Package: collabtive | Debian Sources

Package: collabtive / 0.7.6-1

Metadata

Package	Version	Patches format
collabtive	0.7.6-1	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
descriptive_subject_in_mails \| (download)	managemessage.php \| 5 3 + 2 - 0 ! managetask.php \| 10 7 + 3 - 0 ! 2 files changed, 10 insertions(+), 5 deletions(-)	added the message title to message notifications sent by mail As requested by a local user
fix_datei_arbitrary_execution \| (download)	include/class.datei.php \| 7 7 + 0 - 0 ! 1 file changed, 7 insertions(+)	fix for arbitrary code execution Collabtive allows users to upload files with any name to a directory under the webserver's documentroot. Most webservers running Collabtive will be happy to run any file with a ".php" extension as PHP code - I suggest the following patch, which renames the file to ._php
follow_symlinks_for_templates \| (download)	include/class.settings.php \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	follow symbolic links when listing available templates The Debian package moves the templates to /etc, to allow the local administrator to add his own. This needs Collabtive to be able to follow the symlinks.
admins_can_edit_any_project \| (download)	include/initfunctions.php \| 8 8 + 0 - 0 ! 1 file changed, 8 insertions(+)	allow administrative users to edit any project Without this patch, all projects are listed, but clicking on any of them yields a "not your project" access denied error.
check_if_already_installed \| (download)	install.php \| 18 17 + 1 - 0 ! 1 file changed, 17 insertions(+), 1 deletion(-)	fix install.php so it does not require to be disabled The upstream-supplied install.php can be a huge security risk. We had disabled it, but it does importantly reduce ease of installation. This patch re-enables it, but does some sanity checks to avoid a rogue user disrupting the site.
specify_paths_in_install_templates \| (download)	templates/standard/install1.tpl \| 8 4 + 4 - 0 ! templates/winter/install1.tpl \| 6 3 + 3 - 0 ! 2 files changed, 7 insertions(+), 7 deletions(-)	display full pathnames in the install.php requirements Debian-specific patch: The installer complains regarding permissions of certain files. In Debian, those files are not restricted to Collabtive's directory, but are spread all over the filesystem So the user should be prompted with the full pathname.
smarty3_compatibility \| (download)	include/initfunctions.php \| 2 2 + 0 - 0 ! init.php \| 6 6 + 0 - 0 ! language/en/lng.conf \| 30 15 + 15 - 0 ! language/lt/lng.conf \| 32 16 + 16 - 0 ! templates/standard/header.tpl \| 2 1 + 1 - 0 ! templates/winter/header.tpl \| 2 1 + 1 - 0 ! 6 files changed, 41 insertions(+), 33 deletions(-)	changes needed for smarty 3.x compatibility The Debian package providing Smarty 2.x has just been dropped, in favor of the updated 3.x series. This version is much stricter. This patch implements the needed changes for it to be used. Note that Collabtive's sources still ship with Smarty 2.x included - Our binary package disables it.

1