Bug 1295471 - [Patches] Update to 8.0.10 + minor fixes
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: owncloud
Version: 24
Assigned To: Igor Gnatenko
QA Contact: Fedora Extras Quality Assurance
Blocks: CVE-2016-1499
Reported: 2016-01-04 10:44 EST by Nicolas Chauvet (kwizart)
Modified: 2016-03-20 11:43 EDT
Doc Type: Bug Fix
Last Closed: 2016-03-20 09:46:06 EDT
Type: Bug

Attachments:
Add cron by default (works with php-fpm for nginx users) (2.03 KB, patch)
2016-01-04 10:44 EST, Nicolas Chauvet (kwizart)
Add missing redirect for webdav (769 bytes, patch)
2016-01-04 10:45 EST, Nicolas Chauvet (kwizart)
Add few missing redirection ending in error_log (948 bytes, patch)
2016-01-04 10:45 EST, Nicolas Chauvet (kwizart)
Update to 8.0.10 (1.93 KB, patch)
2016-01-04 10:46 EST, Nicolas Chauvet (kwizart)
Description Nicolas Chauvet (kwizart) 2016-01-04 10:44:32 EST
Created attachment 1111525 [details]
Add cron by default (works with php-fpm for nginx users)

Description of problem:
Current owncloud in Fedora and epel7 needs an update to 8.0.10.
Here is an update, along with a few minor fixes to the current branch 8.0.x.
Comment 1 Nicolas Chauvet (kwizart) 2016-01-04 10:45 EST
Created attachment 1111526 [details]
Add missing redirect for webdav
Comment 2 Nicolas Chauvet (kwizart) 2016-01-04 10:45 EST
Created attachment 1111527 [details]
Add few missing redirection ending in error_log
Comment 3 Nicolas Chauvet (kwizart) 2016-01-04 10:46 EST
Created attachment 1111528 [details]
Update to 8.0.10
Comment 4 Nicolas Chauvet (kwizart) 2016-01-04 11:07:32 EST
(In reply to Nicolas Chauvet (kwizart) from comment #2)
> Created attachment 1111527 [details]
> Add few missing redirection ending in error_log
I think this patch is a hack that cannot be added here by default.
I will revisit and verify that the patch is still needed or fix the malformed request from (upstream) sources.

As discussed with RemiFedora, I will add a dependency on crontabs.
Comment 5 Nicolas Chauvet (kwizart) 2016-01-05 03:55:30 EST
Btw, I've requested commit access on the owncloud package.
Comment 6 Adam Williamson 2016-01-05 15:24:42 EST
I'm not 100% sold on all those redirects (what if the server is doing something else with those paths?), but I haven't looked at OC in too long to be up on the details. I'm gonna grant you the commit privs but probably best check with the other maintainers before committing? The other changes look fine.
Comment 7 James Hogarth 2016-01-06 09:22:47 EST
Okay, here are my thoughts on these:

1) In principle I have no objection to adding a cron type behaviour by default but I'd like to see a couple of things as part of it.

  1a) Use a systemd timer instead of cron.
  1b) Patch owncloud to default to this instead of ajax as it currently does, along with instructions to disable the timer if the admin decides to change it back to ajax.

The reason for a timer instead of cron is that it will allow the admin to trivially disable it with systemctl disable owncloud-cron.timer (or whatever we call it) in the event they prefer to use ajax, rather than the next update putting the cron job back as per the proposed patch. So far as I see the default install right now uses ajax so if we put this timer in place let's have the settings UI make it clear it is a timer and how to disable it if they switch to ajax to allow principle of least surprise. 

2) No objections so that standard DAV client behaviour works fully as expected

3) Object strongly as it breaks out of the /owncloud/ namespace potentially breaking other things for users

4) Standard update is fine for obvious reasons.
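
An illustration of the timer proposed in comment 7, added here and not part of the thread or the Fedora package. The unit name comes from the comment; the php and cron.php paths, the apache user and the 15-minute interval are assumptions.

```ini
# --- owncloud-cron.service (assumed location: /usr/lib/systemd/system/) ---
[Unit]
Description=ownCloud background jobs (cron.php)

[Service]
Type=oneshot
# Assumption: the web application runs as "apache"; running the job as the
# same unprivileged account keeps file ownership consistent and avoids root.
User=apache
# Assumption: Fedora-style install path for ownCloud's cron.php.
ExecStart=/usr/bin/php -f /usr/share/owncloud/cron.php
# The job needs no privilege escalation and no shared /tmp.
NoNewPrivileges=yes
PrivateTmp=yes

# --- owncloud-cron.timer (same directory, separate file) ---
[Unit]
Description=Run ownCloud background jobs periodically

[Timer]
# Assumption: a 15-minute interval.
OnBootSec=5min
OnUnitActiveSec=15min

[Install]
WantedBy=timers.target
```

Enablement is a symlink under /etc/systemd/system/timers.target.wants/, so after `systemctl disable owncloud-cron.timer` a package update that replaces the unit files does not switch the job back on, which is the property comment 7 asks for.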
Comment 8 James Hogarth 2016-01-07 11:00:23 EST
Okay looks like this is needed to deal with CVE-2016-1499 based on that affecting owncloud <= 8.0.9 ...

How about we carry out the non-controversial (4) and perhaps (2) as well ... maybe (1) if we can get an agreement on cron versus timer so that we can eliminate a security issue for the users.

Thoughts?
Comment 9 Nicolas Chauvet (kwizart) 2016-01-08 18:40:27 EST
(In reply to James Hogarth from comment #8)
> Okay looks like this is needed to deal with CVE-2016-1499 based on that
> affecting owncloud <= 8.0.9 ...
> 
> How about we carry out the non-controversial (4) and perhaps (2) as well ...
> maybe (1) if we can get an agreement on cron versus timer so that we can
> eliminate a security issue for the users.
> 
> Thoughts?
I agree with the cron->timer move and security issue, I will try to update soon
Comment 10 Adam Williamson 2016-01-11 11:45:01 EST
I have sent out 8.0.10 and 7.0.12 updates including the well-known fix, I left all other changes out for now.
Comment 11 Adam Williamson 2016-01-11 22:01:16 EST
On the issue of the redirect patch - it may be that some code got added upstream that assumes a virtual host type setup, where ownCloud can assume its top level is the top level of the entire (sub)domain; this is kinda the norm these days. However, Fedora's package was created quite a while ago, using the 'directory as a namespace' approach that used to be commonplace, and ownCloud has always worked with that, and probably ought to continue to do so. Looking at the upstream code that generates non-'namespaced' requests in Fedora's configuration seems like a good idea.
Comment 12 Jan Kurik 2016-02-24 09:13:30 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 13 James Hogarth 2016-03-20 11:43:27 EDT
Igor, there are two aspects to this bug that haven't been addressed yet - the DAV alias and the systemd timer rather than defaulting to webcron.

I was intending to include these in the upcoming 9.0 update and close this then.

File new bugs to track? Or just try to remember?
