[Pkg-owncloud-commits] [owncloud] 03/05: Fix disclosure of users files when deleting parent folders of shared files [CVE-2015-5954]

David Prévot taffit at moszumanska.debian.org
Sun Oct 4 19:15:23 UTC 2015



taffit pushed a commit to branch jessie
in repository owncloud.

commit e0114a412dfb5387b1590ef5ce058966c957b2b6
Author: David Prévot <taffit at debian.org>
Date:   Sun Sep 27 17:57:39 2015 -0400

    Fix disclosure of users' files when deleting parent folders of shared files [CVE-2015-5954]
    
    https://owncloud.org/security/advisory/?id=oc-sa-2015-011
---
 .../0020-resolve-reshares-in-public-webdav.patch   | 27 ++++++++++
 .../0021-fix-subfolder-reshares-over-webdav.patch  | 24 +++++++++
 debian/patches/0022-Verify-if-path-exists.patch    | 27 ++++++++++
 ...023-Throw-nicer-error-message-instead-500.patch | 24 +++++++++
 debian/patches/0024-Verify-if-path-exists.patch    | 26 ++++++++++
 ...5-Verify-if-path-exists-before-processing.patch | 57 ++++++++++++++++++++++
 debian/patches/series                              |  6 +++
 7 files changed, 191 insertions(+)

diff --git a/debian/patches/0020-resolve-reshares-in-public-webdav.patch b/debian/patches/0020-resolve-reshares-in-public-webdav.patch
new file mode 100644
index 0000000..0f44a73
--- /dev/null
+++ b/debian/patches/0020-resolve-reshares-in-public-webdav.patch
@@ -0,0 +1,27 @@
+From: Robin Appelman <icewind at owncloud.com>
+Date: Wed, 22 Apr 2015 16:19:52 +0200
+Subject: resolve reshares in public webdav
+
+Origin, upstream: https://github.com/owncloud/core/commit/2c10e31c8f660e93859a5117b02075ab29996941
+---
+ apps/files_sharing/publicwebdav.php | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/apps/files_sharing/publicwebdav.php b/apps/files_sharing/publicwebdav.php
+index 03e4396..3e00053 100644
+--- a/apps/files_sharing/publicwebdav.php
++++ b/apps/files_sharing/publicwebdav.php
+@@ -40,9 +40,10 @@ $server->addPlugin(new OC_Connector_Sabre_ExceptionLoggerPlugin('webdav'));
+ // wait with registering these until auth is handled and the filesystem is setup
+ $server->subscribeEvent('beforeMethod', function () use ($server, $objectTree, $authBackend) {
+ 	$share = $authBackend->getShare();
+-	$owner = $share['uid_owner'];
+-	$isWritable = $share['permissions'] & (\OCP\PERMISSION_UPDATE | \OCP\PERMISSION_CREATE);
+-	$fileId = $share['file_source'];
++	$rootShare = \OCP\Share::resolveReShare($share);
++	$owner = $rootShare['uid_owner'];
++	$isWritable = $rootShare['permissions'] & (\OCP\PERMISSION_UPDATE | \OCP\PERMISSION_CREATE);
++	$fileId = $rootShare['file_source'];
+ 
+ 	if (!$isWritable) {
+ 		\OC\Files\Filesystem::addStorageWrapper('readonly', function ($mountPoint, $storage) {
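Review bot: The value returned by `\OCP\Share::resolveReShare($share)` is indexed on the very next line (`$rootShare['uid_owner']`) without being checked, so if that helper can return something other than a share array — for instance when the chain of shares no longer resolves, which is the kind of situation this CVE fix is about — the callback would continue with a null owner and file id instead of failing closed; whether it can return a non-array is not visible here and needs confirming against the share layer. I would guard it before the array accesses, e.g. `if (!is_array($rootShare)) { throw new \Sabre\DAV\Exception\NotFound('share could not be resolved'); }`, or whatever not-found path this WebDAV endpoint already uses. The same unchecked lines survive as context in 0021-fix-subfolder-reshares-over-webdav.patch. The `beforeMethod` closure continues beyond the end of the hunk.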
diff --git a/debian/patches/0021-fix-subfolder-reshares-over-webdav.patch b/debian/patches/0021-fix-subfolder-reshares-over-webdav.patch
new file mode 100644
index 0000000..faf3357
--- /dev/null
+++ b/debian/patches/0021-fix-subfolder-reshares-over-webdav.patch
@@ -0,0 +1,24 @@
+From: Robin Appelman <icewind at owncloud.com>
+Date: Thu, 23 Apr 2015 13:42:51 +0200
+Subject: fix subfolder reshares over webdav
+
+Origin: upstream, https://github.com/owncloud/core/commit/38644cffd40221857c9addfe5f517ec4f5868cdf
+---
+ apps/files_sharing/publicwebdav.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/apps/files_sharing/publicwebdav.php b/apps/files_sharing/publicwebdav.php
+index 3e00053..1dcb2b3 100644
+--- a/apps/files_sharing/publicwebdav.php
++++ b/apps/files_sharing/publicwebdav.php
+@@ -42,8 +42,8 @@ $server->subscribeEvent('beforeMethod', function () use ($server, $objectTree, $
+ 	$share = $authBackend->getShare();
+ 	$rootShare = \OCP\Share::resolveReShare($share);
+ 	$owner = $rootShare['uid_owner'];
+-	$isWritable = $rootShare['permissions'] & (\OCP\PERMISSION_UPDATE | \OCP\PERMISSION_CREATE);
+-	$fileId = $rootShare['file_source'];
++	$isWritable = $share['permissions'] & (\OCP\PERMISSION_UPDATE | \OCP\PERMISSION_CREATE);
++	$fileId = $share['file_source'];
+ 
+ 	if (!$isWritable) {
+ 		\OC\Files\Filesystem::addStorageWrapper('readonly', function ($mountPoint, $storage) {
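Review bot: After this change `$owner` is still read from `$rootShare` while `$isWritable` and `$fileId` are read from `$share`, and nothing in the code says why two different share records are mixed; the next maintainer is likely to "harmonise" them and reintroduce either the owner bug or the subfolder bug. I would add a comment above the `$owner` line, along the lines of `// storage owner comes from the original share; the node and permissions exposed are those of the (re)share actually opened` — presumably that is the intent of resolving the reshare only for the owner. Taking `$share['permissions']` as-is also presumes a reshare's permissions were already capped when it was created, which this patch cannot show. The `beforeMethod` closure continues beyond the end of the hunk.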
diff --git a/debian/patches/0022-Verify-if-path-exists.patch b/debian/patches/0022-Verify-if-path-exists.patch
new file mode 100644
index 0000000..aded544
--- /dev/null
+++ b/debian/patches/0022-Verify-if-path-exists.patch
@@ -0,0 +1,27 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Wed, 17 Jun 2015 15:06:50 +0200
+Subject: Verify if path exists
+
+We need to verify if the specified path exists to gracefully prevent errors.
+
+Origin: upstream, https://github.com/owncloud/core/commit/f4bc29a1e77cee3fdaf913a20b55fabc14675e26
+---
+ apps/files_sharing/ajax/publicpreview.php | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/apps/files_sharing/ajax/publicpreview.php b/apps/files_sharing/ajax/publicpreview.php
+index f5343a7..833bd1b 100644
+--- a/apps/files_sharing/ajax/publicpreview.php
++++ b/apps/files_sharing/ajax/publicpreview.php
+@@ -46,6 +46,11 @@ $view = new \OC\Files\View('/' . $userId . '/files');
+ 
+ $pathId = $linkedItem['file_source'];
+ $path = $view->getPath($pathId);
++
++if($path === null) {
++	throw new \OCP\Files\NotFoundException();
++}
++
+ $pathInfo = $view->getFileInfo($path);
+ $sharedFile = null;
+ 
diff --git a/debian/patches/0023-Throw-nicer-error-message-instead-500.patch b/debian/patches/0023-Throw-nicer-error-message-instead-500.patch
new file mode 100644
index 0000000..74954c9
--- /dev/null
+++ b/debian/patches/0023-Throw-nicer-error-message-instead-500.patch
@@ -0,0 +1,24 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Wed, 17 Jun 2015 15:36:54 +0200
+Subject: Throw nicer error message instead 500
+
+Origin: upstream, https://github.com/owncloud/core/commit/1fc8afef1e92c6ba5ecf28d5d06df16b876ba0cd
+---
+ apps/files_sharing/ajax/publicpreview.php | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/apps/files_sharing/ajax/publicpreview.php b/apps/files_sharing/ajax/publicpreview.php
+index 833bd1b..bf30f7f 100644
+--- a/apps/files_sharing/ajax/publicpreview.php
++++ b/apps/files_sharing/ajax/publicpreview.php
+@@ -48,7 +48,9 @@ $pathId = $linkedItem['file_source'];
+ $path = $view->getPath($pathId);
+ 
+ if($path === null) {
+-	throw new \OCP\Files\NotFoundException();
++	\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);
++	\OC_Log::write('core-preview', 'Could not resolve file for shared item', OC_Log::WARN);
++	exit;
+ }
+ 
+ $pathInfo = $view->getFileInfo($path);
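Review bot: The warning written on the new `\OC_Log::write` line carries no identifier, so an operator seeing repeated "Could not resolve file for shared item" entries cannot tell which share or file id failed to resolve, and `$pathId` appears to be in scope (it is shown in the hunk header context). I would include it: `\OC_Log::write('core-preview', 'Could not resolve file for shared item, file_source=' . $pathId, \OC_Log::WARN);`. The same line also mixes a fully qualified `\OC_Log::write` with an unqualified `OC_Log::WARN`; harmless in a non-namespaced script, but worth making consistent. The script continues outside the hunk.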
diff --git a/debian/patches/0024-Verify-if-path-exists.patch b/debian/patches/0024-Verify-if-path-exists.patch
new file mode 100644
index 0000000..0244c34
--- /dev/null
+++ b/debian/patches/0024-Verify-if-path-exists.patch
@@ -0,0 +1,26 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Thu, 18 Jun 2015 16:48:32 +0200
+Subject: Verify if path exists
+
+We need to check if the path exists and throw an error instead of handling this situation ungraciously.
+
+Origin: upstream, https://github.com/owncloud/core/commit/ff2de8439a05e2bcd14b2e2bd57e3c96e39bf774
+---
+ apps/files/ajax/upload.php | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php
+index b737d5f..6e190b0 100644
+--- a/apps/files/ajax/upload.php
++++ b/apps/files/ajax/upload.php
+@@ -49,6 +49,10 @@ if (empty($_POST['dirToken'])) {
+ 
+ 		// The token defines the target directory (security reasons)
+ 		$path = \OC\Files\Filesystem::getPath($linkItem['file_source']);
++		if($path === null) {
++			OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Unable to set upload directory.')))));
++			die();
++		}
+ 		$dir = sprintf(
+ 			"/%s/%s",
+ 			$path,
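Review bot: `array_merge(array('message' => ...))` on the new `OCP\JSON::error` line merges a single array, which is a no-op and reads like a copy of a call elsewhere that merges several arrays; `OCP\JSON::error(array('data' => array('message' => $l->t('Unable to set upload directory.'))));` is equivalent and clearer. `$l` is assumed to be a translation object already in scope — it is not visible in the hunk. The enclosing block starts before and ends after the hunk, so the `$dir` built from `$path` below is not reviewable here.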
diff --git a/debian/patches/0025-Verify-if-path-exists-before-processing.patch b/debian/patches/0025-Verify-if-path-exists-before-processing.patch
new file mode 100644
index 0000000..5e311ea
--- /dev/null
+++ b/debian/patches/0025-Verify-if-path-exists-before-processing.patch
@@ -0,0 +1,57 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Fri, 19 Jun 2015 14:12:12 +0200
+Subject: Verify if path exists before processing
+
+We need to verify if the specified path exists to prevent errors. To test this please ensure that in all legitim cases the public preview (i.e. the one you see when you have public shared galleries) does still work.
+
+While exit() is here not the cleanest solution this is also what is used in other parts of the AJAX gallery code for error handling and I consider this thus a feasible solution for now.
+
+Origin: upstream, https://github.com/owncloud/gallery/commit/2c39713bea28305c40d454cf087eaf8ec9d68532
+---
+ apps/gallery/ajax/getimages.php | 3 +++
+ apps/gallery/ajax/image.php     | 3 +++
+ apps/gallery/ajax/thumbnail.php | 3 +++
+ 3 files changed, 9 insertions(+)
+
+diff --git a/apps/gallery/ajax/getimages.php b/apps/gallery/ajax/getimages.php
+index 10da494..745a694 100644
+--- a/apps/gallery/ajax/getimages.php
++++ b/apps/gallery/ajax/getimages.php
+@@ -27,6 +27,9 @@ if (isset($_GET['token'])) {
+ 
+ 		// The token defines the target directory (security reasons)
+ 		$path = \OC\Files\Filesystem::getPath($linkItem['file_source']);
++		if($path === null) {
++			exit();
++		}
+ 
+ 		$view = new \OC\Files\View(\OC\Files\Filesystem::getView()->getAbsolutePath($path));
+ 		$images = $view->searchByMime('image');
+diff --git a/apps/gallery/ajax/image.php b/apps/gallery/ajax/image.php
+index 3317477..0b404ca 100644
+--- a/apps/gallery/ajax/image.php
++++ b/apps/gallery/ajax/image.php
+@@ -22,6 +22,9 @@ if (is_array($linkItem) && isset($linkItem['uid_owner'])) {
+ 	OC_User::setIncognitoMode(true);
+ 
+ 	$fullPath = \OC\Files\Filesystem::getPath($linkItem['file_source']);
++	if($fullPath === null) {
++		exit();
++	}
+ 	$img = trim($fullPath . '/' . $img);
+ } else {
+ 	OCP\JSON::checkLoggedIn();
+diff --git a/apps/gallery/ajax/thumbnail.php b/apps/gallery/ajax/thumbnail.php
+index a4c18c1..bb1ee2d 100644
+--- a/apps/gallery/ajax/thumbnail.php
++++ b/apps/gallery/ajax/thumbnail.php
+@@ -22,6 +22,9 @@ if (is_array($linkItem) && isset($linkItem['uid_owner'])) {
+ 	OC_Util::setupFS($user);
+ 
+ 	$fullPath = \OC\Files\Filesystem::getPath($linkItem['file_source']);
++	if($fullPath === null) {
++		exit();
++	}
+ 	$img = trim($fullPath . '/' . $img);
+ } else {
+ 	OCP\JSON::checkLoggedIn();
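Review bot: The three new `exit()` calls in getimages.php, image.php and thumbnail.php terminate with an empty body and, presumably, the default 200 status, so a client sees a successful-but-empty response and nothing is logged — unlike the publicpreview.php fix in 0023-Throw-nicer-error-message-instead-500.patch, which sets 404 and writes a warning. I would at least set the status before each exit, `\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);`, and a log line would give operators a signal that a link share points at a node that no longer resolves. The patch description itself acknowledges that `exit()` is not the cleanest solution here. Each enclosing `if` block continues outside its hunk.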
diff --git a/debian/patches/series b/debian/patches/series
index 2869d04..022c912 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,9 @@ path/0009-Adapt-Dropbox-path.patch
 0011-check-if-the-user-is-trying-to-scan-a-valid-path.patch
 0018-Allow-extensions-to-specify-the-list-of-special-para.patch
 0019-Always-prepare-parameters-for-extensions.patch
+0020-resolve-reshares-in-public-webdav.patch
+0021-fix-subfolder-reshares-over-webdav.patch
+0022-Verify-if-path-exists.patch
+0023-Throw-nicer-error-message-instead-500.patch
+0024-Verify-if-path-exists.patch
+0025-Verify-if-path-exists-before-processing.patch



