fix: Delete legacy OC_Response

Moved the last used method into base.php, where it's called. Ideally we
 would remove it, but it's not clear whether that would be possible any
 time soon or even at all.

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Côme Chilliet 1 week ago
parent 2a9f6389f4
commit eb54143c2d
  1. 37
      lib/base.php
  2. 1
      lib/composer/composer/autoload_classmap.php
  3. 1
      lib/composer/composer/autoload_static.php
  4. 83
      lib/private/legacy/OC_Response.php

@ -579,6 +579,41 @@ class OC {
}
}
/**
* This function adds some security related headers to all requests served via base.php
* The implementation of this function has to happen here to ensure that all third-party
* components (e.g. SabreDAV) also benefit from this headers.
*/
private static function addSecurityHeaders(): void {
/**
* FIXME: Content Security Policy for legacy components. This
* can be removed once \OCP\AppFramework\Http\Response from the AppFramework
* is used everywhere.
* @see \OCP\AppFramework\Http\Response::getHeaders
*/
$policy = 'default-src \'self\'; '
. 'script-src \'self\' \'nonce-' . \OC::$server->getContentSecurityPolicyNonceManager()->getNonce() . '\'; '
. 'style-src \'self\' \'unsafe-inline\'; '
. 'frame-src *; '
. 'img-src * data: blob:; '
. 'font-src \'self\' data:; '
. 'media-src *; '
. 'connect-src *; '
. 'object-src \'none\'; '
. 'base-uri \'self\'; ';
header('Content-Security-Policy:' . $policy);
// Send fallback headers for installations that don't have the possibility to send
// custom headers on the webserver side
if (getenv('modHeadersAvailable') !== 'true') {
header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
}
}
public static function init(): void {
// First handle PHP configuration and copy auth headers to the expected
// $_SERVER variable before doing anything Server object related
@ -702,7 +737,7 @@ class OC {
self::checkConfig();
self::checkInstalled($systemConfig);
OC_Response::addSecurityHeaders();
self::addSecurityHeaders();
self::performSameSiteCookieProtection($config);
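Review bot: Now that addSecurityHeaders() lives inside class OC, the nonce lookup on the `script-src` line should use `self::$server->getContentSecurityPolicyNonceManager()->getNonce()` rather than the fully qualified `\OC::$server`, and the line that sends the policy should read `header('Content-Security-Policy: ' . $policy);` with a space after the colon (header parsers tolerate its absence, but every other header() call in the block includes it). The carried-over docblock could also be tightened to `* components (e.g. SabreDAV) also benefit from these headers. Called once from init().` so that the new private visibility is explained. The method sits entirely within the first hunk, while class OC and init() continue outside it. Since `OC_Response::addSecurityHeaders()` was public before its file was deleted, any third-party app still calling it will now fatal at runtime, which seems worth a release-note mention if no deprecation shim is planned.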

@ -2179,7 +2179,6 @@ return array(
'OC_Helper' => $baseDir . '/lib/private/legacy/OC_Helper.php',
'OC_Hook' => $baseDir . '/lib/private/legacy/OC_Hook.php',
'OC_JSON' => $baseDir . '/lib/private/legacy/OC_JSON.php',
'OC_Response' => $baseDir . '/lib/private/legacy/OC_Response.php',
'OC_Template' => $baseDir . '/lib/private/legacy/OC_Template.php',
'OC_User' => $baseDir . '/lib/private/legacy/OC_User.php',
'OC_Util' => $baseDir . '/lib/private/legacy/OC_Util.php',

@ -2220,7 +2220,6 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
'OC_Helper' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Helper.php',
'OC_Hook' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Hook.php',
'OC_JSON' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_JSON.php',
'OC_Response' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Response.php',
'OC_Template' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Template.php',
'OC_User' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_User.php',
'OC_Util' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Util.php',

@ -1,83 +0,0 @@
<?php
/**
* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-FileCopyrightText: 2016 ownCloud, Inc.
* SPDX-License-Identifier: AGPL-3.0-only
*/
class OC_Response {
/**
* Sets the content disposition header (with possible workarounds)
* @param string $filename file name
* @param string $type disposition type, either 'attachment' or 'inline'
*/
public static function setContentDispositionHeader($filename, $type = 'attachment') {
if (\OC::$server->getRequest()->isUserAgent(
[
\OC\AppFramework\Http\Request::USER_AGENT_IE,
\OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,
\OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,
])) {
header('Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode($filename) . '"');
} else {
header('Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode($filename)
. '; filename="' . rawurlencode($filename) . '"');
}
}
/**
* Sets the content length header (with possible workarounds)
* @param string|int|float $length Length to be sent
*/
public static function setContentLengthHeader($length) {
if (PHP_INT_SIZE === 4) {
if ($length > PHP_INT_MAX && stripos(PHP_SAPI, 'apache') === 0) {
// Apache PHP SAPI casts Content-Length headers to PHP integers.
// This enforces a limit of PHP_INT_MAX (2147483647 on 32-bit
// platforms). So, if the length is greater than PHP_INT_MAX,
// we just do not send a Content-Length header to prevent
// bodies from being received incompletely.
return;
}
// Convert signed integer or float to unsigned base-10 string.
$lfh = new \OC\LargeFileHelper;
$length = $lfh->formatUnsignedInteger($length);
}
header('Content-Length: ' . $length);
}
/**
* This function adds some security related headers to all requests served via base.php
* The implementation of this function has to happen here to ensure that all third-party
* components (e.g. SabreDAV) also benefit from this headers.
*/
public static function addSecurityHeaders() {
/**
* FIXME: Content Security Policy for legacy ownCloud components. This
* can be removed once \OCP\AppFramework\Http\Response from the AppFramework
* is used everywhere.
* @see \OCP\AppFramework\Http\Response::getHeaders
*/
$policy = 'default-src \'self\'; '
. 'script-src \'self\' \'nonce-' . \OC::$server->getContentSecurityPolicyNonceManager()->getNonce() . '\'; '
. 'style-src \'self\' \'unsafe-inline\'; '
. 'frame-src *; '
. 'img-src * data: blob:; '
. 'font-src \'self\' data:; '
. 'media-src *; '
. 'connect-src *; '
. 'object-src \'none\'; '
. 'base-uri \'self\'; ';
header('Content-Security-Policy:' . $policy);
// Send fallback headers for installations that don't have the possibility to send
// custom headers on the webserver side
if (getenv('modHeadersAvailable') !== 'true') {
header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
}
}
}