oss-sec mailing list archives
Re: Possible data loss or data modification in ownCloud
From: Simon McVittie <smcv () debian org>
Date: Fri, 10 Aug 2012 23:52:25 +0100
On 10/08/12 10:25, Bruno Kleinert wrote:
if ($source) { + switch ($mode) { + case 'r+': + case 'rb+': ... + case 'a': + case 'ab': + if (!$this->is_writable($path)) { + return false; + }
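Review bot: the switch on $mode shows no default branch, so any mode string that is not matched by one of the listed cases skips the is_writable($path) check and is handled as if it were a read. Consider listing only the read-only modes and moving the is_writable($path) check under default, so that an unrecognised or newly added mode is refused on a read-only path instead of being let through.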
I find this suspicious. Surely this should be enumerating the modes that are safe, rather than the modes that are not safe?

With that patch, if a new value for $mode is added, it's assumed to be a read operation. It seems much safer to assume that unknown modes are writes:

    switch ($mode) {
        case 'r':
        case 'rb':
            break;
        default:
            if (!$this->is_writable($path)) {
                return false;
            }
    }

Regards,
S
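The difference between the two approaches discussed in this message, as an added example that is not part of the original post and is not ownCloud code. The function names and the deny-list contents are constructed for illustration (the patch's own list is partly elided above); the mode strings are ones PHP's fopen() accepts.

```php
<?php
// Added illustration; not ownCloud code. Function names are hypothetical.

// Deny-list style: only the listed modes trigger the write check.
// The list is constructed for this example, not copied from the patch.
function needsWriteDenyList(string $mode): bool
{
    switch ($mode) {
        case 'r+': case 'rb+':
        case 'w':  case 'wb':
        case 'a':  case 'ab':
            return true;
        default:
            return false; // unknown mode is treated as a read
    }
}

// Allow-list style, as proposed in the reply: only known read-only
// modes skip the check, everything else is treated as a write.
function needsWriteAllowList(string $mode): bool
{
    switch ($mode) {
        case 'r':
        case 'rb':
            return false;
        default:
            return true; // fail closed
    }
}

// Mode strings accepted by fopen(); all but the first two open the file for writing.
$modes = ['r', 'rb', 'r+', 'w', 'a', 'r+b', 'w+', 'x', 'c', 'c+'];

foreach ($modes as $mode) {
    printf("%-4s deny-list: %-5s allow-list: %s\n",
        $mode,
        needsWriteDenyList($mode) ? 'check' : 'skip',
        needsWriteAllowList($mode) ? 'check' : 'skip');
}
```

The allow-list version also sends read-only spellings it does not list, such as 'rt', through the writability check, so its mistakes refuse an operation rather than permit one.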