nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Christoph Wurst	1ee833efab	refactor: Replace __CLASS__ with ::class references Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	1 year ago
Anna Larch	8af7ecb257	chore: adjust code to adhere to coding standard Signed-off-by: Anna Larch <anna@nextcloud.com>	1 year ago
Daniel Kesselberg	af6de04e9e	style: update codestyle for coding-standard 1.2.3 Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	1 year ago
Ferdinand Thiessen	2916e5df7e	feat: Provide CSP nonce as `<meta>` element This way we use the CSP nonce for dynamically loaded scripts. Important to notice: The CSP nonce must NOT be injected in `content` as this can lead to value exfiltration using e.g. side-channel attacts (CSS selectors). Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	1 year ago
Ferdinand Thiessen	86f01a3358	fix: Make sure CSP nonce is not double base64 encoded Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	1 year ago
Ferdinand Thiessen	9716b0d735	refactor: Migrate some legacy and core functions to `IFilenameValidator` Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	1 year ago
Benjamin Gaussorgues	f1d97a3188	feat(Security): add Factory for IP addresses and ranges Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	1 year ago
Joas Schilling	047479ccf9	feat(security): Add public API to allow validating IP Ranges and checking for "in range" Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	1 year ago
Benjamin Gaussorgues	202e5b1e95	feat(security): restrict admin actions to IP ranges Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	1 year ago
Christopher Ng	415edcac9b	chore: More explicit splitHash typing Signed-off-by: Christopher Ng <chrng8@gmail.com>	2 years ago
Christopher Ng	d9bf6c432e	feat: Add method to validate an IHasher hash Signed-off-by: Christopher Ng <chrng8@gmail.com>	2 years ago
Robin Appelman	e140907123	fix: don't use custom certificate bundle if no customer certificates are configured Signed-off-by: Robin Appelman <robin@icewind.nl>	2 years ago
Andy Scherzinger	dae7c159f7	chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>	2 years ago
Joas Schilling	b627e6efe4	fix: Correctly check result of function Signed-off-by: Joas Schilling <coding@schilljs.com>	2 years ago
Ferdinand Thiessen	5a513c924f	fix(CSP): Add CSP nonce by default and convert `browserSupportsCspV3` to blocklist Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2 years ago
Andrew Summers	f9ce6bfdff	Refactor `OC\Server::getHasher` Signed-off-by: Andrew Summers <18727110+summersab@users.noreply.github.com>	2 years ago
Julius Härtl	02d6d3f5b1	fix: Add edge as supported user agent for CSPv3 nonces Signed-off-by: Julius Härtl <jus@bitgrid.net>	2 years ago
Joas Schilling	33e1c8b236	fix(security): Handle idn_to_utf8 returning false Signed-off-by: Joas Schilling <coding@schilljs.com>	2 years ago
Joas Schilling	aa5f037af7	chore: apply changes from Nextcloud coding standards 1.1.1 Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2 years ago
Ferdinand Thiessen	7df9eb3351	feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keep the default rules for `script-src`. The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2 years ago
Benjamin Gaussorgues	f04035caa0	Simplify IP address normalizer with IP masks Remove dead code Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2 years ago
Faraz Samapoor	f313ca92e7	Refactors lib/private/Security. Mainly using PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <fsa@adlas.at>	2 years ago
Faraz Samapoor	1c023e6666	Update lib/private/Security/Certificate.php Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com> Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>	2 years ago
Faraz Samapoor	f9596edb00	Updates the typed properties. Based on: https://github.com/nextcloud/server/pull/39013#discussion_r1242340826 Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com> Signed-off-by: Faraz Samapoor <fsa@adlas.at>	2 years ago
Faraz Samapoor	4f46656d39	Refactors lib/private/Security. Mainly using PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <fsa@adlas.at>	2 years ago
Christoph Wurst	e477bb7eaf	feat(appframework): Expose programmatic rate limiter Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2 years ago
Andrew Summers	1395a53602	Refactor `OC\Server::getSecureRandom` Signed-off-by: Andrew Summers <18727110+summersab@users.noreply.github.com>	2 years ago
Joas Schilling	124588d4a6	fix: Make bypass function public API Signed-off-by: Joas Schilling <coding@schilljs.com>	2 years ago
Joas Schilling	fd9b2d488e	feat: Expose if the own IP is allowed to bypass bruteforce protection Signed-off-by: Joas Schilling <coding@schilljs.com>	2 years ago
Joas Schilling	abc98d343c	feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep Signed-off-by: Joas Schilling <coding@schilljs.com>	2 years ago
Joas Schilling	a95800c647	feat(security): Add a bruteforce protection backend base on memcache Similar to the ratelimit backend Signed-off-by: Joas Schilling <coding@schilljs.com>	2 years ago
Daniel Calviño Sánchez	41f2d912d2	Allow "wasm-unsafe-eval" in CSP If a page has a Content Security Policy header and the `script-src` (or `default-src`) directive does not contain neither `wasm-unsafe-eval` nor `unsafe-eval` loading and executing WebAssembly is blocked in the page (although it is still possible to load and execute WebAssembly in a worker thread). Although the Nextcloud classes to manage the CSP already supported allowing `unsafe-eval` this affects not only WebAssembly, but also the `eval` operation in JavaScript. To make possible to allow WebAssembly execution without allowing JavaScript `eval` this commit adds support for allowing `wasm-unsafe-eval`. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>	2 years ago
Faraz Samapoor	e73757b4a5	Refactors lib/private/Security. Mainly using PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <fsa@adlas.at>	3 years ago
Robin Appelman	223612b15a	log failures to read certificates during listing Signed-off-by: Robin Appelman <robin@icewind.nl>	3 years ago
Faraz Samapoor	e7cc7653b8	Refactors "strpos" calls in lib/private to improve code readability. Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>	3 years ago
Jan Messer	647c65a640	[BUGFIX] throw exception instead of error if unable to create file handler (only exceptions are catch) Signed-off-by: Jan Messer <jan@mtec-studios.ch>	3 years ago
Jan Messer	7a443863fe	[BUGFIX] check return value and improve error handling With S3 primary storage there was a problem with getting the CA bundle from the storage without having the CA bundle for the connection which causes that the CertificateManager was throwing an Error. This commit improves the handling in CertificateManager and log unexpected behaviors. Signed-off-by: Jan Messer <jan@mtec-studios.ch>	3 years ago
Côme Chilliet	426c0341ff	Use typed version of IConfig::getSystemValue as much as possible Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	3 years ago
Côme Chilliet	ea05544213	Fix return type of methods returning false on error Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	3 years ago
Joas Schilling	454281af03	feat(security): Allow to opt-out of ratelimit protection, e.g. for testing on CI Signed-off-by: Joas Schilling <coding@schilljs.com>	3 years ago
Côme Chilliet	f5c361cf44	composer run cs:fix Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	3 years ago
Christoph Wurst	8aea25b5b9	Add remote host validation API Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	3 years ago
Côme Chilliet	71ee292650	Add rate limiting on lost password emails Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	3 years ago
Carl Schwan	ef31396727	Mark method as deprecated Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Carl Schwan <carl@carlschwan.eu>	3 years ago
Carl Schwan	48d9c4d2b0	Port existing server code to new interface Signed-off-by: Carl Schwan <carl@carlschwan.eu>	3 years ago
Joas Schilling	c0f47af2d0	Add a public interface for the bruteforce throttler and register for injection Signed-off-by: Joas Schilling <coding@schilljs.com>	3 years ago
luz paz	368f83095d	Fix typos in lib/private subdirectory Found via `codespell -q 3 -S l10n -L jus ./lib/private` Signed-off-by: luz paz <luzpaz@github.com>	3 years ago
Joas Schilling	8274c05e19	Only ignore attempts of the same action Signed-off-by: Joas Schilling <coding@schilljs.com>	4 years ago
Carl Schwan	ca3cd5a625	Fix detection of firefox in ContentSecurityPolicyNonceManager Reuse Request::USER_AGENT_FIREFOX, and also update the safari detection since safari < 12 is not supported anymore and we can remove a bit of code duplication Signed-off-by: Carl Schwan <carl@carlschwan.eu>	4 years ago
Vincent Petry	01dbd22c9c	Validate requested length is random string generator Signed-off-by: Vincent Petry <vincent@nextcloud.com>	4 years ago

1 2 3 4 5

228 Commits (2bdc97741cd42843f85750421cba032942d860ed)