[Pkg-owncloud-commits] [SCM] owncloud.git branch, master, updated. debian/4.0.8debian-1.5-31-gb265ece
David Prévot
taffit at debian.org
Sun Mar 24 01:26:50 UTC 2013
The following commit has been merged in the master branch:
commit 864adf6b9d709755f63a57f88f7e88595695b33b
Author: David Prévot <taffit at debian.org>
Date: Sat Mar 23 17:12:25 2013 -0400
Drop unneeded patches
diff --git a/debian/changelog b/debian/changelog
index 593647a..84ced17 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,7 @@ owncloud (5.0.0+debian-1) UNRELEASED; urgency=low
- Remove incompatible PDF from pdfjs
* debian/patches/:
- Refresh existing patches
+ - Drop unneeded patches
- 04_add_onfontresize.diff: Add missing jquery.onfontresize source
* debian/owncloud.links: Link to Zend Framework instead of embedding a
partial copy
diff --git a/debian/patches/02_fix_crypt.diff b/debian/patches/02_fix_crypt.diff
deleted file mode 100644
index d180d7c..0000000
--- a/debian/patches/02_fix_crypt.diff
+++ /dev/null
@@ -1,25 +0,0 @@
-Description: Path to Blowfish.php is different
- We use Blowfish from the Debian package. The path is different and
- must be changed.
- .
- owncloud (2.0.0-1) unstable; urgency=low
- .
- * Initial release (Closes: #648674)
-Author: Thomas Mueller <thomas.mueller at tmit.eu>
-Bug-Debian: http://bugs.debian.org/648674
-
----
-Forwarded: not-needed
-Last-Update: <2011-11-17>
-
---- a/apps/files_encryption/lib/crypt.php
-+++ b/apps/files_encryption/lib/crypt.php
-@@ -31,7 +31,7 @@
- // - IMPORTANT! Check if the block lenght of the encrypted data stays the same
-
-
--require_once('Crypt_Blowfish/Blowfish.php');
-+require_once('Crypt/Blowfish.php');
-
- /**
- * This class is for crypting and decrypting
diff --git a/debian/patches/06_oc-sa-2012-001.patch b/debian/patches/06_oc-sa-2012-001.patch
deleted file mode 100644
index 3e339c7..0000000
--- a/debian/patches/06_oc-sa-2012-001.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-Index: owncloud-4.0.8debian/core/js/js.js
-===================================================================
---- owncloud-4.0.8debian.orig/core/js/js.js 2012-10-09 17:10:37.000000000 +0200
-+++ owncloud-4.0.8debian/core/js/js.js 2012-12-05 21:31:14.538889999 +0100
-@@ -29,6 +29,15 @@
- }
- t.cache={};
-
-+/*
-+* Sanitizes a HTML string
-+* @param string
-+* @return Sanitized string
-+*/
-+function escapeHTML(s) {
-+ return s.toString().split('&').join('&').split('<').join('<').split('"').join('"');
-+}
-+
- OC={
- webroot:oc_webroot,
- appswebroot:oc_appswebroot,
-Index: owncloud-4.0.8debian/3rdparty/fullcalendar/js/fullcalendar.js
-===================================================================
---- owncloud-4.0.8debian.orig/3rdparty/fullcalendar/js/fullcalendar.js 2012-11-25 12:57:59.258247853 +0100
-+++ owncloud-4.0.8debian/3rdparty/fullcalendar/js/fullcalendar.js 2012-12-05 21:31:14.558890107 +0100
-@@ -4662,7 +4662,7 @@
- "</span>";
- }
- html +=
-- "<span class='fc-event-title'>" + event.title + "</span>" +
-+ "<span class='fc-event-title'>" + htmlEscape(event.title) + "</span>" +
- "</div>";
- if (seg.isEnd && isEventResizable(event)) {
- html +=
-@@ -5220,5 +5220,5 @@
- };
-
- }
--
-+
- })(jQuery);
-Index: owncloud-4.0.8debian/apps/files/js/filelist.js
-===================================================================
---- owncloud-4.0.8debian.orig/apps/files/js/filelist.js 2012-11-25 12:57:59.258247853 +0100
-+++ owncloud-4.0.8debian/apps/files/js/filelist.js 2012-12-05 21:31:14.574890191 +0100
-@@ -14,9 +14,9 @@
- var extension=false;
- }
- html+='<td class="filename" style="background-image:url('+img+')"><input type="checkbox" />';
-- html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+name+'"><span class="nametext">'+basename
-+ html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);
- if(extension){
-- html+='<span class="extension">'+extension+'</span>';
-+ html+='<span class="extension">'+escapeHTML(extension)+'</span>';
- }
- html+='</span></a></td>';
- if(size!='Pending'){
-Index: owncloud-4.0.8debian/apps/files_versions/js/versions.js
-===================================================================
---- owncloud-4.0.8debian.orig/apps/files_versions/js/versions.js 2012-11-25 12:57:59.258247853 +0100
-+++ owncloud-4.0.8debian/apps/files_versions/js/versions.js 2012-12-05 21:31:14.614890392 +0100
-@@ -36,7 +36,7 @@
-
- var historyUrl = OC.linkTo('files_versions', 'history.php') + '?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' )+'/'+encodeURIComponent( filename );
-
-- var html = '<div id="dropdown" class="drop" data-file="'+files+'">';
-+ var html = '<div id="dropdown" class="drop" data-file="'+escapeHTML(files)+'">';
- html += '<div id="private">';
- html += '<select data-placeholder="Saved versions" id="found_versions" class="chzen-select" style="width:16em;">';
- html += '<option value=""></option>';
diff --git a/debian/patches/07_oc-sa-2012-002.patch b/debian/patches/07_oc-sa-2012-002.patch
deleted file mode 100644
index ff006e0..0000000
--- a/debian/patches/07_oc-sa-2012-002.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Index: owncloud-4.0.8debian/core/lostpassword/index.php
-===================================================================
---- owncloud-4.0.8debian.orig/core/lostpassword/index.php 2012-11-25 12:57:44.838176326 +0100
-+++ owncloud-4.0.8debian/core/lostpassword/index.php 2012-11-25 12:57:49.474199345 +0100
-@@ -13,8 +13,8 @@
- // Someone lost their password:
- if (isset($_POST['user'])) {
- if (OC_User::userExists($_POST['user'])) {
-- $token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
-- OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
-+ $token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
-+ OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
- $email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
- if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
- $link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;
-Index: owncloud-4.0.8debian/core/lostpassword/resetpassword.php
-===================================================================
---- owncloud-4.0.8debian.orig/core/lostpassword/resetpassword.php 2012-11-25 12:57:44.838176326 +0100
-+++ owncloud-4.0.8debian/core/lostpassword/resetpassword.php 2012-11-25 12:57:49.474199345 +0100
-@@ -10,7 +10,7 @@
- require_once('../../lib/base.php');
-
- // Someone wants to reset their password:
--if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
-+if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
- if (isset($_POST['password'])) {
- if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
- OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');
diff --git a/debian/patches/08_oc-sa-2012-004.patch b/debian/patches/08_oc-sa-2012-004.patch
deleted file mode 100644
index 2ee8b15..0000000
--- a/debian/patches/08_oc-sa-2012-004.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-Index: owncloud-4.0.8debian/lib/migrate.php
-===================================================================
---- owncloud-4.0.8debian.orig/lib/migrate.php 2012-11-25 12:57:40.610155372 +0100
-+++ owncloud-4.0.8debian/lib/migrate.php 2012-11-25 12:57:52.078212228 +0100
-@@ -199,8 +199,8 @@
- // Get export_info.json
- $scan = scandir( $extractpath );
- // Check for export_info.json
-- if( !in_array( 'export_info.json', $scan ) ){
-- OC_Log::write( 'migration', 'Invalid import file, export_info.json note found', OC_Log::ERROR );
-+ if( !in_array( 'export_info.json', $scan ) ) {
-+ OC_Log::write( 'migration', 'Invalid import file, export_info.json not found', OC_Log::ERROR );
- return json_encode( array( 'success' => false ) );
- }
- $json = json_decode( file_get_contents( $extractpath . 'export_info.json' ) );
-@@ -235,12 +235,19 @@
- return json_encode( array( 'success' => false ) );
- }
- // Copy data
-- if( !self::copy_r( $extractpath . $json->exporteduser, $datadir . '/' . self::$uid ) ){
-- return json_encode( array( 'success' => false ) );
-+ $userfolder = $extractpath . $json->exporteduser;
-+ $newuserfolder = $datadir . '/' . self::$uid;
-+ foreach(scandir($userfolder) as $file){
-+ if($file !== '.' && $file !== '..' && is_dir($file)){
-+ // Then copy the folder over
-+ OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
-+ }
- }
- // Import user app data
-- if( !$appsimported = self::importAppData( $extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ){
-- return json_encode( array( 'success' => false ) );
-+ if(file_exists($extractpath . $json->exporteduser . '/migration.db')){
-+ if( !$appsimported = self::importAppData( $extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ) {
-+ return json_encode( array( 'success' => false ) );
-+ }
- }
- // All done!
- if( !self::unlink_r( $extractpath ) ){
-@@ -305,37 +312,6 @@
- }
-
- /**
-- * @brief copies recursively
-- * @param $path string path to source folder
-- * @param $dest string path to destination
-- * @return bool
-- */
-- private static function copy_r( $path, $dest ){
-- if( is_dir($path) ){
-- @mkdir( $dest );
-- $objects = scandir( $path );
-- if( sizeof( $objects ) > 0 ){
-- foreach( $objects as $file ){
-- if( $file == "." || $file == ".." || $file == ".htaccess")
-- continue;
-- // go on
-- if( is_dir( $path . '/' . $file ) ){
-- self::copy_r( $path .'/' . $file, $dest . '/' . $file );
-- } else {
-- copy( $path . '/' . $file, $dest . '/' . $file );
-- }
-- }
-- }
-- return true;
-- }
-- elseif( is_file( $path ) ){
-- return copy( $path, $dest );
-- } else {
-- return false;
-- }
-- }
--
-- /**
- * @brief tries to extract the import zip
- * @param $path string path to the zip
- * @return string path to extract location (with a trailing slash) or false on failure
-Index: owncloud-4.0.8debian/lib/helper.php
-===================================================================
---- owncloud-4.0.8debian.orig/lib/helper.php 2012-11-25 12:57:40.610155372 +0100
-+++ owncloud-4.0.8debian/lib/helper.php 2012-11-25 12:57:52.078212228 +0100
-@@ -309,7 +309,8 @@
- self::copyr("$src/$file", "$dest/$file");
- }
- }
-- }elseif(file_exists($src)){
-+
-+ }elseif(file_exists($src) && !OC_Filesystem::isFileBlacklisted($src)) {
- copy($src, $dest);
- }
- }
diff --git a/debian/patches/09_oc-sa-2012-005.patch b/debian/patches/09_oc-sa-2012-005.patch
deleted file mode 100644
index 0b587ce..0000000
--- a/debian/patches/09_oc-sa-2012-005.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Index: owncloud-4.0.8debian/lib/filesystem.php
-===================================================================
---- owncloud-4.0.8debian.orig/lib/filesystem.php 2012-11-25 12:57:34.022122706 +0100
-+++ owncloud-4.0.8debian/lib/filesystem.php 2012-11-25 12:57:53.858221067 +0100
-@@ -361,12 +361,16 @@
- * @return bool
- */
- static public function isValidPath($path){
-+ $path = str_replace('\\', '/', $path);
- if(!$path || $path[0]!=='/'){
- $path='/'.$path;
- }
- if(strstr($path,'/../') || strrchr($path, '/') === '/..' ){
- return false;
- }
-+ if(self::isFileBlacklisted($path)){
-+ return false;
-+ }
- return true;
- }
-
-@@ -375,21 +379,23 @@
- * Listens to write and rename hooks
- * @param array $data from hook
- */
-- static public function isBlacklisted($data){
-- $blacklist = array('.htaccess');
-+ static public function isBlacklisted($data) {
- if (isset($data['path'])) {
- $path = $data['path'];
- } else if (isset($data['newpath'])) {
- $path = $data['newpath'];
- }
- if (isset($path)) {
-- $filename = strtolower(basename($path));
-- if (in_array($filename, $blacklist)) {
-- $data['run'] = false;
-- }
-+ $data['run'] = !self::isFileBlacklisted($path);
- }
- }
--
-+
-+ static public function isFileBlacklisted($path){
-+ $blacklist = array('.htaccess');
-+ $filename = strtolower(basename($path));
-+ return in_array($filename, $blacklist);
-+ }
-+
- /**
- * following functions are equivalent to their php builtin equivalents for arguments/return values.
- */
diff --git a/debian/patches/10_oc-sa-2012-006.patch b/debian/patches/10_oc-sa-2012-006.patch
deleted file mode 100644
index 438e754..0000000
--- a/debian/patches/10_oc-sa-2012-006.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Index: owncloud-4.0.8debian/apps/files_encryption/settings.php
-===================================================================
---- owncloud-4.0.8debian.orig/apps/files_encryption/settings.php 2012-10-09 17:09:46.000000000 +0200
-+++ owncloud-4.0.8debian/apps/files_encryption/settings.php 2012-12-25 16:29:57.110214044 +0100
-@@ -6,6 +6,8 @@
- * See the COPYING-README file.
- */
-
-+OC_Util::checkAdminUser();
-+
- $tmpl = new OCP\Template( 'files_encryption', 'settings');
- $blackList=explode(',',OCP\Config::getAppValue('files_encryption','type_blacklist','jpg,png,jpeg,avi,mpg,mpeg,mkv,mp3,oga,ogv,ogg'));
- $enabled=(OCP\Config::getAppValue('files_encryption','enable_encryption','true')=='true');
-Index: owncloud-4.0.8debian/apps/user_ldap/settings.php
-===================================================================
---- owncloud-4.0.8debian.orig/apps/user_ldap/settings.php 2012-10-09 17:10:37.000000000 +0200
-+++ owncloud-4.0.8debian/apps/user_ldap/settings.php 2012-12-25 16:29:57.114214045 +0100
-@@ -20,6 +20,9 @@
- * License along with this library. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-+
-+OC_Util::checkAdminUser();
-+
- $params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_agent_password', 'ldap_base', 'ldap_base_users', 'ldap_base_groups', 'ldap_userlist_filter', 'ldap_login_filter', 'ldap_group_filter', 'ldap_display_name', 'ldap_group_display_name', 'ldap_tls', 'ldap_nocase', 'ldap_quota_def', 'ldap_quota_attr', 'ldap_email_attr', 'ldap_group_member_assoc_attribute');
-
- OCP\Util::addscript('user_ldap', 'settings');
-Index: owncloud-4.0.8debian/apps/user_migrate/settings.php
-===================================================================
---- owncloud-4.0.8debian.orig/apps/user_migrate/settings.php 2012-10-09 17:10:37.000000000 +0200
-+++ owncloud-4.0.8debian/apps/user_migrate/settings.php 2012-12-25 16:29:57.114214045 +0100
-@@ -22,6 +22,9 @@
- * License along with this library. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-+
-+OC_Util::checkLoggedIn();
-+
- OCP\App::checkAppEnabled('user_migrate');
- if (isset($_POST['user_import'])) {
- $root = OC::$SERVERROOT . "/";
-@@ -86,4 +89,4 @@
- // fill template
- $tmpl = new OCP\Template('user_migrate', 'settings');
- return $tmpl->fetchPage();
--}
-\ No newline at end of file
-+}
diff --git a/debian/patches/11_oc-sa-2012-007.patch b/debian/patches/11_oc-sa-2012-007.patch
deleted file mode 100644
index db8e0f7..0000000
--- a/debian/patches/11_oc-sa-2012-007.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: owncloud-4.0.8debian/apps/bookmarks/js/bookmarks.js
-===================================================================
---- owncloud-4.0.8debian.orig/apps/bookmarks/js/bookmarks.js 2012-10-09 17:10:37.000000000 +0200
-+++ owncloud-4.0.8debian/apps/bookmarks/js/bookmarks.js 2012-12-25 16:25:21.050223382 +0100
-@@ -141,7 +141,7 @@
- var taglist = '';
- for ( var i=0, len=tags.length; i<len; ++i ){
- if(tags[i] != '')
-- taglist = taglist + '<a class="bookmark_tag" href="'+replaceQueryString( String(window.location), 'tag', encodeURIComponent(tags[i])) + '">' + tags[i] + '</a> ';
-+ taglist = taglist + '<a class="bookmark_tag" href="'+replaceQueryString(escapeHTML(String(window.location)), 'tag', encodeURIComponent(tags[i])) + '">' + tags[i] + '</a> ';
- }
- if(!hasProtocol(bookmark.url)) {
- bookmark.url = 'http://' + bookmark.url;
diff --git a/debian/patches/12_oc-sa-2013-001.patch b/debian/patches/12_oc-sa-2013-001.patch
deleted file mode 100644
index 902c08a..0000000
--- a/debian/patches/12_oc-sa-2013-001.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-Description: Fix multiple XSS vulnerabilities
- - CVE-2013-0201
- - CVE-2013-0202
- - CVE-2013-0203
- .
- See: http://owncloud.org/about/security/advisories/oC-SA-2013-001/
-Origin: upstream
-Bug-Debian: http://bugs.debian.org/698737
-Author: Salvatore Bonaccorso <carnil at debian.org>
-Last-Update: 2013-01-24
-
---- a/apps/gallery/sharing.php
-+++ b/apps/gallery/sharing.php
-@@ -37,7 +37,7 @@
- <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js" type="text/javascript"></script>
- <script src="js/sharing.js" type="text/javascript"></script>
- <script>
-- var TOKEN = '<?php echo htmlentities($_GET['token']); ?>';
-+ var TOKEN = '<?php echo OC_Util::sanitizeHTML($_GET['token']); ?>';
- </script>
- </head>
- <body>
---- a/core/lostpassword/templates/resetpassword.php
-+++ b/core/lostpassword/templates/resetpassword.php
-@@ -1,4 +1,4 @@
--<form action="<?php echo 'resetpassword.php?'.$_SERVER['QUERY_STRING']; ?>" method="post">
-+<form action="<?php echo 'resetpassword.php?user='.htmlentities($_GET['user']).'&token='.htmlentities($_GET['token']); ?>" method="post">
- <fieldset>
- <?php if($_['success']): ?>
- <h1><?php echo $l->t('Your password was reset'); ?></h1>
---- a/lib/helper.php
-+++ b/lib/helper.php
-@@ -179,8 +179,9 @@
- $mimetype=$alias[$mimetype];
- // echo $mimetype;
- }
-- // Replace slash with a minus
-+ // Replace slash and backslash with a minus
- $mimetype = str_replace( "/", "-", $mimetype );
-+ $mimetype = str_replace( "\\", "-", $mimetype );
-
- // Is it a dir?
- if( $mimetype == "dir" ){
---- a/apps/files_sharing/ajax/share.php
-+++ b/apps/files_sharing/ajax/share.php
-@@ -25,7 +25,7 @@
- }
- } catch (Exception $exception) {
- OCP\Util::writeLog('files_sharing', 'Unexpected Error : '.$exception->getMessage(), OCP\Util::ERROR);
-- OCP\JSON::error(array('data' => array('message' => $exception->getMessage())));
-+ OCP\JSON::error(array('data' => array('message' => OC_Util::sanitizeHTML($exception->getMessage()))));
- }
- } else {
- if ($file['encrypted'] == true) {
---- a/apps/bookmarks/js/bookmarks.js
-+++ b/apps/bookmarks/js/bookmarks.js
-@@ -158,9 +158,9 @@
- '</span> ' +
- '</p>' +
- '<p class="bookmark_title">'+
-- '<a href="' + encodeEntities(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.title) + '</a>' +
-+ '<a href="' + encodeURI(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.title) + '</a>' +
- '</p>' +
-- '<p class="bookmark_url"><a href="' + encodeEntities(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeEntities(bookmark.url) + '</a></p>' +
-+ '<p class="bookmark_url"><a href="' + encodeURI(bookmark.url) + '" target="_blank" class="bookmark_link">' + encodeURI(bookmark.url) + '</a></p>' +
- '</div>'
- );
- if(taglist != '') {
-@@ -198,4 +198,4 @@
- function hasProtocol(url) {
- var regexp = /(ftp|http|https|sftp)/;
- return regexp.test(url);
--}
-+}
-\ No newline at end of file
---- a/apps/calendar/js/calendar.js
-+++ b/apps/calendar/js/calendar.js
-@@ -718,7 +718,7 @@
- ' class="' + classes.join(' ') + '"' +
- '>' +
- '<span class="fc-event-title">' +
-- event.title +
-+ escapeHTML(event.title) +
- '</span>' +
- '</span>' +
- '</td>' +
diff --git a/debian/patches/13_oc-sa-2013-003.patch b/debian/patches/13_oc-sa-2013-003.patch
deleted file mode 100644
index c8c8573..0000000
--- a/debian/patches/13_oc-sa-2013-003.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Description: Fix multiple cross-site scripting (XSS) vulnerabilities (CVE-2013-0297, CVE-2013-0307)
-Origin: upstream
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701115
-
-Index: owncloud-4.0.8debian/settings/js/users.js
-===================================================================
---- owncloud-4.0.8debian.orig/settings/js/users.js 2012-10-09 22:10:37.000000000 +0700
-+++ owncloud-4.0.8debian/settings/js/users.js 2013-02-27 11:48:53.000000000 +0700
-@@ -43,7 +43,7 @@
- var addGroup = function(group) {
- $('select[multiple]').each(function(index, element) {
- if ($(element).find('option[value="'+group +'"]').length == 0) {
-- $(element).append('<option value="'+group+'">'+group+'</option>');
-+ $(element).append('<option value="' + escapeHTML(group) + '">' + escapeHTML(group) + '</option>');
- }
- })
- };
-Index: owncloud-4.0.8debian/apps/external/templates/settings.php
-===================================================================
---- owncloud-4.0.8debian.orig/apps/external/templates/settings.php 2012-10-09 22:10:37.000000000 +0700
-+++ owncloud-4.0.8debian/apps/external/templates/settings.php 2013-02-27 11:48:53.000000000 +0700
-@@ -6,8 +6,8 @@
- <?php
- $sites = OC_External::getSites();
- for($i = 0; $i < sizeof($sites); $i++) {
-- echo '<li><input type="text" name="site_name[]" class="site_name" value="'.$sites[$i][0].'" placeholder="'.$l->t('Name').'" />
-- <input type="text" class="site_url" name="site_url[]" value="'.$sites[$i][1].'" placeholder="'.$l->t('URL').'" />
-+ echo '<li><input type="text" name="site_name[]" class="site_name" value="'.OC_Util::sanitizeHTML($sites[$i][0]).'" placeholder="'.$l->t('Name').'" />
-+ <input type="text" class="site_url" name="site_url[]" value="'.OC_Util::sanitizeHTML($sites[$i][1]).'" placeholder="'.$l->t('URL').'" />
- <img class="svg action delete_button" src="'.OCP\image_path("", "actions/delete.svg") .'" title="'.$l->t("Remove site").'" />
- </li>';
- }
diff --git a/debian/patches/14_oc-sa-2013-004.patch b/debian/patches/14_oc-sa-2013-004.patch
deleted file mode 100644
index 319491d..0000000
--- a/debian/patches/14_oc-sa-2013-004.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-Description: Fix multiple cross-site request forgery (CSRF) vulnerabilities (CVE-2013-0299,CVE-2013-0301)
-Origin: upstream
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701115
-
---- a/apps/calendar/ajax/settings/guesstimezone.php
-+++ b/apps/calendar/ajax/settings/guesstimezone.php
-@@ -9,6 +9,7 @@
-
- OCP\JSON::checkLoggedIn();
- OCP\JSON::checkAppEnabled('calendar');
-+OCP\JSON::callCheck();
-
- $l = OC_L10N::get('calendar');
-
---- a/apps/admin_migrate/settings.php
-+++ b/apps/admin_migrate/settings.php
-@@ -27,6 +27,8 @@ OCP\App::checkAppEnabled('admin_migrate');
-
- // Export?
- if (isset($_POST['admin_export'])) {
-+ OCP\JSON::callCheck();
-+
- // Create the export zip
- $response = json_decode( OC_Migrate::export( null, $_POST['export_type'] ) );
- if( !$response->success ){
-@@ -44,6 +46,7 @@ if (isset($_POST['admin_export'])) {
- }
- // Import?
- } else if( isset($_POST['admin_import']) ){
-+ OCP\JSON::callCheck();
- $from = $_FILES['owncloud_import']['tmp_name'];
-
- if( !OC_Migrate::import( $from, 'instance' ) ){
---- a/apps/admin_migrate/templates/settings.php
-+++ b/apps/admin_migrate/templates/settings.php
-@@ -6,6 +6,7 @@
- </p>
- <h3>What would you like to export?</h3>
- <p>
-+ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
- <input type="radio" name="export_type" value="instance" style="width:20px;" /> ownCloud instance (suitable for import )<br />
- <input type="radio" name="export_type" value="system" style="width:20px;" /> ownCloud system files<br />
- <input type="radio" name="export_type" value="userfiles" style="width:20px;" /> Just user files<br />
---- a/apps/calendar/ajax/settings/settimezone.php
-+++ b/apps/calendar/ajax/settings/settimezone.php
-@@ -14,6 +14,7 @@ $l=OC_L10N::get('calendar');
- // Check if we are a user
- OCP\JSON::checkLoggedIn();
- OCP\JSON::checkAppEnabled('calendar');
-+OCP\JSON::callCheck();
-
- // Get data
- if( isset( $_POST['timezone'] ) ){
---- a/apps/calendar/ajax/settings/timezonedetection.php
-+++ b/apps/calendar/ajax/settings/timezonedetection.php
-@@ -8,6 +8,8 @@
-
- OCP\JSON::checkLoggedIn();
- OCP\JSON::checkAppEnabled('calendar');
-+OCP\JSON::callCheck();
-+
- if(array_key_exists('timezonedetection', $_POST) && $_POST['timezonedetection'] == 'on'){
- OCP\Config::setUserValue(OCP\USER::getUser(), 'calendar', 'timezonedetection', 'true');
- }else{
---- a/apps/user_ldap/settings.php
-+++ b/apps/user_ldap/settings.php
-@@ -28,6 +28,8 @@ $params = array('ldap_host', 'ldap_port', 'ldap_dn', 'ldap_agent_password', 'lda
- OCP\Util::addscript('user_ldap', 'settings');
-
- if ($_POST) {
-+ OCP\JSON::callCheck();
-+
- foreach($params as $param){
- if(isset($_POST[$param])){
- if('ldap_agent_password' == $param) {
---- a/apps/user_ldap/templates/settings.php
-+++ b/apps/user_ldap/templates/settings.php
-@@ -28,6 +28,7 @@
- <p><label for="ldap_email_attr">Email Attribute</label><input type="text" id="ldap_email_attr" name="ldap_email_attr" value="<?php echo $_['ldap_email_attr']; ?>" /></p>
- </fieldset>
- <input type="submit" value="Save" /> <a href="http://owncloud.org/support/ldap-backend/" target="_blank"><img src="<?php echo OCP\Util::imagePath('','actions/info.png'); ?>" style="height:1.75ex" /> <?php echo $l->t('Help');?></a>
-+ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
- </div>
-
- </form>
---- a/apps/user_migrate/ajax/export.php
-+++ b/apps/user_migrate/ajax/export.php
-@@ -25,6 +25,7 @@
-
- // Check if we are a user
- OCP\JSON::checkLoggedIn();
-+OCP\JSON::callCheck();
- OCP\App::checkAppEnabled('user_migrate');
- // Which operation
- if( $_GET['operation']=='create' ){
---- a/apps/user_migrate/js/export.js
-+++ b/apps/user_migrate/js/export.js
-@@ -9,7 +9,7 @@ $(document).ready(function(){
- function(result){
- if(result.status == 'success'){
- // Download the file
-- window.location = OC.linkTo('user_migrate','ajax/export.php') + '?operation=download';
-+ window.location = OC.linkTo('user_migrate','ajax/export.php') + '?operation=download&requesttoken=' + requesttoken;
- $('.loading').hide();
- $('#exportbtn').val(t('user_migrate', 'Export'));
- } else {
---- a/apps/user_migrate/settings.php
-+++ b/apps/user_migrate/settings.php
-@@ -27,6 +27,7 @@ OC_Util::checkLoggedIn();
-
- OCP\App::checkAppEnabled('user_migrate');
- if (isset($_POST['user_import'])) {
-+ OCP\JSON::callCheck();
- $root = OC::$SERVERROOT . "/";
- $importname = "owncloud_import_" . date("y-m-d_H-i-s");
-
---- a/apps/user_migrate/templates/settings.php
-+++ b/apps/user_migrate/templates/settings.php
-@@ -14,6 +14,7 @@
- </p>
- <p><input type="file" id="owncloud_import" name="owncloud_import" style="width:180px;"><label for="owncloud_import"> <?php echo $l->t('ownCloud User Zip');?></label>
- </p>
-+ <input type="hidden" name="requesttoken" value="<?php echo $_['requesttoken'] ?>" id="requesttoken">
- <input type="submit" name="user_import" value="<?php echo $l->t('Import'); ?>" />
- </fieldset>
- </form>
diff --git a/debian/patches/15_oc-sa-2013-006.patch b/debian/patches/15_oc-sa-2013-006.patch
deleted file mode 100644
index ed68bae..0000000
--- a/debian/patches/15_oc-sa-2013-006.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-Description: Fix a code executions vulnerability (CVE-2013-0303)
-Origin: upstream
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701115
-
---- a/core/ajax/translations.php
-+++ b/core/ajax/translations.php
-@@ -25,6 +25,7 @@
- require_once('../../lib/base.php');
-
- $app = $_POST["app"];
-+$app = OC_App::cleanAppId($app);
-
- $l = OC_L10N::get( $app );
-
---- a/lib/app.php
-+++ b/lib/app.php
-@@ -38,6 +38,15 @@ class OC_App{
- static private $loadedApps = array();
-
- /**
-+ * @brief clean the appid
-+ * @param $app Appid that needs to be cleaned
-+ * @return string
-+ */
-+ public static function cleanAppId($app) {
-+ return str_replace(array('\0', '/', '\\', '..'), '', $app);
-+ }
-+
-+ /**
- * @brief loads all apps
- * @param array $types
- * @returns true/false
---- a/lib/base.php
-+++ b/lib/base.php
-@@ -444,7 +444,7 @@ class OC{
- register_shutdown_function(array('OC_Helper','cleanTmp'));
-
- //parse the given parameters
-- self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app'])?str_replace(array('\0', '/', '\\', '..'), '', strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files'));
-+ self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app'])?OC_App::cleanAppId(strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files'));
- if(substr_count(self::$REQUESTEDAPP, '?') != 0){
- $app = substr(self::$REQUESTEDAPP, 0, strpos(self::$REQUESTEDAPP, '?'));
- $param = substr(self::$REQUESTEDAPP, strpos(self::$REQUESTEDAPP, '?') + 1);
---- a/lib/l10n.php
-+++ b/lib/l10n.php
-@@ -77,6 +77,7 @@ class OC_L10N{
- * language.
- */
- public function __construct($app, $lang = null){
-+ $app = OC_App::cleanAppId($app);
- // Find the right language
- if(is_null($lang)){
- $lang = self::findLanguage($app);
---- a/settings/ajax/disableapp.php
-+++ b/settings/ajax/disableapp.php
-@@ -5,6 +5,6 @@ OC_JSON::checkAdminUser();
- OCP\JSON::callCheck();
- OC_JSON::setContentTypeHeader();
-
--OC_App::disable($_POST['appid']);
-+OC_App::disable(OC_App::cleanAppId($_POST['appid']));
-
- OC_JSON::success();
---- a/settings/ajax/enableapp.php
-+++ b/settings/ajax/enableapp.php
-@@ -6,7 +6,7 @@ OC_JSON::checkAdminUser();
- OCP\JSON::callCheck();
- OC_JSON::setContentTypeHeader();
-
--if(OC_App::enable($_POST['appid'])){
-+if(OC_App::enable(OC_App::cleanAppId($_POST['appid']))){
- OC_JSON::success();
- }else{
- OC_JSON::error();
diff --git a/debian/patches/16_oc-sa-2013-010.patch b/debian/patches/16_oc-sa-2013-010.patch
deleted file mode 100644
index c7af69a..0000000
--- a/debian/patches/16_oc-sa-2013-010.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From edf7162762fc425df1ec2ce7149c18a0af82a3b8 Mon Sep 17 00:00:00 2001
-From: Lukas Reschke <lukas at statuscode.ch>
-Date: Mon, 11 Mar 2013 16:21:26 +0100
-Subject: [PATCH] Check if username is valid and remove slashes from filename
-
-Backport of #2236 to stable45
----
- lib/migrate.php | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/lib/migrate.php b/lib/migrate.php
-index 8d3610c..8465eed 100644
---- a/lib/migrate.php
-+++ b/lib/migrate.php
-@@ -234,11 +234,20 @@ class OC_Migrate{
- OC_Log::write( 'migration', 'User doesn\'t exist', OC_Log::ERROR );
- return json_encode( array( 'success' => false ) );
- }
-+
-+ // Check if the username is valid
-+ if( preg_match( '/[^a-zA-Z0-9 _\.@\-]/', $json->exporteduser )) {
-+ OC_Log::write( 'migration', 'Username is not valid', OC_Log::ERROR );
-+ return json_encode( array( 'success' => false ) );
-+ }
-+
- // Copy data
- $userfolder = $extractpath . $json->exporteduser;
- $newuserfolder = $datadir . '/' . self::$uid;
- foreach(scandir($userfolder) as $file){
-- if($file !== '.' && $file !== '..' && is_dir($file)){
-+ if($file !== '.' && $file !== '..' && is_dir($file)) {
-+ $file = str_replace(array('/', '\\'), '', $file);
-+
- // Then copy the folder over
- OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
- }
---
-1.7.10.4
-
diff --git a/debian/patches/17_oc-sa-2013-009.patch b/debian/patches/17_oc-sa-2013-009.patch
deleted file mode 100644
index 95c3053..0000000
--- a/debian/patches/17_oc-sa-2013-009.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From fae5bd363b4cc3bd00d1a983ca5aff4a0eb86408 Mon Sep 17 00:00:00 2001
-From: Thomas Tanghus <thomas at tanghus.net>
-Date: Sat, 9 Mar 2013 19:26:31 +0100
-Subject: [PATCH] Contacts: Backport filename sanitation and blacklist
- checking to stable4.
-
----
- apps/contacts/ajax/uploadimport.php | 8 ++++++++
- apps/contacts/import.php | 15 ++++++++++-----
- 2 files changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/apps/contacts/ajax/uploadimport.php b/apps/contacts/ajax/uploadimport.php
-index 4c3f5ea..56a966b 100644
---- a/apps/contacts/ajax/uploadimport.php
-+++ b/apps/contacts/ajax/uploadimport.php
-@@ -35,7 +35,11 @@ $tmpfile = md5(rand());
-
- // If it is a Drag'n'Drop transfer it's handled here.
- $fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false);
-+$fn = strtr($fn, array('/' => '', "\\" => ''));
- if($fn) {
-+ if(OC_Filesystem::isFileBlacklisted($fn)) {
-+ bailOut($l10n->t('Upload of blacklisted file:') . $fn);
-+ }
- if($view->file_put_contents('/'.$tmpfile, file_get_contents('php://input'))) {
- OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
- exit();
-@@ -66,6 +70,10 @@ $file=$_FILES['importfile'];
-
- $tmpfname = tempnam(get_temp_dir(), "occOrig");
- if(file_exists($file['tmp_name'])) {
-+ $filename = strtr($file['name'], array('/' => '', "\\" => ''));
-+ if(OC_Filesystem::isFileBlacklisted($filename)) {
-+ bailOut($l10n->t('Upload of blacklisted file:') . $filename);
-+ }
- if($view->file_put_contents('/'.$tmpfile, file_get_contents($file['tmp_name']))) {
- OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
- } else {
-diff --git a/apps/contacts/import.php b/apps/contacts/import.php
-index 85d4ceb..ffdc438 100644
---- a/apps/contacts/import.php
-+++ b/apps/contacts/import.php
-@@ -25,11 +25,16 @@ function writeProgress($pct) {
- }
- writeProgress('10');
- $view = $file = null;
-+$inputfile = strtr($_POST['file'], array('/' => '', "\\" => ''));
-+if(OC_Filesystem::isFileBlacklisted($inputfile)) {
-+ OCP\JSON::error(array('data' => array('message' => 'Upload of blacklisted file: ' . $inputfile)));
-+ exit();
-+}
- if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
- $view = OCP\Files::getStorage('contacts');
-- $file = $view->file_get_contents('/' . $_POST['file']);
-+ $file = $view->file_get_contents('/' . $inputfile);
- } else {
-- $file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $_POST['file']);
-+ $file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $inputfile);
- }
- if(!$file) {
- OCP\JSON::error(array('message' => 'Import file was empty.'));
-@@ -115,7 +120,7 @@ if(count($parts) == 1){
- $imported = 0;
- $failed = 0;
- if(!count($importready) > 0) {
-- OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$_POST['file'].' Please check if the file is corrupted.'))));
-+ OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$inputfile.' Please check if the file is corrupted.'))));
- exit();
- }
- foreach($importready as $import){
-@@ -135,8 +140,8 @@ if(is_writable('import_tmp/')){
- unlink($progressfile);
- }
- if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
-- if(!$view->unlink('/' . $_POST['file'])) {
-- OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $_POST['file'], OCP\Util::ERROR);
-+ if(!$view->unlink('/' . $inputfile)) {
-+ OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $inputfile, OCP\Util::ERROR);
- }
- }
- OCP\JSON::success(array('data' => array('imported'=>$imported, 'failed'=>$failed)));
---
-1.7.10.4
-
diff --git a/debian/patches/fix_config.php_mode.diff b/debian/patches/fix_config.php_mode.diff
deleted file mode 100644
index 1cf091d..0000000
--- a/debian/patches/fix_config.php_mode.diff
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Thomas Mueller <thomas.mueller at tmit.eu>
-Date: Tue, 12 Jun 2012 23:15:44 +0200
-Subject: Ensures that the generated configuration has the right mode
- The patch is updated for the path fixes.
-Origin: upstream, https://gitorious.org/owncloud/owncloud/commit/521294d0bf9803cb4ffdc6fb43bd9b9253fece40
-Bug: http://bugs.owncloud.org/thebuggenie/owncloud/issues/oc-987
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676131
-
---
- lib/config.php | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/lib/config.php b/lib/config.php
-index e3a9c11..9279549 100644
---- a/lib/config.php
-+++ b/lib/config.php
-@@ -170,14 +170,18 @@ class OC_Config{
- }
- $content .= ");\n?>\n";
-
-+ $filename = "/etc/owncloud/config.php";
- // Write the file
-- $result=@file_put_contents( "/etc/owncloud/config.php", $content );
-+ $result=@file_put_contents( $filename, $content );
- if(!$result) {
- $tmpl = new OC_Template( '', 'error', 'guest' );
- $tmpl->assign('errors',array(1=>array('error'=>"Can't write into config directory 'config'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud")));
- $tmpl->printPage();
- exit;
- }
-+ // Prevent others not to read the config
-+ @chmod($filename, 0640);
-+
- return true;
- }
- }
---
-1.7.10
-
diff --git a/debian/patches/fix_sabre_requires.diff b/debian/patches/fix_sabre_requires.diff
deleted file mode 100644
index f8a01a8..0000000
--- a/debian/patches/fix_sabre_requires.diff
+++ /dev/null
@@ -1,19 +0,0 @@
-Description: Path to Sabre is different
- We use Sabre from the php-sabredav Debian package.
- The path in upstream explicitly uses Sabre from the upstream 3rdparty/
- directory which is not available.
-Author: Paul van Tilburg <paulvt at debian.org>
-
---- a/apps/remoteStorage/WebDAV.php
-+++ b/apps/remoteStorage/WebDAV.php
-@@ -38,8 +38,8 @@
- require_once('../../lib/app.php');
- require_once('../../lib/public/app.php');
-
--require_once('../../3rdparty/Sabre/DAV/Auth/IBackend.php');
--require_once('../../3rdparty/Sabre/DAV/Auth/Backend/AbstractBasic.php');
-+require_once('Sabre/DAV/Auth/IBackend.php');
-+require_once('Sabre/DAV/Auth/Backend/AbstractBasic.php');
- require_once('../../lib/connector/sabre/auth.php');
-
- OCP\App::checkAppEnabled('remoteStorage');
diff --git a/debian/patches/series b/debian/patches/series
index 0ad6366..f6d8fb9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,20 +1,5 @@
01_fix_data_path.diff
-02_fix_crypt.diff
03_fix_phpmailer.diff
04_add_onfontresize.diff
05_no_app_store.diff
fix_tar_require.diff
-fix_sabre_requires.diff
-fix_config.php_mode.diff
-06_oc-sa-2012-001.patch
-07_oc-sa-2012-002.patch
-08_oc-sa-2012-004.patch
-09_oc-sa-2012-005.patch
-10_oc-sa-2012-006.patch
-11_oc-sa-2012-007.patch
-12_oc-sa-2013-001.patch
-13_oc-sa-2013-003.patch
-14_oc-sa-2013-004.patch
-15_oc-sa-2013-006.patch
-16_oc-sa-2013-010.patch
-17_oc-sa-2013-009.patch
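Review bot: After this hunk the series no longer applies any of the twelve `oc-sa-2012-*`/`oc-sa-2013-*` security patches or `fix_config.php_mode.diff`, and the only recorded rationale is the changelog line `Drop unneeded patches`. Presumably each fix is already contained in the 5.0.0 upstream source, but nothing in this diff shows that. The changelog entry should name the dropped patches and give the reason per group, for example `- Drop 06..17 oc-sa-* patches: fixed upstream in 5.0.0`. `fix_config.php_mode.diff` deserves its own check before release, since it was what ran `chmod($filename, 0640)` on the generated config file; confirm the packaged 5.0.0 still leaves that file unreadable to other local users.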
--
owncloud.git