[glpi/f21] add security fix https://forge.indepnet.net/issues/5218

Remi Collet remi at fedoraproject.org
Tue Mar 24 09:45:36 UTC 2015


commit facea57d576dda9f4f2e01ec5065f38301b957b5
Author: Remi Collet <remi at fedoraproject.org>
Date:   Tue Mar 24 10:44:47 2015 +0100

    add security fix https://forge.indepnet.net/issues/5218

 .gitignore              | 20 ++------------------
 glpi-0.84-bug5218.patch | 15 +++++++++++++++
 glpi.spec               | 11 ++++++++---
 3 files changed, 25 insertions(+), 21 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 554734d..3072915 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,22 +1,6 @@
-*~
 clog
-glpi-0.72.4-11497.tar.gz
-/glpi-0.78.5.tar.gz
-/glpi-0.78-14966.tar.gz
-/glpi-0.80.5.tar.gz
-/glpi-0.80.6.tar.gz
-/glpi-0.80.61.tar.gz
-/glpi-0.80.7.tar.gz
-/glpi-0.83.1.tar.gz
-/glpi-0.83.2.tar.gz
-/glpi-0.83.31.tar.gz
-/glpi-0.83.4.tar.gz
-/glpi-0.83.5.tar.gz
-/glpi-0.83.6.tar.gz
-/glpi-0.83.7.tar.gz
-/glpi-0.83.8.tar.gz
-/glpi-0.83.9.tar.gz
-/glpi-0.83.91.tar.gz
+glpi-0.83*.tar.gz
+glpi-0.85*.tar.gz
 /glpi-0.84.2.tar.gz
 /glpi-0.84.3.tar.gz
 /glpi-0.84.4.tar.gz
diff --git a/glpi-0.84-bug5218.patch b/glpi-0.84-bug5218.patch
new file mode 100644
index 0000000..062b68d
--- /dev/null
+++ b/glpi-0.84-bug5218.patch
@@ -0,0 +1,15 @@
+Index: branches/0.84-bugfixes/inc/user.class.php
+===================================================================
+--- branches/0.84-bugfixes/inc/user.class.php	(révision 23406)
++++ branches/0.84-bugfixes/inc/user.class.php	(révision 23407)
+@@ -556,7 +556,9 @@
+       // Add default profile
+       if (!$rulesplayed) {
+          $affectation = array();
+-         if (isset($this->input['_profiles_id']) && $this->input['_profiles_id']) {
++         if (isset($this->input['_profiles_id']) && $this->input['_profiles_id']
++            && Profile::currentUserHaveMoreRightThan(array($this->input['_profiles_id']))
++            ) {
+             $profile                   = $this->input['_profiles_id'];
+             // Choosen in form, so not dynamic
+             $affectation['is_dynamic'] = 0;
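Review bot: When the added `Profile::currentUserHaveMoreRightThan(...)` test fails, the form-supplied `_profiles_id` is dropped without any trace, so a blocked attempt to assign a higher profile is invisible to an administrator. The fallback taken instead lies outside this hunk and should be confirmed to assign only the default profile. Consider recording the refusal (requested profile id and acting user) in the application log on the rejecting path, and explain the guard in place, e.g. `// Form-supplied profile is honoured only if the current user outranks it (issue 5218)`. The enclosing method starts and ends outside the hunk, so whether other form-supplied fields used alongside the profile get an equivalent check cannot be told from here.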
diff --git a/glpi.spec b/glpi.spec
index ee952cc..ad58c75 100644
--- a/glpi.spec
+++ b/glpi.spec
@@ -1,8 +1,8 @@
 # spec file for glpi
 #
-# Copyright (c) 2007-2014 Remi Collet
+# Copyright (c) 2007-2015 Remi Collet
 # License: CC-BY-SA
-# http://creativecommons.org/licenses/by-sa/3.0/
+# http://creativecommons.org/licenses/by-sa/4.0/
 #
 # Please, preserve the changelog entries
 #
@@ -28,7 +28,7 @@
 
 Name:           glpi
 Version:        0.84.8
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Free IT asset management software
 Summary(fr):    Gestion Libre de Parc Informatique
 
@@ -46,6 +46,7 @@ Source4:        glpi-nginx.conf
 Patch0:         glpi-0.84-cron.patch
 # Upstream security patch
 Patch1:         glpi-0.84-CVE-2014-9258.patch
+Patch2:         glpi-0.84-bug5218.patch
 
 BuildArch:      noarch
 BuildRequires:  gettext
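Review bot: `Patch2` is added under the existing `# Upstream security patch` comment that was written for `Patch1`, with nothing stating where it comes from or that it is security-relevant. Give it its own comment line, e.g. `# Upstream security patch, https://forge.indepnet.net/issues/5218 (r23407)`. A later rebase can then tell when the fix is included upstream and the patch can be dropped.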
@@ -123,6 +124,7 @@ techniciens grâce à une maintenance plus cohérente.
 
 %patch0 -p0
 %patch1 -p2
+%patch2 -p2
 
 find . -name \*.orig -exec rm {} \; -print
 
@@ -293,6 +295,9 @@ fi
 
 
 %changelog
+* Tue Mar 24 2015 Remi Collet <remi at fedoraproject.org> - 0.84.8-4
+- add security fix https://forge.indepnet.net/issues/5218
+
 * Mon Dec 22 2014 Remi Collet <remi at fedoraproject.org> - 0.84.8-3
 - fix SQL Injection CVE-2014-9258
 

