From f3e9106864421d902cb3751fdd0004f84b369938 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@owncloud.com>
Date: Sat, 28 Nov 2015 12:19:58 +0100
Subject: Don't trust update server

In case the update server may deliver malicious content this would allow an adversary to inject arbitrary HTML into the response. So very bad stuff.

While signing the response would be better and something we can also do in the future (considering the code signing work), this is already a good first start.
---
 lib/private/templatelayout.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/private/templatelayout.php b/lib/private/templatelayout.php
index 7d16823d2a8..f5974128b73 100644
--- a/lib/private/templatelayout.php
+++ b/lib/private/templatelayout.php
@@ -85,7 +85,9 @@ class OC_TemplateLayout extends OC_Template {
 				if(isset($data['version']) && $data['version'] != '' and $data['version'] !== Array()) {
 					$this->assign('updateAvailable', true);
 					$this->assign('updateVersion', $data['versionstring']);
-					$this->assign('updateLink', $data['web']);
+					if(substr($data['web'], 0, 8) === 'https://') {
+						$this->assign('updateLink', $data['web']);
+					}
 					\OCP\Util::addScript('core', 'update-notification');
 				} else {
 					$this->assign('updateAvailable', false); // No update available or not an admin user
-- 
cgit v1.2.3