-rw-r--r--php-sabredav-Sabre_DAV.spec16
-rw-r--r--sabreDav_BrowserPluginFix.patch23
2 files changed, 36 insertions, 3 deletions
diff --git a/php-sabredav-Sabre_DAV.spec b/php-sabredav-Sabre_DAV.spec
index 32ce1a1..48b4806 100644
--- a/php-sabredav-Sabre_DAV.spec
+++ b/php-sabredav-Sabre_DAV.spec
@@ -4,13 +4,14 @@
Name: php-sabredav-Sabre_DAV
Version: 1.6.5
-Release: 1%{?dist}
+Release: 4%{?dist}
Summary: Sabre_DAV is a WebDAV framework for PHP
Group: Development/Libraries
License: BSD
URL: http://code.google.com/p/sabredav
Source0: http://pear.sabredav.org/get/%{pear_name}-%{version}.tgz
+Patch1: sabreDav_BrowserPluginFix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -39,8 +40,10 @@ is meant to cover the entire standard.
%prep
%setup -q -c
-[ -f package2.xml ] || mv package.xml package2.xml
-mv package2.xml %{pear_name}-%{version}/%{pear_name}.xml
+%patch1 -p0
+
+sed -e '/Plugin.php/s/md5sum.*name/name/' \
+ package.xml > %{pear_name}-%{version}/%{pear_name}.xml
%build
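Review bot: The sed address `/Plugin.php/` in %prep is not tied to the Browser plugin, and its `.` is an unescaped wildcard, so the `md5sum` attribute is probably stripped from every package.xml line that names a Plugin.php, not only the file Patch1 modifies. If package.xml lists files by full path, that disables the installer's checksum verification for several unpatched files as well. Narrowing the address, e.g. `sed -e '/Browser\/Plugin\.php/s/md5sum.*name/name/'`, keeps the integrity check for everything else. Substituting the md5 of the patched file would be stricter still. A short comment above the sed explaining why the checksum is dropped would also help the next packager.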
@@ -78,6 +81,13 @@ fi
%changelog
+* Wed May 1 2013 Remi Collet <RPMS@FamilleCollet.com> 1.6.5-4
+- sync with rawhide, backport for remi repo
+
+* Sun Apr 28 2013 Joseph Marrero <jmarrero@fedoraproject.org> - 1.6.5-4
+- added security patch that fixes bugs 951568 951569 951562
+- added --ignore-errors flag to pear install macro to accept the patch
+
* Mon Nov 12 2012 Remi Collet <RPMS@FamilleCollet.com> 1.6.5-1
- backport for remi repo
diff --git a/sabreDav_BrowserPluginFix.patch b/sabreDav_BrowserPluginFix.patch
new file mode 100644
index 0000000..449283f
--- /dev/null
+++ b/sabreDav_BrowserPluginFix.patch
@@ -0,0 +1,23 @@
+--- Sabre_DAV-1.6.5/Sabre/DAV/Browser/Plugin.php 2012-10-04 08:02:37.000000000 -0400
++++ SabreDAV/lib/Sabre/DAV/Browser/Plugin.php 2013-04-11 14:29:08.000000000 -0400
+@@ -439,14 +439,14 @@
+ */
+ protected function getLocalAssetPath($assetName) {
+
++ $assetDir = __DIR__ . '/assets/';
++ $path = $assetDir . $assetName;
++
+ // Making sure people aren't trying to escape from the base path.
+- $assetSplit = explode('/', $assetName);
+- if (in_array('..',$assetSplit)) {
+- throw new Sabre_DAV_Exception('Incorrect asset path');
++ if (strpos(realpath($path), realpath($assetDir)) === 0) {
++ return $path;
+ }
+- $path = __DIR__ . '/assets/' . $assetName;
+- return $path;
+-
++ throw new Sabre_DAV_Exception_Forbidden('Path does not exist, or escaping from the base path was detected');
+ }
+
+ /**
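Review bot: The containment test in getLocalAssetPath compares against `realpath($assetDir)`, which comes back without a trailing separator, so the `strpos(...) === 0` prefix match is not anchored on a directory boundary. Any resolved path whose parent directory name merely begins with `assets` would be accepted as inside the base. Anchor the base and make the failure case explicit, e.g. `$real = realpath($path); $base = realpath($assetDir) . DIRECTORY_SEPARATOR;` followed by `if ($real !== false && strpos($real, $base) === 0)`. Returning `$real` rather than the unnormalised `$path` would also guarantee that the path handed back is the one that was checked. The docblock for this method starts above the hunk; it should say that a non-existent asset now raises `Sabre_DAV_Exception_Forbidden`.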