[php-sabredav-Sabre_DAV] Update fixing browser plugin security

Joseph Marrero jmarrero at fedoraproject.org
Mon Apr 29 00:17:08 UTC 2013


commit 09bf74fd1a1c7b0edb2466bfd03fd293f5f367f5
Author: jmarrero <jmarrero at fedoraproject.org>
Date:   Sun Apr 28 20:16:46 2013 -0400

    Update fixing browser plugin security

 php-sabredav-Sabre_DAV.spec     |    9 +++++++--
 sabreDav_BrowserPluginFix.patch |   23 +++++++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)
---
diff --git a/php-sabredav-Sabre_DAV.spec b/php-sabredav-Sabre_DAV.spec
index 8448c60..18b9708 100644
--- a/php-sabredav-Sabre_DAV.spec
+++ b/php-sabredav-Sabre_DAV.spec
@@ -4,12 +4,13 @@
 
 Name:           php-sabredav-Sabre_DAV
 Version:        1.6.5
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Sabre_DAV is a WebDAV framework for PHP
 
 License:        BSD
 URL:            http://code.google.com/p/sabredav
 Source0:        http://pear.sabredav.org/get/%{pear_name}-%{version}.tgz
+Patch1:         sabreDav_BrowserPluginFix.patch 
 
 BuildArch:      noarch
 BuildRequires:  php-pear(PEAR)
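Review bot: The new `Patch1:` line carries trailing whitespace and says nothing about what the patch fixes or where it was taken from, which is what the next maintainer needs when rebasing it onto a newer Sabre_DAV. A one-line spec comment above it would do, e.g. `# Browser plugin asset path traversal, rhbz#951568 951569 951562 (backport; upstream commit to be recorded)`, with the upstream SabreDAV commit filled in if it is known. As committed, the bug numbers live only in the changelog entry of this same commit.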
@@ -37,6 +38,7 @@ is meant to cover the entire standard.
 
 %prep
 %setup -q -c
+%patch1 -p0
 [ -f package2.xml ] || mv package.xml package2.xml
 mv package2.xml %{pear_name}-%{version}/%{pear_name}.xml
 
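Review bot: `%patch1 -p0` applies only because the patch's `---` header names `Sabre_DAV-1.6.5/Sabre/DAV/Browser/Plugin.php`, the path that exists after `%setup -q -c`, while its `+++` header names a different tree, `SabreDAV/lib/Sabre/DAV/Browser/Plugin.php`; patch(1) is left to pick whichever name it can find, which is fragile across patch versions and silently wrong if both ever exist. Regenerate the patch so both headers name the same path, so that the strip level is unambiguous, and consider `%patch1 -p0 -b .traversal` so the pristine file is kept beside the patched one for inspection in the build tree.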
@@ -47,7 +49,7 @@ mv package2.xml %{pear_name}-%{version}/%{pear_name}.xml
 
 %install
 cd %{pear_name}-%{version}
-%{__pear} install --nodeps --packagingroot $RPM_BUILD_ROOT %{pear_name}.xml
+%{__pear} install --nodeps --ignore-errors --packagingroot $RPM_BUILD_ROOT %{pear_name}.xml
 
 # Clean up unnecessary files
 %if 0%{?rhel}
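Review bot: `--ignore-errors` on the pear install line suppresses every error PEAR raises for the whole package, not just the md5 mismatch that patching Plugin.php causes against the checksum recorded in `%{pear_name}.xml`; a truncated or tampered file anywhere else in the tarball would now install without complaint, which is the opposite of what a security update should do. The narrower fix is to refresh only the patched file's checksum in the package descriptor at the end of `%prep`, along the lines of `sed -i "s#\(md5sum=\"\)[0-9a-f]*\(\"[^>]*name=\"Sabre/DAV/Browser/Plugin.php\"\)#\1$(md5sum %{pear_name}-%{version}/Sabre/DAV/Browser/Plugin.php | cut -d' ' -f1)\2#" %{pear_name}-%{version}/%{pear_name}.xml`, and then drop `--ignore-errors` here. The attribute order inside that `<file>` element should be checked against the shipped package.xml before relying on the expression, and `%{pear_name}` is assumed to expand to `Sabre_DAV` as the patch header suggests.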
@@ -79,6 +81,9 @@ fi
 
 
 %changelog
+* Sun Apr 28 2013 Joseph Marrero <jmarrero at fedoraproject.org> - 1.6.5-4
+- added security patch that fixes bugs 951568 951569 951562
+- added --ignore-erros flag to pear install macro to accept the patch
 * Sat Mar 02 2013 Joseph Marrero <jmarrero at fedoraproject.org> - 1.6.5-3
 - Fix cleanup in rhel6 and f19
 * Thu Feb 14 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.6.5-2
diff --git a/sabreDav_BrowserPluginFix.patch b/sabreDav_BrowserPluginFix.patch
new file mode 100644
index 0000000..449283f
--- /dev/null
+++ b/sabreDav_BrowserPluginFix.patch
@@ -0,0 +1,23 @@
+--- Sabre_DAV-1.6.5/Sabre/DAV/Browser/Plugin.php	2012-10-04 08:02:37.000000000 -0400
++++ SabreDAV/lib/Sabre/DAV/Browser/Plugin.php	2013-04-11 14:29:08.000000000 -0400
+@@ -439,14 +439,14 @@
+      */
+     protected function getLocalAssetPath($assetName) {
+ 
++        $assetDir = __DIR__ . '/assets/';
++        $path = $assetDir . $assetName;
++
+         // Making sure people aren't trying to escape from the base path.
+-        $assetSplit = explode('/', $assetName);
+-        if (in_array('..',$assetSplit)) {
+-            throw new Sabre_DAV_Exception('Incorrect asset path');
++        if (strpos(realpath($path), realpath($assetDir)) === 0) {
++            return $path;
+         }
+-        $path = __DIR__ . '/assets/' . $assetName;
+-        return $path;
+-
++        throw new Sabre_DAV_Exception_Forbidden('Path does not exist, or escaping from the base path was detected');
+     }
+ 
+     /**
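Review bot: The new guard at the `strpos(realpath($path), realpath($assetDir)) === 0` line is a bare prefix test against `realpath($assetDir)`, which has no trailing separator, so any sibling directory whose name begins with `assets` (say `Browser/assets-old`) satisfies it through `assets/../assets-old/x`, and the function then returns the unresolved `$path` rather than the canonical one. The check should compare against the canonical base with `DIRECTORY_SEPARATOR` appended, test both `realpath()` results for `false` explicitly instead of relying on `strpos(false, …)` happening to fail closed, and return the resolved path (harmless if callers only open the file, which cannot be confirmed from this hunk). The rewritten body follows; the `Sabre_DAV_Exception_Forbidden` line is unchanged.
```php
    protected function getLocalAssetPath($assetName) {

        $assetDir = realpath(__DIR__ . '/assets');
        $path = $assetDir === false ? false : realpath($assetDir . DIRECTORY_SEPARATOR . $assetName);

        // Compare against the base *with* a trailing separator: a bare prefix
        // test would also accept a sibling directory such as "assets-old".
        if ($assetDir !== false && $path !== false
            && strpos($path, $assetDir . DIRECTORY_SEPARATOR) === 0) {
            return $path;
        }
        // … unchanged: throw new Sabre_DAV_Exception_Forbidden(...) …
    }
```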

