[Pkg-owncloud-commits] [owncloud] 01/02: Backport security fixes from 7.0.6 and 7.0.8

David Prévot taffit at moszumanska.debian.org
Mon Sep 14 01:09:12 UTC 2015 

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch jessie
in repository owncloud.

commit a401fd74761487d801e67e8676c3295081878887
Author: David Prévot <taffit at debian.org>
Date:   Thu Sep 3 19:32:28 2015 -0400

    Backport security fixes from 7.0.6 and 7.0.8
    
    - Local file inclusion on MS Windows Platform
      [OC-SA-2015-006] [CVE-2015-4716]
    - Resource Exthaustion when sanitizing filenames
      [OC-SA-2015-007] [CVE-2015-4717]
    - Command injection when using external SMB storage
      [OC-SA-2015-008] [CVE-2015-4718]
    - Calendar export: Authorization Bypass Through User-Controlled Key
      [OC-SA-2015-015] [CVE-2015-6670]
    
    Git-Dch: Full
---
 ...-application-identifier-before-processing.patch | 22 ++++++++++
 ...e-that-passed-argument-is-always-a-string.patch | 50 ++++++++++++++++++++++
 ...15-Disallow-semicolons-in-passed-commands.patch | 25 +++++++++++
 .../patches/0016-Clarify-permission-checks.patch   | 25 +++++++++++
 debian/patches/series                              |  4 ++
 5 files changed, 126 insertions(+)

diff --git a/debian/patches/0013-Clean-application-identifier-before-processing.patch b/debian/patches/0013-Clean-application-identifier-before-processing.patch
new file mode 100644
index 0000000..925066d
--- /dev/null
+++ b/debian/patches/0013-Clean-application-identifier-before-processing.patch
@@ -0,0 +1,22 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Tue, 31 Mar 2015 14:58:24 +0200
+Subject: Clean application identifier before processing
+
+Origin: upstream, https://github.com/owncloud/core/commit/a15710afad054953cc348f2dd719c73b60985bce
+---
+ lib/private/route/router.php | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/private/route/router.php b/lib/private/route/router.php
+index 9c973d7..a6ff51b 100644
+--- a/lib/private/route/router.php
++++ b/lib/private/route/router.php
+@@ -204,6 +204,8 @@ class Router implements IRouter {
+ 		if (substr($url, 0, 6) === '/apps/') {
+ 			// empty string / 'apps' / $app / rest of the route
+ 			list(, , $app,) = explode('/', $url, 4);
++
++			$app = \OC_App::cleanAppId($app);
+ 			\OC::$REQUESTEDAPP = $app;
+ 			$this->loadRoutes($app);
+ 		} else if (substr($url, 0, 6) === '/core/' or substr($url, 0, 10) === '/settings/') {
diff --git a/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch
new file mode 100644
index 0000000..b9b252d
--- /dev/null
+++ b/debian/patches/0014-Ensure-that-passed-argument-is-always-a-string.patch
@@ -0,0 +1,50 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Fri, 13 Feb 2015 12:49:34 +0100
+Subject: Ensure that passed argument is always a string
+
+Some code paths called the `normalizePath` functionality with types other than a string which resulted in unexpected behaviour.
+
+Thus the function is now manually casting the type to a string and I corrected the usage in list.php as well.
+
+Origin: upstream, https://github.com/owncloud/core/commit/5fa749cd9656ca6eab30bac0ef4e7625b8a8be2e
+---
+ apps/files/ajax/list.php         | 2 +-
+ lib/private/files/filesystem.php | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/apps/files/ajax/list.php b/apps/files/ajax/list.php
+index 4908016..21c88e2 100644
+--- a/apps/files/ajax/list.php
++++ b/apps/files/ajax/list.php
+@@ -5,7 +5,7 @@ OCP\JSON::checkLoggedIn();
+ $l = OC_L10N::get('files');
+ 
+ // Load the files
+-$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
++$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
+ $dir = \OC\Files\Filesystem::normalizePath($dir);
+ 
+ try {
+diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php
+index 492d9f1..a4d361d 100644
+--- a/lib/private/files/filesystem.php
++++ b/lib/private/files/filesystem.php
+@@ -694,9 +694,18 @@ class Filesystem {
+ 	 * Fix common problems with a file path
+ 	 * @param string $path
+ 	 * @param bool $stripTrailingSlash
++	 * @param bool $isAbsolutePath
+ 	 * @return string
+ 	 */
+ 	public static function normalizePath($path, $stripTrailingSlash = true, $isAbsolutePath = false) {
++		/**
++		 * FIXME: This is a workaround for existing classes and files which call
++		 *        this function with another type than a valid string. This
++		 *        conversion should get removed as soon as all existing
++		 *        function calls have been fixed.
++		 */
++		$path = (string)$path;
++
+ 		if ($path == '') {
+ 			return '/';
+ 		}
diff --git a/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch b/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch
new file mode 100644
index 0000000..6fd2127
--- /dev/null
+++ b/debian/patches/0015-Disallow-semicolons-in-passed-commands.patch
@@ -0,0 +1,25 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Mon, 30 Mar 2015 21:51:57 +0200
+Subject: Disallow semicolons in passed commands
+
+Origin: upstream, https://github.com/owncloud/core/commit/200e9d949783efbd57f39acedebc03924c1dfff4
+---
+ apps/files_external/3rdparty/smb4php/smb.php | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/apps/files_external/3rdparty/smb4php/smb.php b/apps/files_external/3rdparty/smb4php/smb.php
+index e325506..7ffdb42 100644
+--- a/apps/files_external/3rdparty/smb4php/smb.php
++++ b/apps/files_external/3rdparty/smb4php/smb.php
+@@ -112,6 +112,11 @@ class smb {
+ 
+ 
+ 	function execute ($command, $purl, $regexp = NULL) {
++		if (strpos($command,';') !== false) {
++			trigger_error('Semicolon not supported in commands');
++			exit();
++		}
++
+ 		return smb::client ('-d 0 '
+ 				. escapeshellarg ('//' . $purl['host'] . '/' . $purl['share'])
+ 				. ' -c ' . escapeshellarg ($command), $purl, $regexp
diff --git a/debian/patches/0016-Clarify-permission-checks.patch b/debian/patches/0016-Clarify-permission-checks.patch
new file mode 100644
index 0000000..9c4e1a3
--- /dev/null
+++ b/debian/patches/0016-Clarify-permission-checks.patch
@@ -0,0 +1,25 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Tue, 21 Jul 2015 14:44:03 +0200
+Subject: Clarify permission checks
+
+Origin: upstream, https://github.com/owncloud/calendar/commit/4e0306adb13b19919e90857eaf7681303cd45414
+---
+ apps/calendar/lib/app.php | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/apps/calendar/lib/app.php b/apps/calendar/lib/app.php
+index 8af0ff3..62e7e22 100644
+--- a/apps/calendar/lib/app.php
++++ b/apps/calendar/lib/app.php
+@@ -50,8 +50,10 @@ class OC_Calendar_App{
+ 			}
+ 		}
+ 		if($security === true && $shared === true) {
+-			if(OCP\Share::getItemSharedWithBySource('calendar', $id)) {
++			if(OCP\User::getUser() === $calendar['userid'] || OCP\Share::getItemSharedWithBySource('calendar', $id)) {
+ 				return $calendar;
++			} else {
++				return false;
+ 			}
+ 		}
+ 		return $calendar;
diff --git a/debian/patches/series b/debian/patches/series
index ab6e650..42ca44e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,7 @@ path/0009-Adapt-Dropbox-path.patch
 0010-Fix-encoding-in-3rdparty-lib.patch
 0011-Apply-some-upstream-patches.patch
 0012-Normalize-before-processing.patch
+0013-Clean-application-identifier-before-processing.patch
+0014-Ensure-that-passed-argument-is-always-a-string.patch
+0015-Disallow-semicolons-in-passed-commands.patch
+0016-Clarify-permission-checks.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git

More information about the Pkg-owncloud-commits mailing list