[Pkg-owncloud-commits] [SCM] owncloud.git branch, debian-wheezy, updated. debian/4.0.4debian2-2-2-g245a2f4
Thomas Mueller
thomas.mueller at tmit.eu
Sat Sep 22 14:24:55 UTC 2012
The following commit has been merged in the debian-wheezy branch:
commit 245a2f4ccf6d5d892bff8479fe8ad637021b4602
Author: Thomas Mueller <thomas.mueller at tmit.eu>
Date: Sat Sep 22 16:24:48 2012 +0200
Backport of some security fixes
diff --git a/debian/changelog b/debian/changelog
index a1d634e..a7a81d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ owncloud (4.0.4debian2-3) UNRELEASED; urgency=low
* debian/patches:
- Added BTS688394.diff (Closes: #688394)
+ - Added backported_security_fixes.diff
-- Thomas Mueller <thomas.mueller at tmit.eu> Sat, 22 Sep 2012 15:57:03 +0200
diff --git a/debian/patches/backported_security_fixes.diff b/debian/patches/backported_security_fixes.diff
new file mode 100644
index 0000000..7b157b3
--- /dev/null
+++ b/debian/patches/backported_security_fixes.diff
@@ -0,0 +1,62 @@
+--- owncloud-4.0.4debian2.orig/apps/files/index.php
++++ owncloud-4.0.4debian2/apps/files/index.php
+@@ -39,7 +39,7 @@ OCP\App::setActiveNavigationEntry( 'file
+ $dir = isset( $_GET['dir'] ) ? stripslashes($_GET['dir']) : '';
+ // Redirect if directory does not exist
+ if(!OC_Filesystem::is_dir($dir.'/')) {
+- header('Location: '.$_SERVER['PHP_SELF'].'');
++ header('Location: '.$_SERVER['SCRIPT_NAME'].'');
+ }
+
+ $files = array();
+--- a/apps/gallery/templates/index.php
++++ b/apps/gallery/templates/index.php
+@@ -17,7 +17,7 @@
+ </style>
+ <script type="text/javascript">
+
+-var root = "<?php echo $root; ?>";
++var root = "<?php echo htmlentities($root); ?>";
+
+ function explode(element) {
+ $('div', element).each(function(index, elem) {
+
+--- a/lib/base.php
++++ b/lib/base.php
+@@ -434,6 +434,7 @@ public static function init(){
+
+ // Check for blacklisted files
+ OC_Hook::connect('OC_Filesystem','write','OC_Filesystem','isBlacklisted');
++ OC_Hook::connect('OC_Filesystem', 'rename', 'OC_Filesystem', 'isBlacklisted');
+
+ //make sure temporary files are cleaned up
+ register_shutdown_function(array('OC_Helper','cleanTmp'));
+
+--- a/lib/filesystem.php
++++ b/lib/filesystem.php
+@@ -372,13 +372,21 @@ static public function isValidPath($path){
+
+ /**
+ * checks if a file is blacklsited for storage in the filesystem
++ * Listens to write and rename hooks
+ * @param array $data from hook
+ */
+ static public function isBlacklisted($data){
+ $blacklist = array('.htaccess');
+- $filename = strtolower(basename($data['path']));
+- if(in_array($filename,$blacklist)){
+- $data['run'] = false;
++ if (isset($data['path'])) {
++ $path = $data['path'];
++ } else if (isset($data['newpath'])) {
++ $path = $data['newpath'];
++ }
++ if (isset($path)) {
++ $filename = strtolower(basename($path));
++ if (in_array($filename, $blacklist)) {
++ $data['run'] = false;
++ }
+ }
+ }
+
+
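Review bot: In the apps/gallery/templates/index.php part of this backported patch, `htmlentities($root)` encodes a value that is placed inside a JavaScript string literal within a `<script>` block, which is the wrong encoder for that context. htmlentities() targets HTML text: it leaves backslashes and line terminators untouched, both of which are significant in a JS string, and the entities it emits are not decoded inside `<script>`, so a gallery root containing `&` or `<` reaches the script altered. Where `$root` originates is not visible here, but since the commit treats it as untrusted, the JSON encoder is the form that fits the context: `var root = <?php echo json_encode($root, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;` (json_encode supplies the surrounding quotes). Separately, in apps/files/index.php the `header('Location: ...')` call is not followed by `exit;`, so the script continues to `$files = array();` for a directory that just failed the `is_dir` check.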
diff --git a/debian/patches/series b/debian/patches/series
index 47bc128..88e947f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,4 +14,5 @@ CVE-2012-4393.diff
CVE-2012-4394.diff
remove_unused_unsecure_files.diff
BTS688394.diff
+backported_security_fixes.diff
--
owncloud.git