[Pkg-owncloud-commits] [php-sabredav] 01/02: Only accept HTTP and HTTPS as protocol

David Prévot taffit at moszumanska.debian.org
Mon Sep 29 21:48:11 UTC 2014


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch 1.8
in repository php-sabredav.

commit 4f141d03b8b9af2e032a654820effa6204b359ab
Author: David Prévot <taffit at debian.org>
Date:   Mon Sep 29 14:53:04 2014 -0400

    Only accept HTTP and HTTPS as protocol
---
 ...03-Only-accept-HTTP-and-HTTPS-as-protocol.patch |  26 ++++++
 debian/patches/0004-Fix-unit-test.patch            | 102 +++++++++++++++++++++
 debian/patches/series                              |   2 +
 3 files changed, 130 insertions(+)

diff --git a/debian/patches/0003-Only-accept-HTTP-and-HTTPS-as-protocol.patch b/debian/patches/0003-Only-accept-HTTP-and-HTTPS-as-protocol.patch
new file mode 100644
index 0000000..1620939
--- /dev/null
+++ b/debian/patches/0003-Only-accept-HTTP-and-HTTPS-as-protocol.patch
@@ -0,0 +1,26 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Thu, 11 Sep 2014 19:45:34 +0200
+Subject: Only accept HTTP and HTTPS as protocol
+
+We do not want to follow redirects to other protocols since they might allow an adversary to bypass network restrictions. (i.e. a redirect to ftp:// might be used to access files of a FTP server which might be in a secure zone and not be reachable from the net but from the ownCloud server)
+
+See https://github.com/owncloud/core/pull/11032 for the change in ownCloud and https://github.com/fruux/sabre-http/pull/14 for the PR for sabre-http
+
+Origin: upstream, https://github.com/fruux/sabre-dav/commit/c8ca4c25ad98195b8d0f7a1e5c070f7c31a5537d
+---
+ lib/Sabre/DAV/Client.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/Sabre/DAV/Client.php b/lib/Sabre/DAV/Client.php
+index 705b321..ba5c472 100644
+--- a/lib/Sabre/DAV/Client.php
++++ b/lib/Sabre/DAV/Client.php
+@@ -322,6 +322,8 @@ class Client {
+             // Automatically follow redirects
+             CURLOPT_FOLLOWLOCATION => true,
+             CURLOPT_MAXREDIRS => 5,
++            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
++            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+         );
+ 
+         if($this->verifyPeer !== null) {
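Review bot: The two options added at L50–L51 narrow the scheme of the initial request and of any followed redirect, but they do not constrain the redirect destination itself: CURLOPT_FOLLOWLOCATION with CURLOPT_MAXREDIRS 5 (L48–L49) remains on, so the fix should be documented as a scheme allow-list rather than a general restriction on where the client will connect. I would add a why-comment above L50: `// Allow-list the scheme for the first request and for every redirect hop; this bounds the protocol, not the target host.` The test hunks read the array back through `$client->curlSettings`, so if the class also lets callers merge their own settings over this array (not visible here), that path could widen the allow-list again and deserves a line in the same comment. `CURLPROTO_*` and `CURLOPT_REDIR_PROTOCOLS` are only defined when PHP is built against a libcurl that has them (7.19.4 or later, as far as I recall), which is worth stating in the patch header for backports. The enclosing method starts before and ends after this hunk.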
diff --git a/debian/patches/0004-Fix-unit-test.patch b/debian/patches/0004-Fix-unit-test.patch
new file mode 100644
index 0000000..1d5d226
--- /dev/null
+++ b/debian/patches/0004-Fix-unit-test.patch
@@ -0,0 +1,102 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Thu, 11 Sep 2014 20:08:23 +0200
+Subject: Fix unit test
+
+Origin: upstream, https://github.com/fruux/sabre-dav/commit/d144fd877965dd61c72759614dbceb2c1fe11286
+---
+ tests/Sabre/DAV/ClientTest.php | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/tests/Sabre/DAV/ClientTest.php b/tests/Sabre/DAV/ClientTest.php
+index 9c3532a..ca67d35 100644
+--- a/tests/Sabre/DAV/ClientTest.php
++++ b/tests/Sabre/DAV/ClientTest.php
+@@ -57,6 +57,8 @@ class ClientTest extends \PHPUnit_Framework_TestCase {
+             CURLOPT_POSTFIELDS => 'sillybody',
+             CURLOPT_HEADER => true,
+             CURLOPT_HTTPHEADER => array('Content-Type: text/plain'),
++            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
++            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+         ), $client->curlSettings);
+ 
+         $this->assertEquals(array(
+@@ -107,6 +109,8 @@ class ClientTest extends \PHPUnit_Framework_TestCase {
+             CURLOPT_HEADER => true,
+             CURLOPT_HTTPHEADER => array('Content-Type: text/plain'),
+             CURLOPT_PROXY => 'http://localhost:8000/',
++            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
++            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+         ), $client->curlSettings);
+ 
+         $this->assertEquals(array(
+@@ -156,6 +160,8 @@ class ClientTest extends \PHPUnit_Framework_TestCase {
+             CURLOPT_HEADER => true,
+             CURLOPT_CAINFO => 'bla',
+             CURLOPT_HTTPHEADER => array('Content-Type: text/plain'),
++            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
++            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+         ), $client->curlSettings);
+ 
+     }
+@@ -196,7 +202,9 @@ class ClientTest extends \PHPUnit_Framework_TestCase {
+             CURLOPT_POSTFIELDS => 'sillybody',
+             CURLOPT_HEADER => true,
+             CURLOPT_HTTPHEADER => array('Content-Type: text/plain'),
+-            CURLOPT_SSL_VERIFYPEER => true
++            CURLOPT_SSL_VERIFYPEER => true,
++            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
++            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+         ), $client->curlSettings);
+ 
+     }
+@@ -238,7 +246,9 @@ class ClientTest extends \PHPUnit_Framework_TestCase {
+             CURLOPT_HEADER => true,
+             CURLOPT_HTTPHEADER => array('Content-Type: text/plain'),
+             CURLOPT_HTTPAUTH => CURLAUTH_BASIC | CURLAUTH_DIGEST,
+-            CURLOPT_USERPWD => 'user:password'
++            CURLOPT_USERPWD => 'user:password',
++            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
++            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+         ), $client->curlSettings);
+ 
+         $this->assertEquals(array(
+@@ -289,7 +299,9 @@ class ClientTest extends \PHPUnit_Framework_TestCase {
+             CURLOPT_HEADER => true,
+             CURLOPT_HTTPHEADER => array('Content-Type: text/plain'),
+             CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
+-            CURLOPT_USERPWD => 'user:password'
++            CURLOPT_USERPWD => 'user:password',
++            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
++            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+         ), $client->curlSettings);
+ 
+         $this->assertEquals(array(
+@@ -340,7 +352,9 @@ class ClientTest extends \PHPUnit_Framework_TestCase {
+             CURLOPT_HEADER => true,
+             CURLOPT_HTTPHEADER => array('Content-Type: text/plain'),
+             CURLOPT_HTTPAUTH => CURLAUTH_DIGEST,
+-            CURLOPT_USERPWD => 'user:password'
++            CURLOPT_USERPWD => 'user:password',
++            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
++            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+         ), $client->curlSettings);
+ 
+         $this->assertEquals(array(
+@@ -905,6 +919,8 @@ class ClientTest extends \PHPUnit_Framework_TestCase {
+             CURLOPT_HEADER => true,
+             CURLOPT_HTTPHEADER => array(),
+             CURLOPT_POSTFIELDS => null,
++            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
++            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+         ), $client->curlSettings);
+ 
+     }
+@@ -939,6 +955,8 @@ class ClientTest extends \PHPUnit_Framework_TestCase {
+             CURLOPT_RETURNTRANSFER => true,
+             CURLOPT_FOLLOWLOCATION => true,
+             CURLOPT_MAXREDIRS => 5,
++            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
++            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+             CURLOPT_CUSTOMREQUEST => "PUT",
+             CURLOPT_POSTFIELDS => 'newcontent',
+             CURLOPT_HEADER => true,
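Review bot: Every hunk in this file only asserts that the two new entries appear in `$client->curlSettings` (L78–L79, L87–L88, L96–L97, L107–L108, L118–L119, L129–L130, L140–L141, L149–L150, L158–L159); nothing exercises the behaviour the 0003 patch is for, namely that a redirect to a non-HTTP(S) scheme is not followed. Pinning the option values is the right check at this unit level, but a one-line comment on the first expected array, `// Scheme allow-list from Client::request(); redirect refusal itself is a libcurl behaviour not covered here`, would make that scope explicit for the next reader. As a matter of style, the same two lines are pasted into nine expected arrays, and in the last hunk they are inserted at a different position than elsewhere; since assertEquals compares arrays by key, a shared `$expectedBase` array merged into each expectation would keep future option additions to one place. Each test method starts and ends outside its hunk.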
diff --git a/debian/patches/series b/debian/patches/series
index 05a084e..afb158f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch
 0002-Skip-failing-tests-starting-with-PHP-5.5.10.patch
+0003-Only-accept-HTTP-and-HTTPS-as-protocol.patch
+0004-Fix-unit-test.patch
