From e899c9989e39e0b542fe5489805e4721081c6624 Mon Sep 17 00:00:00 2001
From: Arthur Schiwon
Date: Fri, 3 Aug 2012 13:15:15 +0200
Subject: [PATCH 01/27] Show Login-Button when user+pw are autocompleted, fixes oc-1068
---
 core/js/js.js | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/core/js/js.js b/core/js/js.js
index 8a60f70e1dd3..dec6ea047c05 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -402,11 +402,7 @@ $(document).ready(function(){
 //use infield labels
 $("label.infield").inFieldLabels();
- // hide log in button etc. when form fields not filled
- $('#submit').hide();
- $('#remember_login').hide();
- $('#remember_login+label').hide();
- $('input#user, input#password').keyup(function() {
+ checkShowCredentials = function() {
 var empty = false;
 $('input#user, input#password').each(function() {
 if ($(this).val() == '') {
@@ -422,7 +418,10 @@ $(document).ready(function(){
 $('#remember_login').show();
 $('#remember_login+label').fadeIn();
 }
- });
+ }
+ // hide log in button etc. when form fields not filled
+ checkShowCredentials();
+ $('input#user, input#password').keyup(checkShowCredentials);
 $('#settings #expand').keydown(function(event) {
 if (event.which == 13 || event.which == 32) {
From 6b78ca1a5adaf8dcd73919f872fcb5014fd61ab2 Mon Sep 17 00:00:00 2001
From: Arthur Schiwon
Date: Fri, 3 Aug 2012 15:51:25 +0200
Subject: [PATCH 02/27] LDAP: sanitize base, user and group trees. fixes oc-1302
---
 apps/user_ldap/lib_ldap.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/apps/user_ldap/lib_ldap.php b/apps/user_ldap/lib_ldap.php
index 4bd0ff4bbfaf..731283c67e8d 100644
--- a/apps/user_ldap/lib_ldap.php
+++ b/apps/user_ldap/lib_ldap.php
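Review bot: `checkShowCredentials = function() {` assigns without `var`, so the function becomes an implicit global on `window` instead of a local of the ready handler; `var checkShowCredentials = function() {` keeps it scoped, and the second hunk's `$('input#user, input#password').keyup(checkShowCredentials);` works unchanged. The function's body is split between the two hunks, and the enclosing `ready` callback starts and ends outside both.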
@@ -666,9 +666,9 @@ static private function readConfiguration($force = false) {
 self::$ldapPort = OCP\Config::getAppValue('user_ldap', 'ldap_port', 389);
 self::$ldapAgentName = OCP\Config::getAppValue('user_ldap', 'ldap_dn','');
 self::$ldapAgentPassword = base64_decode(OCP\Config::getAppValue('user_ldap', 'ldap_agent_password',''));
- self::$ldapBase = OCP\Config::getAppValue('user_ldap', 'ldap_base', '');
- self::$ldapBaseUsers = OCP\Config::getAppValue('user_ldap', 'ldap_base_users',self::$ldapBase);
- self::$ldapBaseGroups = OCP\Config::getAppValue('user_ldap', 'ldap_base_groups', self::$ldapBase);
+ self::$ldapBase = self::sanitizeDN(OCP\Config::getAppValue('user_ldap', 'ldap_base', ''));
+ self::$ldapBaseUsers = self::sanitizeDN(OCP\Config::getAppValue('user_ldap', 'ldap_base_users',self::$ldapBase));
+ self::$ldapBaseGroups = self::sanitizeDN(OCP\Config::getAppValue('user_ldap', 'ldap_base_groups', self::$ldapBase));
 self::$ldapTLS = OCP\Config::getAppValue('user_ldap', 'ldap_tls',0);
 self::$ldapNoCase = OCP\Config::getAppValue('user_ldap', 'ldap_nocase', 0);
 self::$ldapUserDisplayName = strtolower(OCP\Config::getAppValue('user_ldap', 'ldap_display_name', 'uid'));
From 0970a3c60edff5a1fca00116c5f66691c1b74e13 Mon Sep 17 00:00:00 2001
From: Bart Visscher
Date: Fri, 3 Aug 2012 16:11:10 +0200
Subject: [PATCH 03/27] Contacts: Fix no active Addressbooks
---
 apps/contacts/lib/addressbook.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apps/contacts/lib/addressbook.php b/apps/contacts/lib/addressbook.php
index 634d59eb9bd2..f31f6ae73dcf 100644
--- a/apps/contacts/lib/addressbook.php
+++ b/apps/contacts/lib/addressbook.php
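Review bot: `self::$ldapBaseUsers` and `self::$ldapBaseGroups` fall back to `self::$ldapBase`, which the line before has already passed through `sanitizeDN`, so when the per-tree keys are unset that value is sanitized twice; this is only harmless if `sanitizeDN` is idempotent, and its definition is outside this hunk. Reading the raw base into a local first removes the dependency: `$rawBase = OCP\Config::getAppValue('user_ldap', 'ldap_base', '');`, then `self::$ldapBase = self::sanitizeDN($rawBase);` and `self::$ldapBaseUsers = self::sanitizeDN(OCP\Config::getAppValue('user_ldap', 'ldap_base_users', $rawBase));` (same for groups). `readConfiguration` continues outside the hunk.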
@@ -219,6 +219,7 @@ public static function active($uid){
 OCP\Util::writeLog('contacts','OC_Contacts_Addressbook:active:, exception: '.$e->getMessage(),OCP\Util::DEBUG);
 OCP\Util::writeLog('contacts','OC_Contacts_Addressbook:active, ids: '.join(',', $active),OCP\Util::DEBUG);
 OCP\Util::writeLog('contacts','OC_Contacts_Addressbook::active, SQL:'.$prep,OCP\Util::DEBUG);
+ return array();
 }
 return $addressbooks;
From 758ae42df0126f5d8ae8582b0525d7364e74f696 Mon Sep 17 00:00:00 2001
From: Bart Visscher
Date: Fri, 3 Aug 2012 16:18:33 +0200
Subject: [PATCH 04/27] Calendar: remove double html encoding
---
 apps/calendar/lib/app.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/calendar/lib/app.php b/apps/calendar/lib/app.php
index 06f85d32250b..6c55bd19884f 100644
--- a/apps/calendar/lib/app.php
+++ b/apps/calendar/lib/app.php
@@ -383,8 +383,8 @@ public static function generateEventOutput($event, $start, $end){
 $lastmodified = ($last_modified)?$last_modified->getDateTime()->format('U'):0;
 $output = array('id'=>(int)$event['id'],
- 'title' => htmlspecialchars(($event['summary']!=NULL || $event['summary'] != '')?$event['summary']: self::$l10n->t('unnamed')),
- 'description' => isset($vevent->DESCRIPTION)?htmlspecialchars($vevent->DESCRIPTION->value):'',
+ 'title' => ($event['summary']!=NULL || $event['summary'] != '')?$event['summary']: self::$l10n->t('unnamed'),
+ 'description' => isset($vevent->DESCRIPTION)?$vevent->DESCRIPTION->value:'',
 'lastmodified'=>$lastmodified);
 $dtstart = $vevent->DTSTART;
From c32a99b14cd463f8e8b8625dc59279064b9bdb03 Mon Sep 17 00:00:00 2001
From: Georg Ehrke
Date: Sat, 4 Aug 2012 18:50:05 +0200
Subject: [PATCH 05/27] fix label for versioning in admin settings
---
 apps/files_versions/templates/settings.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/files_versions/templates/settings.php b/apps/files_versions/templates/settings.php
index c3a856bc196e..8682fc0f4996 100644
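Review bot: `return array();` makes a failed query in `active()` indistinguishable from a user who simply has no active address books, and the only record of the failure is the three `OCP\Util::DEBUG` lines above it, which a production log level drops. Log at least the exception line at error level so the condition stays visible, e.g. `OCP\Util::writeLog('contacts','OC_Contacts_Addressbook:active:, exception: '.$e->getMessage(),OCP\Util::ERROR);`. The `try`/`catch` opening and the rest of `active()` are outside the hunk.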
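Review bot: removing `htmlspecialchars` from `title` and `description` leaves no escaping visible in `generateEventOutput`, so the values in `$output` now reach the consumer raw and the contract that the view escapes them is only implicit. If the calendar view inserts these fields as HTML rather than as text, a summary or description supplied through CalDAV would render unescaped; that cannot be confirmed from the hunk, so record the intent on the array, e.g. `// title/description are raw here; the view must escape them for its output context`. The function continues outside the hunk.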
--- a/apps/files_versions/templates/settings.php
+++ b/apps/files_versions/templates/settings.php
@@ -1,4 +1,4 @@
-
+
/>
From 2cfc7f7454fb29e1aba1420a8d3df5cdcb8ff852 Mon Sep 17 00:00:00 2001
From: Bjoern Schiessle
Date: Wed, 8 Aug 2012 11:47:23 +0200
Subject: [PATCH 06/27] fix for bug 879 - add parent directory to file cache if it does not exist yet. For example this can happen if the sync client is used before the user created the root directory (e.g. through web login).
---
 lib/filecache.php | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/lib/filecache.php b/lib/filecache.php
index 8d0f3c84f93d..7b7a2fac3ea0 100644
--- a/lib/filecache.php
+++ b/lib/filecache.php
@@ -84,19 +84,28 @@ public static function put($path,$data,$root=''){
 if($root=='/'){
 $root='';
 }
- $path=$root.$path;
- $parent=self::getParentId($path);
- $id=self::getFileId($path);
- if(isset(OC_FileCache::$savedData[$path])){
- $data=array_merge(OC_FileCache::$savedData[$path],$data);
- unset(OC_FileCache::$savedData[$path]);
+ $fullpath=$root.$path;
+ $parent=self::getParentId($fullpath);
+ $id=self::getFileId($fullpath);
+ if(isset(OC_FileCache::$savedData[$fullpath])){
+ $data=array_merge(OC_FileCache::$savedData[$fullpath],$data);
+ unset(OC_FileCache::$savedData[$fullpath]);
+ }
+
+ // add parent directory to the file cache if it does not exist yet.
+ if ($parent == -1 && $fullpath != $root) {
+ $parentDir = substr(dirname($path), 0, strrpos(dirname($path), DIRECTORY_SEPARATOR));
+ self::scanFile($parentDir);
+ $parent = self::getParentId($fullpath);
 }
+
 if($id!=-1){
 self::update($id,$data);
 return;
 }
+
 if(!isset($data['size']) or !isset($data['mtime'])){//save incomplete data for the next time we write it
- self::$savedData[$path]=$data;
+ self::$savedData[$fullpath]=$data;
 return;
 }
 if(!isset($data['encrypted'])){
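Review bot: `$parentDir = substr(dirname($path), 0, strrpos(dirname($path), DIRECTORY_SEPARATOR));` strips one more component than `dirname` already did, so for `/a/b/c.txt` it yields `/a` and for a file directly below a top-level directory it yields `''`; unless `scanFile` is meant to cover a directory's children, `dirname($path)` looks like the intended value. It also searches for `DIRECTORY_SEPARATOR` in a path this function assembles with `/` (`$root.$path`, `basename`), so on a platform whose separator is `\` `strrpos` returns `false` and the substring is always empty. After `self::scanFile($parentDir)` the refreshed `$parent` is not re-checked, so a still-missing parent proceeds to the INSERT in the next hunk with `-1`. `put()` continues in the second hunk and beyond.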
@@ -113,9 +122,9 @@ public static function put($path,$data,$root=''){
 $data['versioned']=(int)$data['versioned'];
 $user=OC_User::getUser();
 $query=OC_DB::prepare('INSERT INTO *PREFIX*fscache(parent, name, path, path_hash, size, mtime, ctime, mimetype, mimepart,`user`,writable,encrypted,versioned) VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?)');
- $result=$query->execute(array($parent,basename($path),$path,md5($path),$data['size'],$data['mtime'],$data['ctime'],$data['mimetype'],$mimePart,$user,$data['writable'],$data['encrypted'],$data['versioned']));
+ $result=$query->execute(array($parent,basename($fullpath),$fullpath,md5($fullpath),$data['size'],$data['mtime'],$data['ctime'],$data['mimetype'],$mimePart,$user,$data['writable'],$data['encrypted'],$data['versioned']));
 if(OC_DB::isError($result)){
- OC_Log::write('files','error while writing file('.$path.') to cache',OC_Log::ERROR);
+ OC_Log::write('files','error while writing file('.$fullpath.') to cache',OC_Log::ERROR);
 }
 }
From a366ba4c0c6cebb1e703bdc3777b71a4bb766281 Mon Sep 17 00:00:00 2001
From: Thomas Tanghus
Date: Thu, 9 Aug 2012 17:22:56 +0200
Subject: [PATCH 07/27] Fix for broken Mail App in OSX Mountain Lion. https://mail.kde.org/pipermail/owncloud/2012-August/004649.html
---
 3rdparty/Sabre/CardDAV/Plugin.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/3rdparty/Sabre/CardDAV/Plugin.php b/3rdparty/Sabre/CardDAV/Plugin.php
index 9ebec243eb0c..095769feddc3 100644
--- a/3rdparty/Sabre/CardDAV/Plugin.php
+++ b/3rdparty/Sabre/CardDAV/Plugin.php
@@ -153,6 +153,9 @@ public function beforeGetProperties($path, Sabre_DAV_INode $node, array &$reques
 // Taking out \r to not screw up the xml output
 $returnedProperties[200][$addressDataProp] = str_replace("\r","", $val);
+ // The stripping of \r breaks the Mail App in OSX Mountain Lion
+ // this is fixed in master, but not backported. /Tanghus
+ $returnedProperties[200][$addressDataProp] = $val;
 }
 }
From aae17d4ae87085a024d637bc836ba2bd226b32ce Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Thu, 9 Aug 2012 22:14:48 +0200
Subject: [PATCH 08/27] Sanitize user input
---
 apps/gallery/sharing.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/gallery/sharing.php b/apps/gallery/sharing.php
index 44fcd9c864b3..a9683c020673 100644
--- a/apps/gallery/sharing.php
+++ b/apps/gallery/sharing.php
@@ -37,7 +37,7 @@
From 7581d55428918ae97f31695ce98c2f0d2b86efb8 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Thu, 9 Aug 2012 22:17:52 +0200
Subject: [PATCH 09/27] Missed an "echo"
---
 apps/gallery/sharing.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/gallery/sharing.php b/apps/gallery/sharing.php
index a9683c020673..af3e553e4541 100644
--- a/apps/gallery/sharing.php
+++ b/apps/gallery/sharing.php
@@ -37,7 +37,7 @@
From 5192eecce239a0b7ade1e60a6cf03075e5cfc188 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Fri, 10 Aug 2012 00:11:04 +0200
Subject: [PATCH 10/27] Added XSRF check
---
 core/ajax/appconfig.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php
index 84e0710c74a5..bf749be3e30d 100644
--- a/core/ajax/appconfig.php
+++ b/core/ajax/appconfig.php
@@ -7,6 +7,7 @@ require_once ("../../lib/base.php");
 OC_Util::checkAdminUser();
+OCP\JSON::callCheck();
 $action=isset($_POST['action'])?$_POST['action']:$_GET['action'];
 $result=false;
From baab13ae134ff109c043371a7813df9b9bd4967b Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Fri, 10 Aug 2012 15:23:04 +0200
Subject: [PATCH 11/27] Validate cookie to prevent auth bypasses.
---
 index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.php b/index.php
index 3c38ff760f8e..89eaec7d21a9 100644
--- a/index.php
+++ b/index.php
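Review bot: `OCP\JSON::callCheck();` is the right addition, but the line after it, `$action=isset($_POST['action'])?$_POST['action']:$_GET['action'];`, still accepts the config-changing action from the query string and reads `$_GET['action']` without `isset`, so a request with neither parameter raises an undefined-index notice. Unless GET callers that carry the request token exist, restrict the endpoint to POST, e.g. `$action=isset($_POST['action'])?$_POST['action']:null;`. The action handling itself is outside the hunk.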
@@ -77,7 +77,7 @@
 }
 // confirm credentials in cookie
 if(isset($_COOKIE['oc_token']) && OC_User::userExists($_COOKIE['oc_username']) &&
- OC_Preferences::getValue($_COOKIE['oc_username'], "login", "token") == $_COOKIE['oc_token']) {
+ OC_Preferences::getValue($_COOKIE['oc_username'], "login", "token") === $_COOKIE['oc_token']) {
 OC_User::setUserId($_COOKIE['oc_username']);
 OC_Util::redirectToDefaultPage();
 }
From e9a63900dee88447efebeb66b3954fdaeffbe73a Mon Sep 17 00:00:00 2001
From: Michael Gapczynski
Date: Wed, 8 Aug 2012 11:25:24 -0400
Subject: [PATCH 12/27] Don't return file handle if the mode supports writing and the file is not writable Conflicts: apps/files_sharing/sharedstorage.php
---
 apps/files_sharing/sharedstorage.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/apps/files_sharing/sharedstorage.php b/apps/files_sharing/sharedstorage.php
index 41af077b5a93..7a905819ef9a 100644
--- a/apps/files_sharing/sharedstorage.php
+++ b/apps/files_sharing/sharedstorage.php
@@ -416,6 +416,25 @@ public function copy($path1, $path2) {
 public function fopen($path, $mode) {
 $source = $this->getSource($path);
 if ($source) {
+ switch ($mode) {
+ case 'r+':
+ case 'rb+':
+ case 'w+':
+ case 'wb+':
+ case 'x+':
+ case 'xb+':
+ case 'a+':
+ case 'ab+':
+ case 'w':
+ case 'wb':
+ case 'x':
+ case 'xb':
+ case 'a':
+ case 'ab':
+ if (!$this->is_writable($path)) {
+ return false;
+ }
+ }
 $storage = OC_Filesystem::getStorage($source);
 return $storage->fopen($this->getInternalPath($source), $mode);
 }
From 2871896d547be5a5f74b861b3de0fd19839863d0 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Fri, 10 Aug 2012 16:38:32 +0200
Subject: [PATCH 13/27] Check if webfinger is enabled
---
 apps/user_webfinger/host-meta.php | 4 ++++
 apps/user_webfinger/webfinger.php | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/apps/user_webfinger/host-meta.php b/apps/user_webfinger/host-meta.php
index 32ffb512057f..a4f494ce8372 100644
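Review bot: `$_COOKIE['oc_username']` is read on the context line above the changed one without being checked, so a request carrying only `oc_token` raises an undefined-index notice before `userExists` runs; guard both cookies, `if(isset($_COOKIE['oc_token'], $_COOKIE['oc_username']) && OC_User::userExists($_COOKIE['oc_username']) &&`. `===` closes the loose-comparison bypass (a missing `login`/`token` preference comparing equal to an empty or non-string cookie value), which is worth a one-line comment so nobody "simplifies" it back. The comparison is still not constant-time; if the supported PHP version offers no timing-safe compare, note that too. The surrounding `if` chain ends outside the hunk.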
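Review bot: the `switch` enumerates mode strings but misses writable spellings: `c`, `c+`, `cb`, `cb+` and flag orderings such as `r+b` or `w+b` fall through to the read path without the `is_writable` check. Testing for the mode characters covers every spelling: `if (strpbrk($mode, 'wxac+') !== false && !$this->is_writable($path)) { return false; }` in place of the whole switch. `fopen` continues outside the hunk.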
--- a/apps/user_webfinger/host-meta.php
+++ b/apps/user_webfinger/host-meta.php
@@ -1,4 +1,8 @@ '*', 'Content-Type' => 'application/xrd+json'
diff --git a/apps/user_webfinger/webfinger.php b/apps/user_webfinger/webfinger.php
index e75c546c2cb8..0f882a96cf85 100644
--- a/apps/user_webfinger/webfinger.php
+++ b/apps/user_webfinger/webfinger.php
@@ -1,4 +1,8 @@ /apps/myApp/profile.php?user="> * *
- '* but can also use complex database queries to generate the webfinger result
+ * but can also use complex database queries to generate the webfinger result
 **/
 // calculate the documentroot
 // modified version of the one in lib/base.php that takes the .well-known symlink into account
From 6d94455540781950b063b39385324ffe90f702c3 Mon Sep 17 00:00:00 2001
From: Jakob Sack
Date: Sun, 12 Aug 2012 09:06:46 +0200
Subject: [PATCH 14/27] Fix OC_Connector_Sabre_Locks for SQLite
---
 lib/connector/sabre/locks.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/connector/sabre/locks.php b/lib/connector/sabre/locks.php
index 94382e68a1a2..3fabfcf3399e 100644
--- a/lib/connector/sabre/locks.php
+++ b/lib/connector/sabre/locks.php
@@ -41,8 +41,10 @@ public function getLocks($uri, $returnChildLocks) {
 // NOTE: the following 10 lines or so could be easily replaced by
 // pure sql. MySQL's non-standard string concatination prevents us
 // from doing this though.
- $query = 'SELECT * FROM *PREFIX*locks WHERE userid = ? AND (created + timeout) > ? AND ((uri = ?)';
- $params = array(OC_User::getUser(),time(),$uri);
+ // Fix: sqlite does not insert time() as a number but as text, making
+ // the equation returning false all the time
+ $query = 'SELECT * FROM *PREFIX*locks WHERE userid = ? AND (created + timeout) > '.time().' AND ((uri = ?)';
+ $params = array(OC_User::getUser(),$uri);
 // We need to check locks for every part in the uri.
 $uriParts = explode('/',$uri);
From 2024d424cdc8de836848db4acc7dee148d018bb5 Mon Sep 17 00:00:00 2001
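Review bot: `'... > '.time().' AND ((uri = ?)'` moves a value out of the bound parameter list into string-built SQL; it is safe only because `time()` returns an int, and the rest of the query deliberately binds everything. Make that contract explicit so a later edit cannot turn the concatenation into an injection point, `'SELECT * FROM *PREFIX*locks WHERE userid = ? AND (created + timeout) > '.(int)time().' AND ((uri = ?)'`, and extend the new comment to say that this one value is intentionally not bound. `getLocks` continues outside the hunk.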
From: Lukas Reschke
Date: Mon, 13 Aug 2012 01:22:53 +0200
Subject: [PATCH 15/27] Disable listing of all users
---
 apps/calendar/appinfo/remote.php | 10 +++++++---
 apps/contacts/appinfo/remote.php | 9 ++++++---
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/apps/calendar/appinfo/remote.php b/apps/calendar/appinfo/remote.php
index 3bd8737ee974..93d57b2e40ca 100644
--- a/apps/calendar/appinfo/remote.php
+++ b/apps/calendar/appinfo/remote.php
@@ -21,10 +21,14 @@ $caldavBackend = new OC_Connector_Sabre_CalDAV();
 // Root nodes
-$nodes = array(
- new Sabre_CalDAV_Principal_Collection($principalBackend),
+$collection = new Sabre_CalDAV_Principal_Collection($principalBackend);
+$collection->disableListing = true; // Disable listening
+
+$nodes = array(
+ $collection,
 new Sabre_CalDAV_CalendarRootNode($principalBackend, $caldavBackend),
-);
+ );
+
 // Fire up server
 $server = new Sabre_DAV_Server($nodes);
diff --git a/apps/contacts/appinfo/remote.php b/apps/contacts/appinfo/remote.php
index ef50e4ad39ff..2a6a3bea2e1b 100644
--- a/apps/contacts/appinfo/remote.php
+++ b/apps/contacts/appinfo/remote.php
@@ -36,10 +36,13 @@ $carddavBackend = new OC_Connector_Sabre_CardDAV();
 // Root nodes
-$nodes = array(
- new Sabre_CalDAV_Principal_Collection($principalBackend),
+$collection = new Sabre_CalDAV_Principal_Collection($principalBackend);
+$collection->disableListing = true; // Disable listening
+
+$nodes = array(
+ $collection,
 new Sabre_CardDAV_AddressBookRoot($principalBackend, $carddavBackend),
-);
+ );
 // Fire up server
 $server = new Sabre_DAV_Server($nodes);
From 4fd069b47906ebcf83887970c732d464dbe7d37a Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Mon, 13 Aug 2012 01:26:28 +0200
Subject: [PATCH 16/27] Also check some other files
---
 lib/migrate.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/migrate.php b/lib/migrate.php
index 5939ba32e50d..d05c781f5556 100644
--- a/lib/migrate.php
+++ b/lib/migrate.php
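Review bot: the inline comment `// Disable listening` on the `$collection->disableListing = true;` line should read `// Disable listing`, since the flag stops enumeration of the principal collection, which is what the commit title describes. The same typo is in the contacts hunk of this commit and is carried forward by both `remote.php` hunks of PATCH 18/27. The closing `);` of `$nodes` is also re-indented in both hunks (`+ );`), which is unrelated to the change and adds diff noise.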
@@ -322,7 +322,7 @@ private static function copy_r( $path, $dest ){
 $objects = scandir( $path );
 if( sizeof( $objects ) > 0 ){
 foreach( $objects as $file ){
- if( $file == "." || $file == ".." )
+ if( $file == "." || $file == ".." || $file == ".htaccess")
 continue; // go on
 if( is_dir( $path . '/' . $file ) ){
From 95ef80e6dbcd6bed0e32eac6d7a7e1cb8d12553c Mon Sep 17 00:00:00 2001
From: Michael Gapczynski
Date: Sat, 11 Aug 2012 11:04:04 -0400
Subject: [PATCH 17/27] Check blacklist when renaming files
---
 lib/base.php | 1 +
 lib/filesystem.php | 14 +++++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/lib/base.php b/lib/base.php
index 0e7e370cd6d7..67f8e7702fc3 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -434,6 +434,7 @@ public static function init(){
 // Check for blacklisted files
 OC_Hook::connect('OC_Filesystem','write','OC_Filesystem','isBlacklisted');
+ OC_Hook::connect('OC_Filesystem', 'rename', 'OC_Filesystem', 'isBlacklisted');
 //make sure temporary files are cleaned up
 register_shutdown_function(array('OC_Helper','cleanTmp'));
diff --git a/lib/filesystem.php b/lib/filesystem.php
index 2c7df5daa3cf..2a0c1cea93e6 100644
--- a/lib/filesystem.php
+++ b/lib/filesystem.php
@@ -372,13 +372,21 @@ static public function isValidPath($path){
 /**
 * checks if a file is blacklsited for storage in the filesystem
+ * Listens to write and rename hooks
 * @param array $data from hook
 */
 static public function isBlacklisted($data){
 $blacklist = array('.htaccess');
- $filename = strtolower(basename($data['path']));
- if(in_array($filename,$blacklist)){
- $data['run'] = false;
+ if (isset($data['path'])) {
+ $path = $data['path'];
+ } else if (isset($data['newpath'])) {
+ $path = $data['newpath'];
+ }
+ if (isset($path)) {
+ $filename = strtolower(basename($path));
+ if (in_array($filename, $blacklist)) {
+ $data['run'] = false;
+ }
 }
 }
From 4682846d3ecdad15c6a60126dda75eb7fa97c707 Mon Sep 17 00:00:00 2001
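Review bot: `$file == ".htaccess"` is an exact, case-sensitive match, whereas `OC_Filesystem::isBlacklisted` (changed later in this series) lowercases the basename before comparing; on a case-insensitive filesystem an `.HTACCESS` in the imported tree passes this check. Normalise the same way, `if( $file == "." || $file == ".." || strtolower($file) == ".htaccess")`, or better take the name from the same blacklist the filesystem hooks use so the two cannot drift apart. `copy_r` continues outside the hunk.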
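Review bot: in `isBlacklisted`, `isset($data['path'])` takes precedence over `newpath`, so if the `rename` hook ever emits both keys the destination name is never checked; the hook's parameter names are not visible here, so confirm which keys it emits, and consider testing `newpath` first since that is the name being created. `in_array($filename, $blacklist)` should pass `true` as the third argument. A short comment that `$data['run']` is presumably a reference supplied by the hook emitter would also explain why assigning into a by-value array parameter has any effect. The base.php hunk only registers the hook and needs nothing further.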
From: Lukas Reschke
Date: Tue, 14 Aug 2012 17:19:20 +0200
Subject: [PATCH 18/27] Disable user enumeration
---
 apps/calendar/appinfo/remote.php | 11 +++++++----
 apps/contacts/appinfo/remote.php | 11 +++++++----
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/apps/calendar/appinfo/remote.php b/apps/calendar/appinfo/remote.php
index 93d57b2e40ca..d500ec1080aa 100644
--- a/apps/calendar/appinfo/remote.php
+++ b/apps/calendar/appinfo/remote.php
@@ -21,12 +21,15 @@ $caldavBackend = new OC_Connector_Sabre_CalDAV();
 // Root nodes
-$collection = new Sabre_CalDAV_Principal_Collection($principalBackend);
-$collection->disableListing = true; // Disable listening
+$Sabre_CalDAV_Principal_Collection = new Sabre_CalDAV_Principal_Collection($principalBackend);
+$Sabre_CalDAV_Principal_Collection->disableListing = true; // Disable listening
+
+$Sabre_CalDAV_CalendarRootNode = new Sabre_CalDAV_CalendarRootNode($principalBackend, $caldavBackend);
+$Sabre_CalDAV_CalendarRootNode->disableListing = true; // Disable listening
 $nodes = array(
- $collection,
- new Sabre_CalDAV_CalendarRootNode($principalBackend, $caldavBackend),
+ $Sabre_CalDAV_Principal_Collection,
+ $Sabre_CalDAV_CalendarRootNode,
 );
diff --git a/apps/contacts/appinfo/remote.php b/apps/contacts/appinfo/remote.php
index 2a6a3bea2e1b..2810358e7f2a 100644
--- a/apps/contacts/appinfo/remote.php
+++ b/apps/contacts/appinfo/remote.php
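Review bot: `$Sabre_CalDAV_Principal_Collection` and `$Sabre_CalDAV_CalendarRootNode` are variables named exactly like their classes, which reads like a static reference at a glance; `$principalCollection` and `$calendarRoot` say the same thing without the confusion, and the contacts hunk (`$Sabre_CardDAV_AddressBookRoot`) has the same pattern. `disableListing = true` on the calendar root is the substantive change, and since the property's effect is not documented in this file a comment stating why both roots need it (the commit title says user enumeration) would help the next reader. The `// Disable listening` typo carried over from the previous commit is still present on all four lines.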
@@ -36,12 +36,15 @@ $carddavBackend = new OC_Connector_Sabre_CardDAV();
 // Root nodes
-$collection = new Sabre_CalDAV_Principal_Collection($principalBackend);
-$collection->disableListing = true; // Disable listening
+$Sabre_CalDAV_Principal_Collection = new Sabre_CalDAV_Principal_Collection($principalBackend);
+$Sabre_CalDAV_Principal_Collection->disableListing = true; // Disable listening
+
+$Sabre_CardDAV_AddressBookRoot = new Sabre_CardDAV_AddressBookRoot($principalBackend, $carddavBackend);
+$Sabre_CardDAV_AddressBookRoot->disableListing = true; // Disable listening
 $nodes = array(
- $collection,
- new Sabre_CardDAV_AddressBookRoot($principalBackend, $carddavBackend),
+ $Sabre_CalDAV_Principal_Collection,
+ $Sabre_CardDAV_AddressBookRoot,
 );
 // Fire up server
From 526e704c9f04bc689094083d070745ea8c661ff9 Mon Sep 17 00:00:00 2001
From: Frank Karlitschek
Date: Tue, 14 Aug 2012 20:07:58 +0200
Subject: [PATCH 19/27] 4.0.7 and remove some ^M while at it
---
 lib/util.php | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/lib/util.php b/lib/util.php
index b7ceee91b56d..010aa1f7f09b 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -83,7 +83,7 @@ public static function tearDownFS(){
 * @return array
 */
 public static function getVersion(){
- return array(4,00,6);
+ return array(4,00,7);
 }
 /**
@@ -91,7 +91,7 @@ public static function getVersion(){
 * @return string
 */
 public static function getVersionString(){
- return '4.0.6';
+ return '4.0.7';
 }
 /**
@@ -408,18 +408,18 @@ public static function callCheck(){
 }
 }
- /**
- * @brief Public function to sanitize HTML
- *
- * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
- *
- * @param string or array of strings
- * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
- */
- public static function sanitizeHTML( &$value ){
- if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML');
- else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4
- return $value;
+ /**
+ * @brief Public function to sanitize HTML
+ *
+ * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
+ *
+ * @param string or array of strings
+ * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
+ */
+ public static function sanitizeHTML( &$value ){
+ if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML');
+ else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4
+ return $value;
 }
From f53dd22cd908e6a60c3ffe9eb89745028496a8b4 Mon Sep 17 00:00:00 2001
From: Georg Ehrke
Date: Sat, 4 Aug 2012 17:38:31 +0200
Subject: [PATCH 20/27] backport 1bccc80996e270f928c207cdd3090f4284abaea5
---
 settings/admin.php | 3 +++
 settings/ajax/getlog.php | 2 +-
 settings/js/log.js | 3 +++
 settings/templates/admin.php | 3 +++
 4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/settings/admin.php b/settings/admin.php
index a6928bf82de5..5ef9daee18d3 100644
--- a/settings/admin.php
+++ b/settings/admin.php
@@ -18,6 +18,8 @@ $htaccessworking=OC_Util::ishtaccessworking();
 $entries=OC_Log_Owncloud::getEntries(3);
+$entriesremain=(count(OC_Log_Owncloud::getEntries(4)) > 3)?true:false;
+
 function compareEntries($a,$b){
 return $b->time - $a->time;
 }
@@ -25,6 +27,7 @@ function compareEntries($a,$b){
 $tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 ));
 $tmpl->assign('entries',OC_Util::sanitizeHTML($entries));
+$tmpl->assign('entriesremain', $entriesremain);
 $tmpl->assign('htaccessworking',$htaccessworking);
 $tmpl->assign('forms',array());
 foreach($forms as $form){
diff --git a/settings/ajax/getlog.php b/settings/ajax/getlog.php
index d9e80de37bac..d5af22ac339f 100644
--- a/settings/ajax/getlog.php
+++ b/settings/ajax/getlog.php
@@ -14,4 +14,4 @@ $offset=(isset($_GET['offset']))?$_GET['offset']:0;
 $entries=OC_Log_Owncloud::getEntries($count,$offset);
-OC_JSON::success(array("data" => OC_Util::sanitizeHTML($entries)));
+OC_JSON::success(array("data" => OC_Util::sanitizeHTML($entries), "remain"=>(count(OC_Log_Owncloud::getEntries(1,$offset + $offset)) != 0)?true:false));
diff --git a/settings/js/log.js b/settings/js/log.js
index fe2e92f7a867..04a7bf8b2881 100644
--- a/settings/js/log.js
+++ b/settings/js/log.js
@@ -23,6 +23,9 @@ OC.Log={
 if(result.status=='success'){
 OC.Log.addEntries(result.data);
 $('html, body').animate({scrollTop: $(document).height()}, 800);
+ if(!result.remain){
+ $('#moreLog').css('display', 'none');
+ }
 }
 });
 },
diff --git a/settings/templates/admin.php b/settings/templates/admin.php
index f8c515369e6b..82ee7e84838c 100644
--- a/settings/templates/admin.php
+++ b/settings/templates/admin.php
@@ -50,5 +50,8 @@ + ...'> + +
From 45003593e12326ed2ac2f7330a6e3f1a42c6ca03 Mon Sep 17 00:00:00 2001
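Review bot: `$entriesremain=(count(OC_Log_Owncloud::getEntries(4)) > 3)?true:false;` reads the log a second time immediately after `getEntries(3)`; fetching four once and slicing gives the same result with one read, assuming `getEntries` returns a stable ordering: `$entries=OC_Log_Owncloud::getEntries(4);`, `$entriesremain=count($entries) > 3;`, `$entries=array_slice($entries, 0, 3);`. The `?true:false` around an expression that is already boolean is redundant here and again in the getlog.php hunk.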
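Review bot: `OC_Log_Owncloud::getEntries(1,$offset + $offset)` in getlog.php probes position `2*$offset`, but the page just returned `$count` entries starting at `$offset`, so whether more remain is decided by the entry at `$offset + $count`: `"remain"=>(count(OC_Log_Owncloud::getEntries(1,$offset + $count)) != 0)`. With the current expression the first page (`$offset` 0) probes entry 0, which exists whenever the log is non-empty, so `remain` is true even when that page already holds everything. `$offset` comes straight from `$_GET['offset']` on the context line above without a cast; `(int)` it before doing arithmetic with it. `$count` is defined outside the hunk.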
From: Lukas Reschke
Date: Sat, 18 Aug 2012 09:24:35 +0200
Subject: [PATCH 21/27] Use SCRIPT_NAME instead of PHP_SELF which won't send the PATH_INFO, this prevents XSS in old browsers. Thanks to Nico Golde.
---
 apps/files/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/files/index.php b/apps/files/index.php
index 60a3836cb591..077187fbc136 100644
--- a/apps/files/index.php
+++ b/apps/files/index.php
@@ -39,7 +39,7 @@ $dir = isset( $_GET['dir'] ) ? stripslashes($_GET['dir']) : '';
 // Redirect if directory does not exist
 if(!OC_Filesystem::is_dir($dir.'/')) {
- header('Location: '.$_SERVER['PHP_SELF'].'');
+ header('Location: '.$_SERVER['SCRIPT_NAME'].'');
 }
 $files = array();
From 4984a72d0dc88d819c87855640e18368f98cc69e Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Sat, 18 Aug 2012 14:57:19 +0200
Subject: [PATCH 22/27] Add a missing exit();
---
 apps/files/index.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apps/files/index.php b/apps/files/index.php
index 077187fbc136..f6a1c4bfb4c9 100644
--- a/apps/files/index.php
+++ b/apps/files/index.php
@@ -40,6 +40,7 @@
 // Redirect if directory does not exist
 if(!OC_Filesystem::is_dir($dir.'/')) {
 header('Location: '.$_SERVER['SCRIPT_NAME'].'');
+ exit();
 }
 $files = array();
From 2051a5db5dd4e0530437a33a448f5592342dff65 Mon Sep 17 00:00:00 2001
From: Arthur Schiwon
Date: Mon, 20 Aug 2012 17:04:57 +0200
Subject: [PATCH 23/27] Fix deletion for browser that do not support onBeforeUnload, fixes oc-1534
---
 apps/files/js/filelist.js | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index 3645258f98f0..c3eb906f39e9 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -166,23 +166,15 @@ FileList={ }, do_delete:function(files){ if(FileList.deleteFiles || !FileList.useUndo){//finish any ongoing deletes first + if(!FileList.deleteFiles) { + FileList.prepareDeletion(files); + } FileList.finishDelete(function(){ FileList.do_delete(files); }); return; } - if(files.substr){ - files=[files]; - } - $.each(files,function(index,file){ - var files = $('tr').filterAttr('data-file',file); - files.hide(); - files.find('input[type="checkbox"]').removeAttr('checked'); - files.removeClass('selected'); - }); - procesSelection(); - FileList.deleteCanceled=false; - FileList.deleteFiles=files; + FileList.prepareDeletion(files); $('#notification').text(t('files','undo deletion')); $('#notification').data('deletefile',true); $('#notification').fadeIn(); @@ -209,6 +201,20 @@ FileList={ } }); } + }, + prepareDeletion:function(files){ + if(files.substr){ + files=[files]; + } + $.each(files,function(index,file){ + var files = $('tr').filterAttr('data-file',file); + files.hide(); + files.find('input[type="checkbox"]').removeAttr('checked'); + files.removeClass('selected'); + }); + procesSelection(); + FileList.deleteCanceled=false; + FileList.deleteFiles=files; } } From 5afdfec91dc90f7648adf532e2320b93277b2f5b Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 21 Aug 2012 17:56:20 +0200 Subject: [PATCH 24/27] Sanitizing the user input to prevent a reflected XSS. Thanks to Nico Golde (ngolde.de) --- apps/gallery/templates/index.php | 76 ++++++++++++++++---------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/apps/gallery/templates/index.php b/apps/gallery/templates/index.php index e30052fafa30..a41bf3c47ba7 100644 --- a/apps/gallery/templates/index.php +++ b/apps/gallery/templates/index.php @@ -14,7 +14,7 @@