Merge to 2.0.6b

2013-06-27 11:36:30 -04:00 · 2013-06-27 11:36:30 -04:00 · bf398889bf
parent e26e3d7307 f42d52743d
commit bf398889bf
7 changed files with 69 additions and 8 deletions
--- a/43
+++ b/43
@ -1,3 +1,46 @@
+commit 4359b05da8ba291b9bbc00e330d65575a4dbb253
+Author: Jean Raby <jraby@inverse.ca>
+Date:   Thu Jun 27 11:33:44 2013 -0400
+
+    updated NEWS
+
+M	NEWS
+
+commit 25dbd4849de23b9ceb747ff061dffd0f1cf98cde
+Author: Ludovic Marcotte <lmarcotte@inverse.ca>
+Date:   Thu Jun 27 11:06:07 2013 -0400
+
+    Properly escape the foldername to avoid XSS issues
+
+M	UI/WebServerResources/SchedulerUI.js
+M	UI/WebServerResources/UIxContactsUserFolders.js
+
+commit a2a89e8720cfd44f885c34d5626d78b6b20a6b3b
+Author: Jean Raby <jraby@inverse.ca>
+Date:   Wed Jun 26 16:55:39 2013 -0400
+
+    Fix loading of MSExchangeFreeBusySOAPResponseMap
+
+M	SoObjects/Appointments/GNUmakefile
+M	SoObjects/Appointments/MSExchangeFreeBusy.m
+
+commit 2581f6c56895820d126fbbcdc45512f0c17a67df
+Author: Jean Raby <jraby@inverse.ca>
+Date:   Tue Jun 25 09:19:37 2013 -0400
+
+    Update for 2.0.6a
+
+M	NEWS
+M	Version
+
+commit 20369631c9425d47d4e86d98d914c9d64b820c56
+Author: Jean Raby <jraby@inverse.ca>
+Date:   Tue Jun 25 09:17:03 2013 -0400
+
+    Update ChangeLog
+
+M	ChangeLog
+
 commit 1221da24439397bf66c9701ba356bd61fe4eff12
 Author: Jean Raby <jraby@inverse.ca>
 Date:   Tue Jun 25 09:12:27 2013 -0400
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2.0.6b (2013-06-27)
+------------------
+
+Bug fixes
+ - Properly escape the foldername to avoid XSS issues
+ - Fix loading of MSExchangeFreeBusySOAPResponseMap
+
 2.0.6a (2013-06-25)
 ------------------

--- a/SoObjects/Appointments/GNUmakefile
+++ b/SoObjects/Appointments/GNUmakefile
@ -50,7 +50,7 @@ Appointments_OBJC_FILES = \

 Appointments_RESOURCE_FILES +=		\
 	product.plist			\
-	\
+	MSExchangeFreeBusySOAPResponseMap.plist \
 	MSExchangeFreeBusySOAPRequest.wo

 Appointments_LANGUAGES = Arabic BrazilianPortuguese Catalan Czech Danish Dutch English Finnish French German Hungarian Icelandic Italian NorwegianBokmal NorwegianNynorsk Polish Russian Slovak SpanishSpain SpanishArgentina Swedish Ukrainian Welsh
--- a/SoObjects/Appointments/MSExchangeFreeBusy.m
+++ b/SoObjects/Appointments/MSExchangeFreeBusy.m
@ -20,6 +20,7 @@
 * Boston, MA 02111-1307, USA.
 */

+#import <Foundation/NSBundle.h>
 #import <Foundation/NSCalendarDate.h>
 #import <Foundation/NSDictionary.h>

@ -97,8 +98,10 @@ size_t curl_body_function_freebusy(void *ptr, size_t size, size_t nmemb, void *i
  MSExchangeFreeBusySOAPRequest *soapRequest;
  MSExchangeFreeBusyResponse *freeBusyResponse;
  NSString *rawRequest, *url, *body, *hostname, *httpauth, *authname, *password;
+  NSString *mapFile;
  NSArray *infos = nil;
  NSDictionary *root;
+  NSBundle *bundle;
  
  CURL *curl;
  struct curl_slist *headerlist=NULL;
@ -161,7 +164,13 @@ size_t curl_body_function_freebusy(void *ptr, size_t size, size_t nmemb, void *i
                }            
              if (sax == nil && parser != nil)
                {
-                  sax = [[SaxObjectDecoder alloc] initWithMappingAtPath:@"./MSExchangeFreeBusySOAPResponseMap.plist"];
+                  bundle = [NSBundle bundleForClass: [self class]];
+                  mapFile = [bundle pathForResource: @"MSExchangeFreeBusySOAPResponseMap" ofType: @"plist"];
+                  if (![mapFile length])
+                  {
+                    [self errorWithFormat: @"mapFile not found (MSExchangeFreeBusySOAPResponseMap.plist)"];
+                  }
+                  sax = [[SaxObjectDecoder alloc] initWithMappingAtPath: mapFile];
                  [parser setContentHandler:sax];
                  //[parser setErrorHandler:sax];
                }
--- a/UI/WebServerResources/SchedulerUI.js
+++ b/UI/WebServerResources/SchedulerUI.js
@ -3076,9 +3076,7 @@ function appendCalendar(folderName, folderPath) {

        var colorBox = document.createElement("div");
        li.appendChild(colorBox);
-        li.appendChild(document.createTextNode(folderName
-                                               .replace("&lt;", "<", "g")
-                                               .replace("&gt;", ">", "g")));
+        li.appendChild(document.createTextNode(folderName));
        colorBox.appendChild(document.createTextNode("OO"));

        $(colorBox).addClassName("colorBox");
@ -3119,7 +3117,7 @@ function appendStyleElement(folderPath, color) {
 function onFolderSubscribeCB(folderData) {
    var folder = $(folderData["folder"]);
    if (!folder) {
-        appendCalendar(folderData["folderName"], folderData["folder"]);
+        appendCalendar(folderData["folderName"].unescapeHTML(), folderData["folder"]);
        refreshEvents();
        refreshTasks();
        changeCalendarDisplay();
--- a/UI/WebServerResources/UIxContactsUserFolders.js
+++ b/UI/WebServerResources/UIxContactsUserFolders.js
@ -192,7 +192,11 @@ function addFolderBranchToTree(tree, user, folder, nodeId, subId, isLast) {
    else
        icon += 'calendar-folder-16x16.png';
    var folderId = user + ":" + folderInfos[1].substr(1);
-    var name = folderInfos[0]; // name has the format "Folername (Firstname Lastname <email>)"
+
+    // name has the format "Foldername (Firstname Lastname <email>)"
+    // We sanitize the value to avoid XSS issues
+    var name = folderInfos[0].escapeHTML(); 
+
    var pos = name.lastIndexOf(' (');
    if (pos > -1)
        name = name.substring(0, pos); // strip the part with fullname and email
--- a/2
+++ b/2
@ -4,4 +4,4 @@

 MAJOR_VERSION=2
 MINOR_VERSION=0
-SUBMINOR_VERSION=6a
+SUBMINOR_VERSION=6b