From e95055b2bdcd70568c4b4e21424800cab47a582b Mon Sep 17 00:00:00 2001
From: Frank Karlitschek
Date: Thu, 21 Jun 2012 14:07:04 +0200
Subject: [PATCH 1/4] check if the data directory is accessible via http. Show a big security warning if yes
---
 lib/util.php | 53 +++++++++++++++++++++++++++++++-----
 settings/admin.php | 2 ++
 settings/css/settings.css | 5 +++-
 settings/templates/admin.php | 15 ++++++++++
 4 files changed, 67 insertions(+), 8 deletions(-)
 mode change 100644 => 100755 settings/admin.php
 mode change 100644 => 100755 settings/templates/admin.php
diff --git a/lib/util.php b/lib/util.php
index 7792f96d44..8a2d913109 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -420,18 +420,57 @@ class OC_Util { } } - /** - * @brief Public function to sanitize HTML - * + /** + * @brief Public function to sanitize HTML + * * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page. * * @param string or array of strings - * @return array with sanitized strings or a single sinitized string, depends on the input parameter. + * @return array with sanitized strings or a single sinitized string, depends on the input parameter. */ - public static function sanitizeHTML( &$value ){ - if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML'); - else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4 + public static function sanitizeHTML( &$value ){ + if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML'); + else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4 return $value; } + + /** + * Check if the htaccess file is working buy creating a test file in the data directory and trying to access via http + */ + public static function ishtaccessworking() { + + // testdata + $filename='/htaccesstest.txt'; + $testcontent='testcontent'; + + // creating a test file + $testfile = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ).'/'.$filename; + $fp = @fopen($testfile, 'w'); + @fwrite($fp, $testcontent); + @fclose($fp); + + // accessing the file via http + $url = OC_Helper::serverProtocol(). '://' . OC_Helper::serverHost() . OC::$WEBROOT.'/data'.$filename; + $fp = @fopen($url, 'r'); + $content=@fread($fp, 2048); + @fclose($fp); + + // cleanup + @unlink($testfile); + + // does it work ? + if($content==$testcontent) { + return(false); + }else{ + return(true); + + } + + } + + + + + } diff --git a/settings/admin.php b/settings/admin.php old mode 100644 new mode 100755 index a997bad4e3..8369ee64e0 --- a/settings/admin.php 
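Review bot: ishtaccessworking() reports the data directory as protected whenever the HTTP probe fails outright — if `@fopen($url, 'r')` returns false (allow_url_fopen disabled, DNS/TLS error, non-200 response) then `$content` is false, `$content==$testcontent` is false, and the function returns true, so a check that could not run is indistinguishable from a passing one. The comparison should also be strict, and a false handle should not be passed on to fread/fclose. The rewrite below keeps the boolean interface and treats a failed probe as "not verified"; that will warn on hosts with allow_url_fopen off, so a separate tri-state result may be preferable. Note too that the probe host comes from `OC_Helper::serverHost()`, which presumably reflects the request's Host header, so the verdict shown to the admin depends on a client-supplied value; building the URL from a configured, trusted hostname would remove that dependency. The new doc comment also reads `buy` for `by`.
```php
	public static function ishtaccessworking() {
		// … unchanged: create the test file in the data directory …
		$url = OC_Helper::serverProtocol(). '://' . OC_Helper::serverHost() . OC::$WEBROOT.'/data'.$filename;
		$fp = @fopen($url, 'r');
		if ($fp === false) {
			@unlink($testfile);
			// Probe could not run (allow_url_fopen off, connection/HTTP error):
			// report "not verified" instead of silently passing.
			return false;
		}
		$content = @fread($fp, 2048);
		@fclose($fp);
		@unlink($testfile);
		// Only the exact test content proves the directory is being served.
		return $content !== $testcontent;
	}
```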
+++ b/settings/admin.php
@@ -15,6 +15,7 @@ OC_App::setActiveNavigationEntry( "admin" );
 $tmpl = new OC_Template( 'settings', 'admin', 'user');
 $forms=OC_App::getForms('admin');
+$htaccessworking=OC_Util::ishtaccessworking();
 $entries=OC_Log_Owncloud::getEntries(3);
 function compareEntries($a,$b){
@@ -24,6 +25,7 @@ usort($entries, 'compareEntries');
 $tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 ));
 $tmpl->assign('entries',$entries);
+$tmpl->assign('htaccessworking',$htaccessworking);
 $tmpl->assign('forms',array());
 foreach($forms as $form){
 $tmpl->append('forms',$form);
diff --git a/settings/css/settings.css b/settings/css/settings.css
index df1e3cfd3c..80e96df5e6 100644
--- a/settings/css/settings.css
+++ b/settings/css/settings.css
@@ -48,5 +48,8 @@ li.active { color:#000; }
 small.externalapp { color:#FFF; background-color:#BBB; font-weight:bold; font-size:6pt; padding:4px; border-radius: 4px;}
 span.version { margin-left:3em; color:#ddd; }
-/* LOF */
+/* LOG */
 #log { white-space:normal; }
+
+/* ADMIN */
+span.securitywarning {color:#C33; font-weight:bold; }
diff --git a/settings/templates/admin.php b/settings/templates/admin.php
old mode 100644
new mode 100755
index 38c6042c82..a9f727d676
--- a/settings/templates/admin.php
+++ b/settings/templates/admin.php
@@ -6,6 +6,21 @@ $levels=array('Debug','Info','Warning','Error','Fatal');
 ?>
+
+
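Review bot: `OC_Util::ishtaccessworking()` is now invoked on every load of the admin page, and per the lib/util.php hunk each call creates and deletes a file in the data directory and issues an outbound HTTP request to the server's own host — a lot of side effects for a read-only settings view. Consider running the probe once (at setup/upgrade, or behind a cached verdict) and assigning the stored result here; the second hunk's `$tmpl->assign('htaccessworking',$htaccessworking);` would stay as is.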
+ t('Security Warning');?> + + Your data directory and your files are probably accessible from the internet. The .htaccess file that ownCloud provides is not working. We strongly suggest that you configure your webserver in a way that the data directory is no longer accessible or you move the data directory outside the webserver document root. + +
+
+
+
From f5740a6f925ddcd78a563ab38db88f05d6a77317 Mon Sep 17 00:00:00 2001
From: Georg Ehrke
Date: Thu, 21 Jun 2012 15:19:49 +0200
Subject: [PATCH 2/4] fix a PHP Notice
---
 apps/calendar/lib/app.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/apps/calendar/lib/app.php b/apps/calendar/lib/app.php
index 167382a5e7..8e13b13b8a 100644
--- a/apps/calendar/lib/app.php
+++ b/apps/calendar/lib/app.php
@@ -338,6 +338,9 @@ class OC_Calendar_App{
 $singleevents = OC_Calendar_Share::allSharedwithuser(OCP\USER::getUser(), OC_Calendar_Share::EVENT, 1, ($_GET['calendar_id'] == 'shared_rw')?'rw':'r');
 foreach($singleevents as $singleevent){
 $event = OC_Calendar_Object::find($singleevent['eventid']);
+ if(!array_key_exists('summary', $event)){
+ $event['summary'] = self::$l10n->t('unnamed');
+ }
 $event['summary'] .= ' (' . self::$l10n->t('by') . ' ' . OC_Calendar_Object::getowner($event['id']) . ')';
 $events[] = $event;
 }
From 7c3f6f61db5b93c3393ab4b3b99c3e6906ed27be Mon Sep 17 00:00:00 2001
From: Sam Tuke
Date: Thu, 21 Jun 2012 14:53:58 +0100
Subject: [PATCH 3/4] Fixed missing jQuery event object - expire interface now works with Firefox
---
 apps/files_versions/js/settings-personal.js | 78 +++++++++------------
 1 file changed, 33 insertions(+), 45 deletions(-)
diff --git a/apps/files_versions/js/settings-personal.js b/apps/files_versions/js/settings-personal.js
index d9456f3f2a..6ea8c1a950 100644
--- a/apps/files_versions/js/settings-personal.js
+++ b/apps/files_versions/js/settings-personal.js
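Review bot: The warning body is emitted as a bare English string while the heading in the same hunk goes through the template's `t('Security Warning')` call, so the message about the data directory is not localisable; wrap it in the same translation call as the heading. The markup of this hunk appears to have lost its HTML tags in this rendering, so the element structure around the message could not be reviewed here.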
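Review bot: `array_key_exists('summary', $event)` assumes `OC_Calendar_Object::find()` returned an array; if it can return false for a share whose event no longer exists (not visible here), the new check emits a warning and the following `.=` still writes into a non-array. A guard such as `if(!is_array($event)) { continue; }` placed before the new lines would cover that case; otherwise the notice fix itself looks right. The enclosing method starts and ends outside the hunk.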
@@ -1,51 +1,39 @@
-// $(document).ready(function(){
-// $('#versions').change( function(){
-// OC.msg.startSaving('#calendar .msg')
-// // Serialize the data
-// var post = $( '#timezone' ).serialize();
-// $.post( OC.filePath('calendar', 'ajax/settings', 'settimezone.php'), post, function(data){
-// //OC.msg.finishedSaving('#calendar .msg', data);
-// });
-// return false;
-// });
-// });
+// TODO: allow the button to be clicked only once
-$(document).ready(function(){
+$( document ).ready(function(){
 //
- $('#expireAllBtn').click(function(){
+ $( '#expireAllBtn' ).click(
- // Prevent page from reloading
- event.preventDefault();
+ function( event ) {
- // Show loading gif
- $('.expireAllLoading').show();
-
- $.getJSON(
- OC.filePath('files_versions','ajax','expireAll.php'),
- function(result){
- if (result.status == 'success') {
- $('.expireAllLoading').hide();
- $('#expireAllBtn').html('Expiration successful');
- } else {
-
- // Cancel loading
- $('#expireAllBtn').html('Expiration failed');
-
- // Show Dialog
- OC.dialogs.alert(
- 'Something went wrong, your files may not have been expired',
- 'An error has occurred',
- function(){
- $('#expireAllBtn').html(t('files_versions', 'Expire all versions')+'');
- }
-
- );
-
- }
- }
+ // Prevent page from reloading
+ event.preventDefault();
- );
-
- });
-
+ // Show loading gif
+ $('.expireAllLoading').show();
+
+ $.getJSON(
+ OC.filePath('files_versions','ajax','expireAll.php'),
+ function(result){
+ if (result.status == 'success') {
+ $('.expireAllLoading').hide();
+ $('#expireAllBtn').html('Expiration successful');
+ } else {
+
+ // Cancel loading
+ $('#expireAllBtn').html('Expiration failed');
+
+ // Show Dialog
+ OC.dialogs.alert(
+ 'Something went wrong, your files may not have been expired',
+ 'An error has occurred',
+ function(){
+ $('#expireAllBtn').html(t('files_versions', 'Expire all versions')+'');
+ }
+ );
+ }
+ }
+ );
+ }
+ );
 });
\ No newline at end of file
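Review bot: The `$.getJSON` call in the new handler has no failure path — if the request to expireAll.php fails at transport or HTTP level the success callback never runs, the `.expireAllLoading` spinner stays visible and the button keeps its original label, and `result.status == 'success'` uses loose equality where `===` is meant. Chain a failure handler on the returned jqXHR, e.g. `.fail(function(){ $('.expireAllLoading').hide(); $('#expireAllBtn').html('Expiration failed'); })` (jqXHR deferreds exist from jQuery 1.5; `.error()` on older builds). The `'Expiration successful'` and `'Expiration failed'` labels are also plain strings while the reset label goes through `t('files_versions', …)`, so they are not translatable. The TODO about allowing only one click still applies to the rewritten handler.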
From 49d9eb7acf8636eed2e25292df924694fc4ccd47 Mon Sep 17 00:00:00 2001
From: Georg Ehrke
Date: Thu, 21 Jun 2012 16:23:13 +0200
Subject: [PATCH 4/4] fix calendar
---
 apps/calendar/ajax/events.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/calendar/ajax/events.php b/apps/calendar/ajax/events.php
index 7178358c7b..ae55cbc02d 100644
--- a/apps/calendar/ajax/events.php
+++ b/apps/calendar/ajax/events.php
@@ -22,7 +22,7 @@ $calendar_id = (is_null($calendar_id)?strip_tags($_GET['calendar_id']):$calendar
 $start = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['start']):new DateTime('@' . $_GET['start']);
 $end = (version_compare(PHP_VERSION, '5.3.0', '>='))?DateTime::createFromFormat('U', $_GET['end']):new DateTime('@' . $_GET['end']);
-$events = OC_Calendar_App::getrequestedEvents($calendar_id, $start, $end);
+$events = OC_Calendar_App::getrequestedEvents($_GET['calendar_id'], $start, $end);
 $output = array();
 foreach($events as $event){
 $output = array_merge($output, OC_Calendar_App::generateEventOutput($event, $start, $end));
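Review bot: The new line hands `$_GET['calendar_id']` straight to getrequestedEvents(), bypassing the `$calendar_id` local that the hunk header shows being null-checked and run through strip_tags(), and it reads the key with no isset() guard, so a request without calendar_id now raises a notice. Unless getrequestedEvents() validates its first argument itself (not visible here), the input-cleaning step is silently dropped by this one-line change. If the problem was that `$calendar_id` arrived in the wrong form, the fix belongs in the lines that derive it (outside this hunk); at minimum pass `isset($_GET['calendar_id']) ? strip_tags($_GET['calendar_id']) : null` so the same sanitised value reaches the call.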