Update roundcube carddav plugin to support roundcube 1.5 and close a security hole

2025-04-04 00:17:06 +00:00 · 2021-11-15 16:07:54 -05:00 · 2021-11-15 16:07:54 -05:00 · 06216876a2
commit 06216876a2
parent 334c7f71b5
4 changed files with 27 additions and 11 deletions
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@ -34,8 +34,8 @@ VERSION=1.5.0
 HASH=2a9d11d9c10c8e8756120606c47eef702f00fe6d
 PERSISTENT_LOGIN_VERSION=59ca1b0d3a02cff5fa621c1ad581d15f9d642fe8
 HTML5_NOTIFIER_VERSION=68d9ca194212e15b3c7225eb6085dbcf02fd13d7 # version 0.6.4+
-CARDDAV_VERSION=3.0.3
-CARDDAV_HASH=d1e3b0d851ffa2c6bd42bf0c04f70d0e1d0d78f8
+CARDDAV_VERSION=4.2.2
+CARDDAV_HASH=1bd48bf92fdd987a8e2589eb27948500f59a3047

 UPDATE_KEY=$VERSION:$PERSISTENT_LOGIN_VERSION:$HTML5_NOTIFIER_VERSION:$CARDDAV_VERSION

@ -78,13 +78,15 @@ if [ $needs_update == 1 ]; then

 	# download and verify the full release of the carddav plugin
 	wget_verify \
-		https://github.com/blind-coder/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-${CARDDAV_VERSION}.zip \
+		https://github.com/mstilkerich/rcmcarddav/releases/download/v${CARDDAV_VERSION}/carddav-v${CARDDAV_VERSION}.tar.gz \
 		$CARDDAV_HASH \
-		/tmp/carddav.zip
+		/tmp/carddav.tar.gz

 	# unzip and cleanup
-	unzip -q /tmp/carddav.zip -d ${RCM_PLUGIN_DIR}
-	rm -f /tmp/carddav.zip
+	pushd ${RCM_PLUGIN_DIR} >/dev/null
+	tar xzf /tmp/carddav.tar.gz
+	popd >/dev/null
+	rm -f /tmp/carddav.tar.gz

 	# record the version we've installed
 	echo $UPDATE_KEY > ${RCM_DIR}/version
--- a/tests/assets/mail/roundcube/carddav_refresh_v3.sh
+++ b/tests/assets/mail/roundcube/carddav_refresh_v3.sh
--- a/tests/lib/carddav.sh
+++ b/tests/lib/carddav.sh
@ -240,14 +240,26 @@ roundcube_force_carddav_refresh() {
    local pass="$2"
    local assets_dir="${ASSETS_DIR:-tests/assets}"
    local code
-    if [ ! -e "$RCM_DIR/bin/carddav_refresh.sh" ]; then
-        echo "Please ignore the following errors about no such table carddav_addressbooks and carddav_migrations"
+
+    local carddav_major
+    local sync_script
+    carddav_major=$(grep "PLUGIN_VERSION\\s*=" "$RCM_DIR/plugins/carddav/carddav.php" | head -1 | sed -e 's/^.*v\([0-9][0-9]*\).*$/\1/')
+    [ -z "$carddav_major" ] && carddav_major="3"
+
+    if [ $carddav_major -eq 3 ]; then
+        if [ ! -e "$RCM_DIR/bin/carddav_refresh.sh" ]; then
+            echo "Please ignore the following errors about no such table carddav_addressbooks and carddav_migrations"
+        fi
+        sync_script="$assets_dir/mail/roundcube/carddav_refresh_v3.sh"
+    else
+        sync_script="$assets_dir/mail/roundcube/carddav_refresh.sh"
    fi

-    if ! cp "$assets_dir/mail/roundcube/carddav_refresh.sh" $RCM_DIR/bin
+    if ! cp "$sync_script" "$RCM_DIR/bin/carddav_refresh.sh"
    then
        return 1
    fi
+    
    pushd "$RCM_DIR" >/dev/null
    bin/carddav_refresh.sh "$user" "$pass"
    code=$?
--- a/tests/system-setup/populate/basic-verify.sh
+++ b/tests/system-setup/populate/basic-verify.sh
@ -24,9 +24,11 @@ echo "[Force Roundcube contact sync]" 1>&2
 # contacts for it will be removed in the Roundcube database after the
 # sync

-if ! roundcube_force_carddav_refresh "$TEST_USER" "$TEST_USER_PASS" 1>&2
+roundcube_force_carddav_refresh "$TEST_USER" "$TEST_USER_PASS" 1>&2
+rc=$?
+if [ $rc -ne 0 ]
 then
-    echo "Roundcube <-> Nextcloud contact sync failed ($?)"
+    echo "Roundcube <-> Nextcloud contact sync failed ($rc)"
    exit 1
 fi