[glpi] - add security fix https://forge.indepnet.net/issues/5218 - add fix for temporary directory relocation

Remi Collet remi at fedoraproject.org
Fri Feb 27 09:44:00 UTC 2015


commit d34c543e87c4f8ea0a869ea6884c4f975776eedf
Author: Remi Collet <remi at fedoraproject.org>
Date:   Fri Feb 27 10:43:37 2015 +0100

    - add security fix https://forge.indepnet.net/issues/5218
    - add fix for temporary directory relocation

 glpi-0.85-bug5218.patch | 15 +++++++++++++++
 glpi-0.85-upload.patch  | 24 ++++++++++++++++++++++++
 glpi.spec               | 12 +++++++++++-
 3 files changed, 50 insertions(+), 1 deletion(-)
---
diff --git a/glpi-0.85-bug5218.patch b/glpi-0.85-bug5218.patch
new file mode 100644
index 0000000..0da9fe6
--- /dev/null
+++ b/glpi-0.85-bug5218.patch
@@ -0,0 +1,15 @@
+Index: trunk/inc/user.class.php
+===================================================================
+--- trunk/inc/user.class.php	(révision 23364)
++++ trunk/inc/user.class.php	(révision 23365)
+@@ -602,7 +602,9 @@
+       // Add default profile
+       if (!$rulesplayed) {
+          $affectation = array();
+-         if (isset($this->input['_profiles_id']) && $this->input['_profiles_id']) {
++         if (isset($this->input['_profiles_id']) && $this->input['_profiles_id']
++            && Profile::currentUserHaveMoreRightThan(array($this->input['_profiles_id']))
++            ) {
+             $profile                   = $this->input['_profiles_id'];
+             // Choosen in form, so not dynamic
+             $affectation['is_dynamic'] = 0;
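Review bot: The added `Profile::currentUserHaveMoreRightThan(...)` guard makes a request for a profile the current user may not grant indistinguishable from omitting `_profiles_id` altogether: the branch is simply skipped and the code after the hunk presumably falls through to the default profile, so nothing records that an over-privileged assignment was attempted. For a security fix it is worth making the refusal visible, either by an `else` branch that logs the refused profile id together with the acting user through the application's logging helper, or by returning a validation error to the form, so that administrators can spot such attempts. Note that the rights check runs only when the truthiness test on `$this->input['_profiles_id']` passes, which keeps the pre-existing behaviour for an empty value. The enclosing method starts and ends outside the hunk.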
diff --git a/glpi-0.85-upload.patch b/glpi-0.85-upload.patch
new file mode 100644
index 0000000..128b6f4
--- /dev/null
+++ b/glpi-0.85-upload.patch
@@ -0,0 +1,24 @@
+diff -up ./front/fileupload.php.old ./front/fileupload.php
+--- ./front/fileupload.php.old	2015-02-27 10:03:26.350805386 +0100
++++ ./front/fileupload.php	2015-02-27 10:04:09.149972196 +0100
+@@ -66,7 +66,7 @@ $errors =  array(
+         'min_height'          => __('Image requires a minimum height')
+     );
+ 
+-$upload_handler = new UploadHandler(array('upload_dir'        => GLPI_ROOT.'/files/_tmp/',
++$upload_handler = new UploadHandler(array('upload_dir'        => GLPI_TMP_DIR.'/',
+                                           'param_name'        => $_GET['name'],
+                                           'orient_image'      => false,
+                                           'image_versions'    => array()),
+diff -up ./inc/html.class.php.old ./inc/html.class.php
+--- ./inc/html.class.php.old	2015-02-27 10:03:34.849838511 +0100
++++ ./inc/html.class.php	2015-02-27 10:04:27.798044878 +0100
+@@ -5118,7 +5118,7 @@ class Html {
+          && is_array($p['values']['filename']) && count($p['values']['filename'])) {
+          foreach ($p['values']['filename'] as $key => $name) {
+             if (isset($p['values']['tag'][$key])) {
+-               $file = GLPI_ROOT.'/files/_tmp/'.$p['values']['filename'][$key];
++               $file = GLPI_TMP_DIR.'/'.$p['values']['filename'][$key];
+                if (file_exists($file)) {
+                   $display = sprintf('%1$s %2$s', $p['values']['filename'][$key],
+                                                   Toolbox::getSize(filesize($file)));
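Review bot: Both replaced lines now derive the path from `GLPI_TMP_DIR`, but nothing in this patch or in the spec shows where that constant is defined for the packaged layout; if the shipped config does not set it, PHP of this era substitutes the bare string `'GLPI_TMP_DIR'` with only a notice, and the upload handler would then write to a relative directory under the web server's working directory. Please confirm the constant is defined in the packaged configuration before `front/fileupload.php` and `inc/html.class.php` run. In the `html.class.php` hunk the relocated path is still the raw `$p['values']['filename'][$key]` appended to the directory; unless the caller already restricts that value to a bare file name, wrapping it as `GLPI_TMP_DIR.'/'.basename($p['values']['filename'][$key])` keeps the `file_exists`/`filesize` lookup inside the temporary directory. Both enclosing scopes start and end outside the hunk.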
diff --git a/glpi.spec b/glpi.spec
index c119c24..e94e0b0 100644
--- a/glpi.spec
+++ b/glpi.spec
@@ -28,7 +28,7 @@
 
 Name:           glpi
 Version:        0.85.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Free IT asset management software
 Summary(fr):    Gestion Libre de Parc Informatique
 
@@ -44,6 +44,10 @@ Source4:        glpi-nginx.conf
 
 # Switch all internal cron tasks to system
 Patch0:         glpi-0.85-cron.patch
+# See https://forge.indepnet.net/projects/glpi/repository/revisions/23370
+Patch1:         glpi-0.85-upload.patch
+# See https://forge.indepnet.net/projects/glpi/repository/revisions/23365
+Patch2:         glpi-0.85-bug5218.patch
 
 BuildArch:      noarch
 BuildRequires:  gettext
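Review bot: The comment above `Patch2` only points at the upstream revision, whereas this is the security fix the changelog refers to; a future maintainer deciding whether the patch can be dropped would benefit from one line stating what it fixes. Suggested comment: `# Security fix: only assign a profile the current user has more rights than, see https://forge.indepnet.net/issues/5218 (r23365)`.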
@@ -120,6 +124,8 @@ techniciens grâce à une maintenance plus cohérente.
 %setup -q -n glpi
 
 %patch0 -p0
+%patch1 -p1
+%patch2 -p1
 
 find . -name \*.orig -exec rm {} \; -print
 
@@ -289,6 +295,10 @@ fi
 
 
 %changelog
+* Fri Feb 27 2015 Remi Collet <remi at fedoraproject.org> - 0.85.2-2
+- add security fix https://forge.indepnet.net/issues/5218
+- add fix for temporary directory relocation
+
 * Wed Jan 21 2015 Remi Collet <remi at fedoraproject.org> - 0.85.2-1
 - update to 0.85.2
   https://forge.indepnet.net/versions/1110

