[Pkg-owncloud-commits] [php-sabredav] 01/23: Fixed a potential security issue.

David Prévot taffit at moszumanska.debian.org
Wed Mar 19 17:41:38 UTC 2014


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch 1.7
in repository php-sabredav.

commit 579dc8db3534f82bec03bdb463fd11d66a15ddf4
Author: Evert Pot <evert at rooftopsolutions.nl>
Date:   Sun Feb 9 16:09:04 2014 -0500

    Fixed a potential security issue.
---
 ChangeLog                  | 4 +++-
 lib/Sabre/DAV/Client.php   | 6 +++++-
 lib/Sabre/HTTP/Version.php | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 505b87e..3b63166 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
-1.7.10-stable (2014-??-??)
+1.7.10-stable (2014-02-09)
+	* The zip release ships with sabre/vobject 2.1.3.
+	* Fixed: Potential security vulnerability in the http client.
 	* Fixed: Issue #374: Don't urlescape colon (:) when it's not required.
 
 1.7.9-stable (2013-10-02)
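Review bot: the entry "Fixed: Potential security vulnerability in the http client" in the `1.7.10-stable` block gives no hint of the issue class or the affected input, so a downstream packager reading the ChangeLog alone cannot judge exposure. Suggest naming the class and mechanism this same commit fixes, e.g. "Fixed: Sabre_DAV_Client passed the request body to CURLOPT_POSTFIELDS untyped; an array body could have triggered cURL's @-prefixed local file upload", and citing an advisory identifier if one exists for it.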
diff --git a/lib/Sabre/DAV/Client.php b/lib/Sabre/DAV/Client.php
index 6f1b8c9..959025e 100644
--- a/lib/Sabre/DAV/Client.php
+++ b/lib/Sabre/DAV/Client.php
@@ -314,7 +314,11 @@ class Sabre_DAV_Client {
             CURLOPT_RETURNTRANSFER => true,
             // Return headers as part of the response
             CURLOPT_HEADER => true,
-            CURLOPT_POSTFIELDS => $body,
+
+            // For security we cast this to a string. If somehow an array could
+            // be passed here, it would be possible for an attacker to use @ to
+            // post local files.
+            CURLOPT_POSTFIELDS => (string)$body,
             // Automatically follow redirects
             CURLOPT_FOLLOWLOCATION => true,
             CURLOPT_MAXREDIRS => 5,
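Review bot: the `(string)$body` cast on `CURLOPT_POSTFIELDS` does keep cURL from ever seeing an array (which is what enables the `@/path` local-file upload the comment describes, since cURL only interprets a leading @ in array values, not in a string body), but it fails silently: in PHP an array cast to string becomes the literal `Array` plus an "Array to string conversion" notice, so a caller that did pass an array would send a bogus body rather than get an error. Suggest rejecting non-string bodies explicitly before the options array is built, e.g. `if (!is_string($body)) { throw new InvalidArgumentException('Request body must be a string'); }`, and keeping the cast as defence in depth. The comment would also be clearer if it stated the concrete mechanism ("cURL treats an array here as a multipart form and a value starting with @ as a local file path") so later readers understand why a type cast is a security fix.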
diff --git a/lib/Sabre/HTTP/Version.php b/lib/Sabre/HTTP/Version.php
index 5be8c53..4fc8c64 100644
--- a/lib/Sabre/HTTP/Version.php
+++ b/lib/Sabre/HTTP/Version.php
@@ -14,7 +14,7 @@ class Sabre_HTTP_Version {
     /**
      * Full version number
      */
-    const VERSION = '1.7.3';
+    const VERSION = '1.7.10';
 
     /**
      * Stability : alpha, beta, stable
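Review bot: `VERSION` jumps from `'1.7.3'` straight to `'1.7.10'`, while the ChangeLog hunk in this same commit already lists a `1.7.9-stable` release, so `Sabre_HTTP_Version::VERSION` has evidently not tracked releases since 1.7.3. Suggest a release-checklist step or a small test that compares this constant with the top ChangeLog entry, so the constant cannot drift again and consumers checking the library version actually get the patched-version information this security fix relies on.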

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/php-sabredav.git


