
From: Bernard Cafarelli <voyageur@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: www-apps/owncloud/files/, www-apps/owncloud/
Date: Fri, 04 Jun 2021 09:28:53
Message-Id: 1622798918.2ad56745900b2993f9f0c0ebdc55fa64933f4599.voyageur@gentoo
1 commit: 2ad56745900b2993f9f0c0ebdc55fa64933f4599
2 Author: Bernard Cafarelli <voyageur <AT> gentoo <DOT> org>
3 AuthorDate: Fri Jun 4 07:40:47 2021 +0000
4 Commit: Bernard Cafarelli <voyageur <AT> gentoo <DOT> org>
5 CommitDate: Fri Jun 4 09:28:38 2021 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ad56745
7
8 www-apps/owncloud: 10.7.0 bump, with security fix backport
9
10 Add https://github.com/owncloud/core/pull/38689, which fixes exposure of
11 sensitive exception data
12
13 Bug: https://bugs.gentoo.org/794091
14 Package-Manager: Portage-3.0.19, Repoman-3.0.3
15 Signed-off-by: Bernard Cafarelli <voyageur <AT> gentoo.org>
16
17 www-apps/owncloud/Manifest | 1 +
18 .../owncloud-10.7.0-share_data_exposure.patch | 78 ++++++++++++++++++++++
19 www-apps/owncloud/owncloud-10.7.0.ebuild | 49 ++++++++++++++
20 3 files changed, 128 insertions(+)
21
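--- a/www-apps/owncloud/Manifest
+++ b/www-apps/owncloud/Manifest
@@ -1,2 +1,3 @@
 DIST owncloud-10.5.0.tar.bz2 23471398 BLAKE2B 6566df51474a22d36da868ab45a7cb679528aecc9a95e0ad20f06adda587563e16c98ee1e942a5fef62e633b132469a6a775d5893754f553aea8a33043daafc3 SHA512 b77183146ee27c97a7f472e1debaec6f5dad168f204a243a65f431cade28ed0551d0db88ff799776bfd26db60357a2216a35cd1b4af6e7e98fc933f325e4336c
 DIST owncloud-10.6.0.tar.bz2 24569416 BLAKE2B f20890262551f2996d39566f63f79439921f41bfa3a82cecc5fdf771be93e403f5a273e76498421ec7e29a03f00326844003c3adb3f927f2c1c8fc82c26c23de SHA512 ec4de23b4cd0dc08dde66802285a00c817cc8ccc79237e4ae454af5fecba102fdc892ed24e62b246deebba536728d312f43dcfea9f2f490ba8847a54ac962885
+DIST owncloud-10.7.0.tar.bz2 24129028 BLAKE2B 47ce3584f8123cc0a315c7d88847df5844c951e354fcecd7a876ca01f0fa24823a86bdd950dd885f3bbb46f60d8a39271e31d43ac6dac8f3df506d6cdc531231 SHA512 ebb636b8ffd06d4ceb1dd0d50c15ab393b8c7bf2f0e23c61ba957add6ac4d4ba4cdefb9cda2c703f337c82a295e2c40a467a602227728e9506f9a150c9f2fd3c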
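--- /dev/null
+++ b/www-apps/owncloud/files/owncloud-10.7.0-share_data_exposure.patch
@@ -0,0 +1,78 @@
+From b552f84eedb5d2a113028d7859e82352699fb427 Mon Sep 17 00:00:00 2001
+From: JanAckermann <jackermann@××××××××.com>
+Date: Tue, 4 May 2021 11:51:29 +0200
+Subject: [PATCH 1/3] Throw generic exception to overcome, senstitive exception
+ data exposure
+
+---
+ .../lib/Controllers/ShareController.php | 26 ++++++++++++-------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/apps/files_sharing/lib/Controllers/ShareController.php b/apps/files_sharing/lib/Controllers/ShareController.php
+index da9832e105b..02bd3553067 100644
+--- a/apps/files_sharing/lib/Controllers/ShareController.php
++++ b/apps/files_sharing/lib/Controllers/ShareController.php
+@@ -400,6 +400,7 @@ public function showShare($token, $path = '') {
+ * @param string $path
+ * @param string $downloadStartSecret
+ * @return NotFoundResponse|RedirectResponse|void
++ * @throws \Exception
+ */
+ public function downloadShare($token, $files = null, $path = '', $downloadStartSecret = '') {
+ \OC_User::setIncognitoMode(true);
+@@ -530,16 +531,21 @@ public function downloadShare($token, $files = null, $path = '', $downloadStartS
+ }
+
+ // download selected files
+- if ($files !== null && $files !== '') {
+- // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
+- // after dispatching the request which results in a "Cannot modify header information" notice.
+- OC_Files::get($originalSharePath, $files_list, $server_params);
+- exit();
+- } else {
+- // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
+- // after dispatching the request which results in a "Cannot modify header information" notice.
+- OC_Files::get(\dirname($originalSharePath), \basename($originalSharePath), $server_params);
+- exit();
++
++ try {
++ if ($files !== null && $files !== '') {
++ // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
++ // after dispatching the request which results in a "Cannot modify header information" notice.
++ OC_Files::get($originalSharePath, $files_list, $server_params);
++ exit();
++ } else {
++ // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
++ // after dispatching the request which results in a "Cannot modify header information" notice.
++ OC_Files::get(\dirname($originalSharePath), \basename($originalSharePath), $server_params);
++ exit();
++ }
++ } catch (\Exception $e) {
++ throw new \Exception();
+ }
+ }
+ }
+
+From a94f67a4857447e36e205043c55f29737a0bc57d Mon Sep 17 00:00:00 2001
+From: JanAckermann <jackermann@××××××××.com>
+Date: Tue, 4 May 2021 12:01:17 +0200
+Subject: [PATCH 2/3] enhanche if statement
+
+---
+ lib/private/Files/Storage/Local.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php
+index d5ae0e3794b..d499079da98 100644
+--- a/lib/private/Files/Storage/Local.php
++++ b/lib/private/Files/Storage/Local.php
+@@ -384,7 +384,7 @@ public function getSourcePath($path) {
+ }
+ $pathToResolve = $fullPath;
+ $realPath = \realpath($pathToResolve);
+- while ($realPath === false) { // for non existing files check the parent directory
++ while (!\is_string($realPath)) { // for non existing files check the parent directory
+ $pathToResolve = \dirname($pathToResolve);
+ $realPath = \realpath($pathToResolve);
+ }
+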
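Review bot: The `catch (\Exception $e) { throw new \Exception(); }` added around the two `OC_Files::get()` calls in downloadShare drops the original exception without recording it, so the detail that is now withheld from the client is also lost to an administrator investigating a failed download. Logging `$e` server-side before the rethrow would keep both the fix and the diagnostics; which logger the controller has available is not visible in this hunk. The clause also covers only `\Exception`: the ebuild allows PHP 7, where an `\Error` (for example a `TypeError`) raised inside the `try` is not converted to the generic exception, and `catch (\Throwable $e)` would close that gap. Since this file is a backport, such changes belong upstream first; downloadShare's body starts outside the hunk.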
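--- /dev/null
+++ b/www-apps/owncloud/owncloud-10.7.0.ebuild
@@ -0,0 +1,49 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit webapp
+
+DESCRIPTION="Web-based storage application where all your data is under your own control"
+HOMEPAGE="https://owncloud.org"
+SRC_URI="https://download.owncloud.org/community/${P}.tar.bz2"
+LICENSE="AGPL-3"
+
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="+curl mysql postgres +sqlite"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+DEPEND=""
+RDEPEND=">=dev-lang/php-7.0[curl?,filter,gd,hash(+),intl,json,mysql?,pdo,posix,postgres?,session,simplexml,sqlite?,xmlreader,xmlwriter,zip]
+ virtual/httpd-php"
+
+PATCHES=( "${FILESDIR}"/${P}-share_data_exposure.patch )
+
+S=${WORKDIR}/${PN}
+
+pkg_setup() {
+ webapp_pkg_setup
+}
+
+src_install() {
+ webapp_src_preinst
+
+ insinto "${MY_HTDOCSDIR}"
+ doins -r .
+ dodir "${MY_HTDOCSDIR}"/data
+
+ webapp_serverowned -R "${MY_HTDOCSDIR}"/apps
+ webapp_serverowned -R "${MY_HTDOCSDIR}"/data
+ webapp_serverowned -R "${MY_HTDOCSDIR}"/config
+ webapp_configfile "${MY_HTDOCSDIR}"/.htaccess
+
+ webapp_src_install
+}
+
+pkg_postinst() {
+ elog "Additional applications (calendar, ...) are no longer provided by default."
+ elog "You can install them after login via the applications management page"
+ elog "(check the recommended tab). No application data is lost."
+ webapp_pkg_postinst
+}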
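Review bot: The `PATCHES=( "${FILESDIR}"/${P}-share_data_exposure.patch )` line has no comment saying where the security patch comes from or when it can be dropped; that information exists only in the commit message. A comment above it such as `# Backport of https://github.com/owncloud/core/pull/38689 (bug #794091); drop with the first release that includes it` would let the next version bump settle the question quickly. The patch file's own headers read `[PATCH 1/3]` and `[PATCH 2/3]` with no third part, so the comment could also say that the remaining commit of the upstream series was left out on purpose (presumably it does not touch shipped code; this should be confirmed against the pull request).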