From f3e9106864421d902cb3751fdd0004f84b369938 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sat, 28 Nov 2015 12:19:58 +0100 Subject: [PATCH] Don't trust update server In case the update server may deliver malicious content this would allow an adversary to inject arbitrary HTML into the response. So very bad stuff. While signing the response would be better and something we can also do in the future (considering the code signing work), this is already a good first start. --- core/templates/layout.user.php | 2 +- lib/private/templatelayout.php | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php index 5e13d9329f..714525cf87 100644 --- a/core/templates/layout.user.php +++ b/core/templates/layout.user.php @@ -4,7 +4,7 @@ - data-update-version="" data-update-link="" + data-update-version="" data-update-link="" > diff --git a/lib/private/templatelayout.php b/lib/private/templatelayout.php index 7d16823d2a..f5974128b7 100644 --- a/lib/private/templatelayout.php +++ b/lib/private/templatelayout.php @@ -85,7 +85,9 @@ class OC_TemplateLayout extends OC_Template { if(isset($data['version']) && $data['version'] != '' and $data['version'] !== Array()) { $this->assign('updateAvailable', true); $this->assign('updateVersion', $data['versionstring']); - $this->assign('updateLink', $data['web']); + if(substr($data['web'], 0, 8) === 'https://') { + $this->assign('updateLink', $data['web']); + } \OCP\Util::addScript('core', 'update-notification'); } else { $this->assign('updateAvailable', false); // No update available or not an admin user