Hi Julien,

Thanks for your reply.

On Sun, Apr 12, 2015 at 02:46:52PM +0200, Julien Cristau wrote:
> On Thu, Mar 26, 2015 at 15:26:37 -0400, David Prévot wrote:
> >
> > - the upgrade script should be run as the same user as the installed
> >   data, i.e., www-data by default, instead of root
>
> Why use sudo? It doesn't sound like the right tool for this task...

Right, I overlooked the ability of su to redefine the invoked shell, sorry.

Here is a proposed change (oc_3-4.diff) on top of the previous one, and
the filtered debdiff (oc_2-4.diff) against the version currently in
Jessie (still stripping away the noop minified JavaScript change).

Please let me know if that addresses your concerns, and I’ll follow up
with an upload.

Regards

David
diff --git a/debian/changelog b/debian/changelog index 0416dfa..009c9bc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,10 +1,19 @@ +owncloud (7.0.4+dfsg-4) unstable; urgency=medium + + * Document CVE in previous changelog entry + * Simply use su instead of sudo in postinst + + -- David Prévot <taf...@debian.org> Sun, 12 Apr 2015 11:57:04 -0400 + owncloud (7.0.4+dfsg-3) unstable; urgency=medium * Add gbp config file to follow the jessie branch * Backport security fixes from 7.0.5: - Multiple stored XSS in "contacts" application [OC-SA-2015-001] + [CVE-2015-3011] - Multiple stored XSS in "documents" application [OC-SA-2015-002] - - Bypass of file blacklist [OC-SA-2015-004] + [CVE-2015-3012] + - Bypass of file blacklist [OC-SA-2015-004] [CVE-2015-3013] * Run upgrade script with sudo as www-data user * Depend on php5-cli (it is actually used in postinst) diff --git a/debian/control b/debian/control index 8b79bb2..abfa45a 100644 --- a/debian/control +++ b/debian/control @@ -48,7 +48,6 @@ Depends: apache2 | httpd, php5-gd, php5-json, php5-mysql | php5-pgsql | php5-sqlite, - sudo, zendframework, ${misc:Depends} Recommends: exim4 | mail-transport-agent, diff --git a/debian/postinst b/debian/postinst index a554ebd..e3a663f 100644 --- a/debian/postinst +++ b/debian/postinst @@ -51,7 +51,7 @@ case "$1" in # Update the database on upgrade # Don’t let it fail, since it exits with 3 if no upgrade is necessary if [ -e /etc/owncloud/config.php ] ; then - sudo -u www-data occ upgrade || true + su -s /bin/sh -c "/usr/sbin/occ upgrade" www-data || true fi ;;
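Review bot: in the debian/postinst hunk, `|| true` still masks every failure of `occ upgrade`, not only the exit status 3 that the comment above it gives as the reason for tolerating a non-zero exit; a database upgrade that really fails (bad credentials, schema error) will leave the package configured on top of a broken installation with nothing in the apt output. Since the script most likely runs under `set -e`, capture the status without tripping it and only ignore 3, e.g. `rc=0; su -s /bin/sh -c "/usr/sbin/occ upgrade" www-data || rc=$?` followed by `case $rc in 0|3) ;; *) exit $rc ;; esac` (or at least print a warning for any other status).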
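Review bot: the 7.0.4+dfsg-4 changelog entry only records the switch from sudo to su in postinst, but the debian/control hunk in the same diff also drops `sudo` from Depends; please document that in the changelog as well (e.g. `* Drop now unneeded dependency on sudo`), since a change to the dependency set is something users and the release team look for in the changelog, and the -3 entry just below it still says the upgrade is run "with sudo".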
diff --git a/debian/README.Debian b/debian/README.Debian index 72af84d..10f60aa 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -84,8 +84,6 @@ Some apps, not enabled by default, need the following dependencies: Improve performance: php5-apcu | php5-xcache php5-intl (language translation) -Command line interface: php5-cli - Suggested packages ~~~~~~~~~~~~~~~~~~ diff --git a/debian/changelog b/debian/changelog index 61c2c40..009c9bc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,24 @@ +owncloud (7.0.4+dfsg-4) unstable; urgency=medium + + * Document CVE in previous changelog entry + * Simply use su instead of sudo in postinst + + -- David Prévot <taf...@debian.org> Sun, 12 Apr 2015 11:57:04 -0400 + +owncloud (7.0.4+dfsg-3) unstable; urgency=medium + + * Add gbp config file to follow the jessie branch + * Backport security fixes from 7.0.5: + - Multiple stored XSS in "contacts" application [OC-SA-2015-001] + [CVE-2015-3011] + - Multiple stored XSS in "documents" application [OC-SA-2015-002] + [CVE-2015-3012] + - Bypass of file blacklist [OC-SA-2015-004] [CVE-2015-3013] + * Run upgrade script with sudo as www-data user + * Depend on php5-cli (it is actually used in postinst) + + -- David Prévot <taf...@debian.org> Wed, 25 Mar 2015 16:20:32 -0400 + owncloud (7.0.4+dfsg-2) unstable; urgency=medium * Upload to unstable as agreed with the release team diff --git a/debian/control b/debian/control index 193fed7..abfa45a 100644 --- a/debian/control +++ b/debian/control @@ -44,6 +44,7 @@ Depends: apache2 | httpd, php-symfony-console, php-symfony-routing, php5 (>= 5.3.8), + php5-cli, php5-gd, php5-json, php5-mysql | php5-pgsql | php5-sqlite, @@ -55,7 +56,6 @@ Recommends: exim4 | mail-transport-agent, php-dropbox, php-google-api-php-client (<< 1), php5-apcu | php5-xcache, - php5-cli, php5-curl, php5-intl, php5-ldap, diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..4e78e26 --- /dev/null +++ b/debian/gbp.conf 
@@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch = jessie +upstream-branch = upstream-jessie diff --git a/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch b/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch new file mode 100644 index 0000000..537fa3f --- /dev/null +++ b/debian/patches/0010-Fix-encoding-in-3rdparty-lib.patch @@ -0,0 +1,31 @@ +From: Lukas Reschke <lu...@owncloud.com> +Date: Fri, 6 Feb 2015 15:12:43 +0100 +Subject: Fix encoding in 3rdparty lib + +Origin: upstream, https://github.com/owncloud/contacts/commit/72dcf24061b9639be75851e3746950b61495bc8f +--- + apps/contacts/js/contacts.js | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js +index be551c9..f5d8879 100644 +--- a/apps/contacts/js/contacts.js ++++ b/apps/contacts/js/contacts.js +@@ -1089,7 +1089,7 @@ OC.Contacts = OC.Contacts || {}; + this.$fullelem.find('.groupscontainer').show(); + //this.$groupSelect.find('option').remove(); + $.each(availableGroups, function(idx, group) { +- var $option = $('<option value="' + group.id + '">' + group.name + '</option>'); ++ var $option = $('<option value="' + group.id + '">' + escapeHTML(group.name) + '</option>'); + if(self.inGroup(group.name)) { + $option.attr('selected', 'selected'); + } +@@ -1575,7 +1575,7 @@ OC.Contacts = OC.Contacts || {}; + var input = $editor.find('input').first(); + var params = self.parametersFor(input, true); + $(this).find('.meta').html(params.TYPE.join('/')); +- $(this).find('.adr').html(self.valueFor($editor.find('input').first()).clean('').join(', ')); ++ $(this).find('.adr').text(self.valueFor($editor.find('input').first()).clean('').join(', ')); + $(this).next('.listactions').css('display', 'inline-block'); + $('body').unbind('click', bodyListener); + }); diff --git a/debian/patches/0011-Apply-some-upstream-patches.patch b/debian/patches/0011-Apply-some-upstream-patches.patch new file mode 100644 index 0000000..f9540a4 --- /dev/null 
+++ b/debian/patches/0011-Apply-some-upstream-patches.patch 
@@ -0,0 +1,1745 @@ +From: Victor Dubiniuk <victor.dubin...@gmail.com> +Date: Mon, 26 Jan 2015 23:51:28 +0300 +Subject: Apply some upstream patches + +Origin: upstream, https://github.com/owncloud/documents/commit/f67a6b11fe97afda9d906e7cfcb8736952b527d3 +--- + .../3rdparty/webodf/editor/widgets/fontPicker.js | 9 +- + .../webodf/editor/widgets/paragraphStyles.js | 11 +- + apps/documents/js/3rdparty/webodf/webodf-debug.js | 8 +- + apps/documents/js/3rdparty/webodf/webodf.js | 1036 ++++++++++---------- + 4 files changed, 536 insertions(+), 528 deletions(-) + +diff --git a/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js b/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js +index 039c21b..372df25 100644 +--- a/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js ++++ b/apps/documents/js/3rdparty/webodf/editor/widgets/fontPicker.js +@@ -36,9 +36,10 @@ + */ + /*global define,require,document */ + define("webodf/editor/widgets/fontPicker", [ +- "dijit/form/Select"], ++ "dijit/form/Select", ++ "dojox/html/entities"], + +- function (Select) { ++ function (Select, htmlEntities) { + "use strict"; + + /** +@@ -101,7 +102,7 @@ define("webodf/editor/widgets/fontPicker", [ + name = documentFonts[i].name; + family = documentFonts[i].family || name; + selectionList.push({ +- label: '<span style="font-family: ' + family + ';">' + name + '</span>', ++ label: '<span style="font-family: ' + htmlEntities.encode(family) + ';">' + htmlEntities.encode(name) + '</span>', + value: name + }); + } +@@ -114,7 +115,7 @@ define("webodf/editor/widgets/fontPicker", [ + // Lastly populate the fonts provided by the editor + for (i = 0; i < editorFonts.length; i += 1) { + selectionList.push({ +- label: '<span style="font-family: ' + editorFonts[i] + ';">' + editorFonts[i] + '</span>', ++ label: '<span style="font-family: ' + htmlEntities.encode(editorFonts[i]) + ';">' + htmlEntities.encode(editorFonts[i]) + '</span>', + value: editorFonts[i] + }); + } +diff --git 
a/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js b/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js +index 57acaac..0e1acec 100644 +--- a/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js ++++ b/apps/documents/js/3rdparty/webodf/editor/widgets/paragraphStyles.js +@@ -39,9 +39,12 @@ + /*global define,require */ + + define("webodf/editor/widgets/paragraphStyles", +- ["webodf/editor/EditorSession"], ++ [ ++ "dojox/html/entities", ++ "webodf/editor/EditorSession" ++ ], + +- function (EditorSession) { ++ function (htmlEntities, EditorSession) { + "use strict"; + /** + * @constructor +@@ -99,7 +102,7 @@ define("webodf/editor/widgets/paragraphStyles", + + for (i = 0; i < availableStyles.length; i += 1) { + selectionList.push({ +- label: availableStyles[i].displayName, ++ label: htmlEntities.encode(availableStyles[i].displayName), + value: availableStyles[i].name + }); + } +@@ -120,7 +123,7 @@ define("webodf/editor/widgets/paragraphStyles", + if (select) { + select.addOption({ + value: styleInfo.name, +- label: newStyleElement.getAttributeNS(stylens, 'display-name') ++ label: htmlEntities.encode(newStyleElement.getAttributeNS(stylens, 'display-name')) + }); + } + +diff --git a/apps/documents/js/3rdparty/webodf/webodf-debug.js b/apps/documents/js/3rdparty/webodf/webodf-debug.js +index ee718ae..a890800 100644 +--- a/apps/documents/js/3rdparty/webodf/webodf-debug.js ++++ b/apps/documents/js/3rdparty/webodf/webodf-debug.js +@@ -1,4 +1,4 @@ +-var webodf_version = "0.4.2-2050-g8d8fc02"; ++var webodf_version = "0.4.2-2050-g8d8fc02-dirty"; + function Runtime() { + } + Runtime.prototype.getVariable = function(name) { +@@ -13549,7 +13549,11 @@ gui.HyperlinkClickHandler = function HyperlinkClickHandler(getRootNode) { + bookmarks[0].scrollIntoView(true) + } + }else { +- runtime.getWindow().open(url) ++ if(/^\s*(javascript|data):/.test(url)) { ++ runtime.log("WARN:", "potentially malicious URL ignored") ++ }else { ++ 
runtime.getWindow().open(url) ++ } + } + if(e.preventDefault) { + e.preventDefault() +diff --git a/apps/documents/js/3rdparty/webodf/webodf.js b/apps/documents/js/3rdparty/webodf/webodf.js +index 40d0bda..bf9a4c5 100644 +--- a/apps/documents/js/3rdparty/webodf/webodf.js ++++ b/apps/documents/js/3rdparty/webodf/webodf.js [ dropped longish noop changes. ] diff --git a/debian/patches/0012-Normalize-before-processing.patch b/debian/patches/0012-Normalize-before-processing.patch new file mode 100644 index 0000000..0269cba --- /dev/null +++ b/debian/patches/0012-Normalize-before-processing.patch 
@@ -0,0 +1,73 @@ +From: Lukas Reschke <lu...@owncloud.com> +Date: Fri, 6 Feb 2015 15:09:31 +0100 +Subject: Normalize before processing + +Conflicts: + tests/lib/files/filesystem.php + tests/lib/files/mapper.php + +Origin: upstream, https://github.com/owncloud/core/commit/cbf8dd439c5e56a56511e39180d014ce2ecd5221 +--- + lib/private/files/filesystem.php | 9 +++++---- + lib/private/files/mapper.php | 6 +++++- + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php +index 1ebc790..492d9f1 100644 +--- a/lib/private/files/filesystem.php ++++ b/lib/private/files/filesystem.php +@@ -524,9 +524,10 @@ class Filesystem { + * @return bool + */ + static public function isFileBlacklisted($filename) { ++ $filename = self::normalizePath($filename); + $blacklist = \OC_Config::getValue('blacklisted_files', array('.htaccess')); + $filename = strtolower(basename($filename)); +- return (in_array($filename, $blacklist)); ++ return in_array($filename, $blacklist); + } + + /** +@@ -700,6 +701,9 @@ class Filesystem { + return '/'; + } + ++ //normalize unicode if possible ++ $path = \OC_Util::normalizeUnicode($path); ++ + //no windows style slashes + $path = str_replace('\\', '/', $path); + +@@ -736,9 +740,6 @@ class Filesystem { + $path = substr($path, 0, -2); + } + +- //normalize unicode if possible +- $path = \OC_Util::normalizeUnicode($path); +- + return $windows_drive_letter . $path; + } + +diff --git a/lib/private/files/mapper.php b/lib/private/files/mapper.php +index 5e78ef0..a950d78 100644 +--- a/lib/private/files/mapper.php ++++ b/lib/private/files/mapper.php +@@ -253,13 +253,17 @@ class Mapper + // trim ending dots (for security reasons and win compatibility) + $text = preg_replace('~\.+$~', '', $text); + +- if (empty($text)) { ++ if (empty($text) || \OC\Files\Filesystem::isFileBlacklisted($text)) { + /** + * Item slug would be empty. Previously we used uniqid() here. 
+ * However this means that the behaviour is not reproducible, so + * when uploading files into a "empty" folder, the folders name is + * different. + * ++ * The other case is, that the slugified name would be a blacklisted ++ * filename. In this case we just use the same workaround by ++ * returning the secure md5 hash of the original name. ++ * + * If there would be a md5() hash collision, the deduplicate check + * will spot this and append an index later, so this should not be + * a problem. diff --git a/debian/patches/series b/debian/patches/series index 230b514..ab6e650 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,6 @@ path/0006-Adapt-Crypt_Blowfish-path.patch path/0007-Adapt-aws-sdk-path.patch path/0008-Adapt-google-api-php-client-path.patch path/0009-Adapt-Dropbox-path.patch +0010-Fix-encoding-in-3rdparty-lib.patch +0011-Apply-some-upstream-patches.patch +0012-Normalize-before-processing.patch diff --git a/debian/postinst b/debian/postinst index f356c8d..e3a663f 100644 --- a/debian/postinst +++ b/debian/postinst @@ -51,7 +51,7 @@ case "$1" in # Update the database on upgrade # Don’t let it fail, since it exits with 3 if no upgrade is necessary if [ -e /etc/owncloud/config.php ] ; then - occ upgrade || true + su -s /bin/sh -c "/usr/sbin/occ upgrade" www-data || true fi ;;
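Review bot: in the apps/contacts/js/contacts.js hunk around line 1089, `group.name` is now passed through `escapeHTML()` but `group.id` is still concatenated raw into the `value="..."` attribute of the same `<option>` string; if the id is always numeric that is fine, but it is worth confirming, and otherwise it needs `escapeHTML(group.id)` too. Likewise, in the hunk around line 1575, the `.adr` element switches to `.text()`, yet the line two above it in the unchanged context, `$(this).find('.meta').html(params.TYPE.join('/'))`, keeps `.html()` on a value derived from the same contact data; unless TYPE is validated against a fixed set elsewhere, it should get the same `.text()` treatment.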
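Review bot: in the webodf-debug.js hunk in HyperlinkClickHandler, the guard `/^\s*(javascript|data):/.test(url)` is case-sensitive while URL schemes are matched case-insensitively by browsers, so a link with `JavaScript:` or `DATA:` still reaches `runtime.getWindow().open(url)`; add the `i` flag at minimum, and preferably replace the denylist with an allowlist of schemes that are expected in a document (http, https, mailto) so that other script-capable schemes are not left to a future patch.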
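Review bot: the apps/documents/js/3rdparty/webodf/webodf.js hunk was dropped from this debdiff as a noop, but the `javascript:`/`data:` guard shown in the webodf-debug.js hunk only helps if it is present in the copy the documents app actually loads; since the diffstat lists 1036 changed lines in webodf.js, please confirm that the same check landed in that file (or that the package serves webodf-debug.js), and say so in the patch description.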
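Review bot: the header of 0012-Normalize-before-processing.patch lists conflicts in tests/lib/files/filesystem.php and tests/lib/files/mapper.php, and the backported patch carries no test hunks at all, so the upstream regression tests for the blacklist bypass were dropped; the patch description should state that explicitly, and ideally a resolved version of those test hunks should be included so that the new `normalizePath()` call in `isFileBlacklisted()` and the `isFileBlacklisted($text)` check added in mapper.php are exercised by the package's test suite. As a nit in the same mapper.php hunk, the added comment calls the fallback "the secure md5 hash"; the hash is only used to derive a reproducible slug, so "the md5 hash" would avoid suggesting a security property that is not relied upon.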