[Pkg-owncloud-commits] [php-sabredav] 03/07: Merge branch '1.7' into 1.8

David Prévot taffit at moszumanska.debian.org
Wed Mar 19 18:01:23 UTC 2014


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to tag 1.8.9
in repository php-sabredav.

commit 4e0f21d8de143a5acda19c5ac000d6621362e887
Merge: 3037a75 e3f46e0
Author: Evert Pot <evert at rooftopsolutions.nl>
Date:   Wed Feb 26 17:15:26 2014 -0500

    Merge branch '1.7' into 1.8
    
    Conflicts:
    	ChangeLog

 ChangeLog                      | 3 ++-
 lib/Sabre/DAV/Client.php       | 5 +++++
 lib/Sabre/DAV/Locks/Plugin.php | 7 +++++++
 lib/Sabre/DAV/XMLUtil.php      | 6 +++++-
 4 files changed, 19 insertions(+), 2 deletions(-)

diff --cc ChangeLog
index 8946482,5e303d2..341bfdc
--- a/ChangeLog
+++ b/ChangeLog
@@@ -1,63 -1,6 +1,64 @@@
 +1.8.9-stable (2014-??-??)
 +	* includes changes from version 1.7.11.
 +
 +1.8.8-stable (2013-02-09)
 +	* The zip release ships with sabre/vobject 2.1.3.
 +	* includes changes from version 1.7.10.
 +
 +1.8.7-stable (2013-10-02)
 +	* the zip release ships with sabre/vobject 2.1.3.
 +	* includes changes from version 1.7.9.
 +
 +1.8.6-stable (2013-06-18)
 +	* The zip release ships with sabre/vobject 2.1.0.
 +	* Includes changes from version 1.7.8.
 +
 +1.8.5-stable (2013-04-11)
 +	* The zip release ships with sabre/vobject 2.0.7.
 +	* Includes changes from version 1.7.7.
 +
 +1.8.4-stable (2013-04-08)
 +	* The zip release ships with sabre/vobject 2.0.7.
 +	* Includes changes from version 1.7.6.
 +
 +1.8.3-stable (2013-03-01)
 +	* The zip release ships with sabre/vobject 2.0.6.
 +	* Includes changes from version 1.7.5.
 +	* Fixed: organizer email-address for shared calendars is now prefixed with
 +	  mailto:, as it should.
 +
 +1.8.2-stable (2013-01-19)
 +	* The zip release ships with sabre/vobject 2.0.5.
 +	* Includes changes from version 1.7.4.
 +
 +1.8.1-stable (2012-12-01)
 +	* The zip release ships with sabre/vobject 2.0.5.
 +	* Includes changes from version 1.7.3.
 +	* Fixed: Typo in 1.7 migration script caused it to fail.
 +
 +1.8.0-stable (2012-11-08)
 +	* The zip release ships with sabre/vobject 2.0.5.
 +	* BC Break: Moved the entire codebase to PHP namespaces.
 +	* BC Break: Every backend package (CalDAV, CardDAV, Auth, Locks,
 +	  Principals) now has consistent naming conventions. There's a
 +	  BackendInterface, and an AbstractBackend class.
 +	* BC Break: Changed a bunch of constructor signatures in the CalDAV
 +	  package, to reduce dependencies on the ACL package.
 +	* BC Break: Sabre_CalDAV_ISharedCalendar now also has a getShares method,
 +	  so sharees can figure out who is also on a shared calendar.
 +
 +	* Added: Sabre_DAVACL_IPrincipalCollection interface, to advertise support
 +	  for principal-property-search on any node.
 +	* Added: Simple console script to fire up a fileserver in the current
 +	  directory using PHP 5.4's built-in webserver.
 +	* Added: Sharee's can now also read out the list of invites for a shared
 +	  calendar.
 +	* Added: The Proxy principal classes now both implement an interface, for
 +	  greater flexiblity.
 +
- 1.7.11-stable (2014-??-??)
+ 1.7.11-stable (2014-02-26)
  	* Fixed: Issue #407: large downloads failed.
+ 	* Fixed: Issue #414: XXE security problem on older PHP versions.
  
  1.7.10-stable (2014-02-09)
  	* The zip release ships with sabre/vobject 2.1.3.
diff --cc lib/Sabre/DAV/Client.php
index 60cd0e7,8bd7c7a..1cec8ff
--- a/lib/Sabre/DAV/Client.php
+++ b/lib/Sabre/DAV/Client.php
@@@ -528,11 -528,16 +528,16 @@@ class Client 
       */
      public function parseMultiStatus($body) {
  
 -        $body = Sabre_DAV_XMLUtil::convertDAVNamespace($body);
 +        $body = XMLUtil::convertDAVNamespace($body);
  
+         // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or
+         // 5.4.13.
+         $previous = libxml_disable_entity_loader(true);
          $responseXML = simplexml_load_string($body, null, LIBXML_NOBLANKS | LIBXML_NOCDATA);
+         libxml_disable_entity_loader($previous);
+ 
          if ($responseXML===false) {
 -            throw new InvalidArgumentException('The passed data is not valid XML');
 +            throw new \InvalidArgumentException('The passed data is not valid XML');
          }
  
          $responseXML->registerXPathNamespace('d', 'urn:DAV');
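Review bot: The restore of the entity-loader state on the line after simplexml_load_string() is not reached if that call raises — PHP itself only emits a warning on malformed XML, but an application error handler that turns warnings into exceptions would leave libxml_disable_entity_loader(true) in effect, and that setting appears to be global to the process rather than per call, so unrelated XML parsing later in the same process would be affected (fail-safe for XXE, but a surprising side effect). Since the comment pins a pre-5.5 PHP baseline, `finally` is unavailable; the call can be wrapped in a try/catch that restores the previous value and rethrows, as sketched below. The same unprotected restore pattern is in the Locks\Plugin hunk and, per the diffstat, presumably in XMLUtil.php. parseMultiStatus's body continues past the hunk.
```php
        $previous = libxml_disable_entity_loader(true);
        try {
            $responseXML = simplexml_load_string($body, null, LIBXML_NOBLANKS | LIBXML_NOCDATA);
        } catch (\Exception $e) {
            // restore the loader setting before propagating, so a throwing
            // error handler cannot leave it disabled for later callers
            libxml_disable_entity_loader($previous);
            throw $e;
        }
        libxml_disable_entity_loader($previous);
        // … unchanged: false check and XPath namespace registration …
```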
diff --cc lib/Sabre/DAV/Locks/Plugin.php
index 873f058,ff724ea..34e1b53
--- a/lib/Sabre/DAV/Locks/Plugin.php
+++ b/lib/Sabre/DAV/Locks/Plugin.php
@@@ -621,12 -619,19 +621,19 @@@ class Plugin extends DAV\ServerPlugin 
       */
      protected function parseLockRequest($body) {
  
+         // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or
+         // 5.4.13.
+         $previous = libxml_disable_entity_loader(true);
+ 
+ 
          $xml = simplexml_load_string(
 -            Sabre_DAV_XMLUtil::convertDAVNamespace($body),
 +            DAV\XMLUtil::convertDAVNamespace($body),
              null,
              LIBXML_NOWARNING);
+         libxml_disable_entity_loader($previous);
+ 
          $xml->registerXPathNamespace('d','urn:DAV');
 -        $lockInfo = new Sabre_DAV_Locks_LockInfo();
 +        $lockInfo = new LockInfo();
  
          $children = $xml->children("urn:DAV");
          $lockInfo->owner = (string)$children->owner;
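Review bot: A parse failure is never checked after the simplexml_load_string() call: LIBXML_NOWARNING silences the parser, so a malformed LOCK body leaves $xml as false and the following `$xml->registerXPathNamespace('d','urn:DAV')` becomes a method call on a non-object, a fatal error triggered by client-supplied input, whereas the Client.php hunk in this same commit guards the result with `=== false`. Add `if ($xml === false) { throw new DAV\Exception\BadRequest('The LOCK request body is not valid XML'); }` immediately after the libxml_disable_entity_loader($previous) restore, before the XPath registration. The two consecutive blank lines after the libxml_disable_entity_loader(true) call are also inconsistent with the single blank line used in Client.php. parseLockRequest's body continues past the hunk.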



