[Pkg-owncloud-commits] [SCM] owncloud.git branch, master, updated. debian/4.0.8debian-1.4-8-g69e7abb
David Prévot
taffit at debian.org
Tue Mar 19 00:12:00 UTC 2013
The following commit has been merged in the master branch:
commit ec3eac5a9ccadc664e31afd476d441a9c5522136
Author: Prach Pongpanich <prachpub at gmail.com>
Date: Wed Feb 27 11:38:52 2013 +0700
Imported Debian patch 4.0.8debian-1.5
diff --git a/debian/changelog b/debian/changelog
index c3be537..cfe7bd8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+owncloud (4.0.8debian-1.5) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Multiple security fixes (Closes: #701115):
+ + debian/patches/13_oc-sa-2013-003.patch:
+ - CVE-2013-0297 and CVE-2013-0307: XSS vulnerability
+ + debian/patches/14_oc-sa-2013-004.patch:
+ - CVE-2013-0299 and CVE-2013-0301: Multiple CSRF vulnerabilities
+ + debian/patches/15_oc-sa-2013-006.patch:
+ - CVE-2013-0303: Multiple code executions
+
+ -- Prach Pongpanich <prachpub at gmail.com> Wed, 27 Feb 2013 11:38:52 +0700
+
owncloud (4.0.8debian-1.4) unstable; urgency=high
* Non-maintainer upload.
diff --git a/debian/patches/13_oc-sa-2013-003.patch b/debian/patches/13_oc-sa-2013-003.patch
new file mode 100644
index 0000000..c8c8573
--- /dev/null
+++ b/debian/patches/13_oc-sa-2013-003.patch
@@ -0,0 +1,32 @@
+Description: Fix multiple cross-site scripting (XSS) vulnerabilities (CVE-2013-0297, CVE-2013-0307)
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701115
+
+Index: owncloud-4.0.8debian/settings/js/users.js
+===================================================================
+--- owncloud-4.0.8debian.orig/settings/js/users.js 2012-10-09 22:10:37.000000000 +0700
++++ owncloud-4.0.8debian/settings/js/users.js 2013-02-27 11:48:53.000000000 +0700
+@@ -43,7 +43,7 @@
+ var addGroup = function(group) {
+ $('select[multiple]').each(function(index, element) {
+ if ($(element).find('option[value="'+group +'"]').length == 0) {
+- $(element).append('<option value="'+group+'">'+group+'</option>');
++ $(element).append('<option value="' + escapeHTML(group) + '">' + escapeHTML(group) + '</option>');
+ }
+ })
+ };
+Index: owncloud-4.0.8debian/apps/external/templates/settings.php
+===================================================================
+--- owncloud-4.0.8debian.orig/apps/external/templates/settings.php 2012-10-09 22:10:37.000000000 +0700
++++ owncloud-4.0.8debian/apps/external/templates/settings.php 2013-02-27 11:48:53.000000000 +0700
+@@ -6,8 +6,8 @@
+ <?php
+ $sites = OC_External::getSites();
+ for($i = 0; $i < sizeof($sites); $i++) {
+- echo '<li><input type="text" name="site_name[]" class="site_name" value="'.$sites[$i][0].'" placeholder="'.$l->t('Name').'" />
+- <input type="text" class="site_url" name="site_url[]" value="'.$sites[$i][1].'" placeholder="'.$l->t('URL').'" />
++ echo '<li><input type="text" name="site_name[]" class="site_name" value="'.OC_Util::sanitizeHTML($sites[$i][0]).'" placeholder="'.$l->t('Name').'" />
++ <input type="text" class="site_url" name="site_url[]" value="'.OC_Util::sanitizeHTML($sites[$i][1]).'" placeholder="'.$l->t('URL').'" />
+ <img class="svg action delete_button" src="'.OCP\image_path("", "actions/delete.svg") .'" title="'.$l->t("Remove site").'" />
+ </li>';
+ }
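Review bot: The lookup on the line above the escaped append, `$(element).find('option[value="'+group +'"]')`, still interpolates `group` raw into a jQuery selector, so a group name containing a double quote or `]` yields a malformed selector (an exception or a non-match) before the escaped `<option>` is ever built; the escaping fixes the markup but not the lookup. A value-based filter avoids attribute quoting entirely, e.g. `$(element).find('option').filter(function() { return this.value === group; }).length == 0`. In the settings.php hunk, `OC_Util::sanitizeHTML` is applied to both fields, but nothing on the page shows what it escapes; it should be confirmed to cover `"` since both values land inside a double-quoted attribute. Other uses of `group` as a selector in users.js are outside this hunk and would deserve the same check.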
diff --git a/debian/patches/14_oc-sa-2013-004.patch b/debian/patches/14_oc-sa-2013-004.patch
new file mode 100644
index 0000000..319491d
--- /dev/null
+++ b/debian/patches/14_oc-sa-2013-004.patch
@@ -0,0 +1,126 @@
+Description: Fix multiple cross-site request forgery (CSRF) vulnerabilities (CVE-2013-0299,CVE-2013-0301)
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701115
+
+--- a/apps/calendar/ajax/settings/guesstimezone.php
++++ b/apps/calendar/ajax/settings/guesstimezone.php
+@@ -9,6 +9,7 @@
+
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+
+ $l = OC_L10N::get('calendar');
+
+--- a/apps/admin_migrate/settings.php
++++ b/apps/admin_migrate/settings.php
+@@ -27,6 +27,8 @@ OCP\App::checkAppEnabled('admin_migrate');
+
+ // Export?
+ if (isset($_POST['admin_export'])) {
++ OCP\JSON::callCheck();
++
+ // Create the export zip
+ $response = json_decode( OC_Migrate::export( null, $_POST['export_type'] ) );
+ if( !$response->success ){
+@@ -44,6 +46,7 @@ if (isset($_POST['admin_export'])) {
+ }
+ // Import?
+ } else if( isset($_POST['admin_import']) ){
++ OCP\JSON::callCheck();
+ $from = $_FILES['owncloud_import']['tmp_name'];
+
+ if( !OC_Migrate::import( $from, 'instance' ) ){
+--- a/apps/admin_migrate/templates/settings.php
++++ b/apps/admin_migrate/templates/settings.php
+@@ -6,6 +6,7 @@
+ </p>
+ <h3>What would you like to export?</h3>
+ <p>
++ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
+ <input type="radio" name="export_type" value="instance" style="width:20px;" /> ownCloud instance (suitable for import )<br />
+ <input type="radio" name="export_type" value="system" style="width:20px;" /> ownCloud system files<br />
+ <input type="radio" name="export_type" value="userfiles" style="width:20px;" /> Just user files<br />
+--- a/apps/calendar/ajax/settings/settimezone.php
++++ b/apps/calendar/ajax/settings/settimezone.php
+@@ -14,6 +14,7 @@ $l=OC_L10N::get('calendar');
+ // Check if we are a user
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
+
+ // Get data
+ if( isset( $_POST['timezone'] ) ){
+--- a/apps/calendar/ajax/settings/timezonedetection.php
++++ b/apps/calendar/ajax/settings/timezonedetection.php
+@@ -8,6 +8,8 @@
+
+ OCP\JSON::checkLoggedIn();
+ OCP\JSON::checkAppEnabled('calendar');
++OCP\JSON::callCheck();
++
+ if(array_key_exists('timezonedetection', $_POST) && $_POST['timezonedetection'] == 'on'){
+ OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'timezonedetection', 'true');
+ }else{
+--- a/apps/user_ldap/settings.php
++++ b/apps/user_ldap/settings.php
+@@ -28,6 +28,8 @@ $params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_agent_password', 'lda
+ OCP\Util::addscript('user_ldap', 'settings');
+
+ if ($_POST) {
++ OCP\JSON::callCheck();
++
+ foreach($params as $param){
+ if(isset($_POST[$param])){
+ if('ldap_agent_password' == $param) {
+--- a/apps/user_ldap/templates/settings.php
++++ b/apps/user_ldap/templates/settings.php
+@@ -28,6 +28,7 @@
+ <p><label for="ldap_email_attr">Email Attribute</label><input type="text" id="ldap_email_attr" name="ldap_email_attr" value="<?php echo $_['ldap_email_attr']; ?>" /></p>
+ </fieldset>
+ <input type="submit" value="Save" /> <a href="http://owncloud.org/support/ldap-backend/" target="_blank"><img src="<?php echo OCP\Util::imagePath('','actions/info.png'); ?>" style="height:1.75ex" /> <?php echo $l->t('Help');?></a>
++ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
+ </div>
+
+ </form>
+--- a/apps/user_migrate/ajax/export.php
++++ b/apps/user_migrate/ajax/export.php
+@@ -25,6 +25,7 @@
+
+ // Check if we are a user
+ OCP\JSON::checkLoggedIn();
++OCP\JSON::callCheck();
+ OCP\App::checkAppEnabled('user_migrate');
+ // Which operation
+ if( $_GET['operation']=='create' ){
+--- a/apps/user_migrate/js/export.js
++++ b/apps/user_migrate/js/export.js
+@@ -9,7 +9,7 @@ $(document).ready(function(){
+ function(result){
+ if(result.status == 'success'){
+ // Download the file
+- window.location = OC.linkTo('user_migrate','ajax/export.php') + '?operation=download';
++ window.location = OC.linkTo('user_migrate','ajax/export.php') + '?operation=download&requesttoken=' + requesttoken;
+ $('.loading').hide();
+ $('#exportbtn').val(t('user_migrate', 'Export'));
+ } else {
+--- a/apps/user_migrate/settings.php
++++ b/apps/user_migrate/settings.php
+@@ -27,6 +27,7 @@ OC_Util::checkLoggedIn();
+
+ OCP\App::checkAppEnabled('user_migrate');
+ if (isset($_POST['user_import'])) {
++ OCP\JSON::callCheck();
+ $root = OC::$SERVERROOT . "/";
+ $importname = "owncloud_import_" . date("y-m-d_H-i-s");
+
+--- a/apps/user_migrate/templates/settings.php
++++ b/apps/user_migrate/templates/settings.php
+@@ -14,6 +14,7 @@
+ </p>
+ <p><input type="file" id="owncloud_import" name="owncloud_import" style="width:180px;"><label for="owncloud_import"> <?php echo $l->t('ownCloud User Zip');?></label>
+ </p>
++ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
+ <input type="submit" name="user_import" value="<?php echo $l->t('Import'); ?>" />
+ </fieldset>
+ </form>
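Review bot: The download URL in export.js, `'?operation=download&requesttoken=' + requesttoken`, puts the CSRF token in a GET query string, where it lands in browser history, server access logs and any Referer header sent from the resulting page; this is a weaker channel than the hidden POST field the template hunks use, and it also presumes that `OCP\JSON::callCheck()` accepts the token from `$_GET` as well as `$_POST`, which nothing in the patch shows. If the download cannot be made a POST, record the trade-off next to the line, e.g. `// token travels via GET because this is a navigation-triggered download; callCheck() must accept GET tokens`. The three template hunks echo `$_['requesttoken']` into a value attribute unescaped, which matches the surrounding template style but should be confirmed safe for the token's character set. In export.php the new `callCheck()` sits before `checkAppEnabled('user_migrate')`, whereas the calendar hunks place it after; probably harmless, but inconsistent.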
diff --git a/debian/patches/15_oc-sa-2013-006.patch b/debian/patches/15_oc-sa-2013-006.patch
new file mode 100644
index 0000000..ed68bae
--- /dev/null
+++ b/debian/patches/15_oc-sa-2013-006.patch
@@ -0,0 +1,74 @@
+Description: Fix a code executions vulnerability (CVE-2013-0303)
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701115
+
+--- a/core/ajax/translations.php
++++ b/core/ajax/translations.php
+@@ -25,6 +25,7 @@
+ require_once('../../lib/base.php');
+
+ $app = $_POST["app"];
++$app = OC_App::cleanAppId($app);
+
+ $l = OC_L10N::get( $app );
+
+--- a/lib/app.php
++++ b/lib/app.php
+@@ -38,6 +38,15 @@ class OC_App{
+ static private $loadedApps = array();
+
+ /**
++ * @brief clean the appid
++ * @param $app Appid that needs to be cleaned
++ * @return string
++ */
++ public static function cleanAppId($app) {
++ return str_replace(array('\0', '/', '\\', '..'), '', $app);
++ }
++
++ /**
+ * @brief loads all apps
+ * @param array $types
+ * @returns true/false
+--- a/lib/base.php
++++ b/lib/base.php
+@@ -444,7 +444,7 @@ class OC{
+ register_shutdown_function(array('OC_Helper','cleanTmp'));
+
+ //parse the given parameters
+- self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app'])?str_replace(array('\0', '/', '\\', '..'), '', strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files'));
++ self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app'])?OC_App::cleanAppId(strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files'));
+ if(substr_count(self::$REQUESTEDAPP, '?') != 0){
+ $app = substr(self::$REQUESTEDAPP, 0, strpos(self::$REQUESTEDAPP, '?'));
+ $param = substr(self::$REQUESTEDAPP, strpos(self::$REQUESTEDAPP, '?') + 1);
+--- a/lib/l10n.php
++++ b/lib/l10n.php
+@@ -77,6 +77,7 @@ class OC_L10N{
+ * language.
+ */
+ public function __construct($app, $lang = null){
++ $app = OC_App::cleanAppId($app);
+ // Find the right language
+ if(is_null($lang)){
+ $lang = self::findLanguage($app);
+--- a/settings/ajax/disableapp.php
++++ b/settings/ajax/disableapp.php
+@@ -5,6 +5,6 @@ OC_JSON::checkAdminUser();
+ OCP\JSON::callCheck();
+ OC_JSON::setContentTypeHeader();
+
+-OC_App::disable($_POST['appid']);
++OC_App::disable(OC_App::cleanAppId($_POST['appid']));
+
+ OC_JSON::success();
+--- a/settings/ajax/enableapp.php
++++ b/settings/ajax/enableapp.php
+@@ -6,7 +6,7 @@ OC_JSON::checkAdminUser();
+ OCP\JSON::callCheck();
+ OC_JSON::setContentTypeHeader();
+
+-if(OC_App::enable($_POST['appid'])){
++if(OC_App::enable(OC_App::cleanAppId($_POST['appid']))){
+ OC_JSON::success();
+ }else{
+ OC_JSON::error();
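Review bot: `cleanAppId()` at `return str_replace(array('\0', '/', '\\', '..'), '', $app);` does not strip NUL bytes: in a single-quoted PHP string `'\0'` is the two characters backslash and zero, so an actual NUL passes through untouched (only the literal `\0` text and, via the `'\\'` entry, lone backslashes are removed). The intended byte needs double quotes: `return str_replace(array("\0", '/', '\\', '..'), '', $app);`. The same mistake is present in the lib/base.php line this patch replaces, so the new helper inherits it rather than introducing it. The helper is also a strip-list; if app ids are restricted to a small character set, an allowlist filter would be easier to reason about, but the allowed set is not visible here. The enclosing class `OC_App` continues outside the hunk.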
diff --git a/debian/patches/series b/debian/patches/series
index f18ce3f..478f829 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,6 @@ fix_config.php_mode.diff
10_oc-sa-2012-006.patch
11_oc-sa-2012-007.patch
12_oc-sa-2013-001.patch
+13_oc-sa-2013-003.patch
+14_oc-sa-2013-004.patch
+15_oc-sa-2013-006.patch