mail/horde-imp: address ZDI-20-1051 / ZDI-CAN-10436
PR: 267049 Approved by: maintainer’s time-out Obtained from: https://github.com/horde/imp/pull/10/files Fixes: Address ZDI-20-1051 / ZDI-CAN-10436 MFH: 2022Q4 Security: https://www.zerodayinitiative.com/advisories/ZDI-20-1051/
parent
7918932f87
commit
dfa4c77343
|
@ -1,5 +1,6 @@
|
|||
PORTNAME= imp
|
||||
PORTVERSION= 6.2.27
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= mail www pear
|
||||
PKGNAMEPREFIX= ${PHP_PKGNAMEPREFIX}horde-
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- config/prefs.php.orig 2011-05-03 06:27:23.000000000 -0800
|
||||
+++ config/prefs.php 2011-05-07 10:06:10.000000000 -0800
|
||||
@@ -1200,7 +1200,7 @@
|
||||
--- config/prefs.php.orig 2020-08-27 19:34:20 UTC
|
||||
+++ config/prefs.php
|
||||
@@ -930,7 +930,7 @@ $_prefs['sourceselect'] = array(
|
||||
// You can provide default values this way:
|
||||
// 'value' => json_encode(array('source_one', 'source_two'))
|
||||
$_prefs['search_sources'] = array(
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
--- lib/Prefs/Sort.php.orig 2020-08-27 19:34:20 UTC
|
||||
+++ lib/Prefs/Sort.php
|
||||
@@ -39,9 +39,13 @@ class IMP_Prefs_Sort implements ArrayAccess, IteratorA
|
||||
{
|
||||
global $prefs;
|
||||
|
||||
- $sortpref = @unserialize($prefs->getValue(self::SORTPREF));
|
||||
- if (is_array($sortpref)) {
|
||||
- $this->_sortpref = $sortpref;
|
||||
+ $serializedPref = $prefs->getValue(self::SORTPREF);
|
||||
+ // Only unserialize non-empty strings. Disallow yielding any classes.
|
||||
+ if (!empty($serializedPref && is_string($serializedPref))) {
|
||||
+ $sortpref = @unserialize($serializedPref, ['allowed_classes' => false]);
|
||||
+ if (is_array($sortpref)) {
|
||||
+ $this->_sortpref = $sortpref;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
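Review bot: The guard on the added `if` line has its closing parenthesis in the wrong place, `!empty($serializedPref && is_string($serializedPref))`, so `empty()` is applied to the boolean result of the `&&` rather than to the preference value. It still gives the intended result, because `!empty()` of a boolean is that boolean, but the emptiness test and the type test are fused into one expression that a later edit can easily break; `if (is_string($serializedPref) && $serializedPref !== '') {` states both conditions directly. The `['allowed_classes' => false]` option is what closes the object-instantiation path, but it turns a serialized object nested inside the array into a `__PHP_Incomplete_Class` placeholder rather than rejecting it. The comment above the guard could say so, for example `// Nested objects arrive as __PHP_Incomplete_Class; treat entries as untrusted.`. The enclosing method starts above the hunk, so how `_sortpref` entries are consumed afterwards is not visible here.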