[Pkg-owncloud-commits] [owncloud] 02/05: Fix stored XSS in "activity" application [CVE-2015-5953]
David Prévot
taffit at moszumanska.debian.org
Sun Oct 4 19:15:23 UTC 2015
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch jessie
in repository owncloud.
commit 0670960f71e134e7fc08be7fba8d89053b381676
Author: David Prévot <taffit at debian.org>
Date: Sun Sep 27 13:53:15 2015 -0400
Fix stored XSS in "activity" application [CVE-2015-5953]
https://owncloud.org/security/advisory/?id=oc-sa-2015-010
---
...sions-to-specify-the-list-of-special-para.patch | 83 ++++++++++++++++++++++
...-Always-prepare-parameters-for-extensions.patch | 47 ++++++++++++
debian/patches/series | 2 +
3 files changed, 132 insertions(+)
diff --git a/debian/patches/0018-Allow-extensions-to-specify-the-list-of-special-para.patch b/debian/patches/0018-Allow-extensions-to-specify-the-list-of-special-para.patch
new file mode 100644
index 0000000..0fea9e2
--- /dev/null
+++ b/debian/patches/0018-Allow-extensions-to-specify-the-list-of-special-para.patch
@@ -0,0 +1,83 @@
+From: Joas Schilling <nickvergessen at gmx.de>
+Date: Thu, 11 Dec 2014 14:54:50 +0100
+Subject: Allow extensions to specify the list of special parameters
+
+Origin: upstream, https://github.com/owncloud/core/commit/1b18554aa7e0af7e13ba8c088375750ea2f53d6c
+---
+ lib/private/activitymanager.php | 19 +++++++++++++++++++
+ lib/public/activity/iextension.php | 13 +++++++++++++
+ lib/public/activity/imanager.php | 7 +++++++
+ 3 files changed, 39 insertions(+)
+
+diff --git a/lib/private/activitymanager.php b/lib/private/activitymanager.php
+index f31b121..76391ee 100644
+--- a/lib/private/activitymanager.php
++++ b/lib/private/activitymanager.php
+@@ -168,6 +168,25 @@ class ActivityManager implements IManager {
+ }
+
+ /**
++ * @param string $app
++ * @param string $text
++ * @return array|false
++ */
++ function getSpecialParameterList($app, $text) {
++ foreach($this->extensions as $extension) {
++ $c = $extension();
++ if ($c instanceof IExtension) {
++ $specialParameter = $c->getSpecialParameterList($app, $text);
++ if (is_array($specialParameter)) {
++ return $specialParameter;
++ }
++ }
++ }
++
++ return false;
++ }
++
++ /**
+ * @param string $type
+ * @return string
+ */
+diff --git a/lib/public/activity/iextension.php b/lib/public/activity/iextension.php
+index 6bb403a..22a5438 100644
+--- a/lib/public/activity/iextension.php
++++ b/lib/public/activity/iextension.php
+@@ -73,6 +73,19 @@ interface IExtension {
+ public function translate($app, $text, $params, $stripPath, $highlightParams, $languageCode);
+
+ /**
++ * The extension can define the type of parameters for translation
++ *
++ * Currently known types are:
++ * * file => will strip away the path of the file and add a tooltip with it
++ * * username => will add the avatar of the user
++ *
++ * @param string $app
++ * @param string $text
++ * @return array|false
++ */
++ function getSpecialParameterList($app, $text);
++
++ /**
+ * A string naming the css class for the icon to be used can be returned.
+ * If no icon is known for the given type false is to be returned.
+ *
+diff --git a/lib/public/activity/imanager.php b/lib/public/activity/imanager.php
+index 0a49fdf..a08670b 100644
+--- a/lib/public/activity/imanager.php
++++ b/lib/public/activity/imanager.php
+@@ -100,6 +100,13 @@ interface IManager {
+ function translate($app, $text, $params, $stripPath, $highlightParams, $languageCode);
+
+ /**
++ * @param string $app
++ * @param string $text
++ * @return array|false
++ */
++ function getSpecialParameterList($app, $text);
++
++ /**
+ * @param string $type
+ * @return string
+ */
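Review bot: Adding the abstract method `getSpecialParameterList($app, $text)` to the public `IExtension` interface (the iextension.php hunk) is a backwards-incompatible API change: any third-party activity extension already implementing `IExtension` on a jessie install will fail to load with an unimplemented-abstract-method fatal once this patch is applied, unless it is updated in lockstep. Since the manager only needs the method on extensions that opt in, a safer stable backport would leave the interface untouched and probe in `ActivityManager::getSpecialParameterList` with `if ($c instanceof IExtension && method_exists($c, 'getSpecialParameterList')) {` before calling it. Separately, the three new declarations omit the `public` keyword while the neighbouring `translate` is declared `public function`; I would write `public function getSpecialParameterList($app, $text)` in all three files. The manager docblock should also spell out the first-match semantics the loop implements: `Returns the first extension's array of special parameters; an extension must return false for apps/texts it does not own, otherwise it shadows every extension registered after it.`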
diff --git a/debian/patches/0019-Always-prepare-parameters-for-extensions.patch b/debian/patches/0019-Always-prepare-parameters-for-extensions.patch
new file mode 100644
index 0000000..1e1cfee
--- /dev/null
+++ b/debian/patches/0019-Always-prepare-parameters-for-extensions.patch
@@ -0,0 +1,47 @@
+From: Joas Schilling <nickvergessen at gmx.de>
+Date: Thu, 11 Dec 2014 15:34:04 +0100
+Subject: Always prepare parameters for extensions
+
+Origin: upstream, https://github.com/owncloud/activity/commit/35ae9ac153e4611f67ce926ac545fa5b2c1f1da3
+---
+ apps/activity/lib/datahelper.php | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/apps/activity/lib/datahelper.php b/apps/activity/lib/datahelper.php
+index 6e03cbb..5b87d99 100644
+--- a/apps/activity/lib/datahelper.php
++++ b/apps/activity/lib/datahelper.php
+@@ -59,11 +59,12 @@ class DataHelper
+ return '';
+ }
+
++ $preparedParams = $this->parameterHelper->prepareParameters(
++ $params, $this->parameterHelper->getSpecialParameterList($app, $text),
++ $stripPath, $highlightParams
++ );
++
+ if ($app === 'files') {
+- $preparedParams = $this->parameterHelper->prepareParameters(
+- $params, $this->parameterHelper->getSpecialParameterList($app, $text),
+- $stripPath, $highlightParams
+- );
+ switch ($text) {
+ case 'created_self':
+ return $this->l->t('You created %1$s', $preparedParams);
+@@ -96,14 +97,14 @@ class DataHelper
+
+ // Allow other apps to correctly translate their activities
+ $translation = $this->activityManager->translate(
+- $app, $text, $params, $stripPath, $highlightParams, $this->l->getLanguageCode());
++ $app, $text, $preparedParams, $stripPath, $highlightParams, $this->l->getLanguageCode());
+
+ if ($translation !== false) {
+ return $translation;
+ }
+
+ $l = Util::getL10N($app);
+- return $l->t($text, $params);
++ return $l->t($text, $preparedParams);
+ }
+
+ /**
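Review bot: The hoisted `prepareParameters` call is the actual fix, but nothing in the code says why it must run before the `$app === 'files'` branch, so a later refactor could easily move it back inside; I would add above it `// Prepare (escape/format) parameters for every app, not only "files": parameters coming from other apps/extensions were previously handed to translate() and l->t() raw and could inject markup (CVE-2015-5953).` Note that `activityManager->translate()` now receives `$preparedParams` together with the unchanged `$stripPath` and `$highlightParams` flags, so an extension that applies its own path stripping or escaping on what it assumes are raw parameters may now double-process them; that is worth checking against the extensions shipped in this package. For non-files apps `$this->parameterHelper->getSpecialParameterList()` presumably delegates to the manager method introduced by patch 0018, which is why the ordering in `series` matters. The enclosing DataHelper method begins before this hunk.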
diff --git a/debian/patches/series b/debian/patches/series
index c452aeb..2869d04 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,5 @@ path/0009-Adapt-Dropbox-path.patch
0015-Disallow-semicolons-in-passed-commands.patch
0016-Clarify-permission-checks.patch
0011-check-if-the-user-is-trying-to-scan-a-valid-path.patch
+0018-Allow-extensions-to-specify-the-list-of-special-para.patch
+0019-Always-prepare-parameters-for-extensions.patch