
Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1



Hi,

On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
> As far as I can tell this escapeHTML function is not defined in the
> current version?  Upstream git has it in core/js/js.js.

Attached is a new candidate debdiff.


Cheers,

Michael
diff -Nru owncloud-4.0.4debian2/debian/changelog owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog	2012-09-22 18:36:17.000000000 +0200
+++ owncloud-4.0.4debian2/debian/changelog	2012-12-05 22:12:11.000000000 +0100
@@ -1,3 +1,17 @@
+owncloud (4.0.4debian2-3.1) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload, fixes several security issues (Closes: #693990).
+  * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
+  * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
+  * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
+  * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
+    filesystem.php.
+  * debian/patches/07_oc-sa-2012-002.patch: Backport generate_random_bytes()
+    function from 4.0.8 release.
+  * debian/patches/06_oc-sa-2012-001.patch: Include escapeHTML() function. 
+
+ -- Michael Banck <mbanck@debian.org>  Wed, 05 Dec 2012 21:25:00 +0100
+
 owncloud (4.0.4debian2-3) testing-proposed-updates; urgency=high
 
   * debian/patches:
diff -Nru owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
--- owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch	2012-12-05 21:24:39.000000000 +0100
@@ -0,0 +1,69 @@
+Index: owncloud-4.0.4debian2/core/js/js.js
+===================================================================
+--- owncloud-4.0.4debian2.orig/core/js/js.js	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.4debian2/core/js/js.js	2012-12-05 21:24:29.624785142 +0100
+@@ -29,6 +29,15 @@
+ }
+ t.cache={};
+ 
++/*
++* Sanitizes a HTML string
++* @param string
++* @return Sanitized string
++*/
++function escapeHTML(s) {
++		return s.toString().split('&').join('&amp;').split('<').join('&lt;').split('"').join('&quot;');
++}
++
+ OC={
+ 	webroot:oc_webroot,
+ 	appswebroot:oc_appswebroot,
+Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
+===================================================================
+--- owncloud-4.0.4debian2.orig/3rdparty/fullcalendar/js/fullcalendar.js	2012-12-04 22:43:43.296931413 +0100
++++ owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js	2012-12-05 21:24:29.624785142 +0100
+@@ -4662,7 +4662,7 @@
+ 					"</span>";
+ 			}
+ 			html +=
+-				"<span class='fc-event-title'>" + event.title + "</span>" +
++				"<span class='fc-event-title'>" + htmlEscape(event.title) + "</span>" +
+ 				"</div>";
+ 			if (seg.isEnd && isEventResizable(event)) {
+ 				html +=
+@@ -5220,5 +5220,5 @@
+ 	};
+ 	
+ }
+-
++
+ })(jQuery);
+Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
+===================================================================
+--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js	2012-12-05 21:24:29.348783708 +0100
++++ owncloud-4.0.4debian2/apps/files/js/filelist.js	2012-12-05 21:24:29.628785159 +0100
+@@ -14,9 +14,9 @@
+ 			var extension=false;
+ 		}
+ 		html+='<td class="filename" style="background-image:url('+img+')"><input type="checkbox" />';
+-		html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, '&gt;')+'/'+name+'"><span class="nametext">'+basename
++		html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, '&gt;')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);
+ 		if(extension){
+-			html+='<span class="extension">'+extension+'</span>';
++			html+='<span class="extension">'+escapeHTML(extension)+'</span>';
+ 		}
+ 		html+='</span></a></td>';
+ 		if(size!='Pending'){
+Index: owncloud-4.0.4debian2/apps/files_versions/js/versions.js
+===================================================================
+--- owncloud-4.0.4debian2.orig/apps/files_versions/js/versions.js	2012-12-04 22:43:43.296931413 +0100
++++ owncloud-4.0.4debian2/apps/files_versions/js/versions.js	2012-12-05 21:24:29.628785159 +0100
+@@ -36,7 +36,7 @@
+ 	
+ 	var historyUrl = OC.linkTo('files_versions', 'history.php') + '?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' )+'/'+encodeURIComponent( filename );
+ 	
+-	var html = '<div id="dropdown" class="drop" data-file="'+files+'">';
++	var html = '<div id="dropdown" class="drop" data-file="'+escapeHTML(files)+'">';
+ 	html += '<div id="private">';
+ 	html += '<select data-placeholder="Saved versions" id="found_versions" class="chzen-select" style="width:16em;">';
+ 	html += '<option value=""></option>';
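Review bot: The rewritten filelist.js href line still escapes the directory value with `.replace(/</, '&lt;').replace(/>/, '&gt;')`, which are non-global regexes (first occurrence only) and do not touch `&` or `"`, so the `download.php?file=` attribute is only partially escaped while name, basename and extension on the same line now go through escapeHTML(). I would use the new helper for the directory as well: `html+='<a class="name" href="download.php?file='+escapeHTML($('#dir').val())+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);`. Note also that the backported escapeHTML() escapes only `&`, `<` and `"`, so it is safe in text nodes and double-quoted attributes (the three call sites here) but not in single-quoted attributes or inline script; adding `.split("'").join('&#039;').split('>').join('&gt;')` would make it a general-purpose escaper. The fullcalendar hunk calls `htmlEscape`, which this patch does not define; presumably it is fullcalendar's own helper, which is worth confirming in the vendored copy since an undefined function would break event rendering rather than fail safe.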
diff -Nru owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch
--- owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch	2012-12-04 22:47:37.000000000 +0100
@@ -0,0 +1,65 @@
+Index: owncloud-4.0.4debian2/core/lostpassword/resetpassword.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/core/lostpassword/resetpassword.php	2012-12-04 22:47:31.174103213 +0100
++++ owncloud-4.0.4debian2/core/lostpassword/resetpassword.php	2012-12-04 22:47:36.618131274 +0100
+@@ -10,7 +10,7 @@
+ require_once('../../lib/base.php');
+ 
+ // Someone wants to reset their password:
+-if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
++if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
+ 	if (isset($_POST['password'])) {
+ 		if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
+ 			OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');
+Index: owncloud-4.0.4debian2/lib/util.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/util.php	2012-12-04 22:47:31.174103213 +0100
++++ owncloud-4.0.4debian2/lib/util.php	2012-12-04 22:47:36.622131291 +0100
+@@ -459,8 +459,31 @@
+ 	
+  	}
+ 	
+-	
++        /*
++        * @brief Generates random bytes with "openssl_random_pseudo_bytes" with a fallback for systems without openssl
++        * Inspired by gorgo on php.net
++        * @param Int with the length of the random
++        * @return String with the random bytes
++        */
++        public static function generate_random_bytes($length = 30) {
++                if(function_exists('openssl_random_pseudo_bytes')) {
++                        $pseudo_byte = bin2hex(openssl_random_pseudo_bytes($length, $strong));
++                        if($strong == TRUE) {
++                                return substr($pseudo_byte, 0, $length); // Truncate it to match the length
++                        }
++                }
+ 
++                // fallback to mt_rand()
++                $characters = '0123456789';
++                $characters .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
++                $charactersLength = strlen($characters)-1;
++                $pseudo_byte = "";
+ 
++                // Select some random characters
++                for ($i = 0; $i < $length; $i++) {
++                        $pseudo_byte .= $characters[mt_rand(0, $charactersLength)];
++                }
++                return $pseudo_byte;
++        }
+ }
+ 
+Index: owncloud-4.0.4debian2/core/lostpassword/index.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/core/lostpassword/index.php	2012-12-04 22:47:31.174103213 +0100
++++ owncloud-4.0.4debian2/core/lostpassword/index.php	2012-12-04 22:47:36.622131291 +0100
+@@ -13,8 +13,8 @@
+ // Someone lost their password:
+ if (isset($_POST['user'])) {
+ 	if (OC_User::userExists($_POST['user'])) {
+-		$token = sha1($_POST['user'].md5(uniqid(rand(), true)));
+-		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
++		$token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
++		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
+ 		$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
+ 		if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
+ 			$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;
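Review bot: generate_random_bytes() silently falls back to mt_rand() when openssl is unavailable or reports a non-strong result, so on such systems the password-reset token built in lostpassword/index.php (`OC_Util::generate_random_bytes(30)`) comes from a non-cryptographic PRNG whose state can be recovered from observed outputs, and that token alone authorizes a password change. Since the PHP of this era has no random_bytes(), I would try the kernel CSPRNG before resorting to mt_rand(), and log when the weak path is taken; the enclosing class in lib/util.php starts before the hunk. The secondary hashing in index.php/resetpassword.php is a sound mitigation for the comparison timing, but it only helps if the token itself is unpredictable. Separately, `bin2hex(openssl_random_pseudo_bytes($length, $strong))` returns $length hex characters, i.e. 4 bits per character, which at the default 30 is adequate but should be stated in the docblock so callers do not read $length as a byte count.
```php
                if(function_exists('openssl_random_pseudo_bytes')) {
                        // … unchanged: openssl path returning when $strong is true …
                }

                // fallback: kernel CSPRNG before the non-cryptographic mt_rand()
                if(@is_readable('/dev/urandom')) {
                        $handle = fopen('/dev/urandom', 'rb');
                        $pseudo_byte = bin2hex(fread($handle, $length));
                        fclose($handle);
                        if(strlen($pseudo_byte) >= $length) {
                                return substr($pseudo_byte, 0, $length);
                        }
                }
                OC_Log::write('core', 'No strong random source available, falling back to mt_rand()', OC_Log::WARN);
                // … unchanged: mt_rand() character loop …
```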
diff -Nru owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch
--- owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch	2012-12-04 22:19:55.000000000 +0100
@@ -0,0 +1,91 @@
+Index: owncloud-4.0.4debian2/lib/migrate.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/migrate.php	2012-12-04 21:56:35.000000000 +0100
++++ owncloud-4.0.4debian2/lib/migrate.php	2012-12-04 22:19:42.125448119 +0100
+@@ -205,8 +205,8 @@
+ 		// Get export_info.json
+ 		$scan = scandir( $extractpath );
+ 		// Check for export_info.json
+-		if( !in_array( 'export_info.json', $scan ) ){
+-			OC_Log::write( 'migration', 'Invalid import file, export_info.json note found', OC_Log::ERROR );
++		if( !in_array( 'export_info.json', $scan ) ) {
++			OC_Log::write( 'migration', 'Invalid import file, export_info.json not found', OC_Log::ERROR );
+ 			return json_encode( array( 'success' => false ) );
+ 		}
+ 		$json = json_decode( file_get_contents( $extractpath . 'export_info.json' ) );
+@@ -241,12 +241,19 @@
+ 					return json_encode( array( 'success' => false ) );
+ 				}
+ 				// Copy data
+-				if( !self::copy_r( $extractpath . $json->exporteduser, $datadir . '/' . self::$uid ) ){
+-					return json_encode( array( 'success' => false ) );
++				$userfolder = $extractpath . $json->exporteduser;
++				$newuserfolder = $datadir . '/' . self::$uid;
++				foreach(scandir($userfolder) as $file){
++					if($file !== '.' && $file !== '..' && is_dir($file)){
++						// Then copy the folder over
++						OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
++					}
+ 				}
+ 				// Import user app data
+-				if( !$appsimported = self::importAppData( $extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ){
+-					return json_encode( array( 'success' => false ) );
++				if(file_exists($extractpath . $json->exporteduser . '/migration.db')){
++					if( !$appsimported = self::importAppData( $extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ) {
++						return json_encode( array( 'success' => false ) );
++					}
+ 				}
+ 				// All done!
+ 				if( !self::unlink_r( $extractpath ) ){
+@@ -311,37 +318,6 @@
+ 	}
+ 
+ 	/**
+-	* @brief copies recursively
+-	* @param $path string path to source folder
+-	* @param $dest string path to destination
+-	* @return bool
+-	*/
+-	private static function copy_r( $path, $dest ){
+-		if( is_dir($path) ){
+-			@mkdir( $dest );
+-			$objects = scandir( $path );
+-			if( sizeof( $objects ) > 0 ){
+-				foreach( $objects as $file ){
+-					if( $file == "." || $file == ".." || $file == ".htaccess")
+-					continue;
+-					// go on
+-					if( is_dir( $path . '/' . $file ) ){
+-						self::copy_r( $path  .'/' . $file, $dest . '/' . $file );
+-					} else {
+-						copy( $path . '/' . $file, $dest . '/' . $file );
+-					}
+-				}
+-			}
+-			return true;
+-		}
+-		elseif( is_file( $path ) ){
+-			return copy( $path, $dest );
+-		} else {
+-			return false;
+-		}
+-	}
+-
+-	/**
+ 	* @brief tries to extract the import zip
+ 	* @param $path string path to the zip
+ 	* @return string path to extract location (with a trailing slash) or false on failure
+Index: owncloud-4.0.4debian2/lib/helper.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/helper.php	2012-06-26 21:54:07.000000000 +0200
++++ owncloud-4.0.4debian2/lib/helper.php	2012-12-04 22:19:42.125448119 +0100
+@@ -309,7 +309,8 @@
+ 					self::copyr("$src/$file", "$dest/$file");
+ 				}
+ 			}
+-		}elseif(file_exists($src)){
++
++		}elseif(file_exists($src) && !OC_Filesystem::isFileBlacklisted($src)) {
+ 			copy($src, $dest);
+ 		}
+ 	}
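Review bot: The new copy loop in migrate.php tests `is_dir($file)` on the bare directory entry, which is resolved against the process working directory rather than the extracted user folder, so subfolders are copied only by coincidence and the import then reports success with no data; the check should be `if($file !== '.' && $file !== '..' && is_dir($userfolder.'/'.$file)){`. The old copy_r() result was checked and turned into a failure response, whereas the OC_Helper::copyr() calls are now unchecked, so a partial copy is also no longer surfaced. `$json->exporteduser` is read from the uploaded archive and concatenated into `$userfolder` without visible validation; if it is not constrained earlier in the function (which starts before this hunk), a value containing `../` would let the import read from outside the extract directory, so I would apply `basename()` to it before building either path. The helper.php change only blocks a file whose basename is `.htaccess`; that matches the advisory, but a one-line comment on the `elseif` saying why (the data directory relies on its .htaccess to deny web access) would help the next maintainer.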
diff -Nru owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch
--- owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch	1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch	2012-12-04 22:19:51.000000000 +0100
@@ -0,0 +1,52 @@
+Index: owncloud-4.0.4debian2/lib/filesystem.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/filesystem.php	2012-12-04 21:56:35.000000000 +0100
++++ owncloud-4.0.4debian2/lib/filesystem.php	2012-12-04 22:19:45.133463687 +0100
+@@ -361,12 +361,16 @@
+ 	 * @return bool
+ 	 */
+ 	static public function isValidPath($path){
++		$path = str_replace('\\', '/', $path);
+ 		if(!$path || $path[0]!=='/'){
+ 			$path='/'.$path;
+ 		}
+ 		if(strstr($path,'/../') || strrchr($path, '/') === '/..' ){
+ 			return false;
+ 		}
++		if(self::isFileBlacklisted($path)){
++			return false;
++		}
+ 		return true;
+ 	}
+ 	
+@@ -375,21 +379,23 @@
+ 	 * Listens to write and rename hooks
+ 	 * @param array $data from hook
+ 	 */
+-	static public function isBlacklisted($data){
+-		$blacklist = array('.htaccess');
++	static public function isBlacklisted($data) {
+ 		if (isset($data['path'])) {
+ 			$path = $data['path'];
+ 		} else if (isset($data['newpath'])) {
+ 			$path = $data['newpath'];
+ 		}
+ 		if (isset($path)) {
+-			$filename = strtolower(basename($path));
+-			if (in_array($filename, $blacklist)) {
+-				$data['run'] = false;
+-			}
++			$data['run'] = !self::isFileBlacklisted($path);
+ 		}
+ 	}
+-	
++
++	static public function isFileBlacklisted($path){
++		$blacklist = array('.htaccess');
++		$filename = strtolower(basename($path));
++		return in_array($filename, $blacklist);
++	}
++
+ 	/**
+ 	 * following functions are equivilent to their php buildin equivilents for arguments/return values.
+ 	 */
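Review bot: The rewritten isBlacklisted() now assigns `$data['run'] = !self::isFileBlacklisted($path);` unconditionally, so for a non-blacklisted path it forces `run` back to true, overwriting a veto that another listener on the same write/rename hook may already have recorded; the previous code only ever cleared the flag. I would keep the one-directional behaviour: `if (self::isFileBlacklisted($path)) { $data['run'] = false; }`. Whether the assignment reaches the caller at all depends on the hook passing `run` by reference, which is not visible here and is worth confirming. The new isFileBlacklisted() has no docblock; I would add `/** @brief checks whether the file name of $path is blacklisted (currently only .htaccess, case-insensitive) @param $path string @return bool */`, and pass `true` as the third argument to in_array() to keep the comparison strict.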
diff -Nru owncloud-4.0.4debian2/debian/patches/series owncloud-4.0.4debian2/debian/patches/series
--- owncloud-4.0.4debian2/debian/patches/series	2012-09-22 16:03:47.000000000 +0200
+++ owncloud-4.0.4debian2/debian/patches/series	2012-12-04 22:43:34.000000000 +0100
@@ -15,4 +15,7 @@
 remove_unused_unsecure_files.diff
 BTS688394.diff
 backported_security_fixes.diff
-
+06_oc-sa-2012-001.patch
+07_oc-sa-2012-002.patch
+08_oc-sa-2012-004.patch
+09_oc-sa-2012-005.patch
