nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Lukas Reschke	8313a3fcb3	Add mitigation against BREACH While BREACH requires the following three factors to be effectively exploitable we should add another mitigation: 1. Application must support HTTP compression 2. Response most reflect user-controlled input 3. Response should contain sensitive data Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.	11 years ago
Lukas Reschke	7dda86f371	Return proper status code in case of a CORS exception When returning a 500 statuscode external applications may interpret this as an error instead of handling this more gracefully. This will now make return a 401 thus. Fixes https://github.com/owncloud/core/issues/17742	11 years ago
Bernhard Posselt	21ce5d034b	fix #16713	11 years ago
Bernhard Posselt	c8e3599cad	disallow cookie auth for cors requests testing ... fixes fix test add php doc fix small mistake add another phpdoc remove not working cors annotations from files app	11 years ago
Lukas Reschke	886bda5f81	Refactor OC_Request into TrustedDomainHelper and IRequest This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed. This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions. Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though. Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969	11 years ago
Lukas Reschke	770fa761b8	Respect `mod_unique_id` and refactor `OC_Request::getRequestId` When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs. Testplan: - [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`. - [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string - [ ] The generated Id is stable over the lifespan of one request Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI. Fixes https://github.com/owncloud/core/issues/13366	11 years ago
Joas Schilling	6202ca33ba	Make remaining files extend the test base	11 years ago
Bernhard Posselt	63f2f16b85	use new controllermethodreflector for corsmiddleware	12 years ago
Bernhard Posselt	9a4d204b55	add cors middleware remove methodannotationreader namespace fix namespace for server container fix tests fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request remove uneeded local in cors middleware registratio dont uppercase cors to easily use it from routes fix indention comment fixes explicitely set allow credentials header to false dont depend on better controllers PR, fix that stuff later split cors methods to be in a seperate controller for exposing apis remove protected definitions from apicontroller since controller has it	12 years ago

9 Commits (0fac2e3f3aaaeaddf431f7877ebddb6372a00a42)