Red Hat Bugzilla – Bug 1295471
[Patches] Update to 8.0.10 + minor fixes
Last modified: 2016-03-20 11:43:27 EDT
Created attachment 1111525 [details]
Add cron by default (works with php-fpm for nginx users)
Description of problem:
Current owncloud in fedora and epel7 needs an update to 8.0.10.
Here is an update, along with a few minor fixes to the current branch 8.0.x.
Created attachment 1111526 [details]
Add missing redirect for webdav
Created attachment 1111527 [details]
Add few missing redirection ending in error_log
Created attachment 1111528 [details]
Update to 8.0.10
(In reply to Nicolas Chauvet (kwizart) from comment #2)
> Created attachment 1111527 [details]
> Add few missing redirection ending in error_log
I think this patch is a hack that cannot be added here by default.
I will revisit and verify that the patch is still needed or fix the malformed request from (upstream) sources.
As discussed with RemiFedora, I will add a dependency on crontabs.
Btw, I've requested commit access on the owncloud package.
I'm not 100% sold on all those redirects (what if the server is doing something else with those paths?), but I haven't looked at OC in too long to be up on the details. I'm gonna grant you the commit privs but probably best check with the other maintainers before committing? The other changes look fine.
Okay here's my thoughts on these:
1) In principle I have no objection to adding a cron type behaviour by default but I'd like to see a couple of things as part of it.
1a) Use a systemd timer instead of cron.
1b) Patch owncloud to default to this instead of ajax as it currently does, along with instructions to disable the timer if the admin decides to change it back to ajax.
The reason for a timer instead of cron is that it will allow the admin to trivially disable it with systemctl disable owncloud-cron.timer (or whatever we call it) in the event they prefer to use ajax, rather than the next update putting the cron job back as per the proposed patch. So far as I see the default install right now uses ajax so if we put this timer in place let's have the settings UI make it clear it is a timer and how to disable it if they switch to ajax to allow principle of least surprise.
2) No objections so that standard DAV client behaviour works fully as expected
3) Object strongly as it breaks out of the /owncloud/ namespace potentially breaking other things for users
4) Standard update is fine for obvious reasons.
Okay looks like this is needed to deal with CVE-2016-1499 based on that affecting owncloud <= 8.0.9 ...
How about we carry out the non-controversial (4) and perhaps (2) as well ... maybe (1) if we can get an agreement on cron versus timer so that we can eliminate a security issue for the users.
(In reply to James Hogarth from comment #8)
> Okay looks like this is needed to deal with CVE-2016-1499 based on that
> affecting owncloud <= 8.0.9 ...
> How about we carry out the non-controversial (4) and perhaps (2) as well ...
> maybe (1) if we can get an agreement on cron versus timer so that we can
> eliminate a security issue for the users.
I agree with the cron->timer move and security issue, I will try to update soon
I have sent out 8.0.10 and 7.0.12 updates including the well-known fix, I left all other changes out for now.
On the issue of the redirect patch - it may be that some code got added upstream that assumes a virtual host type setup, where ownCloud can assume its top level is the top level of the entire (sub)domain; this is kinda the norm these days. However, Fedora's package was created quite a while ago, using the 'directory as a namespace' approach that used to be commonplace, and ownCloud has always worked with that, and probably ought to continue to do so. Looking at the upstream code that generates non-'namespaced' requests in Fedora's configuration seems like a good idea.
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.
More information and reason for this action is here:
Igor, there are two aspects to this bug that haven't been addressed yet - the DAV alias and the systemd timer rather than defaulting to webcron.
I was intending to include these in the upcoming 9.0 update and close this then.
File new bugs to track? Or just try to remember?