From 2ad56745900b2993f9f0c0ebdc55fa64933f4599 Mon Sep 17 00:00:00 2001 From: Bernard Cafarelli Date: Fri, 4 Jun 2021 09:40:47 +0200 Subject: www-apps/owncloud: 10.7.0 bump, with security fix backport Add https://github.com/owncloud/core/pull/38689 that fixes senstitive exception data exposure Bug: https://bugs.gentoo.org/794091 Package-Manager: Portage-3.0.19, Repoman-3.0.3 Signed-off-by: Bernard Cafarelli --- www-apps/owncloud/Manifest | 1 + .../owncloud-10.7.0-share_data_exposure.patch | 78 ++++++++++++++++++++++ www-apps/owncloud/owncloud-10.7.0.ebuild | 49 ++++++++++++++ 3 files changed, 128 insertions(+) create mode 100644 www-apps/owncloud/files/owncloud-10.7.0-share_data_exposure.patch create mode 100644 www-apps/owncloud/owncloud-10.7.0.ebuild
diff --git a/www-apps/owncloud/Manifest b/www-apps/owncloud/Manifest
index aee01f865f8f..f0efc62ecd53 100644
--- a/www-apps/owncloud/Manifest
+++ b/www-apps/owncloud/Manifest
@@ -1,2 +1,3 @@
 DIST owncloud-10.5.0.tar.bz2 23471398 BLAKE2B 6566df51474a22d36da868ab45a7cb679528aecc9a95e0ad20f06adda587563e16c98ee1e942a5fef62e633b132469a6a775d5893754f553aea8a33043daafc3 SHA512 b77183146ee27c97a7f472e1debaec6f5dad168f204a243a65f431cade28ed0551d0db88ff799776bfd26db60357a2216a35cd1b4af6e7e98fc933f325e4336c
 DIST owncloud-10.6.0.tar.bz2 24569416 BLAKE2B f20890262551f2996d39566f63f79439921f41bfa3a82cecc5fdf771be93e403f5a273e76498421ec7e29a03f00326844003c3adb3f927f2c1c8fc82c26c23de SHA512 ec4de23b4cd0dc08dde66802285a00c817cc8ccc79237e4ae454af5fecba102fdc892ed24e62b246deebba536728d312f43dcfea9f2f490ba8847a54ac962885
+DIST owncloud-10.7.0.tar.bz2 24129028 BLAKE2B 47ce3584f8123cc0a315c7d88847df5844c951e354fcecd7a876ca01f0fa24823a86bdd950dd885f3bbb46f60d8a39271e31d43ac6dac8f3df506d6cdc531231 SHA512 ebb636b8ffd06d4ceb1dd0d50c15ab393b8c7bf2f0e23c61ba957add6ac4d4ba4cdefb9cda2c703f337c82a295e2c40a467a602227728e9506f9a150c9f2fd3c
diff --git a/www-apps/owncloud/files/owncloud-10.7.0-share_data_exposure.patch b/www-apps/owncloud/files/owncloud-10.7.0-share_data_exposure.patch
new file mode 100644
index 000000000000..bab6ffed11ed
--- /dev/null
+++ b/www-apps/owncloud/files/owncloud-10.7.0-share_data_exposure.patch
@@ -0,0 +1,78 @@
+From b552f84eedb5d2a113028d7859e82352699fb427 Mon Sep 17 00:00:00 2001
+From: JanAckermann
+Date: Tue, 4 May 2021 11:51:29 +0200
+Subject: [PATCH 1/3] Throw generic exception to overcome, senstitive exception
+ data exposure
+
+---
+ .../lib/Controllers/ShareController.php | 26 ++++++++++++-------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/apps/files_sharing/lib/Controllers/ShareController.php b/apps/files_sharing/lib/Controllers/ShareController.php
+index da9832e105b..02bd3553067 100644
+--- a/apps/files_sharing/lib/Controllers/ShareController.php
++++ b/apps/files_sharing/lib/Controllers/ShareController.php
+@@ -400,6 +400,7 @@ public function showShare($token, $path = '') {
+ * @param string $path
+ * @param string $downloadStartSecret
+ * @return NotFoundResponse|RedirectResponse|void
++ * @throws \Exception
+ */
+ public function downloadShare($token, $files = null, $path = '', $downloadStartSecret = '') {
+ \OC_User::setIncognitoMode(true);
+@@ -530,16 +531,21 @@ public function downloadShare($token, $files = null, $path = '', $downloadStartS
+ }
+
+ // download selected files
+- if ($files !== null && $files !== '') {
+- // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
+- // after dispatching the request which results in a "Cannot modify header information" notice.
+- OC_Files::get($originalSharePath, $files_list, $server_params);
+- exit();
+- } else {
+- // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
+- // after dispatching the request which results in a "Cannot modify header information" notice.
+- OC_Files::get(\dirname($originalSharePath), \basename($originalSharePath), $server_params);
+- exit();
++
++ try {
++ if ($files !== null && $files !== '') {
++ // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
++ // after dispatching the request which results in a "Cannot modify header information" notice.
++ OC_Files::get($originalSharePath, $files_list, $server_params);
++ exit();
++ } else {
++ // FIXME: The exit is required here because otherwise the AppFramework is trying to add headers as well
++ // after dispatching the request which results in a "Cannot modify header information" notice.
++ OC_Files::get(\dirname($originalSharePath), \basename($originalSharePath), $server_params);
++ exit();
++ }
++ } catch (\Exception $e) {
++ throw new \Exception();
+ }
+ }
+ }
+
+From a94f67a4857447e36e205043c55f29737a0bc57d Mon Sep 17 00:00:00 2001
+From: JanAckermann
+Date: Tue, 4 May 2021 12:01:17 +0200
+Subject: [PATCH 2/3] enhanche if statement
+
+---
+ lib/private/Files/Storage/Local.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php
+index d5ae0e3794b..d499079da98 100644
+--- a/lib/private/Files/Storage/Local.php
++++ b/lib/private/Files/Storage/Local.php
+@@ -384,7 +384,7 @@ public function getSourcePath($path) {
+ }
+ $pathToResolve = $fullPath;
+ $realPath = \realpath($pathToResolve);
+- while ($realPath === false) { // for non existing files check the parent directory
++ while (!\is_string($realPath)) { // for non existing files check the parent directory
+ $pathToResolve = \dirname($pathToResolve);
+ $realPath = \realpath($pathToResolve);
+ }
+
diff --git a/www-apps/owncloud/owncloud-10.7.0.ebuild b/www-apps/owncloud/owncloud-10.7.0.ebuild
new file mode 100644
index 000000000000..0b560a4d0fee
--- /dev/null
+++ b/www-apps/owncloud/owncloud-10.7.0.ebuild
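Review bot: In the backported ShareController hunk the new `catch (\Exception $e)` drops `$e` and rethrows an empty `\Exception`, so the underlying failure is never recorded on the server, and a PHP 7 `\Error` is not caught at all and would still surface with its original detail. Recording it before the rethrow, for example `\OC::$server->getLogger()->logException($e, ['app' => 'files_sharing']);`, and widening the catch to `\Throwable` would keep the diagnostics for operators while still withholding them from the client; that change belongs upstream rather than in this backport. The file also contains only [PATCH 1/3] and [PATCH 2/3] of the referenced pull request, so a comment next to `PATCHES` in the ebuild stating why the third commit is omitted would help later review. The body of downloadShare starts outside the inner hunk.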
@@ -0,0 +1,49 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit webapp
+
+DESCRIPTION="Web-based storage application where all your data is under your own control"
+HOMEPAGE="https://owncloud.org"
+SRC_URI="https://download.owncloud.org/community/${P}.tar.bz2"
+LICENSE="AGPL-3"
+
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="+curl mysql postgres +sqlite"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+DEPEND=""
+RDEPEND=">=dev-lang/php-7.0[curl?,filter,gd,hash(+),intl,json,mysql?,pdo,posix,postgres?,session,simplexml,sqlite?,xmlreader,xmlwriter,zip]
+ virtual/httpd-php"
+
+PATCHES=( "${FILESDIR}"/${P}-share_data_exposure.patch )
+
+S=${WORKDIR}/${PN}
+
+pkg_setup() {
+ webapp_pkg_setup
+}
+
+src_install() {
+ webapp_src_preinst
+
+ insinto "${MY_HTDOCSDIR}"
+ doins -r .
+ dodir "${MY_HTDOCSDIR}"/data
+
+ webapp_serverowned -R "${MY_HTDOCSDIR}"/apps
+ webapp_serverowned -R "${MY_HTDOCSDIR}"/data
+ webapp_serverowned -R "${MY_HTDOCSDIR}"/config
+ webapp_configfile "${MY_HTDOCSDIR}"/.htaccess
+
+ webapp_src_install
+}
+
+pkg_postinst() {
+ elog "Additional applications (calendar, ...) are no longer provided by default."
+ elog "You can install them after login via the applications management page"
+ elog "(check the recommended tab). No application data is lost."
+ webapp_pkg_postinst
+}
-- cgit v1.2.3-65-gdbad
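Review bot: `dodir "${MY_HTDOCSDIR}"/data` in src_install places the user data directory inside the web root, where the only visible protection is the shipped `.htaccess`; under a web server that does not honour .htaccess files (RDEPEND accepts any `virtual/httpd-php` provider) the stored files may be directly retrievable. pkg_postinst could say so, for example `elog "Keep the data directory outside the web root, or deny access to data/ in the web server configuration."`. The recursive `webapp_serverowned` calls on apps and config also leave application code and configuration writable by the web server user, which deserves a one-line comment explaining why it is required.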