[Pkg-owncloud-commits] [SCM] owncloud.git branch, debian-wheezy, updated. debian/4.0.4debian-1-18-gc56361e

Thomas Mueller thomas.mueller at tmit.eu
Wed Sep 12 21:19:31 UTC 2012


The following commit has been merged in the debian-wheezy branch:
commit c56361e1c766592eaee6ca437797524c103e15a8
Author: Thomas Mueller <thomas.mueller at tmit.eu>
Date:   Wed Sep 12 23:19:19 2012 +0200

    Added patches to fix CVE-2012-4389 CVE-2012-4390 CVE-2012-4391 CVE-2012-4392 CVE-2012-4393 CVE-2012-4394

diff --git a/debian/changelog b/debian/changelog
index 03d2bb6..27f6988 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,13 @@ owncloud (4.0.4debian2-2) UNRELEASED; urgency=low
   * debian/patches:
     - Added fix_writing_to_shared_readonly.diff to fix WebDAV write access to 
       shared files (Closes: #684426)
+    - Added remove_unused_unsecure_files.diff to fix user and group sniffing
+    - Added CVE-2012-4389.diff (Closes: CVE-2012-4389)
+    - Added CVE-2012-4390.diff (Closes: CVE-2012-4390)
+    - Added CVE-2012-4391.diff (Closes: CVE-2012-4391)
+    - Added CVE-2012-4392.diff (Closes: CVE-2012-4392)
+    - Added CVE-2012-4393.diff (Closes: CVE-2012-4393)
+    - Added CVE-2012-4394.diff (Closes: CVE-2012-4394)
 
   * debian/rules:
     - Remove experimental feature 'files_external'
diff --git a/debian/patches/CVE-2012-4389.diff b/debian/patches/CVE-2012-4389.diff
new file mode 100644
index 0000000..26a979e
--- /dev/null
+++ b/debian/patches/CVE-2012-4389.diff
@@ -0,0 +1,13 @@
+diff -Nru owncloud-4.0.4debian/lib/migrate.php owncloud-4.0.7debian/lib/migrate.php
+--- owncloud-4.0.4debian/lib/migrate.php	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.7debian/lib/migrate.php	2012-08-14 20:11:17.000000000 +0200
+@@ -322,7 +322,7 @@
+ 			$objects = scandir( $path );
+ 			if( sizeof( $objects ) > 0 ){
+ 				foreach( $objects as $file ){
+-					if( $file == "." || $file == ".." )
++					if( $file == "." || $file == ".." || $file == ".htaccess")
+ 					continue;
+ 					// go on
+ 					if( is_dir( $path . '/' . $file ) ){
+
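Review bot: The new patch file has no DEP-3 header, so nothing in debian/patches records where this hunk comes from or which issue it addresses; the same is true of CVE-2012-4390.diff, CVE-2012-4391.diff, CVE-2012-4392.diff, CVE-2012-4393.diff, CVE-2012-4394.diff and remove_unused_unsecure_files.diff. The `diff -Nru owncloud-4.0.4debian ... owncloud-4.0.7debian` lines show the fix was lifted from upstream 4.0.7, so a header such as `Description: skip .htaccess when migrating user data (CVE-2012-4389)` followed by `Origin: upstream, ownCloud 4.0.7` would make that provenance explicit and let tooling track whether the patch is still needed. On the code itself, the guard only names `.htaccess` literally; since the loop recurses into directories via the `is_dir` branch, nested copies presumably hit the same check, but a one-line comment saying why this file must not be copied (`// never migrate a user-supplied .htaccess into the new data directory`) would help the next maintainer. The enclosing function starts and ends outside the hunk.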
diff --git a/debian/patches/CVE-2012-4390.diff b/debian/patches/CVE-2012-4390.diff
new file mode 100644
index 0000000..f49a9f5
--- /dev/null
+++ b/debian/patches/CVE-2012-4390.diff
@@ -0,0 +1,50 @@
+diff -Nru owncloud-4.0.4debian/apps/calendar/appinfo/remote.php owncloud-4.0.7debian/apps/calendar/appinfo/remote.php
+--- owncloud-4.0.4debian/apps/calendar/appinfo/remote.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/appinfo/remote.php	2012-08-14 20:11:16.000000000 +0200
+@@ -21,10 +21,17 @@
+ $caldavBackend    = new OC_Connector_Sabre_CalDAV();
+ 
+ // Root nodes
+-$nodes = array(
+-	new Sabre_CalDAV_Principal_Collection($principalBackend),
+-	new Sabre_CalDAV_CalendarRootNode($principalBackend, $caldavBackend),
+-);
++$Sabre_CalDAV_Principal_Collection = new Sabre_CalDAV_Principal_Collection($principalBackend); 
++$Sabre_CalDAV_Principal_Collection->disableListing = true; // Disable listening
++
++$Sabre_CalDAV_CalendarRootNode = new Sabre_CalDAV_CalendarRootNode($principalBackend, $caldavBackend); 
++$Sabre_CalDAV_CalendarRootNode->disableListing = true; // Disable listening
++
++$nodes = array( 
++	$Sabre_CalDAV_Principal_Collection, 
++	$Sabre_CalDAV_CalendarRootNode,
++	);
++
+ 
+ // Fire up server
+ $server = new Sabre_DAV_Server($nodes);
+diff -Nru owncloud-4.0.4debian/apps/contacts/appinfo/remote.php owncloud-4.0.7debian/apps/contacts/appinfo/remote.php
+--- owncloud-4.0.4debian/apps/contacts/appinfo/remote.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/contacts/appinfo/remote.php	2012-08-14 20:11:16.000000000 +0200
+@@ -36,10 +36,16 @@
+ $carddavBackend   = new OC_Connector_Sabre_CardDAV();
+ 
+ // Root nodes
+-$nodes = array(
+-	new Sabre_CalDAV_Principal_Collection($principalBackend),
+-	new Sabre_CardDAV_AddressBookRoot($principalBackend, $carddavBackend),
+-);
++$Sabre_CalDAV_Principal_Collection = new Sabre_CalDAV_Principal_Collection($principalBackend); 
++$Sabre_CalDAV_Principal_Collection->disableListing = true; // Disable listening
++
++$Sabre_CardDAV_AddressBookRoot = new Sabre_CardDAV_AddressBookRoot($principalBackend, $carddavBackend);
++$Sabre_CardDAV_AddressBookRoot->disableListing = true; // Disable listening
++
++$nodes = array( 
++	$Sabre_CalDAV_Principal_Collection, 
++	$Sabre_CardDAV_AddressBookRoot,
++	);
+ 
+ // Fire up server
+ $server = new Sabre_DAV_Server($nodes);
+
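Review bot: The comment `// Disable listening` on the four `->disableListing = true` lines (calendar remote.php twice, contacts remote.php twice) describes the wrong thing; the property is `disableListing`, so the comment should read `// Disable listing of the collection's children over WebDAV` or similar. Several added lines also carry trailing whitespace (`new Sabre_CalDAV_Principal_Collection($principalBackend); `, `$nodes = array( `, `$Sabre_CalDAV_Principal_Collection, `) and the closing `);` of the array is indented one tab deeper than the original, which will show up as noise in any later diff against upstream. Both remote.php files are patched identically, so whatever is fixed here should be mirrored in the contacts hunk.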
diff --git a/debian/patches/CVE-2012-4391.diff b/debian/patches/CVE-2012-4391.diff
new file mode 100644
index 0000000..0be3134
--- /dev/null
+++ b/debian/patches/CVE-2012-4391.diff
@@ -0,0 +1,15 @@
+diff -Nru owncloud-4.0.4debian/core/ajax/appconfig.php owncloud-4.0.7debian/core/ajax/appconfig.php
+--- owncloud-4.0.4debian/core/ajax/appconfig.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/core/ajax/appconfig.php	2012-08-14 20:11:16.000000000 +0200
+@@ -6,7 +6,9 @@
+  */
+ 
+ require_once ("../../lib/base.php");
+-OC_JSON::checkLoggedIn();
++OC_Util::checkAdminUser();
++OCP\JSON::callCheck();
++
+ $action=isset($_POST['action'])?$_POST['action']:$_GET['action'];
+ $result=false;
+ switch($action){
+
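Review bot: The replacement guard uses `OC_Util::checkAdminUser()` in an ajax endpoint, whereas the sibling ajax scripts patched in CVE-2012-4393.diff (settings/ajax/disableapp.php, enableapp.php, removegroup.php, setquota.php) use `OC_JSON::checkAdminUser()`; if the OC_Util variant responds with a redirect rather than a JSON error, an XHR caller that is not an admin receives an HTML login page instead of a parseable failure, so `OC_JSON::checkAdminUser();` would be the consistent choice here. The next line, `$action=isset($_POST['action'])?$_POST['action']:$_GET['action'];`, still reads `$_GET['action']` without an `isset` check and so emits a notice on a request with neither parameter; `$action = isset($_POST['action']) ? $_POST['action'] : (isset($_GET['action']) ? $_GET['action'] : null);` avoids that. The `switch($action)` that follows continues outside the hunk.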
diff --git a/debian/patches/CVE-2012-4392.diff b/debian/patches/CVE-2012-4392.diff
new file mode 100644
index 0000000..acf4d21
--- /dev/null
+++ b/debian/patches/CVE-2012-4392.diff
@@ -0,0 +1,13 @@
+diff -Nru owncloud-4.0.4debian/index.php owncloud-4.0.7debian/index.php
+--- owncloud-4.0.4debian/index.php	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.7debian/index.php	2012-08-14 20:11:17.000000000 +0200
+@@ -77,7 +77,7 @@
+ 		}
+ 		// confirm credentials in cookie
+ 		if(isset($_COOKIE['oc_token']) && OC_User::userExists($_COOKIE['oc_username']) &&
+-		OC_Preferences::getValue($_COOKIE['oc_username'], "login", "token") == $_COOKIE['oc_token']) {
++		OC_Preferences::getValue($_COOKIE['oc_username'], "login", "token") === $_COOKIE['oc_token']) {
+ 			OC_User::setUserId($_COOKIE['oc_username']);
+ 			OC_Util::redirectToDefaultPage();
+ 		}
+
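Review bot: The switch from `==` to `===` on the cookie-token comparison deserves a comment explaining why it matters, since it reads like a cosmetic change: `$_COOKIE` values are always strings, so strict comparison also rejects the case where `OC_Preferences::getValue()` returns a non-string because no token has been stored for that user, which loose comparison could accept. Something like `// strict compare: a missing stored token must never match a client-supplied cookie` on the line above would capture that. Note that `===` is still not a constant-time comparison; on PHP >= 5.6, `hash_equals()` is the appropriate primitive for comparing a stored secret with a caller-supplied one. The condition also calls `OC_User::userExists($_COOKIE['oc_username'])` without first checking that `oc_username` is set, which the commit does not address. The enclosing `if`/login block starts and ends outside the hunk.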
diff --git a/debian/patches/CVE-2012-4393.diff b/debian/patches/CVE-2012-4393.diff
new file mode 100644
index 0000000..89cc169
--- /dev/null
+++ b/debian/patches/CVE-2012-4393.diff
@@ -0,0 +1,542 @@
+diff -Nru owncloud-4.0.4debian/apps/bookmarks/ajax/addBookmark.php owncloud-4.0.7debian/apps/bookmarks/ajax/addBookmark.php
+--- owncloud-4.0.4debian/apps/bookmarks/ajax/addBookmark.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/bookmarks/ajax/addBookmark.php	2012-08-14 20:11:16.000000000 +0200
+@@ -29,6 +29,7 @@
+ // Check if we are a user
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('bookmarks');
++OCP\JSON::callCheck();
+ 
+ require_once(OC::$APPSROOT . '/apps/bookmarks/bookmarksHelper.php');
+ $id = addBookmark($_POST['url'], $_POST['title'], $_POST['tags']);
+diff -Nru owncloud-4.0.4debian/apps/bookmarks/ajax/delBookmark.php owncloud-4.0.7debian/apps/bookmarks/ajax/delBookmark.php
+--- owncloud-4.0.4debian/apps/bookmarks/ajax/delBookmark.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/bookmarks/ajax/delBookmark.php	2012-08-14 20:11:16.000000000 +0200
+@@ -29,6 +29,7 @@
+ // Check if we are a user
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('bookmarks');
++OCP\JSON::callCheck();
+ 
+ $id = $_POST['id'];
+ if (!OC_Bookmarks_Bookmarks::deleteUrl($id)){
+diff -Nru owncloud-4.0.4debian/apps/bookmarks/ajax/editBookmark.php owncloud-4.0.7debian/apps/bookmarks/ajax/editBookmark.php
+--- owncloud-4.0.4debian/apps/bookmarks/ajax/editBookmark.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/bookmarks/ajax/editBookmark.php	2012-08-14 20:11:16.000000000 +0200
+@@ -29,6 +29,7 @@
+ // Check if we are a user
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('bookmarks');
++OCP\JSON::callCheck();
+ 
+ $CONFIG_DBTYPE = OCP\Config::getSystemValue( "dbtype", "sqlite" );
+ if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/calendar/delete.php owncloud-4.0.7debian/apps/calendar/ajax/calendar/delete.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/calendar/delete.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/calendar/delete.php	2012-08-14 20:11:16.000000000 +0200
+@@ -9,6 +9,7 @@
+ 
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+ 
+ $cal = $_POST["calendarid"];
+ $calendar = OC_Calendar_App::getCalendar($cal, true);
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/calendar/edit.php owncloud-4.0.7debian/apps/calendar/ajax/calendar/edit.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/calendar/edit.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/calendar/edit.php	2012-08-14 20:11:16.000000000 +0200
+@@ -9,6 +9,7 @@
+  
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+ 
+ $calendarcolor_options = OC_Calendar_Calendar::getCalendarColorOptions();
+ $calendar = OC_Calendar_App::getCalendar($_GET['calendarid'], true);
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/calendar/new.php owncloud-4.0.7debian/apps/calendar/ajax/calendar/new.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/calendar/new.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/calendar/new.php	2012-08-14 20:11:16.000000000 +0200
+@@ -11,6 +11,7 @@
+ // Check if we are a user
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+ 
+ if(trim($_POST['name']) == ''){
+ 	OCP\JSON::error(array('message'=>'empty'));
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/calendar/update.php owncloud-4.0.7debian/apps/calendar/ajax/calendar/update.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/calendar/update.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/calendar/update.php	2012-08-14 20:11:16.000000000 +0200
+@@ -11,6 +11,7 @@
+ // Check if we are a user
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+ 
+ if(trim($_POST['name']) == ''){
+ 	OCP\JSON::error(array('message'=>'empty'));
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/event/delete.php owncloud-4.0.7debian/apps/calendar/ajax/event/delete.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/event/delete.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/event/delete.php	2012-08-14 20:11:16.000000000 +0200
+@@ -9,6 +9,7 @@
+ 
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+ 
+ $id = $_POST['id'];
+ $access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/event/edit.php owncloud-4.0.7debian/apps/calendar/ajax/event/edit.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/event/edit.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/event/edit.php	2012-08-14 20:11:16.000000000 +0200
+@@ -9,6 +9,7 @@
+  
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+ 
+ $id = $_POST['id'];
+ 
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/event/move.php owncloud-4.0.7debian/apps/calendar/ajax/event/move.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/event/move.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/event/move.php	2012-08-14 20:11:16.000000000 +0200
+@@ -7,6 +7,7 @@
+  */
+  
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ $id = $_POST['id'];
+ $access = OC_Calendar_App::getaccess($id, OC_Calendar_App::EVENT);
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/event/new.php owncloud-4.0.7debian/apps/calendar/ajax/event/new.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/event/new.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/event/new.php	2012-08-14 20:11:16.000000000 +0200
+@@ -10,6 +10,7 @@
+ 
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+ 
+ $errarr = OC_Calendar_Object::validateRequest($_POST);
+ if($errarr){
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/import/import.php owncloud-4.0.7debian/apps/calendar/ajax/import/import.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/import/import.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/import/import.php	2012-08-14 20:11:16.000000000 +0200
+@@ -8,6 +8,7 @@
+ //check for calendar rights or create new one
+ ob_start();
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ OCP\App::checkAppEnabled('calendar');
+ $nl="\r\n";
+ $comps = array('VEVENT'=>true, 'VTODO'=>true, 'VJOURNAL'=>true);
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/settings/setfirstday.php owncloud-4.0.7debian/apps/calendar/ajax/settings/setfirstday.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/settings/setfirstday.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/settings/setfirstday.php	2012-08-14 20:11:16.000000000 +0200
+@@ -7,6 +7,8 @@
+  */
+  
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
++
+ if(isset($_POST["firstday"])){
+ 	OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'firstday', $_POST["firstday"]);
+ 	OCP\JSON::success();
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/settings/settimeformat.php owncloud-4.0.7debian/apps/calendar/ajax/settings/settimeformat.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/settings/settimeformat.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/settings/settimeformat.php	2012-08-14 20:11:16.000000000 +0200
+@@ -7,6 +7,8 @@
+  */
+  
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
++
+ if(isset($_POST["timeformat"])){
+ 	OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'timeformat', $_POST["timeformat"]);
+ 	OCP\JSON::success();
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/share/changepermission.php owncloud-4.0.7debian/apps/calendar/ajax/share/changepermission.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/share/changepermission.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/share/changepermission.php	2012-08-14 20:11:16.000000000 +0200
+@@ -5,7 +5,8 @@
+  * later.
+  * See the COPYING-README file.
+  */
+- 
++ OCP\JSON::callCheck();
++
+ $id = strip_tags($_GET['id']);
+ $idtype = strip_tags($_GET['idtype']);
+ $permission = (int) strip_tags($_GET['permission']);
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/share/share.php owncloud-4.0.7debian/apps/calendar/ajax/share/share.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/share/share.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/share/share.php	2012-08-14 20:11:16.000000000 +0200
+@@ -5,7 +5,8 @@
+  * later.
+  * See the COPYING-README file.
+  */
+- 
++ OCP\JSON::callCheck();
++
+ $id = strip_tags($_GET['id']);
+ $idtype = strip_tags($_GET['idtype']);
+ switch($idtype){
+diff -Nru owncloud-4.0.4debian/apps/calendar/ajax/share/unshare.php owncloud-4.0.7debian/apps/calendar/ajax/share/unshare.php
+--- owncloud-4.0.4debian/apps/calendar/ajax/share/unshare.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/calendar/ajax/share/unshare.php	2012-08-14 20:11:16.000000000 +0200
+@@ -5,7 +5,8 @@
+  * later.
+  * See the COPYING-README file.
+  */
+- 
++ OCP\JSON::callCheck();
++
+ $id = strip_tags($_GET['id']);
+ $idtype = strip_tags($_GET['idtype']);
+ switch($idtype){
+diff -Nru owncloud-4.0.4debian/apps/external/ajax/setsites.php owncloud-4.0.7debian/apps/external/ajax/setsites.php
+--- owncloud-4.0.4debian/apps/external/ajax/setsites.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/external/ajax/setsites.php	2012-08-14 20:11:16.000000000 +0200
+@@ -8,6 +8,7 @@
+ 
+  
+ OCP\User::checkAdminUser();
++OCP\JSON::callCheck();
+ 
+ $sites = array();
+ for ($i = 0; $i < sizeof($_POST['site_name']); $i++) {
+diff -Nru owncloud-4.0.4debian/apps/files/ajax/delete.php owncloud-4.0.7debian/apps/files/ajax/delete.php
+--- owncloud-4.0.4debian/apps/files/ajax/delete.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/files/ajax/delete.php	2012-08-14 20:11:16.000000000 +0200
+@@ -4,6 +4,7 @@
+ 
+ 
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ // Get data
+ $dir = stripslashes($_GET["dir"]);
+diff -Nru owncloud-4.0.4debian/apps/files/ajax/move.php owncloud-4.0.7debian/apps/files/ajax/move.php
+--- owncloud-4.0.4debian/apps/files/ajax/move.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/files/ajax/move.php	2012-08-14 20:11:16.000000000 +0200
+@@ -4,6 +4,7 @@
+ 
+ 
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ // Get data
+ $dir = stripslashes($_GET["dir"]);
+diff -Nru owncloud-4.0.4debian/apps/files/ajax/newfile.php owncloud-4.0.7debian/apps/files/ajax/newfile.php
+--- owncloud-4.0.4debian/apps/files/ajax/newfile.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/files/ajax/newfile.php	2012-08-14 20:11:16.000000000 +0200
+@@ -4,6 +4,7 @@
+ 
+ 
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ // Get the params
+ $dir = isset( $_POST['dir'] ) ? stripslashes($_POST['dir']) : '';
+diff -Nru owncloud-4.0.4debian/apps/files/ajax/newfolder.php owncloud-4.0.7debian/apps/files/ajax/newfolder.php
+--- owncloud-4.0.4debian/apps/files/ajax/newfolder.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/files/ajax/newfolder.php	2012-08-14 20:11:16.000000000 +0200
+@@ -4,6 +4,7 @@
+ 
+ 
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ // Get the params
+ $dir = isset( $_POST['dir'] ) ? stripslashes($_POST['dir']) : '';
+diff -Nru owncloud-4.0.4debian/apps/files/ajax/rename.php owncloud-4.0.7debian/apps/files/ajax/rename.php
+--- owncloud-4.0.4debian/apps/files/ajax/rename.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/files/ajax/rename.php	2012-08-14 20:11:16.000000000 +0200
+@@ -4,6 +4,7 @@
+ 
+ 
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ // Get data
+ $dir = stripslashes($_GET["dir"]);
+diff -Nru owncloud-4.0.4debian/apps/files_sharing/ajax/setpermissions.php owncloud-4.0.7debian/apps/files_sharing/ajax/setpermissions.php
+--- owncloud-4.0.4debian/apps/files_sharing/ajax/setpermissions.php	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.7debian/apps/files_sharing/ajax/setpermissions.php	2012-08-14 20:11:17.000000000 +0200
+@@ -3,6 +3,7 @@
+ 
+ OCP\JSON::checkAppEnabled('files_sharing');
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ $source = '/'.OCP\USER::getUser().'/files'.$_POST['source'];
+ $uid_shared_with = $_POST['uid_shared_with'];
+diff -Nru owncloud-4.0.4debian/apps/files_sharing/ajax/share.php owncloud-4.0.7debian/apps/files_sharing/ajax/share.php
+--- owncloud-4.0.4debian/apps/files_sharing/ajax/share.php	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.7debian/apps/files_sharing/ajax/share.php	2012-08-14 20:11:17.000000000 +0200
+@@ -3,6 +3,7 @@
+ 
+ OCP\JSON::checkAppEnabled('files_sharing');
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ $userDirectory = '/'.OCP\USER::getUser().'/files';
+ $sources = explode(';', $_POST['sources']);
+diff -Nru owncloud-4.0.4debian/apps/files_sharing/ajax/toggleresharing.php owncloud-4.0.7debian/apps/files_sharing/ajax/toggleresharing.php
+--- owncloud-4.0.4debian/apps/files_sharing/ajax/toggleresharing.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/files_sharing/ajax/toggleresharing.php	2012-08-14 20:11:17.000000000 +0200
+@@ -1,5 +1,7 @@
+ <?php
+ 
++OCP\JSON::callCheck();
++
+ OCP\JSON::checkAppEnabled('files_sharing');
+ OCP\JSON::checkAdminUser();
+ if ($_POST['resharing'] == true) {
+diff -Nru owncloud-4.0.4debian/apps/files_sharing/ajax/togglesharewitheveryone.php owncloud-4.0.7debian/apps/files_sharing/ajax/togglesharewitheveryone.php
+--- owncloud-4.0.4debian/apps/files_sharing/ajax/togglesharewitheveryone.php	1970-01-01 01:00:00.000000000 +0100
++++ owncloud-4.0.7debian/apps/files_sharing/ajax/togglesharewitheveryone.php	2012-08-14 20:11:17.000000000 +0200
+@@ -0,0 +1,11 @@
++<?php
++
++OCP\JSON::callCheck();
++
++OCP\JSON::checkAppEnabled('files_sharing');
++OCP\JSON::checkAdminUser();
++if ($_POST['allowSharingWithEveryone'] == true) {
++	OCP\Config::setAppValue('files_sharing', 'allowSharingWithEveryone', 'yes');
++} else {
++	OCP\Config::setAppValue('files_sharing', 'allowSharingWithEveryone', 'no');
++}
+\ Kein Zeilenumbruch am Dateiende.
+diff -Nru owncloud-4.0.4debian/apps/files_sharing/ajax/unshare.php owncloud-4.0.7debian/apps/files_sharing/ajax/unshare.php
+--- owncloud-4.0.4debian/apps/files_sharing/ajax/unshare.php	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.7debian/apps/files_sharing/ajax/unshare.php	2012-08-14 20:11:17.000000000 +0200
+@@ -3,6 +3,7 @@
+ 
+ OCP\JSON::checkAppEnabled('files_sharing');
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ $source = '/'.OCP\USER::getUser().'/files'.$_POST['source'];
+ $uid_shared_with = $_POST['uid_shared_with'];
+diff -Nru owncloud-4.0.4debian/apps/files_texteditor/ajax/savefile.php owncloud-4.0.7debian/apps/files_texteditor/ajax/savefile.php
+--- owncloud-4.0.4debian/apps/files_texteditor/ajax/savefile.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/files_texteditor/ajax/savefile.php	2012-08-14 20:11:17.000000000 +0200
+@@ -26,6 +26,7 @@
+ 
+ // Check if we are a user
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ // Get paramteres
+ $filecontents = isset($_POST['filecontents']) ? $_POST['filecontents'] : false;
+diff -Nru owncloud-4.0.4debian/apps/files_versions/ajax/rollbackVersion.php owncloud-4.0.7debian/apps/files_versions/ajax/rollbackVersion.php
+--- owncloud-4.0.4debian/apps/files_versions/ajax/rollbackVersion.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/files_versions/ajax/rollbackVersion.php	2012-08-14 20:11:17.000000000 +0200
+@@ -1,6 +1,7 @@
+ <?php
+ 
+ OCP\JSON::checkAppEnabled('files_versions');
++OCP\JSON::callCheck();
+ 
+ require_once('apps/files_versions/versions.php');
+
+diff -Nru owncloud-4.0.4debian/apps/gallery/ajax/createAlbum.php owncloud-4.0.7debian/apps/gallery/ajax/createAlbum.php
+--- owncloud-4.0.4debian/apps/gallery/ajax/createAlbum.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/gallery/ajax/createAlbum.php	2012-08-14 20:11:17.000000000 +0200
+@@ -24,6 +24,7 @@
+  
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('gallery');
++OCP\JSON::callCheck();
+ 
+ OC_Gallery_Album::create(OCP\USER::getUser(), $_GET['album_name']);
+ 
+diff -Nru owncloud-4.0.4debian/apps/gallery/ajax/sharing.php owncloud-4.0.7debian/apps/gallery/ajax/sharing.php
+--- owncloud-4.0.4debian/apps/gallery/ajax/sharing.php	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.7debian/apps/gallery/ajax/sharing.php	2012-08-14 20:11:17.000000000 +0200
+@@ -22,6 +22,7 @@
+ */
+ 
+  
++OCP\JSON::callCheck();
+ 
+ if (!isset($_GET['token']) || !isset($_GET['operation'])) {
+   OCP\JSON::error(array('cause' => 'Not enought arguments'));
+diff -Nru owncloud-4.0.4debian/apps/tasks/ajax/addtaskform.php owncloud-4.0.7debian/apps/tasks/ajax/addtaskform.php
+--- owncloud-4.0.4debian/apps/tasks/ajax/addtaskform.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/tasks/ajax/addtaskform.php	2012-08-14 20:11:17.000000000 +0200
+@@ -3,6 +3,7 @@
+ // Init owncloud
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('tasks');
++OCP\JSON::callCheck();
+ 
+ $calendars = OC_Calendar_Calendar::allCalendars(OCP\User::getUser(), true);
+ $category_options = OC_Calendar_App::getCategoryOptions();
+diff -Nru owncloud-4.0.4debian/apps/tasks/ajax/addtask.php owncloud-4.0.7debian/apps/tasks/ajax/addtask.php
+--- owncloud-4.0.4debian/apps/tasks/ajax/addtask.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/tasks/ajax/addtask.php	2012-08-14 20:11:17.000000000 +0200
+@@ -3,6 +3,7 @@
+ // Init owncloud
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('tasks');
++OCP\JSON::callCheck();
+ 
+ $calendars = OC_Calendar_Calendar::allCalendars(OCP\User::getUser(), true);
+ $first_calendar = reset($calendars);
+diff -Nru owncloud-4.0.4debian/apps/tasks/ajax/delete.php owncloud-4.0.7debian/apps/tasks/ajax/delete.php
+--- owncloud-4.0.4debian/apps/tasks/ajax/delete.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/tasks/ajax/delete.php	2012-08-14 20:11:16.000000000 +0200
+@@ -23,6 +23,7 @@
+ // Init owncloud
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('tasks');
++OCP\JSON::callCheck();
+ 
+ $id = $_POST['id'];
+ $task = OC_Calendar_App::getEventObject( $id );
+diff -Nru owncloud-4.0.4debian/apps/tasks/ajax/edittask.php owncloud-4.0.7debian/apps/tasks/ajax/edittask.php
+--- owncloud-4.0.4debian/apps/tasks/ajax/edittask.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/tasks/ajax/edittask.php	2012-08-14 20:11:17.000000000 +0200
+@@ -3,6 +3,7 @@
+ // Init owncloud
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('tasks');
++OCP\JSON::callCheck();
+ 
+ $l10n = new OC_L10N('tasks');
+ 
+diff -Nru owncloud-4.0.4debian/settings/ajax/changepassword.php owncloud-4.0.7debian/settings/ajax/changepassword.php
+--- owncloud-4.0.4debian/settings/ajax/changepassword.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/changepassword.php	2012-08-14 20:11:17.000000000 +0200
+@@ -2,6 +2,7 @@
+ 
+ // Init owncloud
+ require_once('../../lib/base.php');
++OCP\JSON::callCheck();
+ 
+ $username = isset($_POST["username"]) ? $_POST["username"] : OC_User::getUser();
+ $password = $_POST["password"];
+diff -Nru owncloud-4.0.4debian/settings/ajax/creategroup.php owncloud-4.0.7debian/settings/ajax/creategroup.php
+--- owncloud-4.0.4debian/settings/ajax/creategroup.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/creategroup.php	2012-08-14 20:11:17.000000000 +0200
+@@ -2,6 +2,7 @@
+ 
+ // Init owncloud
+ require_once('../../lib/base.php');
++OCP\JSON::callCheck();
+ 
+ // Check if we are a user
+ if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' )){
+diff -Nru owncloud-4.0.4debian/settings/ajax/createuser.php owncloud-4.0.7debian/settings/ajax/createuser.php
+--- owncloud-4.0.4debian/settings/ajax/createuser.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/createuser.php	2012-08-14 20:11:17.000000000 +0200
+@@ -2,6 +2,7 @@
+ 
+ // Init owncloud
+ require_once('../../lib/base.php');
++OCP\JSON::callCheck();
+ 
+ // Check if we are a user
+ if( !OC_User::isLoggedIn() || !OC_Group::inGroup( OC_User::getUser(), 'admin' )){
+diff -Nru owncloud-4.0.4debian/settings/ajax/disableapp.php owncloud-4.0.7debian/settings/ajax/disableapp.php
+--- owncloud-4.0.4debian/settings/ajax/disableapp.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/disableapp.php	2012-08-14 20:11:16.000000000 +0200
+@@ -2,6 +2,7 @@
+ // Init owncloud
+ require_once('../../lib/base.php');
+ OC_JSON::checkAdminUser();
++OCP\JSON::callCheck();
+ OC_JSON::setContentTypeHeader();
+ 
+ OC_App::disable($_POST['appid']);
+diff -Nru owncloud-4.0.4debian/settings/ajax/enableapp.php owncloud-4.0.7debian/settings/ajax/enableapp.php
+--- owncloud-4.0.4debian/settings/ajax/enableapp.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/enableapp.php	2012-08-14 20:11:17.000000000 +0200
+@@ -3,6 +3,7 @@
+ // Init owncloud
+ require_once('../../lib/base.php');
+ OC_JSON::checkAdminUser();
++OCP\JSON::callCheck();
+ OC_JSON::setContentTypeHeader();
+ 
+ if(OC_App::enable($_POST['appid'])){
+diff -Nru owncloud-4.0.4debian/settings/ajax/removegroup.php owncloud-4.0.7debian/settings/ajax/removegroup.php
+--- owncloud-4.0.4debian/settings/ajax/removegroup.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/removegroup.php	2012-08-14 20:11:17.000000000 +0200
+@@ -4,6 +4,7 @@
+ require_once('../../lib/base.php');
+ 
+ OC_JSON::checkAdminUser();
++OCP\JSON::callCheck();
+ 
+ $name = $_POST["groupname"];
+ 
+diff -Nru owncloud-4.0.4debian/settings/ajax/removeuser.php owncloud-4.0.7debian/settings/ajax/removeuser.php
+--- owncloud-4.0.4debian/settings/ajax/removeuser.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/removeuser.php	2012-08-14 20:11:17.000000000 +0200
+@@ -4,6 +4,7 @@
+ require_once('../../lib/base.php');
+ 
+ OC_JSON::checkAdminUser();
++OCP\JSON::callCheck();
+ 
+ $username = $_POST["username"];
+ 
+diff -Nru owncloud-4.0.4debian/settings/ajax/setlanguage.php owncloud-4.0.7debian/settings/ajax/setlanguage.php
+--- owncloud-4.0.4debian/settings/ajax/setlanguage.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/setlanguage.php	2012-08-14 20:11:17.000000000 +0200
+@@ -6,7 +6,7 @@
+ $l=OC_L10N::get('settings');
+ 
+ OC_JSON::checkLoggedIn();
+-
++OCP\JSON::callCheck();
+ 
+ // Get data
+ if( isset( $_POST['lang'] ) ){
+diff -Nru owncloud-4.0.4debian/settings/ajax/setloglevel.php owncloud-4.0.7debian/settings/ajax/setloglevel.php
+--- owncloud-4.0.4debian/settings/ajax/setloglevel.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/setloglevel.php	2012-08-14 20:11:16.000000000 +0200
+@@ -7,6 +7,7 @@
+ 
+ require_once('../../lib/base.php');
+ OC_Util::checkAdminUser();
++OCP\JSON::callCheck();
+ 
+ OC_Config::setValue( 'loglevel', $_POST['level'] );
+ 
+diff -Nru owncloud-4.0.4debian/settings/ajax/setquota.php owncloud-4.0.7debian/settings/ajax/setquota.php
+--- owncloud-4.0.4debian/settings/ajax/setquota.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/setquota.php	2012-08-14 20:11:17.000000000 +0200
+@@ -9,6 +9,7 @@
+ require_once('../../lib/base.php');
+ 
+ OC_JSON::checkAdminUser();
++OCP\JSON::callCheck();
+ 
+ $username = isset($_POST["username"])?$_POST["username"]:'';
+ 
+diff -Nru owncloud-4.0.4debian/settings/ajax/togglegroups.php owncloud-4.0.7debian/settings/ajax/togglegroups.php
+--- owncloud-4.0.4debian/settings/ajax/togglegroups.php	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/togglegroups.php	2012-08-14 20:11:17.000000000 +0200
+@@ -4,6 +4,7 @@
+ require_once('../../lib/base.php');
+ 
+ OC_JSON::checkAdminUser();
++OCP\JSON::callCheck();
+ 
+ $success = true;
+ $error = "add user to";
+diff -Nru owncloud-4.0.4debian/settings/ajax/lostpassword.php owncloud-4.0.7debian/settings/ajax/lostpassword.php
+--- owncloud-4.0.4debian/settings/ajax/lostpassword.php	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.7debian/settings/ajax/lostpassword.php	2012-08-14 20:11:17.000000000 +0200
+@@ -4,6 +4,7 @@
+ require_once('../../lib/base.php');
+ 
+ OC_JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ 
+ $l=OC_L10N::get('core');
+ 
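Review bot: In apps/calendar/ajax/share/changepermission.php, share.php and unshare.php, apps/gallery/ajax/sharing.php, apps/files_versions/ajax/rollbackVersion.php and settings/ajax/changepassword.php the hunk adds only `OCP\JSON::callCheck();`, and no `checkLoggedIn()` or `checkAppEnabled()` is visible in their context lines, unlike the other calendar ajax scripts in this same patch which call both before `callCheck()`; if the remainder of those files (outside the hunks) does not authenticate the caller, a CSRF check alone does not establish who is making the request, and `OCP\JSON::checkLoggedIn();` should precede it. In files_sharing/ajax/toggleresharing.php and togglesharewitheveryone.php the new `callCheck()` is placed before `checkAppEnabled()`/`checkAdminUser()`, the reverse of every other file in this patch; ordering authentication first, then the CSRF check, keeps the failure mode consistent across endpoints. The three calendar share scripts also indent the new line with a leading space (` OCP\JSON::callCheck();`) while the rest of the patch starts at column 0. All of these hunks cut through files whose remaining bodies are not shown.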
diff --git a/debian/patches/CVE-2012-4394.diff b/debian/patches/CVE-2012-4394.diff
new file mode 100644
index 0000000..a7e9d34
--- /dev/null
+++ b/debian/patches/CVE-2012-4394.diff
@@ -0,0 +1,13 @@
+diff -Nru owncloud-4.0.4debian/apps/files/js/filelist.js owncloud-4.0.7debian/apps/files/js/filelist.js
+--- owncloud-4.0.4debian/apps/files/js/filelist.js	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/apps/files/js/filelist.js	2012-08-14 20:11:16.000000000 +0200
+@@ -14,7 +14,7 @@
+ 			var extension=false;
+ 		}
+ 		html+='<td class="filename" style="background-image:url('+img+')"><input type="checkbox" />';
+-		html+='<a class="name" href="download.php?file='+$('#dir').val()+'/'+name+'"><span class="nametext">'+basename
++		html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+name+'"><span class="nametext">'+basename
+ 		if(extension){
+ 			html+='<span class="extension">'+extension+'</span>';
+ 		}
+
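Review bot: As rendered here, `.replace(/</, '<').replace(/>/, '>')` substitutes each character with itself and is a no-op; this is probably the list archive decoding HTML entities in the original `&lt;`/`&gt;` replacements, but even assuming that, a regex without the `g` flag rewrites only the first occurrence, and `"` and `&` inside the attribute are left untouched. The value is being placed in a URL query parameter inside an HTML attribute, so encoding it as a URL component covers both contexts at once: `html+='<a class="name" href="download.php?file='+encodeURIComponent($('#dir').val()+'/'+name)+'"><span class="nametext">'+basename`. That also covers `name`, which the same line interpolates unescaped and the patch leaves as is. The enclosing function starts and ends outside the hunk.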
diff --git a/debian/patches/remove_unused_unsecure_files.diff b/debian/patches/remove_unused_unsecure_files.diff
new file mode 100644
index 0000000..878568e
--- /dev/null
+++ b/debian/patches/remove_unused_unsecure_files.diff
@@ -0,0 +1,149 @@
+diff -Nru owncloud-4.0.4debian/core/ajax/grouplist.php owncloud-4.0.7debian/core/ajax/grouplist.php
+--- owncloud-4.0.4debian/core/ajax/grouplist.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/core/ajax/grouplist.php	1970-01-01 01:00:00.000000000 +0100
+@@ -1,49 +0,0 @@
+-<?php
+-
+-/**
+-* ownCloud - ajax group list
+-*
+-* @author Hans Bakker
+-* @copyright 2011 hansmbakker+kde at gmail.com
+-*
+-* This library is free software; you can redistribute it and/or
+-* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+-* License as published by the Free Software Foundation; either
+-* version 3 of the License, or any later version.
+-*
+-* This library is distributed in the hope that it will be useful,
+-* but WITHOUT ANY WARRANTY; without even the implied warranty of
+-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+-*
+-* You should have received a copy of the GNU Affero General Public
+-* License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+-*
+-*/
+-
+-$RUNTIME_NOAPPS = TRUE; //no apps, yet
+-require_once('../../lib/base.php');
+-
+-if(!OC_User::isLoggedIn()){
+-	if(!isset($_SERVER['PHP_AUTH_USER'])){
+-		header('WWW-Authenticate: Basic realm="ownCloud Server"');
+-		header('HTTP/1.0 401 Unauthorized');
+-		echo 'Valid credentials must be supplied';
+-		exit();
+-	} else {
+-		if(!OC_User::checkPassword($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])){
+-			exit();
+-		}
+-	}
+-}
+-
+-$groups = array();
+-
+-foreach( OC_Group::getGroups() as $i ){
+-       	// Do some more work here soon
+-        $groups[] = array( "groupname" => $i );
+-}
+-
+-OC_JSON::encodedPrint($groups);
+-
+-?>
+diff -Nru owncloud-4.0.4debian/core/ajax/userlist.php owncloud-4.0.7debian/core/ajax/userlist.php
+--- owncloud-4.0.4debian/core/ajax/userlist.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/core/ajax/userlist.php	1970-01-01 01:00:00.000000000 +0100
+@@ -1,48 +0,0 @@
+-<?php
+-
+-/**
+-* ownCloud - ajax user list
+-*
+-* @author Hans Bakker
+-* @copyright 2011 hansmbakker+kde at gmail.com
+-*
+-* This library is free software; you can redistribute it and/or
+-* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+-* License as published by the Free Software Foundation; either
+-* version 3 of the License, or any later version.
+-*
+-* This library is distributed in the hope that it will be useful,
+-* but WITHOUT ANY WARRANTY; without even the implied warranty of
+-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+-*
+-* You should have received a copy of the GNU Affero General Public
+-* License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+-*
+-*/
+-
+-$RUNTIME_NOAPPS = TRUE; //no apps, yet
+-require_once('../../lib/base.php');
+-
+-if(!OC_User::isLoggedIn()){
+-        if(!isset($_SERVER['PHP_AUTH_USER'])){
+-                header('WWW-Authenticate: Basic realm="ownCloud Server"');
+-                header('HTTP/1.0 401 Unauthorized');
+-                echo 'Valid credentials must be supplied';
+-                exit();
+-        } else {
+-                if(!OC_User::checkPassword($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])){
+-                        exit();
+-                }
+-        }
+-}
+-
+-$users = array();
+-
+-foreach( OC_User::getUsers() as $i ){
+-       	$users[] = array( "username" => $i, "groups" => join( ", ", OC_Group::getUserGroups( $i ) ));
+-}
+-
+-OC_JSON::encodedPrint($users);
+-
+-?>
+diff -Nru owncloud-4.0.4debian/core/ajax/validateuser.php owncloud-4.0.7debian/core/ajax/validateuser.php
+--- owncloud-4.0.4debian/core/ajax/validateuser.php	2012-06-26 21:54:06.000000000 +0200
++++ owncloud-4.0.7debian/core/ajax/validateuser.php	1970-01-01 01:00:00.000000000 +0100
+@@ -1,40 +0,0 @@
+-<?php
+-
+-/**
+-* ownCloud
+-*
+-* @author Hans Bakker
+-* @copyright 2011 Hans Bakker hansmbakker+kde at gmail.com
+-*
+-* This library is free software; you can redistribute it and/or
+-* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+-* License as published by the Free Software Foundation; either
+-* version 3 of the License, or any later version.
+-*
+-* This library is distributed in the hope that it will be useful,
+-* but WITHOUT ANY WARRANTY; without even the implied warranty of
+-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+-*
+-* You should have received a copy of the GNU Affero General Public
+-* License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+-*
+-*/
+-
+-$RUNTIME_NOAPPS = TRUE; //no apps, yet
+-require_once('../../lib/base.php');
+-
+-if(!isset($_SERVER['PHP_AUTH_USER'])){
+-        header('WWW-Authenticate: Basic realm="ownCloud Server"');
+-        header('HTTP/1.0 401 Unauthorized');
+-        echo 'Valid credentials must be supplied';
+-        exit();
+-} else {
+-        if(OC_User::checkPassword($_SERVER["PHP_AUTH_USER"], $_SERVER["PHP_AUTH_PW"])){
+-		OC_JSON::encodedPrint(array("username" => $_SERVER["PHP_AUTH_USER"], "user_valid" => "true"));
+-	} else {
+-	        OC_JSON::encodedPrint(array("username" => $_SERVER["PHP_AUTH_USER"], "user_valid" => "false"));
+-	}
+-}
+-
+-?>
diff --git a/debian/patches/series b/debian/patches/series
index f9e4be2..9ee7019 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,11 @@ fix_tar_require.diff
 fix_sabre_requires.diff
 fix_config.php_mode.diff
 fix_writing_to_shared_readonly.diff
+CVE-2012-4389.diff
+CVE-2012-4390.diff
+CVE-2012-4391.diff
+CVE-2012-4392.diff
+CVE-2012-4393.diff
+CVE-2012-4394.diff
+remove_unused_unsecure_files.diff
+
