[Pkg-owncloud-commits] [owncloud] 04/05: Fix PHP arbitrary class instantiation in "files_external"

[David Prévot]

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch jessie
in repository owncloud.

commit 49c105b57b14efd8163441531bc9d7b50507d9cd
Author: David Prévot <taffit at debian.org>
Date:   Wed Sep 30 19:20:32 2015 -0400

    Fix PHP arbitrary class instantiation in "files_external"
    
    https://owncloud.org/security/advisory/?id=oc-sa-2015-018
---
 ...nt-objectstore-being-set-from-client-side.patch | 39 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 40 insertions(+)

diff --git a/debian/patches/0026-Prevent-objectstore-being-set-from-client-side.patch b/debian/patches/0026-Prevent-objectstore-being-set-from-client-side.patch
new file mode 100644
index 0000000..5afdb73
--- /dev/null
+++ b/debian/patches/0026-Prevent-objectstore-being-set-from-client-side.patch
@@ -0,0 +1,39 @@
+From: Robin McCorkell <rmccorkell at owncloud.com>
+Date: Tue, 25 Aug 2015 16:27:50 +0100
+Subject: Prevent objectstore being set from client side
+
+Origin: upstream, https://github.com/owncloud/core/commit/b05e178bbf884b120d1106e6a28f35aa50d6d06f
+---
+ apps/files_external/lib/config.php | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/apps/files_external/lib/config.php b/apps/files_external/lib/config.php
+index 717426c..b3ec25b 100644
+--- a/apps/files_external/lib/config.php
++++ b/apps/files_external/lib/config.php
+@@ -489,6 +489,11 @@ class OC_Mount_Config {
+ 			return false;
+ 		}
+ 
++		if (isset($classOptions['objectstore'])) {
++			// objectstore cannot be set by client side
++			return false;
++		}
++
+ 		if (!isset($backends[$class])) {
+ 			// invalid backend
+ 			return false;
+@@ -875,6 +880,13 @@ class OC_Mount_Config {
+ 					$mountPoint[$applicable][$mountPath]['priority']
+ 						= $data[$mountType][$applicable][$mountPath]['priority'];
+ 				}
++				// Persistent objectstore
++				if (isset($data[$mountType][$applicable][$mountPath])
++					&& isset($data[$mountType][$applicable][$mountPath]['objectstore'])
++				) {
++					$mountPoint[$applicable][$mountPath]['objectstore']
++						= $data[$mountType][$applicable][$mountPath]['objectstore'];
++				}
+ 				$data[$mountType][$applicable]
+ 					= array_merge($data[$mountType][$applicable], $mountPoint[$applicable]);
+ 			} else {
diff --git a/debian/patches/series b/debian/patches/series
index 022c912..561ad88 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ path/0009-Adapt-Dropbox-path.patch
 0023-Throw-nicer-error-message-instead-500.patch
 0024-Verify-if-path-exists.patch
 0025-Verify-if-path-exists-before-processing.patch
+0026-Prevent-objectstore-being-set-from-client-side.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git