Patch 1

3rdparty/Sabre/CardDAV/Plugin.php

@@ -153,6 +153,9 @@ public function beforeGetProperties($path, Sabre_DAV_INode $node, array &$reques
 
                 // Taking out \r to not screw up the xml output
                 $returnedProperties[200][$addressDataProp] = str_replace("\r","", $val);
+                // The stripping of \r breaks the Mail App in OSX Mountain Lion
+                // this is fixed in master, but not backported. /Tanghus
+                $returnedProperties[200][$addressDataProp] = $val;
 
             }
         }

README

@@ -5,9 +5,8 @@ http://ownCloud.org
 
 Installation instructions: http://owncloud.org/support
 
-Source code: http://gitorious.org/owncloud
-Mailing list: http://mail.kde.org/mailman/listinfo/owncloud
-IRC channel: http://webchat.freenode.net/?channels=owncloud
+Source code: https://github.com/owncloud
+Mailing list: https://mail.kde.org/mailman/listinfo/owncloud
+IRC channel: https://webchat.freenode.net/?channels=owncloud
 Diaspora: https://joindiaspora.com/u/owncloud
-Identi.ca: http://identi.ca/owncloud
-
+Identi.ca: https://identi.ca/owncloud

apps/calendar/appinfo/remote.php

@@ -21,10 +21,17 @@
 $caldavBackend    = new OC_Connector_Sabre_CalDAV();
 
 // Root nodes
-$nodes = array(
-	new Sabre_CalDAV_Principal_Collection($principalBackend),
-	new Sabre_CalDAV_CalendarRootNode($principalBackend, $caldavBackend),
-);
+$Sabre_CalDAV_Principal_Collection = new Sabre_CalDAV_Principal_Collection($principalBackend); 
+$Sabre_CalDAV_Principal_Collection->disableListing = true; // Disable listening
+
+$Sabre_CalDAV_CalendarRootNode = new Sabre_CalDAV_CalendarRootNode($principalBackend, $caldavBackend); 
+$Sabre_CalDAV_CalendarRootNode->disableListing = true; // Disable listening
+
+$nodes = array( 
+	$Sabre_CalDAV_Principal_Collection, 
+	$Sabre_CalDAV_CalendarRootNode,
+	);
+
 
 // Fire up server
 $server = new Sabre_DAV_Server($nodes);

apps/calendar/lib/app.php

@@ -383,8 +383,8 @@ public static function generateEventOutput($event, $start, $end){
 		$lastmodified = ($last_modified)?$last_modified->getDateTime()->format('U'):0;
 
 		$output = array('id'=>(int)$event['id'],
-						'title' => htmlspecialchars(($event['summary']!=NULL || $event['summary'] != '')?$event['summary']: self::$l10n->t('unnamed')),
-						'description' => isset($vevent->DESCRIPTION)?htmlspecialchars($vevent->DESCRIPTION->value):'',
+						'title' => ($event['summary']!=NULL || $event['summary'] != '')?$event['summary']: self::$l10n->t('unnamed'),
+						'description' => isset($vevent->DESCRIPTION)?$vevent->DESCRIPTION->value:'',
 						'lastmodified'=>$lastmodified);
 
 		$dtstart = $vevent->DTSTART;

apps/contacts/appinfo/remote.php

@@ -36,10 +36,16 @@
 $carddavBackend   = new OC_Connector_Sabre_CardDAV();
 
 // Root nodes
-$nodes = array(
-	new Sabre_CalDAV_Principal_Collection($principalBackend),
-	new Sabre_CardDAV_AddressBookRoot($principalBackend, $carddavBackend),
-);
+$Sabre_CalDAV_Principal_Collection = new Sabre_CalDAV_Principal_Collection($principalBackend); 
+$Sabre_CalDAV_Principal_Collection->disableListing = true; // Disable listening
+
+$Sabre_CardDAV_AddressBookRoot = new Sabre_CardDAV_AddressBookRoot($principalBackend, $carddavBackend);
+$Sabre_CardDAV_AddressBookRoot->disableListing = true; // Disable listening
+
+$nodes = array( 
+	$Sabre_CalDAV_Principal_Collection, 
+	$Sabre_CardDAV_AddressBookRoot,
+	);
 
 // Fire up server
 $server = new Sabre_DAV_Server($nodes);

apps/contacts/lib/addressbook.php

@@ -219,6 +219,7 @@ public static function active($uid){
 			OCP\Util::writeLog('contacts','OC_Contacts_Addressbook:active:, exception: '.$e->getMessage(),OCP\Util::DEBUG);
 			OCP\Util::writeLog('contacts','OC_Contacts_Addressbook:active, ids: '.join(',', $active),OCP\Util::DEBUG);
 			OCP\Util::writeLog('contacts','OC_Contacts_Addressbook::active, SQL:'.$prep,OCP\Util::DEBUG);
+			return array();
 		}
 
 		return $addressbooks;

apps/files/index.php

@@ -39,7 +39,8 @@
 $dir = isset( $_GET['dir'] ) ? stripslashes($_GET['dir']) : '';
 // Redirect if directory does not exist
 if(!OC_Filesystem::is_dir($dir.'/')) {
-	header('Location: '.$_SERVER['PHP_SELF'].'');
+	header('Location: '.$_SERVER['SCRIPT_NAME'].'');
+	exit();
 }
 
 $files = array();

apps/files/js/filelist.js

@@ -166,23 +166,15 @@ FileList={
 	},
 	do_delete:function(files){
 		if(FileList.deleteFiles || !FileList.useUndo){//finish any ongoing deletes first
+			if(!FileList.deleteFiles) {
+				FileList.prepareDeletion(files);
+			}
 			FileList.finishDelete(function(){
 				FileList.do_delete(files);
 			});
 			return;
 		}
-		if(files.substr){
-			files=[files];
-		}
-		$.each(files,function(index,file){
-			var files = $('tr').filterAttr('data-file',file);
-			files.hide();
-			files.find('input[type="checkbox"]').removeAttr('checked');
-			files.removeClass('selected');
-		});
-		procesSelection();
-		FileList.deleteCanceled=false;
-		FileList.deleteFiles=files;
+		FileList.prepareDeletion(files);
 		$('#notification').text(t('files','undo deletion'));
 		$('#notification').data('deletefile',true);
 		$('#notification').fadeIn();
@@ -209,6 +201,20 @@ FileList={
 				}
 			});
 		}
+	},
+	prepareDeletion:function(files){
+		if(files.substr){
+			files=[files];
+		}
+		$.each(files,function(index,file){
+			var files = $('tr').filterAttr('data-file',file);
+			files.hide();
+			files.find('input[type="checkbox"]').removeAttr('checked');
+			files.removeClass('selected');
+		});
+		procesSelection();
+		FileList.deleteCanceled=false;
+		FileList.deleteFiles=files;
 	}
 }
 

apps/files_sharing/sharedstorage.php

@@ -416,6 +416,25 @@ public function copy($path1, $path2) {
 	public function fopen($path, $mode) {
 		$source = $this->getSource($path);
 		if ($source) {
+			switch ($mode) {
+				case 'r+':
+				case 'rb+':
+				case 'w+':
+				case 'wb+':
+				case 'x+':
+				case 'xb+':
+				case 'a+':
+				case 'ab+':
+				case 'w':
+				case 'wb':
+				case 'x':
+				case 'xb':
+				case 'a':
+				case 'ab':
+					if (!$this->is_writable($path)) {
+						return false;
+					}
+			}
 			$storage = OC_Filesystem::getStorage($source);
 			return $storage->fopen($this->getInternalPath($source), $mode);
 		}

apps/files_versions/templates/settings.php

@@ -1,4 +1,4 @@
-<form id="versions">
+<form id="versionssettings">
         <fieldset class="personalblock">
 	        <input type="checkbox" name="versions" id="versions" value="1" <?php if (OCP\Config::getSystemValue('versions', 'true')=='true') echo ' checked="checked"'; ?> /> <label for="versions"><?php echo $l->t('Enable Files Versioning'); ?></label> <br/>
         </fieldset>

apps/gallery/sharing.php

@@ -37,7 +37,7 @@
     <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js" type="text/javascript"></script>
     <script src="js/sharing.js" type="text/javascript"></script>
     <script>
-      var TOKEN = '<?php echo $_GET['token']; ?>';
+      var TOKEN = '<?php echo htmlentities($_GET['token']); ?>';
     </script>
   </head>
   <body>

apps/gallery/templates/index.php

@@ -14,7 +14,7 @@
 </style>
 <script type="text/javascript">
 
-var root = "<?php echo $root; ?>";
+var root = "<?php echo htmlentities($root); ?>";
 
 function explode(element) {
 	$('div', element).each(function(index, elem) {
@@ -83,56 +83,56 @@ function openNewGal(album_name) {
 $ts = new \OC\Pictures\TileStack(array(), '');
 $previous_element = @$images[0];
 
-$root_images = array();
-$second_level_images = array();
-
+$root_images = array();
+$second_level_images = array();
+
 $fallback_images = array(); // if the folder only cotains subfolders with images -> these are taken for the stack preview
 
 for($i = 0; $i < count($images); $i++) {
 	$prev_dir_arr = explode('/', $previous_element);
 	$dir_arr = explode('/', $images[$i]);
 
-	if(count($dir_arr) == 1) { // getting the images in this directory
-		$root_images[] = $root.$images[$i];
-	} else {
-		if(strcmp($prev_dir_arr[0], $dir_arr[0]) != 0) { // if we entered a new directory
-			if(count($second_level_images) == 0) { // if we don't have images in this directory
-				if(count($fallback_images) != 0) { // but have fallback_images
-					$tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));
-					$fallback_images = array();
-				}
-			} else { // if we collected images for this directory
-				$tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));
-				$fallback_images = array();
-				$second_level_images = array();
-			}
-		}
-		if (count($dir_arr) == 2) { // These are the pics in our current subdir
-			$second_level_images[] = $root.$images[$i];
-			$fallback_images = array();
-		} else { // These are images from the deeper directories
-			if(count($second_level_images) == 0) {
-				$fallback_images[] = $root.$images[$i];
-			}
-		}
-		// have us a little something to compare against
-		$previous_element = $images[$i];
+	if(count($dir_arr) == 1) { // getting the images in this directory
+		$root_images[] = $root.$images[$i];
+	} else {
+		if(strcmp($prev_dir_arr[0], $dir_arr[0]) != 0) { // if we entered a new directory
+			if(count($second_level_images) == 0) { // if we don't have images in this directory
+				if(count($fallback_images) != 0) { // but have fallback_images
+					$tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));
+					$fallback_images = array();
+				}
+			} else { // if we collected images for this directory
+				$tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));
+				$fallback_images = array();
+				$second_level_images = array();
+			}
+		}
+		if (count($dir_arr) == 2) { // These are the pics in our current subdir
+			$second_level_images[] = $root.$images[$i];
+			$fallback_images = array();
+		} else { // These are images from the deeper directories
+			if(count($second_level_images) == 0) {
+				$fallback_images[] = $root.$images[$i];
+			}
+		}
+		// have us a little something to compare against
+		$previous_element = $images[$i];
 	}
 }
 
-// if last element in the directory was a directory we don't want to miss it :)
-if(count($second_level_images)>0) {
-	$tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));
+// if last element in the directory was a directory we don't want to miss it :)
+if(count($second_level_images)>0) {
+	$tl->addTile(new \OC\Pictures\TileStack($second_level_images, $prev_dir_arr[0]));
 }
 
-// if last element in the directory was a directory with no second_level_images we also don't want to miss it ...
-if(count($fallback_images)>0) {
-	$tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));
+// if last element in the directory was a directory with no second_level_images we also don't want to miss it ...
+if(count($fallback_images)>0) {
+	$tl->addTile(new \OC\Pictures\TileStack($fallback_images, $prev_dir_arr[0]));
 }
 
-// and finally our images actually stored in the root folder
-for($i = 0; $i<count($root_images); $i++) {
-	$tl->addTile(new \OC\Pictures\TileSingle($root_images[$i]));
+// and finally our images actually stored in the root folder
+for($i = 0; $i<count($root_images); $i++) {
+	$tl->addTile(new \OC\Pictures\TileSingle($root_images[$i]));
 }
 
 echo $tl->get();

apps/user_ldap/lib_ldap.php

@@ -666,9 +666,9 @@ static private function readConfiguration($force = false) {
 			self::$ldapPort              = OCP\Config::getAppValue('user_ldap', 'ldap_port', 389);
 			self::$ldapAgentName         = OCP\Config::getAppValue('user_ldap', 'ldap_dn','');
 			self::$ldapAgentPassword     = base64_decode(OCP\Config::getAppValue('user_ldap', 'ldap_agent_password',''));
-			self::$ldapBase              = OCP\Config::getAppValue('user_ldap', 'ldap_base', '');
-			self::$ldapBaseUsers         = OCP\Config::getAppValue('user_ldap', 'ldap_base_users',self::$ldapBase);
-			self::$ldapBaseGroups        = OCP\Config::getAppValue('user_ldap', 'ldap_base_groups', self::$ldapBase);
+			self::$ldapBase              = self::sanitizeDN(OCP\Config::getAppValue('user_ldap', 'ldap_base', ''));
+			self::$ldapBaseUsers         = self::sanitizeDN(OCP\Config::getAppValue('user_ldap', 'ldap_base_users',self::$ldapBase));
+			self::$ldapBaseGroups        = self::sanitizeDN(OCP\Config::getAppValue('user_ldap', 'ldap_base_groups', self::$ldapBase));
 			self::$ldapTLS               = OCP\Config::getAppValue('user_ldap', 'ldap_tls',0);
 			self::$ldapNoCase            = OCP\Config::getAppValue('user_ldap', 'ldap_nocase', 0);
 			self::$ldapUserDisplayName   = strtolower(OCP\Config::getAppValue('user_ldap', 'ldap_display_name', 'uid'));

apps/user_webfinger/host-meta.php

@@ -1,4 +1,8 @@
 <?php
+if (!OCP\App::isEnabled("user_webfinger")) {
+	return;
+}
+
 $hostMetaHeader = array(
 	'Access-Control-Allow-Origin' => '*',
 	'Content-Type' => 'application/xrd+json'

apps/user_webfinger/webfinger.php

@@ -1,4 +1,8 @@
 <?php
+if (!OCP\App::isEnabled("user_webfinger")) {
+	return;
+}
+
 header("Access-Control-Allow-Origin: *");
 header("Content-Type: application/xrd+json");
 
@@ -15,7 +19,7 @@
  * 	href="<?php echo WF_BASEURL; ?>/apps/myApp/profile.php?user=<?php echo WF_USER; ?>">
  * </Link>
  *
- '* but can also use complex database queries to generate the webfinger result
+ * but can also use complex database queries to generate the webfinger result
  **/
 // calculate the documentroot
 // modified version of the one in lib/base.php that takes the .well-known symlink into account

core/ajax/appconfig.php

@@ -7,6 +7,7 @@
 
 require_once ("../../lib/base.php");
 OC_Util::checkAdminUser();
+OCP\JSON::callCheck();
 
 $action=isset($_POST['action'])?$_POST['action']:$_GET['action'];
 $result=false;

core/js/js.js

@@ -402,11 +402,7 @@ $(document).ready(function(){
 	//use infield labels
 	$("label.infield").inFieldLabels();
 
-	// hide log in button etc. when form fields not filled
-	$('#submit').hide();
-	$('#remember_login').hide();
-	$('#remember_login+label').hide();
-	$('input#user, input#password').keyup(function() {
+	checkShowCredentials = function() {
 		var empty = false;
 		$('input#user, input#password').each(function() {
 			if ($(this).val() == '') {
@@ -422,7 +418,10 @@ $(document).ready(function(){
 			$('#remember_login').show();
 			$('#remember_login+label').fadeIn();
 		}
-	});
+	}
+	// hide log in button etc. when form fields not filled
+	checkShowCredentials();
+	$('input#user, input#password').keyup(checkShowCredentials);
 
 	$('#settings #expand').keydown(function(event) {
 		if (event.which == 13 || event.which == 32) {

index.php

@@ -77,7 +77,7 @@
 		}
 		// confirm credentials in cookie
 		if(isset($_COOKIE['oc_token']) && OC_User::userExists($_COOKIE['oc_username']) &&
-		OC_Preferences::getValue($_COOKIE['oc_username'], "login", "token") == $_COOKIE['oc_token']) {
+		OC_Preferences::getValue($_COOKIE['oc_username'], "login", "token") === $_COOKIE['oc_token']) {
 			OC_User::setUserId($_COOKIE['oc_username']);
 			OC_Util::redirectToDefaultPage();
 		}

lib/base.php

@@ -111,10 +111,14 @@ public static function detectFormfactor(){
 		if(isset($_SERVER['HTTP_USER_AGENT'])){
 			if(stripos($_SERVER['HTTP_USER_AGENT'],'ipad')>0) {
 				$mode='tablet';
+			}elseif(stripos($_SERVER['HTTP_USER_AGENT'],'Android')>0){
+				$mode='tablet';
 			}elseif(stripos($_SERVER['HTTP_USER_AGENT'],'iphone')>0){
 				$mode='mobile';
 			}elseif((stripos($_SERVER['HTTP_USER_AGENT'],'N9')>0) and (stripos($_SERVER['HTTP_USER_AGENT'],'nokia')>0)){
 				$mode='mobile';
+			}elseif((stripos($_SERVER['HTTP_USER_AGENT'],'Android')>0) and (stripos($_SERVER['HTTP_USER_AGENT'],'Mobile')>0)){
+				$mode='mobile';
 			}else{
 				$mode='default';
 			}
@@ -434,6 +438,7 @@ public static function init(){
 
 		// Check for blacklisted files
 		OC_Hook::connect('OC_Filesystem','write','OC_Filesystem','isBlacklisted');
+		OC_Hook::connect('OC_Filesystem', 'rename', 'OC_Filesystem', 'isBlacklisted');
 
 		//make sure temporary files are cleaned up
 		register_shutdown_function(array('OC_Helper','cleanTmp'));