commit: 2ad56745900b2993f9f0c0ebdc55fa64933f4599 |
Author: Bernard Cafarelli <voyageur <AT> gentoo <DOT> org> |
AuthorDate: Fri Jun 4 07:40:47 2021 +0000 |
Commit: Bernard Cafarelli <voyageur <AT> gentoo <DOT> org> |
CommitDate: Fri Jun 4 09:28:38 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ad56745 |
|
www-apps/owncloud: 10.7.0 bump, with security fix backport |
|
Add https://github.com/owncloud/core/pull/38689 that fixes sensitive |
exception data exposure |
|
Bug: https://bugs.gentoo.org/794091 |
Package-Manager: Portage-3.0.19, Repoman-3.0.3 |
Signed-off-by: Bernard Cafarelli <voyageur <AT> gentoo.org> |
|
www-apps/owncloud/Manifest | 1 + |
.../owncloud-10.7.0-share_data_exposure.patch | 78 ++++++++++++++++++++++ |
www-apps/owncloud/owncloud-10.7.0.ebuild | 49 ++++++++++++++ |
3 files changed, 128 insertions(+) |
|
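--- a/www-apps/owncloud/Manifest
+++ b/www-apps/owncloud/Manifest
@@ -1,2 +1,3 @@
 DIST owncloud-10.5.0.tar.bz2 23471398 BLAKE2B 6566df51474a22d36da868ab45a7cb679528aecc9a95e0ad20f06adda587563e16c98ee1e942a5fef62e633b132469a6a775d5893754f553aea8a33043daafc3 SHA512 b77183146ee27c97a7f472e1debaec6f5dad168f204a243a65f431cade28ed0551d0db88ff799776bfd26db60357a2216a35cd1b4af6e7e98fc933f325e4336c
 DIST owncloud-10.6.0.tar.bz2 24569416 BLAKE2B f20890262551f2996d39566f63f79439921f41bfa3a82cecc5fdf771be93e403f5a273e76498421ec7e29a03f00326844003c3adb3f927f2c1c8fc82c26c23de SHA512 ec4de23b4cd0dc08dde66802285a00c817cc8ccc79237e4ae454af5fecba102fdc892ed24e62b246deebba536728d312f43dcfea9f2f490ba8847a54ac962885
+DIST owncloud-10.7.0.tar.bz2 24129028 BLAKE2B 47ce3584f8123cc0a315c7d88847df5844c951e354fcecd7a876ca01f0fa24823a86bdd950dd885f3bbb46f60d8a39271e31d43ac6dac8f3df506d6cdc531231 SHA512 ebb636b8ffd06d4ceb1dd0d50c15ab393b8c7bf2f0e23c61ba957add6ac4d4ba4cdefb9cda2c703f337c82a295e2c40a467a602227728e9506f9a150c9f2fd3c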
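--- /dev/null
+++ b/www-apps/owncloud/files/owncloud-10.7.0-share_data_exposure.patch
@@ -0,0 +1,78 @@
+From b552f84eedb5d2a113028d7859e82352699fb427 Mon Sep 17 00:00:00 2001
+From: JanAckermann <jackermann@××××××××.com>
+Date: Tue, 4 May 2021 11:51:29 +0200
+Subject: [PATCH 1/3] Throw generic exception to overcome, senstitive exception
+ data exposure
+
+---
+ .../lib/Controllers/ShareController.php | 26 ++++++++++++-------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/apps/files_sharing/lib/Controllers/ShareController.php b/apps/files_sharing/lib/Controllers/ShareController.php
+index da9832e105b..02bd3553067 100644
+--- a/apps/files_sharing/lib/Controllers/ShareController.php
++++ b/apps/files_sharing/lib/Controllers/ShareController.php
+@@ -400,6 +400,7 @@ public function showShare($token, $path = '') {
+ * @param string $path
+ * @param string $downloadStartSecret
+ * @return NotFoundResponse|RedirectResponse|void
++ * @throws \Exception
+ */
+ public function downloadShare($token, $files = null, $path = '', $downloadStartSecret = '') {
+ \OC_User::setIncognitoMode(true);
+@@ -530,16 +531,21 @@ public function downloadShare($token, $files = null, $path = '', $downloadStartS
+ }
+
+ // download selected files
+- if ($files !== null && $files !== '') {
+- // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
+- // after dispatching the request which results in a "Cannot modify header information" notice.
+- OC_Files::get($originalSharePath, $files_list, $server_params);
+- exit();
+- } else {
+- // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
+- // after dispatching the request which results in a "Cannot modify header information" notice.
+- OC_Files::get(\dirname($originalSharePath), \basename($originalSharePath), $server_params);
+- exit();
++
++ try {
++ if ($files !== null && $files !== '') {
++ // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
++ // after dispatching the request which results in a "Cannot modify header information" notice.
++ OC_Files::get($originalSharePath, $files_list, $server_params);
++ exit();
++ } else {
++ // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
++ // after dispatching the request which results in a "Cannot modify header information" notice.
++ OC_Files::get(\dirname($originalSharePath), \basename($originalSharePath), $server_params);
++ exit();
++ }
++ } catch (\Exception $e) {
++ throw new \Exception();
+ }
+ }
+ }
+
+From a94f67a4857447e36e205043c55f29737a0bc57d Mon Sep 17 00:00:00 2001
+From: JanAckermann <jackermann@××××××××.com>
+Date: Tue, 4 May 2021 12:01:17 +0200
+Subject: [PATCH 2/3] enhanche if statement
+
+---
+ lib/private/Files/Storage/Local.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php
+index d5ae0e3794b..d499079da98 100644
+--- a/lib/private/Files/Storage/Local.php
++++ b/lib/private/Files/Storage/Local.php
+@@ -384,7 +384,7 @@ public function getSourcePath($path) {
+ }
+ $pathToResolve = $fullPath;
+ $realPath = \realpath($pathToResolve);
+- while ($realPath === false) { // for non existing files check the parent directory
++ while (!\is_string($realPath)) { // for non existing files check the parent directory
+ $pathToResolve = \dirname($pathToResolve);
+ $realPath = \realpath($pathToResolve);
+ }
+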
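Review bot: The new `catch (\Exception $e)` at the end of downloadShare drops `$e` without recording it and rethrows an empty `\Exception`, so the detail that is hidden from the client is also lost to the operator who has to diagnose a failed share download. The caught exception should be logged server-side before the generic rethrow, using whatever logger the controller already has; the start of downloadShare and the class constructor are outside the hunk, so which one is available is not visible here. The block also filters only `\Exception`: on PHP 7 an `\Error` raised under `OC_Files::get` would pass through with its original message, so `} catch (\Throwable $e) {` looks like the safer filter if the aim is that no internal detail reaches the response. Separately, the subjects read `[PATCH 1/3]` and `[PATCH 2/3]` but the file carries only two commits, so a short header comment stating why the remaining part of the upstream pull request is left out would help the next maintainer judge whether the backport is complete.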
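--- /dev/null
+++ b/www-apps/owncloud/owncloud-10.7.0.ebuild
@@ -0,0 +1,49 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit webapp
+
+DESCRIPTION="Web-based storage application where all your data is under your own control"
+HOMEPAGE="https://owncloud.org"
+SRC_URI="https://download.owncloud.org/community/${P}.tar.bz2"
+LICENSE="AGPL-3"
+
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="+curl mysql postgres +sqlite"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+DEPEND=""
+RDEPEND=">=dev-lang/php-7.0[curl?,filter,gd,hash(+),intl,json,mysql?,pdo,posix,postgres?,session,simplexml,sqlite?,xmlreader,xmlwriter,zip]
+ virtual/httpd-php"
+
+PATCHES=( "${FILESDIR}"/${P}-share_data_exposure.patch )
+
+S=${WORKDIR}/${PN}
+
+pkg_setup() {
+ webapp_pkg_setup
+}
+
+src_install() {
+ webapp_src_preinst
+
+ insinto "${MY_HTDOCSDIR}"
+ doins -r .
+ dodir "${MY_HTDOCSDIR}"/data
+
+ webapp_serverowned -R "${MY_HTDOCSDIR}"/apps
+ webapp_serverowned -R "${MY_HTDOCSDIR}"/data
+ webapp_serverowned -R "${MY_HTDOCSDIR}"/config
+ webapp_configfile "${MY_HTDOCSDIR}"/.htaccess
+
+ webapp_src_install
+}
+
+pkg_postinst() {
+ elog "Additional applications (calendar, ...) are no longer provided by default."
+ elog "You can install them after login via the applications management page"
+ elog "(check the recommended tab). No application data is lost."
+ webapp_pkg_postinst
+}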
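Review bot: `dodir "${MY_HTDOCSDIR}"/data` in src_install keeps the user data directory inside the document root, and the only access control the ebuild installs for it is the `.htaccess` registered with `webapp_configfile`. As far as I can tell `virtual/httpd-php` can be satisfied by setups whose web server does not read `.htaccess`, in which case files under data/ and config/ may be served directly; that depends on site configuration the ebuild cannot see. pkg_postinst should say so, for example `elog "If your web server ignores .htaccess, deny access to data/ and config/ in its own configuration."`. As a style point, `DEPEND=""` can be dropped, since an empty assignment adds nothing.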