Sumskas , 2003, 2004, 2007. + + +po/de_DE.po: +Copyright 2001-2008 The Horde Project (http://www.horde.org/) +Jan Schneider , 2001-2008. + + +po/nl_NL.po: +Copyright (C) 2001 Jan Kuipers. +Jan Kuipers , 2001-2007. +Updated Han Spruyt 2005 + + +po/ja_JP.po: +Copyright 2004 The Horde Project (http://www.horde.org/) +Hiromi Kimura + + +po/bg_BG.po: +Copyright 2002 The Horde Project (http://www.horde.org/) +Miroslav Pendev , 2002. + + +po/fr_FR.po: +Copyright 2001-2002 The Horde Project (http://www.horde.org/) +Pierre Lachance et Benoit St-André +(ben@benoitst-andre.net), 2003, 2004. +Frederic Trudeau , 2001. +Thierry Thomas , 2002, 2005, 2006, 2007. +Country tranlations from Miguel Tremblay , 2004. +Benoit St-André , 2004. +Yannick Sebastia , 2008. + + +po/ar_SY.po: +Copyright (C) 2003 Platinum Inc. 
+Custom Web Applications +Platinum Development Team + + +po/uk_UA.po: +Copyright (C) Andriy Kopystyansky , 2007 + + +po/it_IT.po: +Copyright (C) 2001 Paola Carpenter. +Paola Carpenter , 2001. +Giovanni Meneghetti , 2001. +Copyright (c) 2003 Sergio G. Caredda. +Sergio G. Caredda , 2003. +Copyright (c) 2007 nethesis srl. +Cristian Manoni, Alessio Fattorini, Davide marini 2007 + + +po/mk_MK.po: +Copyright (C) 2003 Eureka Informatika +Stojan Pesov , 2003 + + +po/nn_NO.po: +Copyright (C) 2002 Per-Stian Vatne +Per-Stian Vatne , 2002. + + +po/pl_PL.po: +Copyright (C) 2001 Mariusz Zynel +Mariusz Zynel , 2001. +Piotr Roszatycki , 2001. +Krzysztof Kozlowski , 2005. +Daniel Horecki , 2007. + + +po/km_KH.po: +Leang Chumsoben , 2006. + + +po/da_DK.po: +Copyright 2001-2006 The Horde Project (http://www.horde.org/) +Martin List-Petersen , 2001 +Brian Truelsen , 2005-2006. + + +po/cs_CZ.po: +Copyright 2004 The Horde Project (http://www.horde.org/) +Pavel Chytil , 2001-2004. + + +po/pt_BR.po: +Fabio Gomes , 2005. + + +po/nb_NO.po: +Copyright 2001-2007 The Horde Project (http://www.horde.org/) +Oystein Steimler , 2001. +Torstein S. Hansen , 2002. +Andreas Gunleikskaas , 2003. +Geir O. Hogberg , 2005. +Lars Tobias Børsting , 2007. + + +po/sv_SE.po: +Copyright (C) 2002-2005 Andreas Dahlén. +Andreas Dahlén , 2005. + + +po/tr_TR.po: +Copyright 2008 The Horde Project (http://www.horde.org/) +horde-tr at metu.edu.tr, 2005-2008. + + +po/el_GR.po: +Copyright (C) 2002 Stefanos I. Dimitriou. +Stefanos I. Dimitriou , 2002. +Silligardos Xristoforos, 2002. +Anagnostopoulos Apostolis, 2002. +Milosis C. Konstantinos, 2005. + + +po/fa_IR.po: +Copyright (C) 2004 High Concil of Informatics (www.shci.ir) +Provided by Amirkabir Metanetworking Ltd, 2004 + +Mohsen Nader-Badr +Chackameh Mortezania +Salman Niksefat +Hamed Gheybi +Vahid Ghafarpour +Zahra Ahmadi + + +services/editors/xinha/*: +htmlArea License (based on BSD license) +Copyright (c) 2002-2004, interactivetools.com, inc. 
+Copyright (c) 2003-2004 dynarch.com +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1) Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + +2) Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +3) Neither the name of interactivetools.com, inc. nor the names of its + contributors may be used to endorse or promote products derived from this + software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + + + +License: Horde is licenced under LGPL license. + +This library is free software; you can redistribute it and/or +modify it under the terms of the GNU Library General Public +License as published by the Free Software Foundation; either +version 2 of the License, or (at your option) any later version. 
+ +This library is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +Library General Public License for more details. + +A copy of the GNU Library General Public License is available as +/usr/share/common-licenses/LGPL in the Debian GNU/Linux distribution +or on the World Wide Web at http://www.gnu.org/copyleft/lgpl.html. +You can also obtain it by writing to the Free Software Foundation, +Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. --- horde3-3.2.2+debian0.orig/debian/NEWS +++ horde3-3.2.2+debian0/debian/NEWS @@ -0,0 +1,10 @@ +horde3 (3.2.1+debian0-2) unstable; urgency=low + + * All Horde components are now inactive by default! If you want to use a + component (IMP, Turba, Kronolith, etcetera.): configure it and active it + in /etc/horde/horde3/registry.php file (set 'status' => 'active'). + + * /etc/horde directory is now restricted to root:www-data. Be sure that your + httpd server is running under the group www-data. + + -- Gregory Colpart (evolix) Mon, 21 Jul 2008 03:23:51 +0200 --- horde3-3.2.2+debian0.orig/debian/horde3.preinst +++ horde3-3.2.2+debian0/debian/horde3.preinst @@ -0,0 +1,34 @@ +#!/bin/sh +# preinst script for horde3 + +set -e + +case "$1" in + install|upgrade) + + CONFFILE=/etc/horde/horde3/registry.php + + if dpkg --compare-versions "$2" lt "3.2.1+debian0-2"; then + if [ -e "$CONFFILE" ]; then + md5sum="`md5sum \"$CONFFILE\" | sed -e \"s/ .*//\"`" + old_md5sum="`dpkg-query -W -f='${Conffiles}' horde3 | sed -n -e \"\\\\' $CONFFILE '{s/ obsolete$//;s/.* //p}\"`" + if [ "$md5sum" = "$old_md5sum" ]; then + echo >> "$CONFFILE" + fi + fi + fi + + ;; + + abort-upgrade) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 --- horde3-3.2.2+debian0.orig/debian/changelog +++ horde3-3.2.2+debian0/debian/changelog 
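Review bot: In debian/horde3.preinst the fallback branch prints "postinst called with unknown argument", copied from the postinst, so a failure is reported against the wrong script; the word should be `preinst`. The block that appends a blank line to an unmodified /etc/horde/horde3/registry.php has no comment, and maintainer scripts normally leave conffiles alone. Going by the changelog on this page it exists to force dpkg's conffile prompt on upgrade, because components are now inactive by default, and that should be stated above the `dpkg --compare-versions` test. `$(...)` would also make the nested quoting in the two md5sum assignments easier to read than backticks.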
@@ -0,0 +1,411 @@ +horde3 (3.2.2+debian0-2+lenny1build0.9.04.1) jaunty-security; urgency=low + + * fake sync from Debian + + -- Jamie Strandboge Tue, 06 Oct 2009 10:06:35 -0500 + +horde3 (3.2.2+debian0-2+lenny1) stable-security; urgency=high + + * Add patch stuff on debian/rules to have clean security patches. + * Backport security patches from 3.3.5, mainly fix vulnerability in image + form fields that allows overwriting of arbitrary local files. See + CVE-2009-3236 for more information. (Closes: #547318) + + -- Gregory Colpart Fri, 25 Sep 2009 21:00:46 +0200 + +horde3 (3.2.2+debian0-2) unstable; urgency=high + + * Add informations in README.Debian about test.php files: these files should + not be "allow from all", because test.php includes private informations and + could be unsafe (for example see CVE-2008-4182). + * Include a patch from Horde upstream to fix an IE-only hole in XSS filter + (See CVE-2008-5917 for more information). (Closes: #512592) + * Include patches from Horde upstream to fix a file inclusion issue in + Horde_Image driver name (Image/Image.php) and an unescaped output in + the tag cloud block (services/portal/cloud_search.php). (Closes: #513265) + + -- Gregory Colpart Thu, 29 Jan 2009 01:15:51 +0100 + +horde3 (3.2.2+debian0-1) unstable; urgency=high + + * New upstream release. + * This version is mainly for fixing two security bugs: unescaped output in + the MIME library and improve the XSS filter for HTML (See CVE-2008-3823 for + more information). (Closes: #499579) + * Add changelog entry with CVE ID in changelog for 3.2.1+debian0-1. + * Fix misspelling in Recommends: field. (Closes: #499001) + * Improve upgrade path Etch->Lenny with forcing to show diff of + /etc/horde/horde3/registry.php because all horde components are now + inactive by default. (Closes: #493885) + * Change Gregory Colpart's email address in debian/control file. 
+ + -- Gregory Colpart Mon, 22 Sep 2008 03:28:05 +0200 + +horde3 (3.2.1+debian0-2) unstable; urgency=low + + [ Mathieu Parent ] + * debian/rules: remove js/src/* in the target directory instead of the + source directory + + [ Gregory Colpart (evolix) ] + * Backport patch from Horde CVS to fix a MIME handling bug. Thanks to Marc + Dequènes to report it. (Closes: #490125) + * Adjust dependencies (php5-gd, php5-mcrypt, php-mail and php-mail-mime are + now required; php5-cli is now recommended, etcetera). + * Execute now temp-cleanup.cron script as www-data instead of root, and + redirect errors to /dev/null. + * Add cron script for Alarms. + * Allow only www-data to read Horde configuration files. (Closes: #432814) + * Adjust watch file with adding dversionmangle option. + * Fix line-too-long lintian warnings in debian/copyright. + * Disable all Horde components by default, and initial configuration + settings to avoid broken pages. (Closes: #487799, #486679) + + -- Gregory Colpart (evolix) Mon, 21 Jul 2008 04:06:39 +0200 + +horde3 (3.2.1+debian0-1) unstable; urgency=low + + * New upstream release. + * This new version has major changes compared to the previous version: an + alarm system that can send email, generate inline notifications, and play + sounds for events in any Horde application; support for read and write + databases; operation when the database is down; many performance + improvements, several slick new themes; WCAG 1.0 Priority 2/Section 508 + accessibility guidelines compliance; full Kolab webclient support; many + improvements in the JavaScript and user interface; a new tree view for + Help along with keyword search; support for memcache clustering; and many, + many bug fixes and small enhancements. + * This new upstream release fixes a security bug: a small XSS/unescaped + output in obrowser (See CVE-2008-3330 and #492578 for more informations). 
+ * With this new version: remove of backported patch for correcting invalid + entities in es_ES (#461400) and manual merge for + config/mime_drivers.php.dist and config.conf.xml for keeping Debian + specific patches. + * Thanks to Mathieu Parent for his help/patches for + this package. + * Repack upstream source to remove fckeditor, tinymce and scriptaculous + (size of upstream source is now instead 7 Mo instead of 8 Mo). + * Added a check in debian/rules to make sure that those external libs are not + in the orig.tar.gz + * A lot of improvements in debian/copyright file. + * Some adjustements in debian/rules: remove exec rights for xml/png/gif/css/ + js/jpg/html/htm files, no more need to remove empty directories and copy + CREDITS file. + * Link some *.js files with libjs-scriptaculous package. + * Link editors (tinymce and fckeditor) with tinymce2 and fckeditor packages. + * Add unrtf and libwpd-tools in "Suggests" field. + * Add patch to keep PAM authentication stays compatible with precedent + version (and with php5-auth-pam package). Add php5-auth-pam to Suggests: + field. + * Update to standards version 3.8.0, no further required changes. + + -- Gregory Colpart (evolix) Sat, 14 Jun 2008 17:14:51 +0200 + +horde3 (3.1.7-1) unstable; urgency=high + + * New upstream release. + * This new version has security fix: fix arbitrary file inclusion through + abuse of the theme preference (see CVE-2008-1284 for more informations). + (Closes: #470640) + * Fix typo in debian/rules comments. + * Add php-net-imap package in "Suggests" field. (Closes: #470283) + * Add libgeoip1 package in "Suggests" field. (Closes: #376935) + + -- Gregory Colpart (evolix) Sat, 15 Mar 2008 14:00:34 +0100 + +horde3 (3.1.6-1) unstable; urgency=high + + * New upstream release. + * This new version has security fixes : privilege escalation in the Horde + API and XSS vulnerabilities (see CVE-2007-6018 for more informations). 
+ (Closes: #461131) + * This new version fixes also translation error in it_IT locale + (Closes: #459555) + * Import fix from Horde CVS to correct invalid entities in es_ES + translantion (thanks to Adrian Santos Marrero ) + (Closes: #461400) + * Update to standards version 3.7.3, no further required changes. + * Use now Vcs-* fields in debian/control. + * Remove empty directories which causes lintian warnings. + * Bump debhelper compat level to 5. + * Add Homepage field. + + -- Gregory Colpart (evolix) Sun, 20 Jan 2008 20:52:59 +0100 + +horde3 (3.1.4-2) unstable; urgency=low + + [ Gregory Colpart (evolix) ] + * Added XS-VCS-* fields in debian/control. + * Typo in previous changelog. + + [ Ola Lundqvist ] + * Correction of log file problem in configuration file, closes: #452351. + * Document that the echo line need to be removed as well, closes: #456908. + + -- Ola Lundqvist Sat, 22 Dec 2007 11:21:40 +0100 + +horde3 (3.1.4-1) unstable; urgency=high + + * New upstream release. + * Transition to PHP5 for Recommends and Suggests fields. (Closes: #432237) + * Remove old phpapi-* from Depends: (Closes: #420644) + * Clean Depends, Recommends and Suggests fields. + * Remove exec right for XML files in debian/rules. + * Add locales in Recommends. + * Disable upstream _detect_webroot() function (unusable in Debian). + * Fix XSS vulnerability. See CVE-2007-1473 for more information. + (Closes: #434045) + + -- Gregory Colpart (evolix) Tue, 24 Jul 2007 18:48:35 -0400 + +horde3 (3.1.3-5) unstable; urgency=low + + * Changed webroot from /horde to /horde3, especially regarding cookie + handling, closes: #391493. + + -- Ola Lundqvist Mon, 21 May 2007 07:03:41 +0200 + +horde3 (3.1.3-4) unstable; urgency=high + + * Correction for arbitrary file deletion vulnerability, + closes: #415116. Thanks to Paul TBBle Hampson + for providing the patch. 
+ + -- Ola Lundqvist Sat, 24 Mar 2007 21:19:05 +0100 + +horde3 (3.1.3-3) unstable; urgency=low + + * Recommend php-db (closes: #400277) + + -- Lionel Elie Mamane Sat, 27 Jan 2007 19:38:21 +0100 + +horde3 (3.1.3-2) unstable; urgency=low + + * Changed the default cookie path from /horde to horde3, closes: + #391493. Thanks for Gregory Colpart for committing + this change and to Lorenzo Bettini for + suggesting it. + + -- Ola Lundqvist Mon, 9 Oct 2006 14:00:35 +0200 + +horde3 (3.1.3-1) unstable; urgency=low + + * New upstream version, closes: #383416. This is a bugfix release to + correct CVE-2006-4256. + * Now suggests gettext, closes: #385457. + + -- Ola Lundqvist Sun, 3 Sep 2006 12:34:06 +0200 + +horde3 (3.1.2-1) unstable; urgency=medium + + * New upstream release. + One of the following is true: + - This release fixes security problems CVE-2006-3549 and CVE-2006-3548 + - These security problems were already fixed in the past in the Debian + branch. + - These security problems were already partially fixed in the past in + the Debian version and this release mops up the rest. + In all cases, closes: #378281 + * Tweak README.Debian and example config a bit (closes: #373235) + * Make the PHP tempdir configurable instead of hardcoded in the weekly + cleanup script (closes: #376526) + * Put the CREDITS file where the online help viewer expects it + (closes: #357377) + * Bump up Standards-Version + + -- Lionel Elie Mamane Sun, 16 Jul 2006 13:12:10 +0200 + +horde3 (3.1.1-4) UNRELEASED; urgency=low + + * Put debhelper in Build-Depends, not B-D-Indep. + + -- Lionel Elie Mamane Fri, 16 Jun 2006 11:49:45 +0200 + +horde3 (3.1.1-3) unstable; urgency=high + + * The SuSE maintainer found several XSS isses in Horde. See + CVE-2006-2195 for more information. Thanks to Moritz Muehlenhoff + for providing the patch. + + -- Ola Lundqvist Wed, 14 Jun 2006 09:36:43 +0200 + +horde3 (3.1.1-2) unstable; urgency=low + + * Correcting the dependencies for php5. 
+ * Jose Carlos Medeiros no longer maintainer of this package. + + -- Ola Lundqvist Sat, 6 May 2006 21:01:48 +0200 + +horde3 (3.1.1-1) unstable; urgency=high + + [ Lionel Elie Mamane ] + * New upstream version + - Close remote arbitrary command execution hole (closes: #360023) + CVE-2006-1491 + * Really exclude {arch} directory from being installed in binary + package. + + -- Lionel Elie Mamane Thu, 6 Apr 2006 19:14:56 +0200 + +horde3 (3.1-2) UNRELEASED; urgency=low + + [ Lionel Elie Mamane ] + * Conflict with versions of turba2 we break compatibility with. + (closes: #360231) + + -- Lionel Elie Mamane Fri, 31 Mar 2006 23:08:02 +0200 + +horde3 (3.1-1) unstable; urgency=low + + [ Lionel Elie Mamane ] + * Tweak the "Admin interface disabled because insecure" message. + + [ Ola Lundqvist ] + * Updated to upstream version 3.1, closes: #356186, #356526. + With correction for CVE-2006-1260 file disclosure vulnerability. + Closes: #358812. + This version correct CVE-2005-4190 as well, closes: #354512. + * Modified dependencies in order to support php5 and to support + recent installations of php4, closes: #353612, #359700, #359208. + + -- Ola Lundqvist Tue, 28 Mar 2006 20:58:38 +0200 + +horde3 (3.0.9-3) unstable; urgency=low + + * Move to team maintainership. + * Make sure that {arch} is not a part of installed dir. + + -- Ola Lundqvist Sun, 12 Mar 2006 21:40:35 +0100 + +horde3 (3.0.9-2) unstable; urgency=high + + * Correct fix for weatherdotcom. + + -- Ola Lundqvist Fri, 16 Dec 2005 20:50:01 +0100 + +horde3 (3.0.9-1) unstable; urgency=high + + * New upstream release that correct a cross site scripting vulnerability + as described in CVE-2005-4190, closes: #342942. + * Documented that horde is incompatible with php4 session.auto_start option + in the README.Debian file, closes: #341695. + * Added php-mail to recommends list, closes: #339135. + * Applied a patch to make weatherdotcom work, closes: #342161. + Thanks to Giuseppe Iuculano . 
+ * Documented how to add alias to apache config, closes: #306605. + * Changed the initial config message slightly, closes: #341358. + + -- Ola Lundqvist Fri, 16 Dec 2005 17:51:15 +0100 + +horde3 (3.0.7-1) unstable; urgency=high + + * New upstream release. + This version fix cross site scripting vulnerabilities (CVE-2005-3759), + closes: #340323. + + -- Ola Lundqvist Tue, 22 Nov 2005 22:45:59 +0100 + +horde3 (3.0.6-1) unstable; urgency=low + + * New upstream release. + * Added phpapi-20041030 to the supported api versions (to support php5), + closes: #333155. + * Fixed so files in etc are rewritten the same was as files in usr/share, + closes: #319780. + * Updated to standards version 3.6.2. + * Corrected to new FSF address. + + -- Ola Lundqvist Sat, 5 Nov 2005 16:11:03 +0100 + +horde3 (3.0.5-4) unstable; urgency=low + + * Minor fix for README.Debian file. + * Added suggests of php4-mhash, closes: #335913. + * Corrected dependency on php4, closes: #329940. + * Corrected problem with ispell and Brazilian Language, closes: #328155. + Thanks to Jose Carlos Medeiros for the fix. + + -- Ola Lundqvist Sat, 5 Nov 2005 12:40:43 +0100 + +horde3 (3.0.5-3) unstable; urgency=high + + * Improved description on why horde3 is disabled by default. + + -- Ola Lundqvist Sun, 9 Oct 2005 12:54:43 +0200 + +horde3 (3.0.5-2) unstable; urgency=high + + * Configuration disabled by default, closes: #332290, #332289. + * Removed some crap from the README.Debian file, closes: #332276. + + -- Ola Lundqvist Sat, 8 Oct 2005 21:10:48 +0200 + +horde3 (3.0.5-1) unstable; urgency=low + + * New upstream release, + closes: #325146, #315571, #325727, #321490, #309729, #304186. + * Added gollem to suggest list, closes: #325492. + * Added webcpp, chora2, xlhtml, ppthtml, wv, source-highlight, enscript + and rpm to suggest list, closes: #309657, #326066. + * Patched config/mime_drivers.php.dist so that no /usr/local is used + for programs that exist in Debian archive, closes: #309661. 
+ + -- Ola Lundqvist Fri, 9 Sep 2005 22:53:15 +0200 + +horde3 (3.0.4-4) unstable; urgency=low + + * Added conflict on horde so removing horde do not cause configuration + removal in horde3, closes: #307623. + + -- Ola Lundqvist Wed, 4 May 2005 23:08:08 +0200 + +horde3 (3.0.4-3) unstable; urgency=medium + + * Removed post* and pre* files becuase they contain nothing that + should remain. + * Fixed dependency problem, closes: #294026. + * Added a note about configuration to README.Debian, closes: #304086. + + -- Ola Lundqvist Sun, 17 Apr 2005 14:27:31 +0200 + +horde3 (3.0.4-2) unstable; urgency=low + + * Fixed permission problem on log file. + * Updated copyright file. It actually use LGPL and not GPL. + * Removed unnecessary config dir in /etc/horde/horde3. + + -- Ola Lundqvist Sun, 10 Apr 2005 19:51:55 +0200 + +horde3 (3.0.4-1) unstable; urgency=low + + * New upstream release. + + -- Ola Lundqvist Mon, 4 Apr 2005 08:11:18 +0200 + +horde3 (3.0.3-1) unstable; urgency=low + + * New upstream release. + Jose Carlos Medeiros have helped a lot with + this version. + + -- Ola Lundqvist Thu, 17 Feb 2005 15:41:33 -0200 + +horde3 (3.0.2-1) unstable; urgency=low + + * New upstream release. + * Cooperated with Roberto Sanchez in + order to complete this version. + + -- Ola Lundqvist Fri, 7 Jan 2005 13:41:54 +0100 + +horde3 (3.0.1-1) unstable; urgency=low + + * New upstream release. + + -- Ola Lundqvist Thu, 6 Jan 2005 16:35:23 +0100 + +horde3 (3.0-1) unstable; urgency=low + + * Initial Release. + + -- Ola Lundqvist Sat, 1 Jan 2005 14:51:04 +0100 --- horde3-3.2.2+debian0.orig/debian/logrotate +++ horde3-3.2.2+debian0/debian/logrotate @@ -0,0 +1,10 @@ +# Log rotation for horde3 + +/var/log/horde/horde3.log { + monthly + missingok + rotate 4 + compress + create 640 www-data www-data + notifempty +} --- horde3-3.2.2+debian0.orig/debian/watch +++ horde3-3.2.2+debian0/debian/watch 
@@ -0,0 +1,4 @@
+version=2
+opts=dversionmangle=s/\+debian\d$// \
+ http://ftp.horde.org/pub/horde/horde-([\d\.]*)\.tar\.gz
+
--- horde3-3.2.2+debian0.orig/debian/links
+++ horde3-3.2.2+debian0/debian/links
@@ -0,0 +1,8 @@
+/usr/share/javascript/scriptaculous/dragdrop.js /usr/share/horde3/js/dragdrop.js
+/usr/share/javascript/scriptaculous/slider.js /usr/share/horde3/js/slider.js
+/usr/share/javascript/scriptaculous/controls.js /usr/share/horde3/js/controls.js
+/usr/share/javascript/scriptaculous/scriptaculous.js /usr/share/horde3/js/scriptaculous.js
+/usr/share/javascript/scriptaculous/effects.js /usr/share/horde3/js/effects.js
+/usr/share/javascript/scriptaculous/prototype.js /usr/share/horde3/js/prototype.js
+/usr/share/tinymce2/www /usr/share/horde3/services/editor/tinymce
+/usr/share/fckeditor /usr/share/horde3/services/editor/fckeditor
--- horde3-3.2.2+debian0.orig/debian/rules
+++ horde3-3.2.2+debian0/debian/rules
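Review bot: debian/watch points uscan at a plain `http://ftp.horde.org/pub/horde/` URL and nothing in the file checks what comes back. The changelog says the upstream tarball is repacked into the orig archive, so that archive starts from a download with no transport or signature protection. If the upstream host serves it, the URL line should become `https://ftp.horde.org/pub/horde/horde-([\d\.]*)\.tar\.gz`. I would also add a comment such as `# verify the tarball against upstream's published checksum or signature before repacking`. Whether upstream publishes either is not visible from this diff.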
@@ -0,0 +1,218 @@ +#!/usr/bin/make -f + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +# List all Files and directories here that should not be copied to +# /usr/share/horde3 +COPY_EXCLUDE=^(\{arch\}|COPYING|README|po|scripts|config|debian|docs|build-stamp|configure-stamp|patch-stamp)$ + +patch: patch-stamp +patch-stamp: + dh_testdir + set -e; test -e patch-stamp || \ + for i in `ls -1 debian/patches/*.patch || :`; do patch -p1 <$$i > /dev/null; done + touch $@ + +unpatch: + dh_testdir + set -e; ! test -e patch-stamp || \ + for i in `ls -1r debian/patches/*.patch || :`; do patch -p1 -R <$$i > /dev/null; done + rm -f patch-stamp + +configure: configure-stamp patch +configure-stamp: + dh_testdir + # Add here commands to configure the package. + + touch configure-stamp + +build: check-external-libs build-stamp + +build-stamp: configure + dh_testdir + touch build-stamp + +clean: unpatch + dh_testdir + dh_testroot + dh_clean build-stamp configure-stamp + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + # Add here commands to install the package into debian/horde3. 
+ #### copy stuff that belongs in /usr/share/horde3 ### + for i in $$(ls -1 | egrep -v "$(COPY_EXCLUDE)"); do \ + echo install $$i ; \ + cp -a $$i debian/horde3/usr/share/horde3 ; \ + done + + #### copy configuration files #### + for i in config/*.dist; do \ + NAME=etc/horde/horde3/$$(basename $$i ".dist"); \ + cp -a $$i debian/horde3/$$NAME; \ + done + + # Use '/horde3' for default cookie path (See #391493) + cat config/conf.xml | \ + sed -e "109,116s@/horde@/horde3@" > debian/horde3/etc/horde/horde3/conf.xml + + #### horde expects configuration in config subdir, create a symlink + #### to comply with FHS + dh_link etc/horde/horde3 usr/share/horde3/config + + #### copy scripts to run by cron #### + mkdir -p debian/horde3/usr/share/horde3/scripts + cp scripts/temp-cleanup.cron debian/horde3/usr/share/horde3/scripts + chmod +x debian/horde3/usr/share/horde3/scripts/temp-cleanup.cron + cp scripts/alarms.php debian/horde3/usr/share/horde3/scripts + + cp debian/horde3.default debian/horde3/etc/default/horde3 + + #### create htaccess to restrict acess by web #### + echo "Deny from all" > debian/horde3/usr/share/horde3/scripts/.htaccess + echo "Deny from all" > debian/horde3/etc/horde/horde3/.htaccess + + #### log file #### + printf "\n\$$conf['log']['name'] = '/var/log/horde/horde3.log';" >> \ + debian/horde3/etc/horde/horde3/conf.php + chown root:www-data debian/horde3/var/log/horde + chmod 750 debian/horde3/var/log/horde + + #### add default configuration to avoid broken pages + printf "\n\$$conf['datatree']['driver'] = 'null';" >> \ + debian/horde3/etc/horde/horde3/conf.php + printf "\n\$$conf['share']['no_sharing'] = true;" >> \ + debian/horde3/etc/horde/horde3/conf.php + printf "\n\$$conf['cache']['driver'] = 'none';" >> \ + debian/horde3/etc/horde/horde3/conf.php + + #### change made for program run with no problems ### + cat config/registry.php.dist | \ + sed -e "s/'fileroot' *=> *dirname(__FILE__)/'fileroot' => '\/usr\/share\/horde3\/lib'/"| \ + sed -e 
"s/'templates' *=> *dirname(__FILE__)/'templates' => '\/usr\/share\/horde3\/lib'/"| \ + sed -e "s/webroot *= * '\/horde';/webroot = '\/horde3';/" > \ + debian/horde3/etc/horde/horde3/registry.php + + # change HORDE_BASE in php files + # change /usr/local/bin/php to /usr/bin/php + for i in $$(find debian/horde3 -name "*.php"); do \ + cat $$i | \ + sed -e "s/define('HORDE_BASE'.*;/define\('HORDE_BASE', '\/usr\/share\/horde3\'\);/" |\ + sed -e "s/\/usr\/local\/bin/\/usr\/bin/" > $$i.rew; \ + mv $$i.rew $$i; \ + done + + #### change permissions of scripts #### + for i in $$(find debian/horde3/usr/share/horde3 -type f | \ + xargs grep '^#!\/' |cut -d: -f1); do \ + chmod u+x $$i; \ + done + + #### create link to access horde #### + #dh_link usr/share/horde3 var/www/horde3 + #### end #### + + #### no exec right for .xml/png/gif/css/js/jpg/html/htm files (lintian warnings) #### + find debian/horde3/usr/share/horde3 \( \ + -name "*.xml" \ + -o -name "*.png" \ + -o -name "*.gif" \ + -o -name "*.css" \ + -o -name "*.js" \ + -o -name "*.jpg" \ + -o -name "*.html" \ + -o -name "*.htm" \) \ + -type f -exec chmod -x '{}' \; + + #### CREDITS file accessible to help viewer (DEPRECATED ??) 
#### + #mkdir -m 755 debian/horde3/usr/share/horde3/docs + #cp -a docs/CREDITS debian/horde3/usr/share/horde3/docs/ + + #### Remove empty directories (lintian warnings) (DEPRECATED) #### + #rmdir debian/horde3/usr/share/horde3/lib/Horde/tests + #rmdir debian/horde3/usr/share/horde3/lib/Text/docs/examples + #rmdir debian/horde3/usr/share/horde3/lib/Text/docs + #rmdir debian/horde3/usr/share/horde3/lib/VFS/tests + #rmdir debian/horde3/usr/share/horde3/lib/Horde/docs/examples + #rmdir debian/horde3/usr/share/horde3/lib/Horde/docs + #rmdir debian/horde3/usr/share/horde3/lib/File/tests + #rmdir debian/horde3/usr/share/horde3/lib/XML/tests + #rmdir debian/horde3/usr/share/horde3/lib/data + #rmdir debian/horde3/usr/share/horde3/lib/Text/tests + #rmdir debian/horde3/usr/share/horde3/lib/XML/docs/examples + #rmdir debian/horde3/usr/share/horde3/lib/XML/docs + #rmdir debian/horde3/usr/share/horde3/lib/Horde/scripts + #rmdir debian/horde3/usr/share/horde3/lib/Horde/Text/tests + #rmdir debian/horde3/usr/share/horde3/lib/docs + + #### Remove extra license file (lintian warnings) #### + #### (This hack is temporary because waiting xinha package) #### + rm debian/horde3/usr/share/horde3/services/editor/xinha/license.txt + + #### Remove javascript source files + rm -rf debian/horde3/usr/share/horde3/js/src/ + +# Build architecture-dependent files here. +binary-arch: build install +# We have nothing to do by default. + +# Build architecture-independent files here. 
+binary-indep: build install + dh_testdir + dh_testroot + dh_installchangelogs + dh_installdocs -XINSTALL + mv debian/horde3/usr/share/doc/horde3/CHANGES \ + debian/horde3/usr/share/doc/horde3/changelog + dh_installexamples + -find debian/horde3 -depth -name ".arch-ids" -exec rm -Rf {} \; +# dh_install +# dh_installmenu +# dh_installdebconf + dh_installlogrotate +# dh_installemacsen +# dh_installpam +# dh_installmime +# dh_installinit + dh_installcron +# dh_installinfo + dh_installman +# dh_link (already used above) + dh_strip + dh_compress + dh_fixperms -Xdebian/horde3/var/log/horde +# dh_perl +# dh_python +# dh_makeshlibs + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb +check-external-libs: + if [ -e services/editor/fckeditor ] || \ + [ -e services/editor/tinymce ] || \ + [ -e js/builder.js ] || [ -e js/src/builder.js ] || \ + [ -e js/controls.js ] || [ -e js/src/controls.js ] || \ + [ -e js/dragdrop.js ] || [ -e js/src/dragdrop.js ] || \ + [ -e js/effects.js ] || [ -e js/src/effects.js ] || \ + [ -e js/prototype.js ] || [ -e js/src/prototype.js ] || \ + [ -e js/scriptaculous.js ] || [ -e js/src/scriptaculous.js ] || \ + [ -e js/slider.js ] || [ -e js/src/slider.js ] || \ + [ -e js/sound.js ] || [ -e js/src/sound.js ] || \ + [ -e js/unittest.js ] || [ -e js/src/unittest.js ]; then \ + echo ""; \ + echo " ** **"; \ + echo " ** tar contains external files! **"; \ + echo " ** **"; \ + echo ""; \ + exit 1; \ + fi + +binary: binary-indep binary-arch +.PHONY: patch unpatch build clean binary-indep binary-arch binary install configure --- horde3-3.2.2+debian0.orig/debian/README.Debian +++ horde3-3.2.2+debian0/debian/README.Debian 
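Review bot: The `patch-stamp` recipe in debian/rules applies everything under debian/patches with `patch -p1 <$$i > /dev/null`, so hunks of the security backport that land with fuzz are accepted and the messages saying so are thrown away. The changelog gives the backport as the reason for this revision, so I would refuse fuzzy matches and keep the output in the build log: `patch -p1 -F0 <$$i` in place of `patch -p1 <$$i > /dev/null`, with the same change to the `-R` call in `unpatch`. Separately, `sed -e "109,116s@/horde@/horde3@"` in the install target rewrites the cookie path by line number. If those lines of conf.xml ever shift, the old `/horde` path would remain with no error, so matching on the setting itself would be more robust.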
@@ -0,0 +1,221 @@ +horde3 for Debian +----------------- + +Configuring Horde +================= + +1. Configuring the web server + + The webserver is normally configured by default in a Debian system but you + need to check if you have configured it in some other way; in + particular, you need the following to apply to the + /usr/share/horde3/ hierarchy: + + Options FollowSymLinks + AllowOverride Limit + + For the webserver you also need to tell where your horde3 installation + is. This done by adding an alias to the apache configuration like this: + + Alias /horde3 /usr/share/horde3 + + Note that the /horde3 prefix is only the default; it is configured in + /etc/horde/horde3/registry.php, in: + + $this->applications['horde'] = array( + ... + 'webroot' => $webroot, + ... + ) + + You can change this setting if you wish. + + Note there are ``test.php`` files for helping you to verify if everything is + installed on your system. But these files can be used against the site by + attackers. Then you need restrict access. The advised method is to do it via + the web server. For example with Apache: + + + deny from all + + + Horde requires the following webserver settings. Examples shown are for + Apache; other webservers' configurations will differ. + + a. PHP interpretation for files matching ``*.php``:: + + AddType application/x-httpd-php .php + + .. Note:: The above instructions may not work if you have specified PHP + as an output filter with ``SetOutputFilter`` directive in + Apache 2.x versions. In particular, Red Hat 8.0 and above + Apache 2.x RPMS have the output filter set, and **MUST NOT** + have the above ``AddType`` directive added. + + b. ``index.php`` as an index file (brought up when a user requests a URL for + a directory):: + + DirectoryIndex index.php + + c. Horde also require that the php is set to session.auto_start = Off. + So if you have changed that you need to add this to your apache + configuration (at least for horde). 
+ + php_flag session.auto_start Off + +2. Creating databases + + The specific steps to create a preferences storage container depend on + which database you've chosen to use. + + First, look in ``usr/share/doc/horde3/examples/scripts/sql``/ to see + if a ``create.`` script already exists for your database. + If so, you should be able to simply execute that + script as superuser in your database. Consult the ``scripts/sql/README`` + file for more information. + + Be sure to change the default password, ``horde``, to something else before + creating the tables! (Remember to use this password when you configure + Horde in the next step.) + + If such a script does not exist, you'll need to build your own, using the + files ``horde_users.sql``, ``horde_prefs.sql``, and ``horde_datatree.sql`` + as a starting point. If you need assistance in creating databases for a + database for which no ``create.`` script exists, you may wish to let us + know on the `Horde mailing list`_. + + If you are going to use database based sessions, create a table using the + files ``scripts/sql/horde_sessionhandler*.sql`` as a starting point. + + .. _`Horde mailing list`: horde@lists.horde.org + +3. Configuring Horde + + To configure horde3 use the web configuration wizard. It is disabled + by default for security reasons. To enable it remove the exit (0) directive + and the echo line above it in /etc/horde/horde3/conf.php file. To let the + configuration wizard write to the configuration files you have to change + the owner of the /etc/horde/horde3 dir and config files to be owned by + www-data. + + If you do not do that you have to cut from the web configuration + program and paste into the config file yourself. + + The reason why this is not the default option is, that allow writing + to configuration files without any authentication is a big + security hole, so you should reset the owner to root when you are done + with the configuration. 
+ + The wizard appears at the webroot of Horde if the latter is not + configured yet; later, login as an admin user to get it in the + menu. The webroot of Horde is http://HOSTNAME/horde3/ by default. + + You can now access Horde without a password, and you will be logged in as + an administrator. You should first configure a real authentication backend. + Click on ``Configuration`` in the ``Administration`` menu and configure + Horde. Start in the ``Authentication`` tab. + + Here is an example for configuring authentication against a remote IMAP + server. Similar steps apply for authenticating against a database, an LDAP + server, etc. + + If you want the Administrator of the web account able to write to the + configuration files without the need of cut and paste you need to make + /etc/horde/horde3/config (with corresponding files) owned and writeable + by the webserver user (normally www-data). In order to configure other + applications like imp such files also need to be writeable by the webserver + user. + + Note! Giving the web user access to write to the configuration may be + a security issue, so this is not recommended to keep for a long time (if + at all). + + a. In the ``Which users should be treated as administrators`` field enter a + comma separated list of user names of your choosing. This will control + who is allowed to make configuration changes, see passwords, potentially + add users, etc. + + b. In the ``What backend should we use for authenticating users to Horde`` + pulldown menu select ``IMAP authentication``. The page will reload and + you will have specific options for IMAP authentication. + + c. In the ``Configuration type`` pulldown menu select ``Separate values``. + The page will reload with additional options. Fill in the remaining + three fields appropriately: + + - IP name/number of the IMAP server + - For a secure connection, select port 993. 
+ - Select the protocol; for a secure connection either ``imap/ssl`` or + ``imap/ssl/novalidate-cert`` (for self-signed certificates). + + Continue to configure Horde through all the tabs of the configuration + interface and click on ``Generate Horde Configuration``. + + Configuration of applications in ``registry.php`` is documented in the + ``INSTALL`` file of each application. Most applications require you to + configure them with a "Horde administrator" account. A Horde administrator + account is any normal Horde account that has been added to the + administrator list in the ``Authentication`` tab of the Horde + configuration. + + The other files in that directory need only be modified if you wish to + customize Horde's appearance or behaviour -- the defaults will work at most + sites. + + .. _translations: + + Note for international users: Horde uses GNU gettext to provide local + translations of text displayed by applications; the translations are found + in the po/ directory. If a translation is not yet available for your + locale (and you wish to create one), see the ``horde/po/README`` file, or + if you're having trouble using a provided translation, please see the + `horde/docs/TRANSLATIONS`_ file for instructions. + +4. Miscellaneous + + If the temporary directory of the PHP serving Horde is not /tmp/, + you need to set it in /etc/default/horde3 for the weekly clean-up + to work correctly. + +6. Securing Horde + + a. Passwords + + Some of Horde's configuration files contain passwords which local users + could use to access your database. It is recommended to ensure that at + least the Horde configuration files (in ``/etc/horde/horde3/``) are not + readable to system users. 
There are ``.htaccess`` files restricting + access to directories that do not need to be accessed directly; before + relying on those, ensure that your webserver supports ``.htaccess`` and + is configured to use them, and that the files in those directories are in + fact inaccessible via the browser. + + An additional approach is to make Horde's configuration files owned by + the user ``root`` and by a group which only the webserver user belongs + to, and then making them readable only to owner and group. For example, + if your webserver runs as ``www-data.www-data``, do as follows:: + + chown root.www-data config/* + chmod 0440 config/* + + b. Sessions + + Session data -- including hashed versions of your users' passwords, in + some applications -- may not be stored as securely as necessary. + + If you are using file-based PHP sessions (which are the default), be + sure that session files are not being written into ``/tmp`` with + permissions that allow other users to read them. Ideally, change the + ``session.save_path`` setting in ``php.ini`` to a directory only + readable and writeable by your webserver. + + Additionally, you can change the session handler of PHP to use any + storage backend requested (e.g. SQL database) via the ``Custom Session + Handler`` tab in the Horde configuration. + +7. Entering the survey + + If you like, go to http://www.horde.org/survey/ and enter the details of + your system. + + -- Lionel Elie Mamane , Sun, 16 Jul 2006 12:54:19 +0200 --- horde3-3.2.2+debian0.orig/debian/patches/0001-backport-security-patches-from-3.3.5.patch +++ horde3-3.2.2+debian0/debian/patches/0001-backport-security-patches-from-3.3.5.patch 
@@ -0,0 +1,288 @@
+diff -uNr horde-3.2.4/lib/Horde/Form.php horde-3.2.5/lib/Horde/Form.php
+--- horde-3.2.4/lib/Horde/Form.php 2009-09-14 10:12:53.000000000 +0200
++++ horde-3.2.5/lib/Horde/Form.php 2009-09-14 10:10:30.000000000 +0200
+@ -1648,7 +1648,14 @@
+ *
+ * @var array
+ */
+- var $_img = array();
++ var $_img;
++
++ /**
++ * A random id that identifies the image information in the session data.
++ *
++ * @var string
++ */
++ var $_random;
+
+ function init($show_upload = true, $show_keeporig = false, $max_filesize = null)
+ {
+@@ -1660,7 +1667,7 @@
+ function onSubmit(&$var, &$vars)
+ {
+ /* Get the upload. */
+- $this->_getUpload($vars, $var);
++ $this->getImage($vars, $var);
+
+ /* If this was done through the upload button override the submitted
+ * value of the form. */
+@@ -1671,25 +1678,24 @@
+
+ function isValid(&$var, &$vars, $value, &$message)
+ {
+- $field = $vars->get($var->getVarName());
+-
+ /* Get the upload. */
+- $this->_getUpload($vars, $var);
++ $this->getImage($vars, $var);
++ $field = $vars->get($var->getVarName());
+
+ /* The upload generated a PEAR Error. */
+ if (is_a($this->_uploaded, 'PEAR_Error')) {
+ /* Not required and no image upload attempted. */
+- if (!$var->isRequired() && empty($field['img']) &&
++ if (!$var->isRequired() && empty($field['hash']) &&
+ $this->_uploaded->getCode() == UPLOAD_ERR_NO_FILE) {
+ return true;
+ }
+
+ if (($this->_uploaded->getCode() == UPLOAD_ERR_NO_FILE) &&
+- empty($field['img'])) {
++ empty($field['hash'])) {
+ /* Nothing uploaded and no older upload. */
+ $message = _("This field is required.");
+ return false;
+- } elseif (!empty($field['img'])) {
++ } elseif (!empty($field['hash'])) {
+ /* Nothing uploaded but older upload present.
 */
+ return true;
+ } else {
+@@ -1697,11 +1703,11 @@
+ $message = $this->_uploaded->getMessage();
+ return false;
+ }
+- } elseif (empty($this->_img['size'])) {
++ } elseif (empty($this->_img['img']['size'])) {
+ $message = _("The image file size could not be determined or it was 0 bytes. The upload may have been interrupted.");
+ return false;
+ } elseif ($this->_max_filesize &&
+- $this->_img['size'] > $this->_max_filesize) {
++ $this->_img['img']['size'] > $this->_max_filesize) {
+ $message = sprintf(_("The image file was larger than the maximum allowed size (%d bytes)."), $this->_max_filesize);
+ return false;
+ }
+@@ -1712,11 +1718,11 @@
+ function getInfo(&$vars, &$var, &$info)
+ {
+ /* Get the upload. */
+- $this->_getUpload($vars, $var);
++ $this->getImage($vars, $var);
+
+ /* Get image params stored in the hidden field. */
+ $value = $var->getValue($vars);
+- $info = $this->_img;
++ $info = $this->_img['img'];
+ if (empty($info['file'])) {
+ unset($info['file']);
+ return;
+@@ -1771,7 +1777,7 @@
+ if ($this->_uploaded === true) {
+ /* A file has been uploaded on this submit. Save to temp dir for
+ * preview work. */
+- $this->_img['type'] = $this->getUploadedFileType($varname . '[new]');
++ $this->_img['img']['type'] = $this->getUploadedFileType($varname . '[new]');
+
+ /* Get the other parts of the upload. */
+ require_once 'Horde/Array.php';
+@@ -1779,19 +1785,22 @@
+
+ /* Get the temporary file name. */
+ $keys_path = array_merge(array($base, 'tmp_name'), $keys);
+- $this->_img['file'] = Horde_Array::getElement($_FILES, $keys_path);
++ $this->_img['img']['file'] = Horde_Array::getElement($_FILES, $keys_path);
+
+ /* Get the actual file name. */
+- $keys_path= array_merge(array($base, 'name'), $keys);
+- $this->_img['name'] = Horde_Array::getElement($_FILES, $keys_path);
++ $keys_path = array_merge(array($base, 'name'), $keys);
++ $this->_img['img']['name'] = Horde_Array::getElement($_FILES, $keys_path);
+
+ /* Get the file size.
 */
+- $keys_path= array_merge(array($base, 'size'), $keys);
+- $this->_img['size'] = Horde_Array::getElement($_FILES, $keys_path);
++ $keys_path = array_merge(array($base, 'size'), $keys);
++ $this->_img['img']['size'] = Horde_Array::getElement($_FILES, $keys_path);
+
+ /* Get any existing values for the image upload field. */
+ $upload = $vars->get($var->getVarName());
+- $upload['img'] = @unserialize($upload['img']);
++ if (!empty($upload['hash'])) {
++ $upload['img'] = $_SESSION['horde_form'][$upload['hash']];
++ unset($_SESSION['horde_form'][$upload['hash']]);
++ }
+
+ /* Get the temp file if already one uploaded, otherwise create a
+ * new temporary file. */
+@@ -1802,19 +1811,21 @@
+ }
+
+ /* Move the browser created temp file to the new temp file. */
+- move_uploaded_file($this->_img['file'], $tmp_file);
+- $this->_img['file'] = basename($tmp_file);
+-
+- /* Store the uploaded image file data to the hidden field. */
+- $upload['img'] = serialize($this->_img);
+- $vars->set($var->getVarName(), $upload);
++ move_uploaded_file($this->_img['img']['file'], $tmp_file);
++ $this->_img['img']['file'] = basename($tmp_file);
+ } elseif ($this->_uploaded) {
+ /* File has not been uploaded. */
+ $upload = $vars->get($var->getVarName());
+- if ($this->_uploaded->getCode() == 4 && !empty($upload['img'])) {
+- $this->_img = @unserialize($upload['img']);
++ if ($this->_uploaded->getCode() == 4 &&
++ !empty($upload['hash']) &&
++ isset($_SESSION['horde_form'][$upload['hash']])) {
++ $this->_img['img'] = $_SESSION['horde_form'][$upload['hash']];
++ unset($_SESSION['horde_form'][$upload['hash']]);
+ }
+ }
++ if (isset($this->_img['img'])) {
++ $_SESSION['horde_form'][$this->getRandomId()] = $this->_img['img'];
++ }
+ }
+
+ function getUploadedFileType($field)
+@@ -1865,6 +1876,27 @@
+ }
+
+ /**
++ * Returns the current image information.
++ *
++ * @return array The current image hash.
++ */
++ function getImage($vars, $var)
++ {
++ $this->_getUpload($vars, $var);
++ if (!isset($this->_img)) {
++ $image = $vars->get($var->getVarName());
++ if ($image) {
++ $this->loadImageData($image);
++ if (isset($image['img'])) {
++ $this->_img = $image;
++ $_SESSION['horde_form'][$this->getRandomId()] = $this->_img['img'];
++ }
++ }
++ }
++ return $this->_img;
++ }
++
++ /**
+ * Loads any existing image data into the image field. Requires that the
+ * array $image passed to it contains the structure:
+ * $image['load']['file'] - the filename of the image;
+@@ -1886,10 +1918,18 @@
+ fclose($fd);
+ }
+
+- $image['img'] = serialize(array('file' => $image['load']['file']));
++ $image['img'] = array('file' => $image['load']['file']);
+ unset($image['load']);
+ }
+
++ function getRandomId()
++ {
++ if (!isset($this->_random)) {
++ $this->_random = uniqid(mt_rand());
++ }
++ return $this->_random;
++ }
++
+ /**
+ * Return info about field type.
+ */
+diff -uNr horde-3.2.4/lib/Horde/MIME/Viewer/simple.php horde-3.2.5/lib/Horde/MIME/Viewer/simple.php
+--- horde-3.2.4/lib/Horde/MIME/Viewer/simple.php 2009-09-14 10:12:54.000000000 +0200
++++ horde-3.2.5/lib/Horde/MIME/Viewer/simple.php 2009-09-14 10:10:30.000000000 +0200
+@@ -17,6 +17,21 @@
+ class MIME_Viewer_simple extends MIME_Viewer {
+
+ /**
++ * Renders out the contents.
++ *
++ * @param array $params Any parameters the Viewer may need.
++ *
++ * @return string The rendered contents.
++ */
++ function render($params = array())
++ {
++ // Bug #8311: Unknown text parts should not be rendered inline.
++ return MIME_Contents::viewAsAttachment()
++ ? parent::render($params)
++ : _("Can not display contents of text part inline.");
++ }
++
++ /**
+ * Return the MIME type of the rendered content.
+ *
+ * @return string MIME-type of the output content.
+diff -uNr horde-3.2.4/lib/Horde/Prefs/UI.php horde-3.2.5/lib/Horde/Prefs/UI.php
+--- horde-3.2.4/lib/Horde/Prefs/UI.php 2009-09-14 10:12:56.000000000 +0200
++++ horde-3.2.5/lib/Horde/Prefs/UI.php 2009-09-14 10:10:32.000000000 +0200
+@@ -120,9 +120,9 @@
+
+ case 'number':
+ $num = Util::getPost($pref);
+- if (intval($num) != $num) {
++ if ((string)(double)$num !== $num) {
+ $notification->push(_("This value must be a number."), 'horde.error');
+- } elseif ($num == 0) {
++ } elseif (empty($num)) {
+ $notification->push(_("This number must be at least one."), 'horde.error');
+ } else {
+ $updated = $updated | $save->setValue($pref, $num);
+diff -uNr horde-3.2.4/lib/Horde/UI/VarRenderer/html.php horde-3.2.5/lib/Horde/UI/VarRenderer/html.php
+--- horde-3.2.4/lib/Horde/UI/VarRenderer/html.php 2009-09-14 10:12:51.000000000 +0200
++++ horde-3.2.5/lib/Horde/UI/VarRenderer/html.php 2009-09-14 10:10:26.000000000 +0200
+@@ -146,10 +146,7 @@
+ function _renderVarInput_image($form, &$var, &$vars)
+ {
+ $varname = htmlspecialchars($var->getVarName());
+- $image = $var->getValue($vars);
+-
+- /* Check if existing image data is being loaded. */
+- $var->type->loadImageData($image);
++ $image = $var->type->getImage($vars, $var);
+
+ Horde::addScriptFile('image.js', 'horde', true);
+ $graphics_dir = $GLOBALS['registry']->getImageDir('horde');
+@@ -159,13 +156,11 @@
+
+ /* Check if there is existing img information stored. */
+ if (isset($image['img'])) {
+- /* Hidden tag to store the preview image filename. */
++ /* Hidden tag to store the preview image id. */
+ $html = sprintf('',
+- $varname . '[img]',
+- $varname . '[img]',
+- @htmlspecialchars($image['img'], ENT_QUOTES, $this->_charset));
+- /* Unserialize the img information to get the full array. */
+- $image['img'] = @unserialize($image['img']);
++ $varname . '[hash]',
++ $varname . '[hash]',
++ $var->type->getRandomId());
+ }
+
+ /* Output MAX_FILE_SIZE parameter to limit large files.
*/ +diff -uNr horde-3.2.4/lib/prefs.php horde-3.2.5/lib/prefs.php +--- horde-3.2.4/lib/prefs.php 2008-03-18 18:54:39.000000000 +0100 ++++ horde-3.2.5/lib/prefs.php 2009-07-12 01:39:12.000000000 +0200 +@@ -121,7 +121,7 @@ + } + + if ($prefs->isDirty('sidebar_width')) { +- $notification->push('if (window.parent && window.parent.document.getElementById(\'hf\') && window.parent.horde_menu && window.parent.horde_menu.document.getElementById(\'expandedSidebar\').style.display != \'hidden\') window.parent.document.getElementById(\'hf\').cols = window.parent.horde_menu.rtl ? \'*,' . $prefs->getValue('sidebar_width') . '\' : \'' . $prefs->getValue('sidebar_width') . ',*\';', 'javascript'); ++ $notification->push('if (window.parent && window.parent.document.getElementById(\'hf\') && window.parent.horde_menu && window.parent.horde_menu.document.getElementById(\'expandedSidebar\').style.display != \'hidden\') window.parent.document.getElementById(\'hf\').cols = window.parent.horde_menu.rtl ? \'*,' . (int)$prefs->getValue('sidebar_width') . '\' : \'' . (int)$prefs->getValue('sidebar_width') . ',*\';', 'javascript'); + } + + if ($prefs->isDirty('theme') || --- horde3-3.2.2+debian0.orig/services/portal/cloud_search.php +++ horde3-3.2.2+debian0/services/portal/cloud_search.php @@ -28,7 +28,9 @@ $results = array_merge($results, $registry->call('news/searchTags', array(array($tag)))); echo '
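Review bot: In the nested Form.php hunk `@@ -1779,19 +1785,22 @@`, the branch taken when a new file was uploaded reads `$_SESSION['horde_form'][$upload['hash']]` after checking only `!empty($upload['hash'])`, while the no-upload branch in the following hunk also checks `isset($_SESSION['horde_form'][$upload['hash']])`. `$upload['hash']` comes from the submitted form, so a stale or invented value raises a notice and leaves `$upload['img']` null, and a non-string value ends up used as an array offset. I would give both branches the same guard, `if (!empty($upload['hash']) && is_string($upload['hash']) && isset($_SESSION['horde_form'][$upload['hash']])) {`. The enclosing method (presumably `_getUpload()`) starts and ends outside these nested hunks, so how the later temp-file lookup consumes `$upload['img']` should be confirmed against the full file.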
' - . sprintf(_("Results for %s"), '' . $tag . '') + // Backport security patch from upstream + //. sprintf(_("Results for %s"), '' . $tag . '') + . sprintf(_("Results for %s"), '' . htmlspecialchars($tag) . '') . '' . Horde::link('#', '', '', '', '$(\'cloudsearch\').hide();', '', '', array('style' => 'font-size:75%;')) . '(' . _("Hide Results") . ')
    '; --- horde3-3.2.2+debian0.orig/config/conf.php.dist +++ horde3-3.2.2+debian0/config/conf.php.dist @@ -1,4 +1,7 @@ applications['horde'] = array( 'fileroot' => dirname(__FILE__) . '/..', - 'webroot' => _detect_webroot(), + // To respect Debian FHS policy, config/ is in /etc/ directory + // Then _detect_webroot() is unusable in Debian + // 'webroot' => _detect_webroot(), + 'webroot' => '/horde3', 'initial_page' => 'login.php', 'name' => _("Horde"), 'status' => 'active', @@ -71,7 +74,7 @@ 'fileroot' => dirname(__FILE__) . '/../imp', 'webroot' => $this->applications['horde']['webroot'] . '/imp', 'name' => _("Mail"), - 'status' => 'active', + 'status' => 'inactive', 'provides' => array('mail', 'contacts/favouriteRecipients') ); @@ -79,7 +82,7 @@ 'fileroot' => dirname(__FILE__) . '/../ingo', 'webroot' => $this->applications['horde']['webroot'] . '/ingo', 'name' => _("Filters"), - 'status' => 'active', + 'status' => 'inactive', 'provides' => array('mail/blacklistFrom', 'mail/showBlacklist', 'mail/whitelistFrom', 'mail/showWhitelist', 'mail/applyFilters', 'mail/canApplyFilters', 'mail/showFilters'), 'menu_parent' => 'imp' ); @@ -88,7 +91,7 @@ 'fileroot' => dirname(__FILE__) . '/../sam', 'webroot' => $this->applications['horde']['webroot'] . '/sam', 'name' => _("Spam"), - 'status' => 'active', + 'status' => 'inactive', // Uncomment this line if you want Sam to handle the blacklist filter // instead of Ingo: // 'provides' => array('mail/blacklistFrom', 'mail/showBlacklist', 'mail/whitelistFrom', 'mail/showWhitelist'), @@ -99,7 +102,7 @@ 'fileroot' => dirname(__FILE__) . '/../forwards', 'webroot' => $this->applications['horde']['webroot'] . '/forwards', 'name' => _("Forwards"), - 'status' => 'active', + 'status' => 'inactive', 'provides' => 'forwards', 'menu_parent' => 'imp', ); 
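Review bot: `htmlspecialchars($tag)` in the cloud_search.php hunk is called with the default flags and charset, so the escaping depends on PHP's defaults rather than on the charset Horde serves the page in; the call removed from `VarRenderer/html.php` elsewhere on this page passed both explicitly. Assuming the usual Horde `NLS` class is loaded in this script, `htmlspecialchars($tag, ENT_QUOTES, NLS::getCharset())` would make that explicit and also cover single quotes should the value ever move into an attribute. I would also drop the commented-out old `sprintf` line instead of keeping the unescaped variant next to the fix; the backport reference fits better in the patch header or changelog.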
@@ -108,7 +111,7 @@ 'fileroot' => dirname(__FILE__) . '/../vacation', 'webroot' => $this->applications['horde']['webroot'] . '/vacation', 'name' => _("Vacation"), - 'status' => 'active', + 'status' => 'inactive', 'provides' => 'vacation', 'menu_parent' => 'imp' ); @@ -129,7 +132,7 @@ 'fileroot' => dirname(__FILE__) . '/../turba', 'webroot' => $this->applications['horde']['webroot'] . '/turba', 'name' => _("Address Book"), - 'status' => 'active', + 'status' => 'inactive', 'provides' => array('contacts', 'clients/getClientSource', 'clients/clientFields', 'clients/getClient', 'clients/getClients', 'clients/addClient', 'clients/updateClient', 'clients/deleteClient', 'clients/searchClients'), 'menu_parent' => 'organizing' ); @@ -145,7 +148,7 @@ 'fileroot' => dirname(__FILE__) . '/../kronolith', 'webroot' => $this->applications['horde']['webroot'] . '/kronolith', 'name' => _("Calendar"), - 'status' => 'active', + 'status' => 'inactive', 'provides' => 'calendar', 'menu_parent' => 'organizing' ); @@ -168,7 +171,7 @@ 'fileroot' => dirname(__FILE__) . '/../nag', 'webroot' => $this->applications['horde']['webroot'] . '/nag', 'name' => _("Tasks"), - 'status' => 'active', + 'status' => 'inactive', 'provides' => 'tasks', 'menu_parent' => 'organizing' ); @@ -191,7 +194,7 @@ 'fileroot' => dirname(__FILE__) . '/../mnemo', 'webroot' => $this->applications['horde']['webroot'] . '/mnemo', 'name' => _("Notes"), - 'status' => 'active', + 'status' => 'inactive', 'provides' => 'notes', 'menu_parent' => 'organizing' ); @@ -237,7 +240,7 @@ 'fileroot' => dirname(__FILE__) . '/../chora', 'webroot' => $this->applications['horde']['webroot'] . '/chora', 'name' => _("Version Control"), - 'status' => 'active', + 'status' => 'inactive', 'menu_parent' => 'devel' ); 
@@ -383,7 +386,7 @@ 'fileroot' => dirname(__FILE__) . '/../gollem', 'webroot' => $this->applications['horde']['webroot'] . '/gollem', 'name' => _("File Manager"), - 'status' => 'active', + 'status' => 'inactive', 'menu_parent' => 'myaccount', 'provides' => 'files', ); @@ -399,7 +402,7 @@ 'fileroot' => dirname(__FILE__) . '/../passwd', 'webroot' => $this->applications['horde']['webroot'] . '/passwd', 'name' => _("Password"), - 'status' => 'active', + 'status' => 'inactive', 'menu_parent' => 'myaccount' ); @@ -516,10 +519,10 @@ } elseif ($webroot === false) { $webroot = ''; } else { - $webroot = '/horde'; + $webroot = '/horde3'; } } else { - $webroot = '/horde'; + $webroot = '/horde3'; } return $webroot; --- horde3-3.2.2+debian0.orig/config/nls.php.dist +++ horde3-3.2.2+debian0/config/nls.php.dist @@ -257,7 +257,7 @@ $nls['spelling']['it_IT'] = '-T latin1 -d italian'; $nls['spelling']['nl_NL'] = '-d nederlands'; $nls['spelling']['pl_PL'] = '-d polish'; -$nls['spelling']['pt_BR'] = '-d br'; +$nls['spelling']['pt_BR'] = '-d brasileiro'; $nls['spelling']['pt_PT'] = '-T latin1 -d portuguese'; $nls['spelling']['ru_RU'] = '-d russian'; $nls['spelling']['sl_SI'] = '-d slovensko'; --- horde3-3.2.2+debian0.orig/config/mime_drivers.php.dist +++ horde3-3.2.2+debian0/config/mime_drivers.php.dist @@ -405,7 +405,7 @@ * xlhtml homepage: http://chicago.sourceforge.net/xlhtml/ */ $mime_drivers['horde']['msexcel'] = array( - 'location' => '/usr/local/bin/xlhtml', + 'location' => '/usr/bin/xlhtml', 'inline' => false, 'handles' => array( 'application/vnd.ms-excel', 'application/msexcel', @@ -423,7 +423,7 @@ * xlhtml homepage: http://chicago.sourceforge.net/xlhtml/ */ $mime_drivers['horde']['mspowerpoint'] = array( - 'location' => '/usr/local/bin/ppthtml', + 'location' => '/usr/bin/ppthtml', 'inline' => false, 'handles' => array( 'application/vnd.ms-powerpoint', 'application/mspowerpoint'