[Pkg-owncloud-commits] [owncloud] 01/02: Backport security fixes from 7.0.12, 8.0.10, and 8.0.9
David Prévot
taffit at moszumanska.debian.org
Wed Jan 6 21:29:13 UTC 2016
taffit pushed a commit to branch jessie
in repository owncloud.
commit 3ccc1369de9c42517f8e77e92c0fd791cbc1e80b
Author: David Prévot <taffit at debian.org>
Date: Tue Jan 5 22:22:30 2016 -0400
Backport security fixes from 7.0.12, 8.0.10, and 8.0.9
- Reflected XSS in OCS provider discovery
[oc-sa-2016-001] [CVE-2016-1498]
- Disclosure of files that begin with ".v" due to unchecked return
value [oc-sa-2016-003] [CVE-2016-1500]
- Information Exposure Through Directory Listing in the file scanner
[oc-sa-2016-002] [CVE-2016-1499]
- Full installation path disclosure through error message
[oc-sa-2016-004] [CVE-2016-1501]
Git-Dch: Full
---
.../0027-Use-XMLWriter-to-generate-response.patch | 62 ++++++++++++++++++++++
...le-non-existing-files-in-version-previews.patch | 39 ++++++++++++++
.../0029-Dont-output-paths-in-scan.php.patch | 35 ++++++++++++
.../0030-Do-not-print-exception-message.patch | 40 ++++++++++++++
debian/patches/series | 4 ++
5 files changed, 180 insertions(+)
diff --git a/debian/patches/0027-Use-XMLWriter-to-generate-response.patch b/debian/patches/0027-Use-XMLWriter-to-generate-response.patch
new file mode 100644
index 0000000..c022c44
--- /dev/null
+++ b/debian/patches/0027-Use-XMLWriter-to-generate-response.patch
@@ -0,0 +1,62 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Mon, 30 Nov 2015 15:40:10 +0100
+Subject: Use XMLWriter to generate response
+
+Gets rid of manual XML generation.
+
+Origin: upstream, https://github.com/owncloud/core/commit/85e068a723c09d0f01ab3e10aa6a3f6a8c4c3227
+---
+ ocs/providers.php | 43 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/ocs/providers.php b/ocs/providers.php
+index 2c62f76..769d210 100644
+--- a/ocs/providers.php
++++ b/ocs/providers.php
+@@ -27,20 +27,29 @@ header('Content-type: application/xml');
+
+ $url=OCP\Util::getServerProtocol().'://'.substr(OCP\Util::getServerHost().OCP\Util::getRequestUri(), 0, -17).'ocs/v1.php/';
+
+-echo('
+-<providers>
+-<provider>
+- <id>ownCloud</id>
+- <location>'.$url.'</location>
+- <name>ownCloud</name>
+- <icon></icon>
+- <termsofuse></termsofuse>
+- <register></register>
+- <services>
+- <config ocsversion="1.7" />
+- <activity ocsversion="1.7" />
+- <cloud ocsversion="1.7" />
+- </services>
+-</provider>
+-</providers>
+-');
++$writer = new XMLWriter();
++$writer->openURI('php://output');
++$writer->startDocument('1.0','UTF-8');
++$writer->setIndent(4);
++$writer->startElement('providers');
++$writer->startElement('provider');
++$writer->writeElement('id', 'ownCloud');
++$writer->writeElement('location', $url);
++$writer->writeElement('name', 'ownCloud');
++$writer->writeElement('icon', '');
++$writer->writeElement('termsofuse', '');
++$writer->writeElement('register', '');
++$writer->startElement('services');
++$writer->startElement('config');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->startElement('activity');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->startElement('cloud');
++$writer->writeAttribute('ocsversion', '1.7');
++$writer->endElement();
++$writer->endElement();
++$writer->endElement();
++$writer->endDocument();
++$writer->flush();
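Review bot: `$writer->setIndent(4)` on the new side passes an int where XMLWriter::setIndent() takes a bool; it only works because 4 is truthy, and a reader will expect a four-space indent that this call does not configure — write `$writer->setIndent(true);` and, if a specific indent is wanted, `$writer->setIndentString('    ');`. The reflected `$url` now goes through writeElement(), which escapes it, which is what closes the XSS; the value itself is still built from the request host and URI on the context line above with a bare `substr(..., 0, -17)`, and that magic offset deserves a comment such as `// presumably strips the trailing 'ocs/providers.php' from the request URI` — hedged, since the routing that reaches this script is outside the hunk.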
diff --git a/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch b/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch
new file mode 100644
index 0000000..ec6da15
--- /dev/null
+++ b/debian/patches/0028-Handle-non-existing-files-in-version-previews.patch
@@ -0,0 +1,39 @@
+From: Robin Appelman <icewind at owncloud.com>
+Date: Mon, 14 Dec 2015 15:59:36 +0100
+Subject: Handle non existing files in version previews
+
+Origin: upstream, https://github.com/owncloud/core/commit/f746100e13dcadf8a2b6d311422a1c66c959565c
+---
+ apps/files_versions/ajax/preview.php | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/apps/files_versions/ajax/preview.php b/apps/files_versions/ajax/preview.php
+index bd9b736..1056169 100644
+--- a/apps/files_versions/ajax/preview.php
++++ b/apps/files_versions/ajax/preview.php
+@@ -31,14 +31,18 @@ if($maxX === 0 || $maxY === 0) {
+
+ try {
+ list($user, $file) = \OCA\Files_Versions\Storage::getUidAndFilename($file);
+- $preview = new \OC\Preview($user, 'files_versions', $file.'.v'.$version);
+- $mimetype = \OC_Helper::getFileNameMimeType($file);
+- $preview->setMimetype($mimetype);
+- $preview->setMaxX($maxX);
+- $preview->setMaxY($maxY);
+- $preview->setScalingUp($scalingUp);
++ if (is_null($file)) {
++ \OC_Response::setStatus(404);
++ } else {
++ $preview = new \OC\Preview($user, 'files_versions', $file . '.v' . $version);
++ $mimetype = \OC_Helper::getFileNameMimeType($file);
++ $preview->setMimetype($mimetype);
++ $preview->setMaxX($maxX);
++ $preview->setMaxY($maxY);
++ $preview->setScalingUp($scalingUp);
+
+- $preview->showPreview();
++ $preview->showPreview();
++ }
+ }catch(\Exception $e) {
+ \OC_Response::setStatus(500);
+ \OC_Log::write('core', $e->getmessage(), \OC_Log::DEBUG);
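Review bot: The new guard checks only `$file`, while `$user`, the other half of the same list() assignment, is passed unchecked to the Preview constructor on the next line; if getUidAndFilename() can return null for both, `if (is_null($file) || is_null($user))` is the safer condition — hedged, since that helper is outside the hunk. `$version` is still concatenated into the storage path as-is; it is assigned above the hunk, so confirm there that it is constrained to a numeric value before it reaches this line. A short comment on the 404 branch, `// version file no longer exists; reply with an empty 404 rather than a preview of an arbitrary .v file`, would document why the branch sends no body.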
diff --git a/debian/patches/0029-Dont-output-paths-in-scan.php.patch b/debian/patches/0029-Dont-output-paths-in-scan.php.patch
new file mode 100644
index 0000000..572d3c3
--- /dev/null
+++ b/debian/patches/0029-Dont-output-paths-in-scan.php.patch
@@ -0,0 +1,35 @@
+From: Robin Appelman <icewind at owncloud.com>
+Date: Wed, 25 Nov 2015 15:21:01 +0100
+Subject: Dont output paths in scan.php
+
+Origin: backport, https://github.com/owncloud/core/commit/fab59179f1661da4862336fb8ea450c80def26d4
+---
+ apps/files/ajax/scan.php | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/apps/files/ajax/scan.php b/apps/files/ajax/scan.php
+index d5d8848..e6cad5e 100644
+--- a/apps/files/ajax/scan.php
++++ b/apps/files/ajax/scan.php
+@@ -21,7 +21,6 @@ $listener = new ScanListener($eventSource);
+ foreach ($users as $user) {
+ $eventSource->send('user', $user);
+ $scanner = new \OC\Files\Utils\Scanner($user);
+- $scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', array($listener, 'file'));
+ $scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', array($listener, 'folder'));
+ if ($force) {
+ $scanner->scan($dir);
+@@ -50,13 +49,6 @@ class ScanListener {
+ $this->eventSource = $eventSource;
+ }
+
+- /**
+- * @param string $path
+- */
+- public function folder($path) {
+- $this->eventSource->send('folder', $path);
+- }
+-
+ public function file() {
+ $this->fileCount++;
+ if ($this->fileCount > $this->lastCount + 20) { //send a count update every 20 files
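Review bot: The two hunks of this patch look inverted relative to each other: the first removes the `scanFile` → `file` registration and keeps the `scanFolder` → `folder` one, while the second removes the `folder()` method and keeps `file()`, so the surviving registration now points at a method that no longer exists and the count updates in `file()` are never triggered. If listen() enforces a callable argument this fails at registration time; otherwise it surfaces when the first folder is scanned — either way the visible lines do not agree. The intent of "don't output paths" is met by dropping the `scanFolder` line instead, i.e. keep `$scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', array($listener, 'file'));` and remove `$scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', array($listener, 'folder'));`, with the `folder()` removal kept as-is. The rest of ScanListener is outside the hunk, so confirm nothing else calls folder().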
diff --git a/debian/patches/0030-Do-not-print-exception-message.patch b/debian/patches/0030-Do-not-print-exception-message.patch
new file mode 100644
index 0000000..b692dd3
--- /dev/null
+++ b/debian/patches/0030-Do-not-print-exception-message.patch
@@ -0,0 +1,40 @@
+From: Lukas Reschke <lukas at owncloud.com>
+Date: Sun, 25 Oct 2015 19:05:28 +0100
+Subject: Do not print exception message
+
+Origin: upstream, https://github.com/owncloud/core/commit/6897cbebc05fb4daa6b81daaac9b181120fcf529
+---
+ core/avatar/controller.php | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/core/avatar/controller.php b/core/avatar/controller.php
+index ca055f5..6076084 100644
+--- a/core/avatar/controller.php
++++ b/core/avatar/controller.php
+@@ -92,7 +92,7 @@ class Controller {
+ }
+ }
+ } catch (\Exception $e) {
+- \OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++ \OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin." )));
+ }
+ }
+
+@@ -107,7 +107,7 @@ class Controller {
+ $avatar->remove();
+ \OC_JSON::success();
+ } catch (\Exception $e) {
+- \OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++ \OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin.") ));
+ }
+ }
+
+@@ -158,7 +158,7 @@ class Controller {
+ \OC\Cache::remove('tmpavatar');
+ \OC_JSON::success();
+ } catch (\Exception $e) {
+- \OC_JSON::error(array("data" => array("message" => $e->getMessage()) ));
++ \OC_JSON::error(array("data" => array("message" => "An error occurred. Please contact your admin.") ));
+ }
+ }
+ }
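Review bot: Replacing `$e->getMessage()` with the generic string discards the exception entirely in all three catch blocks (this hunk and the ones at lines 210 and 219): the message is no longer sent to the client, but it is not logged either, so an operator has nothing to debug with. Add a server-side log line before each error response, e.g. `\OC_Log::write('core', $e->getMessage(), \OC_Log::ERROR);`, keeping the user-facing text generic. The same literal is also repeated three times; a single class constant or a small private helper that logs and emits the error would keep the three sites from drifting.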
diff --git a/debian/patches/series b/debian/patches/series
index 561ad88..618364d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,7 @@ path/0009-Adapt-Dropbox-path.patch
0024-Verify-if-path-exists.patch
0025-Verify-if-path-exists-before-processing.patch
0026-Prevent-objectstore-being-set-from-client-side.patch
+0027-Use-XMLWriter-to-generate-response.patch
+0028-Handle-non-existing-files-in-version-previews.patch
+0029-Dont-output-paths-in-scan.php.patch
+0030-Do-not-print-exception-message.patch