From 5417b583db5f29ab384aaad8d9b9b5446b209ab8 Mon Sep 17 00:00:00 2001
From: WofWca <wofwca@protonmail.com>
Date: Fri, 5 Jul 2024 18:57:53 +0400
Subject: [PATCH 1/2] fix: webxdc: CSP bypass

This doesn't appear to fix an exploitable vulnerability
because `host-rules` is already set to disable network access,
so "XDC-01-002 WP1" from the Cure53 audit has not been brought back
ever since the initial fix.

Initially fixed in a9e5242acb
Reintroduced in fd1f8ce27b6e6

Related refactor commit 2cd310ec08f8f

Also bring back and improve the PDF comment about "XDC-01-005 WP1"
---
 CHANGELOG.md                 |  1 +
 src/main/deltachat/webxdc.ts | 48 +++++++++++++++++++++++++-----------
 2 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4474721f8..7ce9d0840 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@
 - Fix the problem of Quit menu item on WebXDC apps closes the whole DC app #3995
 - minor performance improvements #3981
 - fix chat list items (e.g. Archive) and contacts not showing up sometimes #4004
+- fix CSP bypass in webxdc (not a vulnerability) #4011
 
 <a id="1_46_1"></a>
 
diff --git a/src/main/deltachat/webxdc.ts b/src/main/deltachat/webxdc.ts
index 4580af074..994dcb4f3 100644
--- a/src/main/deltachat/webxdc.ts
+++ b/src/main/deltachat/webxdc.ts
@@ -123,16 +123,38 @@ export default class DCWebxdc extends SplitOut {
       if (!accounts_sessions.includes(accountId)) {
         accounts_sessions.push(accountId)
         ses.protocol.handle('webxdc', async request => {
-          const get_headers = (mime_type: string | undefined) => {
+          /**
+           * Make sure to only `return makeResponse()` because it sets headers
+           * that are important for security, namely `Content-Security-Policy`.
+           * Failing to set CSP might result in the app being able to create
+           * an <iframe> with no CSP, e.g. `<iframe src="/no_such_file.lol">`
+           * within which they can then do whatever
+           * through the parent frame, see
+           * "XDC-01-002 WP1: Full CSP bypass via desktop app webxdc.js"
+           * https://public.opentech.fund/documents/XDC-01-report_2_1.pdf
+           */
+          const makeResponse = (
+            body: BodyInit,
+            responseInit: Omit<ResponseInit, 'headers'>,
+            mime_type?: undefined | string
+          ) => {
             const headers = new Headers()
             if (!open_apps[id].internet_access) {
               headers.append('Content-Security-Policy', CSP)
             }
+            // Ensure that the client doesn't try to interpret a file as
+            // one with 'application/pdf' mime type and therefore open it
+            // in the PDF viewer, see
+            // "XDC-01-005 WP1: Full CSP bypass via desktop app PDF embed"
+            // https://public.opentech.fund/documents/XDC-01-report_2_1.pdf
             headers.append('X-Content-Type-Options', 'nosniff')
             if (mime_type) {
               headers.append('content-type', mime_type)
             }
-            return headers
+            return new Response(body, {
+              ...responseInit,
+              headers,
+            })
           }
 
           const url = new URL(request.url)
@@ -140,7 +162,7 @@ export default class DCWebxdc extends SplitOut {
           const id = `${account}.${msg}`
 
           if (!open_apps[id]) {
-            return new Response('', { status: 500 })
+            return makeResponse('', { status: 500 })
           }
 
           let filename = url.pathname
@@ -164,11 +186,10 @@ export default class DCWebxdc extends SplitOut {
           }
 
           if (filename === WRAPPER_PATH) {
-            return new Response(
+            return makeResponse(
               await readFile(join(htmlDistDir(), '/webxdc_wrapper.html')),
-              {
-                headers: get_headers(mimeType),
-              }
+              {},
+              mimeType
             )
           } else if (filename === 'webxdc.js') {
             const displayName = Buffer.from(
@@ -179,15 +200,14 @@ export default class DCWebxdc extends SplitOut {
             )
 
             // initializes the preload script, the actual implementation of `window.webxdc` is found there: static/webxdc-preload.js
-            return new Response(
+            return makeResponse(
               Buffer.from(
                 `window.parent.webxdc_internal.setup("${selfAddr}","${displayName}")
                 window.webxdc = window.parent.webxdc
                 window.webxdc_custom = window.parent.webxdc_custom`
               ),
-              {
-                headers: get_headers(mimeType),
-              }
+              {},
+              mimeType
             )
           } else {
             try {
@@ -199,12 +219,10 @@ export default class DCWebxdc extends SplitOut {
                 ),
                 'base64'
               )
-              return new Response(blob, {
-                headers: get_headers(mimeType),
-              })
+              return makeResponse(blob, {}, mimeType)
             } catch (error) {
               log.error('webxdc: load blob:', error)
-              return new Response('', { status: 404 })
+              return makeResponse('', { status: 404 })
             }
           }
         })

From 6aba3bb3b81f5f84d3d6fd1c8c7a5c428ac48ead Mon Sep 17 00:00:00 2001
From: Nico de Haen <mail@ndh-websolutions.de>
Date: Thu, 18 Jul 2024 16:59:36 +0200
Subject: [PATCH 2/2] Update changelog

---
 CHANGELOG.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7ce9d0840..b0e0db7f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,9 +10,16 @@
 - reword advanced setting "Disable Background Sync For All Accounts" -> "Only Synchronize the Currently Selected Account" #3960
 - use 'Info' and 'Message Info' consistently #3961
 - consolidate 'Profile' wording #3963
+- consolidate 'Export/Import secret keys' button format #4019
+- name "Search" fields as such #4015
 - Update local help (2024-06-19)
 - refactor: safer types #3993
 - keep aspect ratio in quoted images #3999
+- Update `@deltachat/stdio-rpc-server` and `deltachat/jsonrpc-client` to `1.141.2`
+  - fix memory leak in jsonrpc client code (to be specific in yerpc)
+  - support vcards exported by protonmail
+  - Display vCard contact name in the message summary
+  - Case-insensitive search for non-ASCII messages
 
 ### Fixed
 - Fix crash on "Settings" click when not on main screen (e.g. no account selected): hide the "settings" button
@@ -26,6 +33,11 @@
 - Fix the problem of Quit menu item on WebXDC apps closes the whole DC app #3995
 - minor performance improvements #3981
 - fix chat list items (e.g. Archive) and contacts not showing up sometimes #4004
+- fix bug notifications not being removed on Mac  #4010
+- fix bug "Mark All as Read" does not remove notifications #4002
+- fix update unread badge on when muting / unmuting a chat #4020
+- fix update unread badge on receiving device messages #4020
+- fix target chat was not opened on notification click #3983
 - fix CSP bypass in webxdc (not a vulnerability) #4011
 
 <a id="1_46_1"></a>