From 817ee4a670e74ddd0d66adf8f9ce904f7a5065b9 Mon Sep 17 00:00:00 2001
From: Jakob Ketterl
Date: Tue, 22 Aug 2023 01:53:47 +0200
Subject: [PATCH 1/7] escape messages where appropriate; refs #350
---
 htdocs/lib/MessagePanel.js | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/htdocs/lib/MessagePanel.js b/htdocs/lib/MessagePanel.js
index 1e7a75b2..17f935eb 100644
--- a/htdocs/lib/MessagePanel.js
+++ b/htdocs/lib/MessagePanel.js
@@ -47,6 +47,10 @@ MessagePanel.prototype.initClearButton = function() {
 $(me.el).append(me.clearButton);
 };
+MessagePanel.prototype.htmlEscape = function(input) {
+ return $('
').text(input).html()
+}
+
 function WsjtMessagePanel(el) {
 MessagePanel.call(this, el);
 this.initClearTimer();
@@ -85,23 +89,19 @@ WsjtMessagePanel.prototype.pushMessage = function(msg) {
 var linkedmsg = msg['msg'];
 var matches;
- var html_escape = function(input) {
- return $('
').text(input).html()
- };
-
 if (this.qsoModes.indexOf(msg['mode']) >= 0) {
 matches = linkedmsg.match(/(.*\s[A-Z0-9]+\s)([A-R]{2}[0-9]{2})$/);
 if (matches && matches[2] !== 'RR73') {
- linkedmsg = html_escape(matches[1]) + '' + matches[2] + '';
+ linkedmsg = this.htmlEscape(matches[1]) + '' + matches[2] + '';
 } else {
- linkedmsg = html_escape(linkedmsg);
+ linkedmsg = this.htmlEscape(linkedmsg);
 }
 } else if (this.beaconModes.indexOf(msg['mode']) >= 0) {
 matches = linkedmsg.match(/([A-Z0-9]*\s)([A-R]{2}[0-9]{2})(\s[0-9]+)/);
 if (matches) {
- linkedmsg = html_escape(matches[1]) + '' + matches[2] + '' + html_escape(matches[3]);
+ linkedmsg = this.htmlEscape(matches[1]) + '' + matches[2] + '' + this.htmlEscape(matches[3]);
 } else {
- linkedmsg = html_escape(linkedmsg);
+ linkedmsg = this.htmlEscape(linkedmsg);
 }
 }
 $b.append($(
@@ -212,7 +212,7 @@ PacketMessagePanel.prototype.pushMessage = function(msg) {
 '' + timestamp + '' +
 '' + source + '' +
 '' + link + '' +
- '' + (msg.comment || msg.message || '') + '' +
+ '' + this.htmlEscape(msg.comment || msg.message || '') + '' +
 ''
 ));
 $b.scrollTop($b[0].scrollHeight);
@@ -253,7 +253,7 @@ PocsagMessagePanel.prototype.pushMessage = function(msg) {
 $b.append($(
 '' +
 '' + msg.address + '' +
- '' + msg.message + '' +
+ '' + this.htmlEscape(msg.message) + '' +
 ''
 ));
 $b.scrollTop($b[0].scrollHeight);
From fc136e2328db7936ee8a2a93757a15a0cedf16d3 Mon Sep 17 00:00:00 2001
From: Jakob Ketterl
Date: Sun, 8 Oct 2023 23:21:56 +0200
Subject: [PATCH 2/7] prepare 1.2.2 release
---
 CHANGELOG.md | 3 +++
 debian/changelog | 6 ++++++
 owrx/version.py | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 19dd2d27..518db005 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+**1.2.2**
+- Fixed an over-the-air code injection vulnerability
+
 **1.2.1**
 - FifiSDR support fixed (pipeline formats now line up correctly)
 - Added "Device" input for FifiSDR devices for sound card selection
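Review bot: htmlEscape, called throughout the WsjtMessagePanel.pushMessage hunk and defined in the first hunk, is safe for element content only: `.text(input).html()` encodes `&`, `<` and `>` but leaves `"` and `'` alone, so its output must not be concatenated into an attribute value. The visible call sites appear to use it as text, but the helper is now shared by every panel and has no documentation; add above it `// Escapes &, < and > for element text only; not safe inside attribute values.` The raw `matches[2]` in both branches is harmless only because the capture group is `[A-R]{2}[0-9]{2}`, which deserves a one-line comment as well. pushMessage starts and ends outside the hunk.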
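Review bot: Only the message cell is escaped in PacketMessagePanel.pushMessage; `timestamp`, `source` and `link` are still concatenated into the row as they are, and the PocsagMessagePanel hunk that follows has the same gap with `msg.address`. These values are built outside the hunks, so confirm their origin: anything decoded from the received signal is the same injection path this commit closes for the message body. For POCSAG the cell should use `this.htmlEscape(msg.address)`; for packet, escape `source` where it is assembled and keep `link` raw only if it is markup built from already-escaped parts.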
diff --git a/debian/changelog b/debian/changelog
index 57ddc0d2..599805bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+openwebrx (1.2.2) bullseye jammy; urgency=high
+
+ * - Fixed an over-the-air code injection vulnerability
+
+ -- Jakob Ketterl Sun, 08 Oct 2023 21:29:00 +0000
+
 openwebrx (1.2.1) bullseye jammy; urgency=low
 * FifiSDR support fixed (pipeline formats now line up correctly)
diff --git a/owrx/version.py b/owrx/version.py
index 063c62fc..fd776845 100644
--- a/owrx/version.py
+++ b/owrx/version.py
@@ -1,5 +1,5 @@
 from distutils.version import LooseVersion
-_versionstring = "1.2.1"
+_versionstring = "1.2.2"
 looseversion = LooseVersion(_versionstring)
 openwebrx_version = "v{0}".format(looseversion)
From 32bd4e288a7bb3e998c3154af498d0c78b407baf Mon Sep 17 00:00:00 2001
From: Jakob Ketterl
Date: Sun, 8 Oct 2023 23:48:02 +0200
Subject: [PATCH 3/7] update docker dependencies
---
 docker/scripts/install-owrx-tools.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/scripts/install-owrx-tools.sh b/docker/scripts/install-owrx-tools.sh
index 24217f29..946ec5f0 100755
--- a/docker/scripts/install-owrx-tools.sh
+++ b/docker/scripts/install-owrx-tools.sh
@@ -31,11 +31,11 @@ popd
 rm -rf js8py
 git clone https://github.com/jketterl/csdr.git
-cmakebuild csdr 0.18.1
+cmakebuild csdr 0.18.2
 git clone https://github.com/jketterl/pycsdr.git
 cd pycsdr
-git checkout 0.18.1
+git checkout 0.18.2
 ./setup.py install install_headers
 cd ..
 rm -rf pycsdr
From 54b14330cffe1444bb6a5d05c862c344146837dd Mon Sep 17 00:00:00 2001
From: Jakob Ketterl
Date: Mon, 9 Oct 2023 21:52:56 +0200
Subject: [PATCH 4/7] update docker dependencies
---
 docker/scripts/install-connectors.sh | 2 +-
 docker/scripts/install-dependencies-runds.sh | 2 +-
 docker/scripts/install-owrx-tools.sh | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docker/scripts/install-connectors.sh b/docker/scripts/install-connectors.sh
index 25646688..a929b147 100755
--- a/docker/scripts/install-connectors.sh
+++ b/docker/scripts/install-connectors.sh
@@ -24,7 +24,7 @@ apt-get update
 apt-get -y install --no-install-recommends $BUILD_PACKAGES
 git clone https://github.com/jketterl/owrx_connector.git
-cmakebuild owrx_connector 0.6.0
+cmakebuild owrx_connector 0.6.2
 apt-get -y purge --autoremove $BUILD_PACKAGES
 apt-get clean
diff --git a/docker/scripts/install-dependencies-runds.sh b/docker/scripts/install-dependencies-runds.sh
index 32c6c9a3..1abd7b05 100755
--- a/docker/scripts/install-dependencies-runds.sh
+++ b/docker/scripts/install-dependencies-runds.sh
@@ -25,7 +25,7 @@ apt-get update
 apt-get -y install --no-install-recommends $STATIC_PACKAGES $BUILD_PACKAGES
 git clone https://github.com/jketterl/runds_connector.git
-cmakebuild runds_connector 0.2.1
+cmakebuild runds_connector 0.2.3
 apt-get -y purge --autoremove $BUILD_PACKAGES
 apt-get clean
diff --git a/docker/scripts/install-owrx-tools.sh b/docker/scripts/install-owrx-tools.sh
index 946ec5f0..a66444a5 100755
--- a/docker/scripts/install-owrx-tools.sh
+++ b/docker/scripts/install-owrx-tools.sh
@@ -46,11 +46,11 @@ cp codecserver/conf/codecserver.conf /usr/local/etc/codecserver
 cmakebuild codecserver 0.2.0
 git clone https://github.com/jketterl/digiham.git
-cmakebuild digiham 0.6.0
+cmakebuild digiham 0.6.2
 git clone https://github.com/jketterl/pydigiham.git
 cd pydigiham
-git checkout 0.6.0
+git checkout 0.6.2
 ./setup.py install
 cd ..
 rm -rf pydigiham
From 419a0c6805e7fcc4d56c733f20a5fd4128d8bef9 Mon Sep 17 00:00:00 2001
From: Jakob Ketterl
Date: Mon, 9 Oct 2023 22:09:20 +0200
Subject: [PATCH 5/7] update wsjt-x download location
---
 docker/scripts/install-dependencies.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/scripts/install-dependencies.sh b/docker/scripts/install-dependencies.sh
index 19f655f9..e3f974ab 100755
--- a/docker/scripts/install-dependencies.sh
+++ b/docker/scripts/install-dependencies.sh
@@ -53,7 +53,7 @@ rm ${JS8CALL_TGZ}
 WSJT_DIR=wsjtx-2.5.4
 WSJT_TGZ=${WSJT_DIR}.tgz
-wget http://physics.princeton.edu/pulsar/k1jt/${WSJT_TGZ}
+wget https://downloads.sourceforge.net/project/wsjt/${WSJT_DIR}/${WSJT_TGZ}
 tar xfz ${WSJT_TGZ}
 patch -Np0 -d ${WSJT_DIR} < /wsjtx-hamlib.patch
 mv /wsjtx.patch ${WSJT_DIR}
From aa67a17b9bde82c3945798b5bcf7908649c54ff9 Mon Sep 17 00:00:00 2001
From: Jakob Ketterl
Date: Mon, 9 Oct 2023 22:29:31 +0200
Subject: [PATCH 6/7] switch to archive repo to be able to retain existing version
---
 docker/scripts/install-dependencies.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/scripts/install-dependencies.sh b/docker/scripts/install-dependencies.sh
index e3f974ab..1c0475c9 100755
--- a/docker/scripts/install-dependencies.sh
+++ b/docker/scripts/install-dependencies.sh
@@ -77,7 +77,7 @@ rm /usr/local/share/doc/direwolf/*.pdf
 # examples are pointless, too
 rm -rf /usr/local/share/doc/direwolf/examples/
-git clone https://github.com/drowe67/codec2.git
+git clone https://github.com/drowe67/codec2-dev.git
 cd codec2
 # latest commit from master as of 2020-10-04
 git checkout 55d7bb8d1bddf881bdbfcb971a718b83e6344598
From e4f9a25e279bba81bb663fbe01e5e81dad63f67d Mon Sep 17 00:00:00 2001
From: Jakob Ketterl
Date: Mon, 9 Oct 2023 22:39:43 +0200
Subject: [PATCH 7/7] override target dir
---
 docker/scripts/install-dependencies.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/scripts/install-dependencies.sh b/docker/scripts/install-dependencies.sh
index 1c0475c9..aa213182 100755
--- a/docker/scripts/install-dependencies.sh
+++ b/docker/scripts/install-dependencies.sh
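Review bot: The tarball fetched by the new `wget` line in the WSJT-X hunk is unpacked by `tar xfz` and patched with no integrity check, so the build trusts whatever the download host or one of its mirrors serves; https protects the transfer, not the file. Pin a digest directly after the download, for example `echo "<sha256-of-wsjtx-2.5.4.tgz>  ${WSJT_TGZ}" | sha256sum -c -`, where the placeholder is the digest of a copy you have verified. The script continues outside the hunk, so check that a failed verification aborts the build (for instance via `set -e`).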
@@ -77,7 +77,7 @@ rm /usr/local/share/doc/direwolf/*.pdf
 # examples are pointless, too
 rm -rf /usr/local/share/doc/direwolf/examples/
-git clone https://github.com/drowe67/codec2-dev.git
+git clone https://github.com/drowe67/codec2-dev.git codec2
 cd codec2
 # latest commit from master as of 2020-10-04
 git checkout 55d7bb8d1bddf881bdbfcb971a718b83e6344598