From 4c68e82fecb2ee4211b467462ab4a7adaa7fa963 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Fri, 27 Feb 2015 10:35:16 +0100
Subject: glpi: 0.85.2 with 2 upstream fix
---
glpi-0.85-bug5218.patch | 15 +++++++++++++++
glpi-0.85-upload.patch | 24 ++++++++++++++++++++++++
glpi-dev.spec | 12 +++++++++++-
3 files changed, 50 insertions(+), 1 deletion(-)
create mode 100644 glpi-0.85-bug5218.patch
create mode 100644 glpi-0.85-upload.patch
diff --git a/glpi-0.85-bug5218.patch b/glpi-0.85-bug5218.patch
new file mode 100644
index 0000000..0da9fe6
--- /dev/null
+++ b/glpi-0.85-bug5218.patch
@@ -0,0 +1,15 @@
+Index: trunk/inc/user.class.php
+===================================================================
+--- trunk/inc/user.class.php (révision 23364)
++++ trunk/inc/user.class.php (révision 23365)
+@@ -602,7 +602,9 @@
+ // Add default profile
+ if (!$rulesplayed) {
+ $affectation = array();
+- if (isset($this->input['_profiles_id']) && $this->input['_profiles_id']) {
++ if (isset($this->input['_profiles_id']) && $this->input['_profiles_id']
++ && Profile::currentUserHaveMoreRightThan(array($this->input['_profiles_id']))
++ ) {
+ $profile = $this->input['_profiles_id'];
+ // Choosen in form, so not dynamic
+ $affectation['is_dynamic'] = 0;
diff --git a/glpi-0.85-upload.patch b/glpi-0.85-upload.patch
new file mode 100644
index 0000000..128b6f4
--- /dev/null
+++ b/glpi-0.85-upload.patch
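Review bot: The added `Profile::currentUserHaveMoreRightThan(...)` condition in trunk/inc/user.class.php (glpi-0.85-bug5218.patch) refuses a form-supplied `_profiles_id` silently: when the check fails the request just skips this branch, and nothing visible here records that a profile above the caller's rights was asked for. The code that runs instead lies outside the hunk, so confirm it assigns the default profile rather than leaving the new user without one, and consider logging the refusal there so an administrator can see it. The branch also deserves a comment naming the authorization rule, e.g. `// Honour a profile chosen in the form only if the current user is allowed to grant it`.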
@@ -0,0 +1,24 @@
+diff -up ./front/fileupload.php.old ./front/fileupload.php
+--- ./front/fileupload.php.old 2015-02-27 10:03:26.350805386 +0100
++++ ./front/fileupload.php 2015-02-27 10:04:09.149972196 +0100
+@@ -66,7 +66,7 @@ $errors = array(
+ 'min_height' => __('Image requires a minimum height')
+ );
+
+-$upload_handler = new UploadHandler(array('upload_dir' => GLPI_ROOT.'/files/_tmp/',
++$upload_handler = new UploadHandler(array('upload_dir' => GLPI_TMP_DIR.'/',
+ 'param_name' => $_GET['name'],
+ 'orient_image' => false,
+ 'image_versions' => array()),
+diff -up ./inc/html.class.php.old ./inc/html.class.php
+--- ./inc/html.class.php.old 2015-02-27 10:03:34.849838511 +0100
++++ ./inc/html.class.php 2015-02-27 10:04:27.798044878 +0100
+@@ -5118,7 +5118,7 @@ class Html {
+ && is_array($p['values']['filename']) && count($p['values']['filename'])) {
+ foreach ($p['values']['filename'] as $key => $name) {
+ if (isset($p['values']['tag'][$key])) {
+- $file = GLPI_ROOT.'/files/_tmp/'.$p['values']['filename'][$key];
++ $file = GLPI_TMP_DIR.'/'.$p['values']['filename'][$key];
+ if (file_exists($file)) {
+ $display = sprintf('%1$s %2$s', $p['values']['filename'][$key],
+ Toolbox::getSize(filesize($file)));
diff --git a/glpi-dev.spec b/glpi-dev.spec
index 46da769..a7f364c 100644
--- a/glpi-dev.spec
+++ b/glpi-dev.spec
@@ -28,7 +28,7 @@ Name: glpi Version: 0.85.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Free IT asset management software Summary(fr): Gestion Libre de Parc Informatique
@@ -44,6 +44,10 @@ Source4: glpi-nginx.conf # Switch all internal cron tasks to system Patch0: glpi-0.85-cron.patch +# See https://forge.indepnet.net/projects/glpi/repository/revisions/23370 +Patch1: glpi-0.85-upload.patch +# See https://forge.indepnet.net/projects/glpi/repository/revisions/23365 +Patch2: glpi-0.85-bug5218.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch
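Review bot: In the inc/html.class.php hunk of glpi-0.85-upload.patch, the new `$file = GLPI_TMP_DIR.'/'.$p['values']['filename'][$key];` still joins the supplied name to the directory unchanged, so a name containing directory separators would make `file_exists()` and `filesize()` look outside the temporary directory. Where `$p['values']` comes from is not visible here (the method begins and ends outside the hunk); if it can carry request data, reduce it to its last path component first: `$file = GLPI_TMP_DIR.'/'.basename($p['values']['filename'][$key]);`. In the front/fileupload.php hunk, `'param_name' => $_GET['name']` likewise reaches `UploadHandler` straight from the query string and is worth restricting to the expected field names. The relocation itself only helps if `GLPI_TMP_DIR` is defined before both files run and points outside the web root, which this patch does not show.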
@@ -125,6 +129,8 @@ techniciens grâce à une maintenance plus cohérente. %setup -q -n glpi %patch0 -p0 +%patch1 -p1 +%patch2 -p1 find . -name \*.orig -exec rm {} \; -print @@ -307,6 +313,10 @@ fi %changelog +* Fri Feb 27 2015 Remi Collet - 0.85.2-2 +- add security fix https://forge.indepnet.net/issues/5218 +- add fix for temporary directory relocation + * Wed Jan 21 2015 Remi Collet - 0.85.2-1 - update to 0.85.2 https://forge.indepnet.net/versions/1110 -- cgit