Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1

2012-12-13 Thread Michael Banck
Hi,

On Wed, Dec 12, 2012 at 09:20:38PM +0100, Julien Cristau wrote:
 On Wed, Dec 12, 2012 at 19:44:38 +, Adam D. Barratt wrote:
  On Mon, 2012-12-10 at 20:14 +0100, Julien Cristau wrote:
   On Wed, Dec  5, 2012 at 22:18:54 +0100, Michael Banck wrote:

On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
 As far as I can tell this escapeHTML function is not defined in the
 current version?  Upstream git has it in core/js/js.js.

Attached is a new candidate debdiff.

   Assuming this is tested, go ahead.
  
  +Index: owncloud-4.0.4debian2/core/js/js.js
  [...]
  ++function escapeHTML(s) {
  [...]
  +Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
  [...]
  +-  span class='fc-event-title' + 
  event.title + /span +
  ++  span class='fc-event-title' + 
  htmlEscape(event.title) + /span +
  
  Should the htmlEscape() call in that last hunk be escapeHTML()?
  
 iirc fullcalendar has its own preexisting escape function, with a
 different name.

Yes:

mba@hartree:~/debian/bsp/owncloud-4.0.4debian2$ grep -r htmlEscape * | head -1
3rdparty/fullcalendar/js/fullcalendar.js:function htmlEscape(s) {
mba@hartree:~/debian/bsp/owncloud-4.0.4debian2$ 


Cheers,

Michael


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
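The escapeHTML() helper the thread is about, as an added example that is not code from the bug report or from ownCloud: the function is reconstructed from the core/js/js.js hunk with the `&`, `<` and `"` characters the list archive stripped, and the row builders, the check function and the sample file names are constructed here to show what the filelist.js hunk changes and which characters the helper leaves alone.

```javascript
// Added example, not code from the bug thread or from ownCloud itself.
// escapeHTML() is reconstructed from the 06_oc-sa-2012-001 hunk for
// core/js/js.js, restoring the '&', '<' and '"' characters that the list
// archive stripped; everything else here is constructed for illustration.

// Backported helper: three split/join passes, ampersand first so that the
// entities produced by the later passes are not double-encoded.
// It leaves '>' and "'" alone, so it is only safe for element text and
// for attribute values delimited with double quotes.
function escapeHTML(s) {
  return s.toString().split('&').join('&amp;')
                     .split('<').join('&lt;')
                     .split('"').join('&quot;');
}

// Unpatched filelist.js shape: the file name is concatenated into markup.
function filenameCellBefore(name) {
  return '<span class="nametext">' + name + '</span>';
}

// Patched shape: the user-controlled fragment goes through escapeHTML().
function filenameCellAfter(name) {
  return '<span class="nametext">' + escapeHTML(name) + '</span>';
}

// Defender-side check: after removing the span tags our own template
// emits, does any '<' (i.e. a tag that came from the data) remain?
function containsInjectedTag(html) {
  var withoutTemplate = html.replace(/<\/?span[^>]*>/g, '');
  return withoutTemplate.indexOf('<') !== -1;
}

// Constructed file name covering all three escaped characters.
var SAMPLE_NAME = 'notes<b>&"q".txt';

// Constructed name carrying only characters the helper does NOT touch.
var UNTOUCHED_NAME = "x>y'z";
```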



Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1

2012-12-12 Thread Adam D. Barratt
Control: tags -1 + moreinfo

On Mon, 2012-12-10 at 20:14 +0100, Julien Cristau wrote:
 On Wed, Dec  5, 2012 at 22:18:54 +0100, Michael Banck wrote:
  
  On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
   As far as I can tell this escapeHTML function is not defined in the
   current version?  Upstream git has it in core/js/js.js.
  
  Attached is a new candidate debdiff.
  
 Assuming this is tested, go ahead.

+Index: owncloud-4.0.4debian2/core/js/js.js
[...]
++function escapeHTML(s) {
[...]
+Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
[...]
+-  span class='fc-event-title' + event.title + 
/span +
++  span class='fc-event-title' + 
htmlEscape(event.title) + /span +

Should the htmlEscape() call in that last hunk be escapeHTML()?

Regards,

Adam





Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1

2012-12-12 Thread Julien Cristau
On Wed, Dec 12, 2012 at 19:44:38 +, Adam D. Barratt wrote:

 Control: tags -1 + moreinfo
 
 On Mon, 2012-12-10 at 20:14 +0100, Julien Cristau wrote:
  On Wed, Dec  5, 2012 at 22:18:54 +0100, Michael Banck wrote:
   
   On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
As far as I can tell this escapeHTML function is not defined in the
current version?  Upstream git has it in core/js/js.js.
   
   Attached is a new candidate debdiff.
   
  Assuming this is tested, go ahead.
 
 +Index: owncloud-4.0.4debian2/core/js/js.js
 [...]
 ++function escapeHTML(s) {
 [...]
 +Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
 [...]
 +-  span class='fc-event-title' + event.title 
 + /span +
 ++  span class='fc-event-title' + 
 htmlEscape(event.title) + /span +
 
 Should the htmlEscape() call in that last hunk be escapeHTML()?
 
iirc fullcalendar has its own preexisting escape function, with a
different name.

Cheers,
Julien




Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1

2012-12-10 Thread Julien Cristau
On Wed, Dec  5, 2012 at 22:18:54 +0100, Michael Banck wrote:

 Hi,
 
 On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
  As far as I can tell this escapeHTML function is not defined in the
  current version?  Upstream git has it in core/js/js.js.
 
 Attached is a new candidate debdiff.
 
Assuming this is tested, go ahead.

Cheers,
Julien




Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1

2012-12-05 Thread Julien Cristau
On Tue, Dec  4, 2012 at 23:45:19 +0100, Michael Banck wrote:

 +Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
 +===
 +--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js 2012-12-04 
 22:47:26.810080751 +0100
  owncloud-4.0.4debian2/apps/files/js/filelist.js  2012-12-04 
 22:47:26.874081078 +0100
 +@@ -14,9 +14,9 @@
 + var extension=false;
 + }
 + html+='td class=filename 
 style=background-image:url('+img+')input type=checkbox /';
 +-html+='a class=name 
 href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 
 'gt;')+'/'+name+'span class=nametext'+basename
 ++html+='a class=name 
 href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 
 'gt;')+'/'+escapeHTML(name)+'span class=nametext'+escapeHTML(basename);
 + if(extension){
 +-html+='span class=extension'+extension+'/span';
 ++html+='span 
 class=extension'+escapeHTML(extension)+'/span';
 + }
 + html+='/span/a/td';
 + if(size!='Pending'){

As far as I can tell this escapeHTML function is not defined in the
current version?  Upstream git has it in core/js/js.js.

Cheers,
Julien




Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1

2012-12-05 Thread Michael Banck
Hi,

On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
 On Tue, Dec  4, 2012 at 23:45:19 +0100, Michael Banck wrote:
 
  +Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
  +===
  +--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js   2012-12-04 
  22:47:26.810080751 +0100
   owncloud-4.0.4debian2/apps/files/js/filelist.js2012-12-04 
  22:47:26.874081078 +0100
  +@@ -14,9 +14,9 @@
  +   var extension=false;
  +   }
  +   html+='td class=filename 
  style=background-image:url('+img+')input type=checkbox /';
  +-  html+='a class=name 
  href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 
  'gt;')+'/'+name+'span class=nametext'+basename
  ++  html+='a class=name 
  href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 
  'gt;')+'/'+escapeHTML(name)+'span 
  class=nametext'+escapeHTML(basename);
  +   if(extension){
  +-  html+='span class=extension'+extension+'/span';
  ++  html+='span 
  class=extension'+escapeHTML(extension)+'/span';
  +   }
  +   html+='/span/a/td';
  +   if(size!='Pending'){
 
 As far as I can tell this escapeHTML function is not defined in the
 current version?  Upstream git has it in core/js/js.js.

Good catch, this was added in 4.0.9, but not mentioned in the security
advisories AFAICT - so I have to fix up unstable as well :-/


Michael





Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1

2012-12-05 Thread Michael Banck
Hi,

On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
 As far as I can tell this escapeHTML function is not defined in the
 current version?  Upstream git has it in core/js/js.js.

Attached is a new candidate debdiff.


Cheers,

Michael
diff -Nru owncloud-4.0.4debian2/debian/changelog 
owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog  2012-09-22 18:36:17.0 
+0200
+++ owncloud-4.0.4debian2/debian/changelog  2012-12-05 22:12:11.0 
+0100
@@ -1,3 +1,17 @@
+owncloud (4.0.4debian2-3.1) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload, fixes several security issues (Closes: #693990).
+  * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
+  * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
+  * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
+  * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
+filesystem.php.
+  * debian/patches/07_oc-sa-2012-002.patch: Backport generate_random_bytes()
+function from 4.0.8 release.
+  * debian/patches/06_oc-sa-2012-001.patch: Include escapeHTML() function. 
+
+ -- Michael Banck mba...@debian.org  Wed, 05 Dec 2012 21:25:00 +0100
+
 owncloud (4.0.4debian2-3) testing-proposed-updates; urgency=high
 
   * debian/patches:
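Review bot: 06_oc-sa-2012-001.patch and 07_oc-sa-2012-002.patch are each described in two separate bullets of the new changelog entry (the XSS and timing-attack fixes near the top, the escapeHTML() and generate_random_bytes() backports further down); fold each pair into one bullet per patch file, e.g. `* debian/patches/07_oc-sa-2012-002.patch: Fix timing attack; backport generate_random_bytes() from the 4.0.8 release.`, so a reader sees what each patch contains in one place. The `Include escapeHTML() function.` bullet also carries trailing whitespace.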
diff -Nru owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch 
owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
--- owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
1970-01-01 01:00:00.0 +0100
+++ owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
2012-12-05 21:24:39.0 +0100
@@ -0,0 +1,69 @@
+Index: owncloud-4.0.4debian2/core/js/js.js
+===
+--- owncloud-4.0.4debian2.orig/core/js/js.js   2012-06-26 21:54:07.0 
+0200
 owncloud-4.0.4debian2/core/js/js.js2012-12-05 21:24:29.624785142 
+0100
+@@ -29,6 +29,15 @@
+ }
+ t.cache={};
+ 
++/*
++* Sanitizes a HTML string
++* @param string
++* @return Sanitized string
++*/
++function escapeHTML(s) {
++  return 
s.toString().split('').join('amp;').split('').join('lt;').split('').join('quot;');
++}
++
+ OC={
+   webroot:oc_webroot,
+   appswebroot:oc_appswebroot,
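Review bot: escapeHTML() rewrites only three characters (ampersand, less-than and double quote, to their `amp;`, `lt;` and `quot;` entities) and leaves greater-than and single quotes untouched, so it is correct for element text and for double-quoted attribute values but not for single-quoted attributes or JavaScript string contexts; the comment `Sanitizes a HTML string` overstates this and should say that it HTML-escapes a string for those two contexts. The helper is added as a global just before `OC={`, so the callers this patch introduces in filelist.js and versions.js depend on core/js/js.js being loaded first on those pages; a line in the patch header stating that dependency would help whoever backports it next.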
+Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
+===
+--- owncloud-4.0.4debian2.orig/3rdparty/fullcalendar/js/fullcalendar.js
2012-12-04 22:43:43.296931413 +0100
 owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js 
2012-12-05 21:24:29.624785142 +0100
+@@ -4662,7 +4662,7 @@
+   /span;
+   }
+   html +=
+-  span class='fc-event-title' + event.title + 
/span +
++  span class='fc-event-title' + 
htmlEscape(event.title) + /span +
+   /div;
+   if (seg.isEnd  isEventResizable(event)) {
+   html +=
+@@ -5220,5 +5220,5 @@
+   };
+   
+ }
+-
++
+ })(jQuery);
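Review bot: the second fullcalendar.js hunk, `@@ -5220,5 +5220,5 @@`, replaces one blank line with another (`+-` / `++`), i.e. a whitespace or line-ending-only change; drop it from the security backport so the debdiff contains nothing but the XSS fix and stays easy to audit.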
+Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
+===
+--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js   2012-12-05 
21:24:29.348783708 +0100
 owncloud-4.0.4debian2/apps/files/js/filelist.js2012-12-05 
21:24:29.628785159 +0100
+@@ -14,9 +14,9 @@
+   var extension=false;
+   }
+   html+='td class=filename 
style=background-image:url('+img+')input type=checkbox /';
+-  html+='a class=name 
href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 
'gt;')+'/'+name+'span class=nametext'+basename
++  html+='a class=name 
href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 
'gt;')+'/'+escapeHTML(name)+'span class=nametext'+escapeHTML(basename);
+   if(extension){
+-  html+='span class=extension'+extension+'/span';
++  html+='span 
class=extension'+escapeHTML(extension)+'/span';
+   }
+   html+='/span/a/td';
+   if(size!='Pending'){
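Review bot: the hunk escapes `name`, `basename` and `extension` but leaves two other interpolations on the same lines as they were: `img` goes unescaped into `style=background-image:url('+img+')`, and the directory from `$('#dir').val()` is still escaped by hand with `.replace(//, 'lt;').replace(//, 'gt;')`, which are non-global regexes and therefore rewrite only the first occurrence of each character. Unless `img` is guaranteed to be a server-provided constant (a comment saying so would help), pass it and the directory value through escapeHTML() as well; at minimum add the `g` flag to the manual replaces so they match the rest of the hunk.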
+Index: owncloud-4.0.4debian2/apps/files_versions/js/versions.js
+===
+--- owncloud-4.0.4debian2.orig/apps/files_versions/js/versions.js  
2012-12-04 22:43:43.296931413 +0100
 owncloud-4.0.4debian2/apps/files_versions/js/versions.js   2012-12-05 
21:24:29.628785159 +0100
+@@ -36,7 +36,7 @@
+   
+   var historyUrl = OC.linkTo('files_versions', 'history.php') + 
'?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' 
)+'/'+encodeURIComponent( filename );
+   
+-  var html = 'div id=dropdown class=drop data-file='+files+'';
++  var html = 'div 

Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1

2012-12-04 Thread Michael Banck
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I would like to ask for pre-approval to upload owncloud 4.0.4debian2-3.1 to
testing-proposed-updates. It fixes bug #693990 (multiple security
issues). The debdiff is attached.

This bug has been fixed in unstable with a similar patch in version
4.0.8debian-1.1.  I had to adopt 07_oc-sa-2012-002.patch and backport a
helper function from the unstable upstream version.


Cheers,

Michael
diff -Nru owncloud-4.0.4debian2/debian/changelog 
owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog  2012-09-22 18:36:17.0 
+0200
+++ owncloud-4.0.4debian2/debian/changelog  2012-12-04 22:45:50.0 
+0100
@@ -1,3 +1,16 @@
+owncloud (4.0.4debian2-3.1) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload, fixes several security issues (Closes: #693990).
+  * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
+  * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
+  * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
+  * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
+filesystem.php.
+  * debian/pathes/07_oc-sa-2012-002.patch: Backport generate_random_bytes()
+function from 4.0.8 release.
+
+ -- Michael Banck mba...@debian.org  Tue, 04 Dec 2012 22:22:39 +0100
+
 owncloud (4.0.4debian2-3) testing-proposed-updates; urgency=high
 
   * debian/patches:
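Review bot: the last bullet of the new entry reads `debian/pathes/07_oc-sa-2012-002.patch`; the directory is `debian/patches`, as in the bullets above it. Fix the typo so the changelog path matches the file that is actually shipped.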
diff -Nru owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch 
owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
--- owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
1970-01-01 01:00:00.0 +0100
+++ owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
2012-12-04 22:47:34.0 +0100
@@ -0,0 +1,49 @@
+Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
+===
+--- owncloud-4.0.4debian2.orig/3rdparty/fullcalendar/js/fullcalendar.js
2012-12-04 22:43:43.296931413 +0100
 owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js 
2012-12-04 22:47:26.874081078 +0100
+@@ -4662,7 +4662,7 @@
+   /span;
+   }
+   html +=
+-  span class='fc-event-title' + event.title + 
/span +
++  span class='fc-event-title' + 
htmlEscape(event.title) + /span +
+   /div;
+   if (seg.isEnd  isEventResizable(event)) {
+   html +=
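Review bot: this hunk calls htmlEscape(), while the filelist.js and versions.js hunks below call escapeHTML(); the two names are not interchangeable. fullcalendar.js ships its own `function htmlEscape(s)` (the grep later in the thread confirms it), so the call is right for this file, but a sentence in the patch header saying that the bundled library's own helper is used here would spare the next reviewer the same question.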
+@@ -5220,5 +5220,5 @@
+   };
+   
+ }
+-
++
+ })(jQuery);
+Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
+===
+--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js   2012-12-04 
22:47:26.810080751 +0100
 owncloud-4.0.4debian2/apps/files/js/filelist.js2012-12-04 
22:47:26.874081078 +0100
+@@ -14,9 +14,9 @@
+   var extension=false;
+   }
+   html+='td class=filename 
style=background-image:url('+img+')input type=checkbox /';
+-  html+='a class=name 
href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 
'gt;')+'/'+name+'span class=nametext'+basename
++  html+='a class=name 
href=download.php?file='+$('#dir').val().replace(//, 'lt;').replace(//, 
'gt;')+'/'+escapeHTML(name)+'span class=nametext'+escapeHTML(basename);
+   if(extension){
+-  html+='span class=extension'+extension+'/span';
++  html+='span 
class=extension'+escapeHTML(extension)+'/span';
+   }
+   html+='/span/a/td';
+   if(size!='Pending'){
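Review bot: escapeHTML() is called here (and in the versions.js hunk below) but is not defined anywhere in this debdiff, which only touches fullcalendar.js, filelist.js and versions.js; in a browser the first call would throw a ReferenceError and the file list would stop rendering. The helper has to be backported into core/js/js.js, where upstream defines it, as part of the same patch.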
+Index: owncloud-4.0.4debian2/apps/files_versions/js/versions.js
+===
+--- owncloud-4.0.4debian2.orig/apps/files_versions/js/versions.js  
2012-12-04 22:43:43.296931413 +0100
 owncloud-4.0.4debian2/apps/files_versions/js/versions.js   2012-12-04 
22:47:26.874081078 +0100
+@@ -36,7 +36,7 @@
+   
+   var historyUrl = OC.linkTo('files_versions', 'history.php') + 
'?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' 
)+'/'+encodeURIComponent( filename );
+   
+-  var html = 'div id=dropdown class=drop data-file='+files+'';
++  var html = 'div id=dropdown class=drop 
data-file='+escapeHTML(files)+'';
+   html += 'div id=private';
+   html += 'select data-placeholder=Saved versions id=found_versions 
class=chzen-select style=width:16em;';
+   html += 'option value=/option';
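Review bot: `escapeHTML(files)` is inserted into the `data-file=` attribute value; the helper backported in the later candidate escapes double quotes but not single quotes, so this is only safe if the attribute is delimited with double quotes inside the JavaScript string literal, which the list rendering has stripped here. Confirm the quoting in the actual file, and keep the escaping consistent with the other dynamic values this function builds (the `historyUrl` above already uses encodeURIComponent for its URL context).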
diff -Nru owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch 
owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch
--- owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch
1970-01-01