Your message dated Mon, 23 Jan 2017 22:48:45 +0000 with message-id <[email protected]> and subject line Bug#703342: fixed in davical 1.1.5-1 has caused the Debian Bug report #703342, regarding davical: some fopens might fail due to tightened PHP settings and this is not handled to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 703342: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703342 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: davical Version: 1.1.1-1 Severity: normal Tags: patch upstream Hi. I stumbled over some further minor problems with fopens, because I have hardened my php.ini as far as possible (more or less). Especially the use of open_basedir and allow_url_fopen is quite common to my knowledge. The davical source code has the following occurances of fopen(): 1) htdocs/setup.php: $version_file = @fopen($url, 'r'); This is the most visible one and actually the reason why I stumbled over all this. When allow_url_fopen = Off then the check for the current version in setup.php will fail more or less ungracefully. Attached is a patch to improve this. 2) htdocs/caldav.php: $fh = @fopen($matches[1],'r'); See also #703294, where I suggest to remove that code section alltogether for security reasons. But apart from that... no handling for open_basedir... and the users would need to add at least their DOCUMENT_ROOT to open_basedir... but this is even too lax... they should rather add DOCUMENT_ROOT/<path(s) where the served files are> instead of the _whole_ DOCUMENT_ROOT. 3) inc/caldav-PUT-vcalendar.php: $fh = fopen('/tmp/PUT.txt','w'); inc/CalDAVRequest.php: $fh = fopen('/tmp/encoded_data.'.$encoding,'w'); inc/caldav-REPORT.php: $fh = fopen('/tmp/REPORT.txt','w'); inc/caldav-PUT-default.php: $fh = fopen('/tmp/PUT.txt','w'); inc/caldav-MOVE.php: $fh = fopen('/tmp/MOVE.txt','w'); inc/caldav-POST.php: $fh = fopen('/tmp/POST.txt','w'); inc/caldav-ACL.php: $fh = fopen('/tmp/MOVE.txt','w'); inc/caldav-PUT-vcard.php: $fh = fopen('/tmp/PUT.txt','w'); inc/caldav-PUT-functions.php: $fh = fopen('/tmp/PUT-2.txt','w'); /tmp might be forbidden by open_basedir Nevertheless... that isn't used by default (and it even checks for open_basedir) and the option to enable it is not even documented, AFAIK. So that should be OK... but if that was ever made "public" to the end users, on should add information that the need to add /tmp to open_basedir... or even better write it to /var/log/davical/debug or so (a patch for this would be attached). 4) inc/log_caldav_action.php: $logfile = fopen( $c->action_log_name, "a+" ); AFAICS, this is neither documented nor used anywhere by default. So that seems to be fine But analogous to (3)... if that should ever be made public... it shoudl be added to the docs that open_basedir must be set. There is no check on open_basedir... so write would fail ungracefully. Cheers, Chris.Index: davical/inc/CalDAVRequest.php =================================================================== --- davical.orig/inc/CalDAVRequest.php 2012-07-08 14:53:01.000000000 +0200 +++ davical/inc/CalDAVRequest.php 2013-03-18 17:49:30.327718315 +0100 @@ -183,7 +183,7 @@ @dbg_error_log('caldav', 'Content-Encoding: %s', $encoding ); $encoding = preg_replace('{[^a-z0-9-]}i','',$encoding); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || isset($c->dbg['caldav'])) ) { - $fh = fopen('/tmp/encoded_data.'.$encoding,'w'); + $fh = fopen('/var/log/davical/debug/encoded_data.'.$encoding,'w'); if ( $fh ) { fwrite($fh,$c->raw_post); fclose($fh); Index: davical/inc/caldav-ACL.php =================================================================== --- davical.orig/inc/caldav-ACL.php 2012-05-19 09:00:53.000000000 +0200 +++ davical/inc/caldav-ACL.php 2013-03-18 17:49:58.759179104 +0100 @@ -15,7 +15,7 @@ $request->NeedPrivilege('DAV::write-acl'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) { - $fh = fopen('/tmp/MOVE.txt','w'); + $fh = fopen('/var/log/davical/debug/MOVE.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-MOVE.php =================================================================== --- davical.orig/inc/caldav-MOVE.php 2011-11-22 11:45:19.000000000 +0100 +++ davical/inc/caldav-MOVE.php 2013-03-18 17:49:48.863366780 +0100 @@ -15,7 +15,7 @@ $request->NeedPrivilege('DAV::unbind'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['move']) && $c->dbg['move'])) ) { - $fh = fopen('/tmp/MOVE.txt','w'); + $fh = fopen('/var/log/davical/debug/MOVE.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-POST.php =================================================================== --- davical.orig/inc/caldav-POST.php 2012-03-19 03:09:50.000000000 +0100 +++ davical/inc/caldav-POST.php 2013-03-18 17:49:53.331282045 +0100 @@ -16,7 +16,7 @@ include_once('iSchedule.php'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || isset($c->dbg['post'])) ) { - $fh = fopen('/tmp/POST.txt','w'); + $fh = fopen('/var/log/davical/debug/POST.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-PUT-default.php =================================================================== --- davical.orig/inc/caldav-PUT-default.php 2012-04-04 04:36:07.000000000 +0200 +++ davical/inc/caldav-PUT-default.php 2013-03-18 17:49:43.499468509 +0100 @@ -13,7 +13,7 @@ require_once('DAVResource.php'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) { - $fh = fopen('/tmp/PUT.txt','w'); + $fh = fopen('/var/log/davical/debug/PUT.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-PUT-functions.php =================================================================== --- davical.orig/inc/caldav-PUT-functions.php 2012-06-30 02:48:19.000000000 +0200 +++ davical/inc/caldav-PUT-functions.php 2013-03-18 17:50:10.950947882 +0100 @@ -647,7 +647,7 @@ global $c; if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || isset($c->dbg['put'])) ) { - $fh = fopen('/tmp/PUT-2.txt','w'); + $fh = fopen('/var/log/davical/debug/PUT-2.txt','w'); if ( $fh ) { fwrite($fh,$import_content); fclose($fh); Index: davical/inc/caldav-PUT-vcalendar.php =================================================================== --- davical.orig/inc/caldav-PUT-vcalendar.php 2012-04-04 04:35:25.000000000 +0200 +++ davical/inc/caldav-PUT-vcalendar.php 2013-03-18 17:49:20.803898938 +0100 @@ -45,7 +45,7 @@ } if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) { - $fh = fopen('/tmp/PUT.txt','w'); + $fh = fopen('/var/log/davical/debug/PUT.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-PUT-vcard.php =================================================================== --- davical.orig/inc/caldav-PUT-vcard.php 2012-04-30 03:27:34.000000000 +0200 +++ davical/inc/caldav-PUT-vcard.php 2013-03-18 17:50:04.795064631 +0100 @@ -13,7 +13,7 @@ require_once('DAVResource.php'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) { - $fh = fopen('/tmp/PUT.txt','w'); + $fh = fopen('/var/log/davical/debug/PUT.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh); Index: davical/inc/caldav-REPORT.php =================================================================== --- davical.orig/inc/caldav-REPORT.php 2012-07-08 13:38:51.000000000 +0200 +++ davical/inc/caldav-REPORT.php 2013-03-18 17:49:37.287586320 +0100 @@ -16,7 +16,7 @@ require_once('RRule-v2.php'); if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['report']) && $c->dbg['report'])) ) { - $fh = fopen('/tmp/REPORT.txt','w'); + $fh = fopen('/var/log/davical/debug/REPORT.txt','w'); if ( $fh ) { fwrite($fh,$request->raw_post); fclose($fh);--- davical.orig/htdocs/setup.php 2013-03-18 17:30:17.889574716 +0100 +++ davical/htdocs/setup.php 2013-03-18 17:41:29.416838960 +0100 @@ -249,6 +249,8 @@ function check_davical_version() { global $c; + if ( ! ini_get('allow_url_fopen') ) + return new CheckResult( false, translate("Cannot determine upstream version, because PHP has set “<a href=\"http://php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen\";><code>allow_url_fopen</code></a>” to “<code>FALSE</code>”."), 'dep_warning' ); $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string; $version_file = @fopen($url, 'r'); if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
--- End Message ---
--- Begin Message ---Source: davical Source-Version: 1.1.5-1 We believe that the bug you reported is fixed in the latest version of davical, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Florian Schlichting <[email protected]> (supplier of updated davical package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 23 Jan 2017 23:04:30 +0100 Source: davical Binary: davical davical-doc Architecture: source all Version: 1.1.5-1 Distribution: unstable Urgency: medium Maintainer: Davical Development Team <[email protected]> Changed-By: Florian Schlichting <[email protected]> Description: davical - PHP CalDAV and CardDAV Server davical-doc - PHP CalDAV and CardDAV Server - technical documentation Closes: 703130 703138 703342 Changes: davical (1.1.5-1) unstable; urgency=medium . * New upstream release (closes: #703130, #703138, #703342) * Separate rebuild-translations and building locale/*po files. This should make davical builds reproducible. * Ship davical-cli in /usr/share/davical/scripts * Use secure URIs where possible * Bump years on debian/copyright * Bump dependency on libawl-php to 0.57 * Make extra sure that the orig-source tarball does not contain any cruft * Install example configs as /etc/davical/config.php and /etc/apache2/sites-available/davical.conf * Use jdupes to remove duplicate files in davical-doc * Mark davical-doc "Multi-Arch: foreign" as suggested by the Multiarch hinter * Override erroneous lintian errors Checksums-Sha1: 8b5b2c09463120f0cc6e67cde6aabd73d9500a19 2076 davical_1.1.5-1.dsc 357706817c857d8ab8216254a5458e1535d775b1 1319316 davical_1.1.5.orig.tar.xz 98c6fe7cc17ad13cdb057f06fb6398fd99999f55 12228 davical_1.1.5-1.debian.tar.xz 0adbfe2750ba72858bdd3577f8db92e2978ce8ff 1169006 davical-doc_1.1.5-1_all.deb f94ce532b5144edd8a43f36789727247aef44ff9 391924 davical_1.1.5-1_all.deb b106541b44efd8cfd39a06829c5e93b7dce76ad3 6553 davical_1.1.5-1_amd64.buildinfo Checksums-Sha256: d120f820b24c301f20456aeb276d7d3e3fec39ddf1dfb88d19bb4655ff402d61 2076 davical_1.1.5-1.dsc 667583fb345612b8c9bd67ebfc1ef5e154fb5494a75d67ec347842c1257f238f 1319316 davical_1.1.5.orig.tar.xz 02f70ee7d7e4409c82743551697f0995f1eaa346c1845b3d80bf38ce3b2ca840 12228 davical_1.1.5-1.debian.tar.xz 3559accddbc9b897e9a8e4e9ba289ac08ba15eb1efa5820c2a0f912a34fc58df 1169006 davical-doc_1.1.5-1_all.deb ff3787676d329ae390cc31aff5bbdc2b3d77627807b01509c00687e1efe6ed11 391924 davical_1.1.5-1_all.deb 559fc050f77d48ebc32a46e25e99f38e06ff11dad27ad0afe7539a8a7157eb38 6553 davical_1.1.5-1_amd64.buildinfo Files: 09aa6cd95a843dceee2f77a87c338895 2076 web extra davical_1.1.5-1.dsc 7ad2418159cb205457db16326116bef0 1319316 web extra davical_1.1.5.orig.tar.xz ea1e388e5b1070920ed8eb4e5fe815a7 12228 web extra davical_1.1.5-1.debian.tar.xz c5abf739c85b93b5a421f9ffdf9d7834 1169006 doc extra davical-doc_1.1.5-1_all.deb fb76a90418d4d6603f329c349246b360 391924 web extra davical_1.1.5-1_all.deb 92480b1a93d239b1f281f0d05ba247a8 6553 web extra davical_1.1.5-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEMLI8i05qOwnqprZSEpc7bnLcB7UFAliGhOQACgkQEpc7bnLc B7XRkQ//cO06MBK7J96Dm6IkGqfgS9zYzNlEInUtC5Cbn5ikjZDTgGKDvMerpF66 J9XvYtvVVjYtPSpd/wKRVLZvzD8FqYYHAnw6WKf/FI4N5zlLeoCBh74h63wG6LEV 9TDt+35Medi4NziXOphII1Cag2L5G/kGPl5rfyh6uGO+xzVmjf36d8oTGirRNW4i NKqcig+WyxLDMgEnVjUiBCtAs6N7CuDvgQTjTn/SBqinfuQzHu8FJeSSYxbsBTXH OQWD1dJCWqVUR0RBZS2o8/xipk7bmfJroDSlvSRBcKqEeKQryWS/pAOABzQCA7Cw A7HrWPN/ft+iezR/I1LrIFXgAbDYE1F2Hf5NYJxSC7ZYQqkDWf4hbcSBpsCZMIrh /U6hTJxb5T/yKwQ/sU5hlw25KBrYNOmBLDAbRvF2NN3VN9YbVjyzq9ataPG2/HkM z0bpzEdzW3qW6LGguzl54wVHiV54/sS1tx5pNxQNyemhtNgGdkkrIo5ClPOzZpJD F1xjB+xrCqgFIJScEqClULUX2Rg3o+GcVva3BtsJP12r5BOOLJBhmRFK3KJz2j66 dNPvzfvK64fIi/kTt29hgvb7IinEYhaI9qtQL7t4fxYJV8ahKpnR+oqi16c3buvF 7aBxrBGNHBS6uhD93Di1pPrXIzYRjVpGCKAWl6bVTgO/WVcDMAY= =WhGp -----END PGP SIGNATURE-----
--- End Message ---
