mail/horde-imp: address ZDI-20-1051 / ZDI-CAN-10436

PR: 267049 Approved by: maintainer’s time-out Obtained from: https://github.com/horde/imp/pull/10/files Fixes: Address ZDI-20-1051 / ZDI-CAN-10436 MFH: 2022Q4 Security: https://www.zerodayinitiative.com/advisories/ZDI-20-1051/
2022-10-14 10:35:37 +02:00 · 2022-10-14 10:35:37 +02:00 · dfa4c77343
parent 7918932f87
commit dfa4c77343
3 changed files with 23 additions and 3 deletions
--- a/mail/horde-imp/Makefile
+++ b/mail/horde-imp/Makefile
@ -1,5 +1,6 @@
 PORTNAME=	imp
 PORTVERSION=	6.2.27
+PORTREVISION=	1
 CATEGORIES=	mail www pear
 PKGNAMEPREFIX=	${PHP_PKGNAMEPREFIX}horde-

--- a/mail/horde-imp/files/patch-config_prefs.php
+++ b/mail/horde-imp/files/patch-config_prefs.php
@ -1,6 +1,6 @@
--- config/prefs.php.orig	2011-05-03 06:27:23.000000000 -0800
-+++ config/prefs.php	2011-05-07 10:06:10.000000000 -0800
-@@ -1200,7 +1200,7 @@
+--- config/prefs.php.orig	2020-08-27 19:34:20 UTC
+++ config/prefs.php
+@@ -930,7 +930,7 @@ $_prefs['sourceselect'] = array(
 // You can provide default values this way:
 //   'value' => json_encode(array('source_one', 'source_two'))
 $_prefs['search_sources'] = array(
--- a/mail/horde-imp/files/patch-lib_Prefs_Sort.php
+++ b/mail/horde-imp/files/patch-lib_Prefs_Sort.php
@ -0,0 +1,19 @@
+--- lib/Prefs/Sort.php.orig	2020-08-27 19:34:20 UTC
+++ lib/Prefs/Sort.php
+@@ -39,9 +39,13 @@ class IMP_Prefs_Sort implements ArrayAccess, IteratorA
+     {
+         global $prefs;
+ 
+-        $sortpref = @unserialize($prefs->getValue(self::SORTPREF));
+-        if (is_array($sortpref)) {
+-            $this->_sortpref = $sortpref;
+        $serializedPref = $prefs->getValue(self::SORTPREF);
+        // Only unserialize non-empty strings. Disallow yielding any classes.
+        if (!empty($serializedPref && is_string($serializedPref))) {
+            $sortpref = @unserialize($serializedPref, ['allowed_classes' => false]);
+            if (is_array($sortpref)) {
+                $this->_sortpref = $sortpref;
+            }
+         }
+     }
+