[Pkg-owncloud-commits] [owncloud] 01/05: Fix information exposure through directory listing [CVE-2015-6500]
David Prévot
taffit at moszumanska.debian.org
Sun Oct 4 19:15:23 UTC 2015
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch jessie
in repository owncloud.
commit 2255555090810df3dfd45ac6a7619f68f9db106b
Author: David Prévot <taffit at debian.org>
Date: Sun Sep 27 12:50:53 2015 -0400
Fix information exposure through directory listing [CVE-2015-6500]
Closes: #800126
https://owncloud.org/security/advisory?id=oc-sa-2015-014
---
...f-the-user-is-trying-to-scan-a-valid-path.patch | 24 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 25 insertions(+)
diff --git a/debian/patches/0011-check-if-the-user-is-trying-to-scan-a-valid-path.patch b/debian/patches/0011-check-if-the-user-is-trying-to-scan-a-valid-path.patch
new file mode 100644
index 0000000..b9d9091
--- /dev/null
+++ b/debian/patches/0011-check-if-the-user-is-trying-to-scan-a-valid-path.patch
@@ -0,0 +1,24 @@
+From: Robin Appelman <icewind at owncloud.com>
+Date: Sun, 26 Jul 2015 19:13:31 +0200
+Subject: check if the user is trying to scan a valid path
+
+Origin: upstream, https://github.com/owncloud/core/commit/9f8c0a3a8d14f1c127b2034faa14d8d309f962e9
+Bug-Debian: https://bugs.debian.org/800126
+---
+ lib/private/files/utils/scanner.php | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/private/files/utils/scanner.php b/lib/private/files/utils/scanner.php
+index c2fabf5..15024b5 100644
+--- a/lib/private/files/utils/scanner.php
++++ b/lib/private/files/utils/scanner.php
+@@ -108,6 +108,9 @@ class Scanner extends PublicEmitter {
+ * @throws \OC\ForbiddenException
+ */
+ public function scan($dir) {
++ if (!Filesystem::isValidPath($dir)) {
++ throw new \InvalidArgumentException('Invalid path to scan');
++ }
+ $mounts = $this->getMounts($dir);
+ foreach ($mounts as $mount) {
+ if (is_null($mount->getStorage())) {
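Review bot: The new `throw new \InvalidArgumentException('Invalid path to scan')` at the top of `scan($dir)` is not documented: the docblock visible in the context lines still lists only `@throws \OC\ForbiddenException`. Add `@throws \InvalidArgumentException` there so callers know a rejected path now raises a different exception type, and check that callers passing a user-supplied `$dir` handle it instead of letting it propagate as an unhandled error.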
diff --git a/debian/patches/series b/debian/patches/series
index 42ca44e..c452aeb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ path/0009-Adapt-Dropbox-path.patch
0014-Ensure-that-passed-argument-is-always-a-string.patch
0015-Disallow-semicolons-in-passed-commands.patch
0016-Clarify-permission-checks.patch
+0011-check-if-the-user-is-trying-to-scan-a-valid-path.patch
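Review bot: `0011-check-if-the-user-is-trying-to-scan-a-valid-path.patch` is appended after `0016-Clarify-permission-checks.patch`, so its numeric prefix no longer matches its position in the series. The series file, not the file name, decides the apply order, so either renumber the patch to follow 0016 or note why the prefix is out of sequence, to avoid confusion when the queue is next refreshed.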
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git