[Pkg-owncloud-commits] [owncloud] 01/02: Fix security issues not backported by upstream to 7.0

David Prévot taffit at moszumanska.debian.org
Wed Jan 6 02:40:30 UTC 2016



taffit pushed a commit to branch master
in repository owncloud.

commit f2828178aa082e988512046d6ef13457e7256877
Author: David Prévot <taffit at debian.org>
Date:   Tue Jan 5 22:16:42 2016 -0400

    Fix security issues not backported by upstream to 7.0
    
    - Information Exposure Through Directory Listing in the file scanner
      [oc-sa-2016-002]
    - Full installation path disclosure through error message
      [oc-sa-2016-004]
    
    Git-Dch: Full
---
 .../0012-Dont-output-paths-in-scan.php.patch       | 35 +++++++++++++++++++
 .../0013-Do-not-print-exception-message.patch      | 40 ++++++++++++++++++++++
 debian/patches/series                              |  2 ++
 3 files changed, 77 insertions(+)

diff --git a/debian/patches/0012-Dont-output-paths-in-scan.php.patch b/debian/patches/0012-Dont-output-paths-in-scan.php.patch
new file mode 100644
index 0000000..572d3c3
--- /dev/null
+++ b/debian/patches/0012-Dont-output-paths-in-scan.php.patch
@@ -0,0 +1,35 @@
+From: Robin Appelman <icewind at owncloud.com>
+Date: Wed, 25 Nov 2015 15:21:01 +0100
+Subject: Dont output paths in scan.php
+
+Origin: backport, https://github.com/owncloud/core/commit/fab59179f1661da4862336fb8ea450c80def26d4
+---
+ apps/files/ajax/scan.php | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/apps/files/ajax/scan.php b/apps/files/ajax/scan.php
+index d5d8848..e6cad5e 100644
+--- a/apps/files/ajax/scan.php
++++ b/apps/files/ajax/scan.php
+@@ -21,7 +21,6 @@ $listener = new ScanListener($eventSource);
+ foreach ($users as $user) {
+ 	$eventSource->send('user', $user);
+ 	$scanner = new \OC\Files\Utils\Scanner($user);
+-	$scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', array($listener, 'file'));
+ 	$scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', array($listener, 'folder'));
+ 	if ($force) {
+ 		$scanner->scan($dir);
+@@ -50,13 +49,6 @@ class ScanListener {
+ 		$this->eventSource = $eventSource;
+ 	}
+ 
+-	/**
+-	 * @param string $path
+-	 */
+-	public function folder($path) {
+-		$this->eventSource->send('folder', $path);
+-	}
+-
+ 	public function file() {
+ 		$this->fileCount++;
+ 		if ($this->fileCount > $this->lastCount + 20) { //send a count update every 20 files
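Review bot: The patch deletes `ScanListener::folder()` but keeps the registration that targets it, `$scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', array($listener, 'folder'));`, while removing the `scanFile` registration that feeds `file()`. As patched, every scanFolder event is dispatched to a method that no longer exists (presumably a callback warning or fatal, depending on how `listen` invokes it — not visible here) and the per-20-files count updates are never wired, so progress reporting stops even though the path leak is closed. If the intent is to stop emitting paths while keeping counts, the line to drop is the `scanFolder` one and `$scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', array($listener, 'file'));` should stay; please confirm against the upstream commit named in the Origin header before this goes into the package. Both the `foreach` and the `ScanListener` class continue outside the hunk.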
diff --git a/debian/patches/0013-Do-not-print-exception-message.patch b/debian/patches/0013-Do-not-print-exception-message.patch
new file mode 100644
index 0000000..b692dd3
--- /dev/null
+++ b/debian/patches/0013-Do-not-print-exception-message.patch
@@ -0,0 +1,40 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Sun, 25 Oct 2015 19:05:28 +0100
+Subject: Do not print exception message
+
+Origin: upstream, https://github.com/owncloud/core/commit/6897cbebc05fb4daa6b81daaac9b181120fcf529
+---
+ core/avatar/controller.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/core/avatar/controller.php b/core/avatar/controller.php
+index ca055f5..6076084 100644
+--- a/core/avatar/controller.php
++++ b/core/avatar/controller.php
+@@ -92,7 +92,7 @@ class Controller {
+ 				}
+ 			}
+ 		} catch (\Exception $e) {
+-			\OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++			\OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin." )));
+ 		}
+ 	}
+ 
+@@ -107,7 +107,7 @@ class Controller {
+ 			$avatar->remove();
+ 			\OC_JSON::success();
+ 		} catch (\Exception $e) {
+-			\OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++			\OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin.") ));
+ 		}
+ 	}
+ 
+@@ -158,7 +158,7 @@ class Controller {
+ 			\OC\Cache::remove('tmpavatar');
+ 			\OC_JSON::success();
+ 		} catch (\Exception $e) {
+-			\OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++			\OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin.") ));
+ 		}
+ 	}
+ }
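Review bot: Replacing `$e->getMessage()` with the fixed string in all three catch blocks discards the exception detail entirely — nothing in the hunk logs it, so the administrator the user is told to contact has no record of what failed. Keep the generic client-facing response but record the original first, e.g. `\OCP\Util::writeLog('core', $e->getMessage(), \OCP\Util::ERROR);` on the line before each `\OC_JSON::error(...)`. The new message is also a bare literal; if the controller has an `$l` translator in scope (not visible in the hunk), it should go through `$l->t(...)` like other user-facing strings. The three replacement lines differ only in whitespace around the closing parentheses (`." )))` vs `.") ))`); making them identical keeps future greps and backports simpler.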
diff --git a/debian/patches/series b/debian/patches/series
index 6cd84a2..9f6c54b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,5 @@ path/0008-Adapt-google-api-php-client-path.patch
 path/0009-Adapt-Dropbox-path.patch
 0010-Replace-_method-requirement-by-g-s-etMethods.patch
 0011-check-if-the-user-is-trying-to-scan-a-valid-path.patch
+0012-Dont-output-paths-in-scan.php.patch
+0013-Do-not-print-exception-message.patch
