[Pkg-owncloud-commits] [php-sabredav] 10/29: Fix insecure default ACL rule.
David Prévot
taffit at moszumanska.debian.org
Fri Jul 8 00:24:02 UTC 2016
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch master
in repository php-sabredav.
commit 7bca1f252c6bd6edfc9279371c369e4aec704f63
Author: Evert Pot <me at evertpot.com>
Date: Sat May 21 01:29:29 2016 -0400
Fix insecure default ACL rule.
---
CHANGELOG.md | 11 +++++++++++
lib/DAV/Version.php | 2 +-
lib/DAVACL/Plugin.php | 5 -----
3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0796509..6212ec6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,12 +1,23 @@
ChangeLog
=========
+3.2.0-beta2 (????-??-??)
+------------------------
+
+* The default ACL rules allow an unauthenticated user to read information
+ about nodes that don't have their own ACL defined. This was a security
+ problem.
+
+
3.2.0-beta1 (2016-05-20)
------------------------
* #833: Calendars throw exceptions when the sharing plugin is not enabled.
* #834: Return vCards exactly as they were stored if we don't need to convert
in between versions.
+* The zip release ships with [sabre/vobject 4.1.0][vobj],
+ [sabre/http 4.2.1][http], [sabre/event 3.0.0][evnt],
+ [sabre/uri 1.1.0][uri] and [sabre/xml 1.4.2][xml].
3.2.0-alpha1 (2016-05-09)
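Review bot: The new 3.2.0-beta2 entry states the problem in the present tense ("The default ACL rules allow an unauthenticated user to read information about nodes that don't have their own ACL defined") and never says what changed, so a reader cannot tell from the changelog whether beta2 still has the problem. Suggest wording it as the fix: the default ACL rules no longer grant {DAV:}read to {DAV:}unauthenticated. It should also say that nodes without their own ACL are no longer readable anonymously, so operators who relied on that know to define an explicit ACL. The "zip release ships with" lines added under 3.2.0-beta1 are unrelated to the security fix and would be easier to audit and backport as a separate commit.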
diff --git a/lib/DAV/Version.php b/lib/DAV/Version.php
index 5430b96..d63c4b7 100644
--- a/lib/DAV/Version.php
+++ b/lib/DAV/Version.php
@@ -14,6 +14,6 @@ class Version {
/**
* Full version number
*/
- const VERSION = '3.2.0-beta1';
+ const VERSION = '3.2.0-beta2';
}
diff --git a/lib/DAVACL/Plugin.php b/lib/DAVACL/Plugin.php
index 59a7b09..8e91230 100644
--- a/lib/DAVACL/Plugin.php
+++ b/lib/DAVACL/Plugin.php
@@ -307,11 +307,6 @@ class Plugin extends DAV\ServerPlugin {
'protected' => true,
'privilege' => '{DAV:}all',
],
- [
- 'principal' => '{DAV:}unauthenticated',
- 'protected' => true,
- 'privilege' => '{DAV:}read',
- ],
];
/**
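Review bot: The removal of the {DAV:}unauthenticated / {DAV:}read entry from the default rules lands without a test: the diffstat lists only CHANGELOG.md, lib/DAV/Version.php and lib/DAVACL/Plugin.php. Suggest adding a regression test asserting that an unauthenticated request for a node without its own ACL is denied read, so the rule cannot be reintroduced unnoticed. Both the removed entry and the remaining {DAV:}all entry are marked 'protected' => true, so it is also worth checking in review that nothing else depended on the removed entry being present in this list.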
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-php/php-sabredav.git