[php-sabredav-Sabre_DAV] Update fixing browser plugin security
Joseph Marrero
jmarrero at fedoraproject.org
Mon Apr 29 00:17:08 UTC 2013
commit 09bf74fd1a1c7b0edb2466bfd03fd293f5f367f5
Author: jmarrero <jmarrero at fedoraproject.org>
Date: Sun Apr 28 20:16:46 2013 -0400
Update fixing browser plugin security
php-sabredav-Sabre_DAV.spec | 9 +++++++--
sabreDav_BrowserPluginFix.patch | 23 +++++++++++++++++++++++
2 files changed, 30 insertions(+), 2 deletions(-)
---
diff --git a/php-sabredav-Sabre_DAV.spec b/php-sabredav-Sabre_DAV.spec
index 8448c60..18b9708 100644
--- a/php-sabredav-Sabre_DAV.spec
+++ b/php-sabredav-Sabre_DAV.spec
@@ -4,12 +4,13 @@
Name: php-sabredav-Sabre_DAV
Version: 1.6.5
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Sabre_DAV is a WebDAV framework for PHP
License: BSD
URL: http://code.google.com/p/sabredav
Source0: http://pear.sabredav.org/get/%{pear_name}-%{version}.tgz
+Patch1: sabreDav_BrowserPluginFix.patch
BuildArch: noarch
BuildRequires: php-pear(PEAR)
@@ -37,6 +38,7 @@ is meant to cover the entire standard.
%prep
%setup -q -c
+%patch1 -p0
[ -f package2.xml ] || mv package.xml package2.xml
mv package2.xml %{pear_name}-%{version}/%{pear_name}.xml
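Review bot: `%patch1 -p0` only works because the two header paths inside sabreDav_BrowserPluginFix.patch disagree and GNU patch happens to pick the one that exists: the `---` side names `Sabre_DAV-1.6.5/Sabre/DAV/Browser/Plugin.php`, which should be present after `%setup -q -c` unpacks the tarball, while the `+++` side names `SabreDAV/lib/Sabre/DAV/Browser/Plugin.php`, which is not in the build tree. That makes the apply step depend on patch's best-name heuristic rather than on an explicit target. Editing both header lines of the patch to `Sabre_DAV-1.6.5/Sabre/DAV/Browser/Plugin.php` keeps `-p0` and makes the step deterministic.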
@@ -47,7 +49,7 @@ mv package2.xml %{pear_name}-%{version}/%{pear_name}.xml
%install
cd %{pear_name}-%{version}
-%{__pear} install --nodeps --packagingroot $RPM_BUILD_ROOT %{pear_name}.xml
+%{__pear} install --nodeps --ignore-errors --packagingroot $RPM_BUILD_ROOT %{pear_name}.xml
# Clean up unnecessary files
%if 0%{?rhel}
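Review bot: `--ignore-errors` on the `%{__pear} install` line silences every installer error, not only the checksum mismatch that the patched Plugin.php presumably raises against package.xml, so a later genuine failure (missing file, bad dependency, malformed package.xml) would be hidden and the build would still succeed. A narrower fix is to correct, or strip, the md5sum attribute of the patched file in the package.xml that %prep renames to `%{pear_name}.xml`, and keep the install strict; for example `sed -i '/Sabre\/DAV\/Browser\/Plugin.php/s/ md5sum="[^"]*"//' %{pear_name}.xml` before the install line (constructed example, verify the attribute layout in the shipped package.xml). The changelog entry in the last hunk also spells the flag as `--ignore-erros`.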
@@ -79,6 +81,9 @@ fi
%changelog
+* Sun Apr 28 2013 Joseph Marrero <jmarrero at fedoraproject.org> - 1.6.5-4
+- added security patch that fixes bugs 951568 951569 951562
+- added --ignore-erros flag to pear install macro to accept the patch
* Sat Mar 02 2013 Joseph Marrero <jmarrero at fedoraproject.org> - 1.6.5-3
- Fix cleanup in rhel6 and f19
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.6.5-2
diff --git a/sabreDav_BrowserPluginFix.patch b/sabreDav_BrowserPluginFix.patch
new file mode 100644
index 0000000..449283f
--- /dev/null
+++ b/sabreDav_BrowserPluginFix.patch
@@ -0,0 +1,23 @@
+--- Sabre_DAV-1.6.5/Sabre/DAV/Browser/Plugin.php 2012-10-04 08:02:37.000000000 -0400
++++ SabreDAV/lib/Sabre/DAV/Browser/Plugin.php 2013-04-11 14:29:08.000000000 -0400
+@@ -439,14 +439,14 @@
+ */
+ protected function getLocalAssetPath($assetName) {
+
++ $assetDir = __DIR__ . '/assets/';
++ $path = $assetDir . $assetName;
++
+ // Making sure people aren't trying to escape from the base path.
+- $assetSplit = explode('/', $assetName);
+- if (in_array('..',$assetSplit)) {
+- throw new Sabre_DAV_Exception('Incorrect asset path');
++ if (strpos(realpath($path), realpath($assetDir)) === 0) {
++ return $path;
+ }
+- $path = __DIR__ . '/assets/' . $assetName;
+- return $path;
+-
++ throw new Sabre_DAV_Exception_Forbidden('Path does not exist, or escaping from the base path was detected');
+ }
+
+ /**
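Review bot: The check on `+ if (strpos(realpath($path), realpath($assetDir)) === 0)` compares against `realpath($assetDir)` with its trailing slash stripped, so a sibling of the assets directory whose name merely begins with `assets` would also satisfy the prefix test; anchoring the base with a separator closes that gap: `$base = realpath($assetDir) . DIRECTORY_SEPARATOR; $real = realpath($path); if ($real !== false && strpos($real, $base) === 0) {`. In the tree as shipped this is probably only theoretical, since the `Browser/` directory visible from the headers holds little besides `assets/` and `Plugin.php`, but a containment check should not rely on directory layout. realpath() returns false for a path that does not exist, strpos() then treats that as an empty string and the request still falls through to the Forbidden exception, so the `!== false` guard is for readability rather than a behavioural fix. The getLocalAssetPath docblock opens before the inner hunk, and the file's `-p0` headers name two different paths for the same file.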