Package: owncloud
Version: 4.0.5debian2-1
Severity: grave
Tags: patch security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
--- Please enter the report below this line. ---

Hi,

I stumbled over a security bug in owncloud with the result of data loss or modification, depending on the configuration of owncloud.

It is possible for regular users of owncloud to overwrite files that are shared by another owncloud user via WebDAV. If version control is activated, user1 could revert the file to its previous state, but if it's not activated, user1's data is lost.

Find attached a patch that should fix the security flaw for owncloud 4.0.5debian2-1.

Cheers
- Fuddl

--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
500 unstable ftp.de.debian.org
1 experimental ftp.de.debian.org

--- Package information. ---
Package's Depends field is empty.
Package's Recommends field is empty.
Package's Suggests field is empty.
From 05648dac619942dfccc76180d30fcd79364355ec Mon Sep 17 00:00:00 2001 From: Michael Gapczynski <mt...@owncloud.com> Date: Wed, 8 Aug 2012 11:25:24 -0400 Subject: [PATCH] Don't return file handle if the mode supports writing and the file is not writable --- apps/files_sharing/sharedstorage.php | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) Index: owncloud-4.0.5debian2/apps/files_sharing/sharedstorage.php =================================================================== --- owncloud-4.0.5debian2.orig/apps/files_sharing/sharedstorage.php 2012-07-19 18:50:49.000000000 +0200 +++ owncloud-4.0.5debian2/apps/files_sharing/sharedstorage.php 2012-08-09 11:29:58.000000000 +0200 @@ -416,6 +416,25 @@ public function fopen($path, $mode) { $source = $this->getSource($path); if ($source) { + switch ($mode) { + case 'r+': + case 'rb+': + case 'w+': + case 'wb+': + case 'x+': + case 'xb+': + case 'a+': + case 'ab+': + case 'w': + case 'wb': + case 'x': + case 'xb': + case 'a': + case 'ab': + if (!$this->is_writable($path)) { + return false; + } + } $storage = OC_Filesystem::getStorage($source); return $storage->fopen($this->getInternalPath($source), $mode); }
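Review bot: The switch in fopen() enumerates exact mode strings, so any write-capable mode not in that list still reaches `$storage->fopen($this->getInternalPath($source), $mode)` without the is_writable() check: PHP's 'c' and 'c+' modes (and their 'b' variants) open the file for writing but are missing, and PHP also accepts the same flags in a different order ('r+b', 'w+b') or with a 't' flag, none of which match the listed cases. Rather than maintaining an allowlist, test the mode string for any write-implying character and fall through to the existing check, e.g. `if (preg_match('/[waxc+]/', $mode) && !$this->is_writable($path)) { return false; }`, which covers every current PHP write mode and keeps plain 'r'/'rb' reads unaffected. Also worth noting in the commit message or a comment that callers now get `false` (not an exception) for a denied write open, since the WebDAV layer should translate that into a 403 rather than a generic 500.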