Work around a very obscure but potentially severe security problem.

The user can have the variables OWNCLOUD_USERNAME and OWNCLOUD_GROUPNAME
defined in his environment to point to his own username and groupname.

Suggested by:	Adam McDougall

2 files changed, 8 insertions, 2 deletions

diff --git a/www/owncloud/Makefile b/www/owncloud/Makefile
index c7f5f8594c93..5c8cb69d4964 100644
--- a/www/owncloud/Makefile
+++ b/www/owncloud/Makefile
@@ -2,6 +2,7 @@
 
 PORTNAME=	owncloud
 PORTVERSION=	6.0.2
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	http://download.owncloud.org/community/
 
@@ -19,9 +20,14 @@ USE_PHP=	bz2 ctype curl dom exif fileinfo filter gd hash iconv json \
 		xsl wddx zip zlib
 WANT_PHP_WEB=	yes
 
+OWNCLOUD_USERNAME?=	www
+OWNCLOUD_GROUPNAME?=	${OWNCLOUD_USERNAME}
+
 WRKSRC=		${WRKDIR}/${PORTNAME}
 NO_BUILD=	yes
 SUB_FILES=	pkg-message
+PLIST_SUB=	OWNCLOUD_USERNAME=${OWNCLOUD_USERNAME} \
+		OWNCLOUD_GROUPNAME=${OWNCLOUD_GROUPNAME}
 
 OPTIONS_MULTI=	DB
 OPTIONS_MULTI_DB=	MYSQL PGSQL SQLITE
diff --git a/www/owncloud/pkg-plist b/www/owncloud/pkg-plist
index 513338c75e2a..9dbb1d887502 100644
--- a/www/owncloud/pkg-plist
+++ b/www/owncloud/pkg-plist
@@ -1,5 +1,5 @@
-@owner www
-@group www
+@owner %%OWNCLOUD_USERNAME%%
+@group %%OWNCLOUD_GROUPNAME%%
 %%WWWDIR%%/.htaccess
 %%WWWDIR%%/3rdparty/Archive/Tar.php
 %%WWWDIR%%/3rdparty/Console/Getopt.php