From a6792003a40a9daa6f9eb29b103d521740ccbe3d Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Wed, 1 May 2013 18:31:24 +0200
Subject: php-sabredav-Sabre_DAV: add patch from rawhide (but well applied)

---
 php-sabredav-Sabre_DAV.spec     | 16 +++++++++++++---
 sabreDav_BrowserPluginFix.patch | 23 +++++++++++++++++++++++
 2 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 sabreDav_BrowserPluginFix.patch

diff --git a/php-sabredav-Sabre_DAV.spec b/php-sabredav-Sabre_DAV.spec
index 32ce1a1..48b4806 100644
--- a/php-sabredav-Sabre_DAV.spec
+++ b/php-sabredav-Sabre_DAV.spec
@@ -4,13 +4,14 @@
 
 Name:           php-sabredav-Sabre_DAV
 Version:        1.6.5
-Release:        1%{?dist}
+Release:        4%{?dist}
 Summary:        Sabre_DAV is a WebDAV framework for PHP
 
 Group:          Development/Libraries
 License:        BSD
 URL:            http://code.google.com/p/sabredav
 Source0:        http://pear.sabredav.org/get/%{pear_name}-%{version}.tgz
+Patch1:         sabreDav_BrowserPluginFix.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
@@ -39,8 +40,10 @@ is meant to cover the entire standard.
 
 %prep
 %setup -q -c
-[ -f package2.xml ] || mv package.xml package2.xml
-mv package2.xml %{pear_name}-%{version}/%{pear_name}.xml
+%patch1 -p0
+
+sed -e '/Plugin.php/s/md5sum.*name/name/' \
+  package.xml > %{pear_name}-%{version}/%{pear_name}.xml
 
 
 %build
@@ -78,6 +81,13 @@ fi
 
 
 %changelog
+* Wed May  1 2013 Remi Collet <RPMS@FamilleCollet.com> 1.6.5-4
+- sync with rawhide, backport for remi repo
+
+* Sun Apr 28 2013 Joseph Marrero <jmarrero@fedoraproject.org> - 1.6.5-4
+- added security patch that fixes bugs 951568 951569 951562
+- added --ignore-errors flag to pear install macro to accept the patch
+
 * Mon Nov 12 2012 Remi Collet <RPMS@FamilleCollet.com> 1.6.5-1
 - backport for remi repo
 
diff --git a/sabreDav_BrowserPluginFix.patch b/sabreDav_BrowserPluginFix.patch
new file mode 100644
index 0000000..449283f
--- /dev/null
+++ b/sabreDav_BrowserPluginFix.patch
@@ -0,0 +1,23 @@
+--- Sabre_DAV-1.6.5/Sabre/DAV/Browser/Plugin.php	2012-10-04 08:02:37.000000000 -0400
++++ SabreDAV/lib/Sabre/DAV/Browser/Plugin.php	2013-04-11 14:29:08.000000000 -0400
+@@ -439,14 +439,14 @@
+      */
+     protected function getLocalAssetPath($assetName) {
+ 
++        $assetDir = __DIR__ . '/assets/';
++        $path = $assetDir . $assetName;
++
+         // Making sure people aren't trying to escape from the base path.
+-        $assetSplit = explode('/', $assetName);
+-        if (in_array('..',$assetSplit)) {
+-            throw new Sabre_DAV_Exception('Incorrect asset path');
++        if (strpos(realpath($path), realpath($assetDir)) === 0) {
++            return $path;
+         }
+-        $path = __DIR__ . '/assets/' . $assetName;
+-        return $path;
+-
++        throw new Sabre_DAV_Exception_Forbidden('Path does not exist, or escaping from the base path was detected');
+     }
+ 
+     /**
-- 
cgit