nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Roeland Jago Douma	0ee45d3d20	Fix proper types Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	a229095af1	Make Request strict Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Morris Jobke	4ef302c0be	Request->getHeader() should always return a string PHPDoc (of the public API) says that this method returns string but it also returns null, which is not allowed in some method calls. This fixes that behaviour and returns an empty string and fixes all code paths that explicitly checked for null to be still compliant. Found while enabling the strict_typing for lib/private for the PHP7+ migration. Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Roeland Jago Douma	ca70694502	Also check for empty content lenth Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Morris Jobke	0eebff152a	Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Roeland Jago Douma	c257cd57d4	Handle SameSiteCookie check for index.php in AppFramework Middleware Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	9717cdfb9e	If there is no content don't error Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Roeland Jago Douma	ede15f0988	Fix L10N::t Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
coderkun	bdc7bb1f26	Add IPv6 to “localhost” regex (#440 ) Signed-off-by: Oliver Hanraths <olli@coderkun.de>	9 years ago
Joas Schilling	695696a4a6	Use constants Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Juan Pablo Villafáñez	38e5135cb9	Reorder the entries of the log for easier reading	9 years ago
Roeland Jago Douma	2a9192334e	Don't try to parse empty body if there is no body Fixes #3890 If we do a put request without a body the current code still tries to read the body. This patch makes sure that we do not try to read the body if the content length is 0. See RFC 2616 Section 4.3 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Roeland Jago Douma	8626ccab1c	dont require strict same site cookies for ocs requests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Joas Schilling	33fb86f68b	Fix detection of the new iOS app Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Christoph Wurst	5e728d0eda	oc_token should be nc_token Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Lukas Reschke	a05b8b7953	Harden cookies more appropriate This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening. See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications. Fixes https://github.com/nextcloud/server/issues/1412 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Joas Schilling	c20ab0049f	Identify Chromium as Chrome Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Lukas Reschke	d50e7ee36c	Remove reading PATH_INFO from server variable Having two code paths for this is unreliable and can lead to bugs. Also, in some cases Apache isn't setting the PATH_INFO variable when mod_rewrite is used. Fixes https://github.com/nextcloud/server/issues/983	9 years ago
Roeland Jago Douma	8f3dc0ba43	Remove IE_8 user agent string	10 years ago
Lukas Reschke	b53ea18ea5	Match only for actual session cookie OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.	10 years ago
Joas Schilling	0215b004da	Update with robin	10 years ago
Joas Schilling	ba87db3fcc	Fix others	10 years ago
Lukas Reschke	a299fa38a9	[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50	10 years ago
Joas Schilling	b1d652e8b0	Copy the regexes to the public interface	10 years ago
Lukas Reschke	aba539703c	Update license headers	10 years ago
Roeland Jago Douma	eb11ed1851	Make ownCloud work again in php 7.0.6 See https://bugs.php.net/bug.php?id=72117	10 years ago
Roeland Jago Douma	1d33a5ef13	Move \OC\AppFramework to PSR-4 * Also moved the autoloader setup a bit up since we need it in initpaths	10 years ago
Lukas Reschke	8222ad5157	Move logout to controller Testable code. Yay.	10 years ago
Lukas Reschke	95820fbd5b	Add magical regex to catch browsers	10 years ago
Lukas Reschke	cc8c0b6a90	Check if request is sent from official ownCloud client There are authentication backends such as Shibboleth that do send no Basic Auth credentials for DAV requests. This means that the ownCloud DAV backend would consider these requests coming from an untrusted source and require higher levels of security checks. (e.g. a CSRF check) While an elegant solution would rely on authenticating via token (so that one can properly ensure that the request came indeed from a trusted client) this is a okay'ish workaround for this problem until we have something more reliable in the authentication code.	10 years ago
Roeland Jago Douma	e6dc80f0f3	Fix warning in request.php * Added proper @property tags * RunTimeException => RuntimeException Makes code analyzers happier	10 years ago
Lukas Reschke	a977465af5	Add new CSRF manager for unit testing purposes This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.	10 years ago
Thomas Müller	682821c71e	Happy new year!	10 years ago
Roeland Jago Douma	98c4951f45	getLowStrengthGenerator does not do anything anymore	10 years ago
Lukas Reschke	f3360d51c6	Use PHP polyfills	10 years ago
Mitar	59511d97ee	Also allow empty value for no-HTTPS. This makes it work better with old version of Nginx.	10 years ago
Robin Appelman	2d7c9f0ba9	also match ie11 with Request::USER_AGENT_IE	10 years ago
Thomas Müller	358858c9e3	Fix undefined HTTP_USER_AGENT	10 years ago
Lukas Reschke	8133d46620	Remove dependency on ICrypto + use XOR	10 years ago
Morris Jobke	bf579a153f	fix IE8 user agent detection	10 years ago
Lukas Reschke	80a232da6a	Add \OCP\IRequest::getHttpProtocol Only allow valid HTTP protocols. Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119	10 years ago
Morris Jobke	8366ce2767	deduplicate @xenopathic	10 years ago
Morris Jobke	b945d71384	update licence headers via script	10 years ago
Jörn Friedrich Dreyer	d81416c51d	return '' instead of false	10 years ago
Robin McCorkell	31a8949adf	Prevent warning decoding content	10 years ago
Robin McCorkell	e60c4bada1	Decode request content only on getContent	10 years ago
Lukas Reschke	8313a3fcb3	Add mitigation against BREACH While BREACH requires the following three factors to be effectively exploitable we should add another mitigation: 1. Application must support HTTP compression 2. Response most reflect user-controlled input 3. Response should contain sensitive data Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.	11 years ago
Robin McCorkell	8944af57cb	Set default `forwarded_for_headers` to 'HTTP_X_FORWARDED_FOR'	11 years ago
Lukas Reschke	90a11efecd	Remove "use" statement Ref https://bugs.php.net/bug.php?id=66773	11 years ago
Lukas Reschke	4efa7c09b1	Use StringUtils::equals on CSRF token and add unit tests	11 years ago

28 Commits (0ee45d3d20ce53db97b6835acb00a95e27ee072d)