commit:     2ad56745900b2993f9f0c0ebdc55fa64933f4599
Author:     Bernard Cafarelli <voyageur <AT> gentoo <DOT> org>
AuthorDate: Fri Jun  4 07:40:47 2021 +0000
Commit:     Bernard Cafarelli <voyageur <AT> gentoo <DOT> org>
CommitDate: Fri Jun  4 09:28:38 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ad56745

www-apps/owncloud: 10.7.0 bump, with security fix backport

Add https://github.com/owncloud/core/pull/38689 that fixes sensitive
exception data exposure

Bug: https://bugs.gentoo.org/794091
Package-Manager: Portage-3.0.19, Repoman-3.0.3
Signed-off-by: Bernard Cafarelli <voyageur <AT> gentoo.org>

 www-apps/owncloud/Manifest                         |  1 +
 .../owncloud-10.7.0-share_data_exposure.patch      | 78 ++++++++++++++++++++++
 www-apps/owncloud/owncloud-10.7.0.ebuild           | 49 ++++++++++++++
 3 files changed, 128 insertions(+)

diff --git a/www-apps/owncloud/Manifest b/www-apps/owncloud/Manifest
index aee01f865f8..f0efc62ecd5 100644
--- a/www-apps/owncloud/Manifest
+++ b/www-apps/owncloud/Manifest
@@ -1,2 +1,3 @@
 DIST owncloud-10.5.0.tar.bz2 23471398 BLAKE2B 
6566df51474a22d36da868ab45a7cb679528aecc9a95e0ad20f06adda587563e16c98ee1e942a5fef62e633b132469a6a775d5893754f553aea8a33043daafc3
 SHA512 
b77183146ee27c97a7f472e1debaec6f5dad168f204a243a65f431cade28ed0551d0db88ff799776bfd26db60357a2216a35cd1b4af6e7e98fc933f325e4336c
 DIST owncloud-10.6.0.tar.bz2 24569416 BLAKE2B 
f20890262551f2996d39566f63f79439921f41bfa3a82cecc5fdf771be93e403f5a273e76498421ec7e29a03f00326844003c3adb3f927f2c1c8fc82c26c23de
 SHA512 
ec4de23b4cd0dc08dde66802285a00c817cc8ccc79237e4ae454af5fecba102fdc892ed24e62b246deebba536728d312f43dcfea9f2f490ba8847a54ac962885
+DIST owncloud-10.7.0.tar.bz2 24129028 BLAKE2B 
47ce3584f8123cc0a315c7d88847df5844c951e354fcecd7a876ca01f0fa24823a86bdd950dd885f3bbb46f60d8a39271e31d43ac6dac8f3df506d6cdc531231
 SHA512 
ebb636b8ffd06d4ceb1dd0d50c15ab393b8c7bf2f0e23c61ba957add6ac4d4ba4cdefb9cda2c703f337c82a295e2c40a467a602227728e9506f9a150c9f2fd3c

diff --git a/www-apps/owncloud/files/owncloud-10.7.0-share_data_exposure.patch 
b/www-apps/owncloud/files/owncloud-10.7.0-share_data_exposure.patch
new file mode 100644
index 00000000000..bab6ffed11e
--- /dev/null
+++ b/www-apps/owncloud/files/owncloud-10.7.0-share_data_exposure.patch
@@ -0,0 +1,78 @@
+From b552f84eedb5d2a113028d7859e82352699fb427 Mon Sep 17 00:00:00 2001
+From: JanAckermann <jackerm...@owncloud.com>
+Date: Tue, 4 May 2021 11:51:29 +0200
+Subject: [PATCH 1/3] Throw generic exception to overcome, senstitive exception
+ data exposure
+
+---
+ .../lib/Controllers/ShareController.php       | 26 ++++++++++++-------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/apps/files_sharing/lib/Controllers/ShareController.php 
b/apps/files_sharing/lib/Controllers/ShareController.php
+index da9832e105b..02bd3553067 100644
+--- a/apps/files_sharing/lib/Controllers/ShareController.php
++++ b/apps/files_sharing/lib/Controllers/ShareController.php
+@@ -400,6 +400,7 @@ public function showShare($token, $path = '') {
+        * @param string $path
+        * @param string $downloadStartSecret
+        * @return NotFoundResponse|RedirectResponse|void
++       * @throws \Exception
+        */
+       public function downloadShare($token, $files = null, $path = '', 
$downloadStartSecret = '') {
+               \OC_User::setIncognitoMode(true);
+@@ -530,16 +531,21 @@ public function downloadShare($token, $files = null, 
$path = '', $downloadStartS
+               }
+ 
+               // download selected files
+-              if ($files !== null && $files !== '') {
+-                      // FIXME: The exit is required here because otherwise 
the AppFramework is trying to add headers as well
+-                      // after dispatching the request which results in a 
"Cannot modify header information" notice.
+-                      OC_Files::get($originalSharePath, $files_list, 
$server_params);
+-                      exit();
+-              } else {
+-                      // FIXME: The exit is required here because otherwise 
the AppFramework is trying to add headers as well
+-                      // after dispatching the request which results in a 
"Cannot modify header information" notice.
+-                      OC_Files::get(\dirname($originalSharePath), 
\basename($originalSharePath), $server_params);
+-                      exit();
++
++              try {
++                      if ($files !== null && $files !== '') {
++                              // FIXME: The exit is required here because 
otherwise the AppFramework is trying to add headers as well
++                              // after dispatching the request which results 
in a "Cannot modify header information" notice.
++                              OC_Files::get($originalSharePath, $files_list, 
$server_params);
++                              exit();
++                      } else {
++                              // FIXME: The exit is required here because 
otherwise the AppFramework is trying to add headers as well
++                              // after dispatching the request which results 
in a "Cannot modify header information" notice.
++                              OC_Files::get(\dirname($originalSharePath), 
\basename($originalSharePath), $server_params);
++                              exit();
++                      }
++              } catch (\Exception $e) {
++                      throw new \Exception();
+               }
+       }
+ }
+
+From a94f67a4857447e36e205043c55f29737a0bc57d Mon Sep 17 00:00:00 2001
+From: JanAckermann <jackerm...@owncloud.com>
+Date: Tue, 4 May 2021 12:01:17 +0200
+Subject: [PATCH 2/3] enhanche if statement
+
+---
+ lib/private/Files/Storage/Local.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/private/Files/Storage/Local.php 
b/lib/private/Files/Storage/Local.php
+index d5ae0e3794b..d499079da98 100644
+--- a/lib/private/Files/Storage/Local.php
++++ b/lib/private/Files/Storage/Local.php
+@@ -384,7 +384,7 @@ public function getSourcePath($path) {
+               }
+               $pathToResolve = $fullPath;
+               $realPath = \realpath($pathToResolve);
+-              while ($realPath === false) { // for non existing files check 
the parent directory
++              while (!\is_string($realPath)) { // for non existing files 
check the parent directory
+                       $pathToResolve = \dirname($pathToResolve);
+                       $realPath = \realpath($pathToResolve);
+               }
+
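Review bot: The new `catch (\Exception $e)` block in downloadShare() drops `$e` before `throw new \Exception();`, so the detail is hidden from the client but also lost to the operator. The original exception should be written to the server-side log before the generic one is thrown. `catch (\Exception $e)` also does not cover PHP 7 `\Error` throwables, so if OC_Files::get() can raise one whose message carries path data it would still propagate unmasked; `catch (\Throwable $e)` would close that, to be confirmed against upstream. The file carries only `[PATCH 1/3]` and `[PATCH 2/3]`, so a short header comment saying why 3/3 of the upstream pull request is omitted would help anyone auditing this backport. downloadShare() and getSourcePath() both begin and end outside the embedded hunks.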

diff --git a/www-apps/owncloud/owncloud-10.7.0.ebuild 
b/www-apps/owncloud/owncloud-10.7.0.ebuild
new file mode 100644
index 00000000000..0b560a4d0fe
--- /dev/null
+++ b/www-apps/owncloud/owncloud-10.7.0.ebuild
@@ -0,0 +1,49 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit webapp
+
+DESCRIPTION="Web-based storage application where all your data is under your 
own control"
+HOMEPAGE="https://owncloud.org";
+SRC_URI="https://download.owncloud.org/community/${P}.tar.bz2";
+LICENSE="AGPL-3"
+
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="+curl mysql postgres +sqlite"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+DEPEND=""
+RDEPEND=">=dev-lang/php-7.0[curl?,filter,gd,hash(+),intl,json,mysql?,pdo,posix,postgres?,session,simplexml,sqlite?,xmlreader,xmlwriter,zip]
+       virtual/httpd-php"
+
+PATCHES=( "${FILESDIR}"/${P}-share_data_exposure.patch )
+
+S=${WORKDIR}/${PN}
+
+pkg_setup() {
+       webapp_pkg_setup
+}
+
+src_install() {
+       webapp_src_preinst
+
+       insinto "${MY_HTDOCSDIR}"
+       doins -r .
+       dodir "${MY_HTDOCSDIR}"/data
+
+       webapp_serverowned -R "${MY_HTDOCSDIR}"/apps
+       webapp_serverowned -R "${MY_HTDOCSDIR}"/data
+       webapp_serverowned -R "${MY_HTDOCSDIR}"/config
+       webapp_configfile "${MY_HTDOCSDIR}"/.htaccess
+
+       webapp_src_install
+}
+
+pkg_postinst() {
+       elog "Additional applications (calendar, ...) are no longer provided by 
default."
+       elog "You can install them after login via the applications management 
page"
+       elog "(check the recommended tab). No application data is lost."
+       webapp_pkg_postinst
+}
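Review bot: The `PATCHES=( "${FILESDIR}"/${P}-share_data_exposure.patch )` line has no comment tying the patch to its origin, so a later bump cannot tell from the ebuild whether the security backport is still needed or already in the tarball. I would add above it `# Backport of https://github.com/owncloud/core/pull/38689 (bug #794091); drop once a release includes it`. Separately, `DEPEND=""` is an empty assignment and can be removed.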
