nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Roeland Jago Douma	64244e1a4f	CSP: Allow fonts to be provided in data Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	514426e27d	Only trust the X-FORWARDED-HOST header for trusted proxies Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Oliver Wegner	401ca28f07	Adding handling of CIDR notation to trusted_proxies for IPv4 Signed-off-by: Oliver Wegner <void1976@gmail.com>	7 years ago
Roeland Jago Douma	579822b6a5	Add report-uri to CSP Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Roeland Jago Douma	5b61ef9213	Disallow unsafe-eval by default Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	a34495933e	Move caching logic to response This avoids having to do it at all the places we want cached responses. We can't inject the ITimeFactor without breaking public API. However we can perfectly overwrite the service (resulting in the same testable effect). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	d179186430	Remove testcase Since a token now always requires a string we don't need to test for null Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Julius Härtl	5a4aa2b7dd	Add test for PublicTemplateResponse Signed-off-by: Julius Härtl <jus@bitgrid.net>	8 years ago
Roeland Jago Douma	0ee45d3d20	Fix proper types Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	ca9f364fd4	Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Joas Schilling	870023365c	Fix "Undefined method setExpectedException()" Signed-off-by: Joas Schilling <coding@schilljs.com>	8 years ago
Morris Jobke	c70927eaa0	Remove not needed 3rdparty app disabling during upgrade for PHP 5.x Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Joas Schilling	7bc9a69c3f	Remove deprecated core API Signed-off-by: Joas Schilling <coding@schilljs.com>	8 years ago
Bjoern Schiessle	f0202245ee	allow 'Nextcloud' in the user agent string of Android Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	8 years ago
Morris Jobke	43e498844e	Use ::class in test mocks Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Roeland Jago Douma	c257cd57d4	Handle SameSiteCookie check for index.php in AppFramework Middleware Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Thomas Citharel	ecf347bd1a	Add CSP frame-ancestors support Didn't set the @since annotation yet. Signed-off-by: Thomas Citharel <tcit@tcit.fr>	9 years ago
Lukas Reschke	f22ab3e665	Add metadata to \OCP\AppFramework\Http\Response::throttle Fixes https://github.com/nextcloud/server/issues/5891 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	8149945a91	Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Roeland Jago Douma	2a9192334e	Don't try to parse empty body if there is no body Fixes #3890 If we do a put request without a body the current code still tries to read the body. This patch makes sure that we do not try to read the body if the content length is 0. See RFC 2616 Section 4.3 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Morris Jobke	f9bc53146d	Fix unit tests Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Lukas Reschke	5f8f29508f	Adjust tests to include base-uri Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	adfd1e63f6	Add base-uri to CSP policy As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Robin Appelman	9a8cef965f	add test for skipping cookie checks for ocs Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Christoph Wurst	5e728d0eda	oc_token should be nc_token Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Christoph Wurst	e3815b382d	fix data response test expected cache headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Christoph Wurst	fe6416072d	set 'no-store' cache header if we do not want FF to cache Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Lukas Reschke	a05b8b7953	Harden cookies more appropriate This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening. See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications. Fixes https://github.com/nextcloud/server/issues/1412 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Robin Appelman	e4d1cf0f6d	add tests for http/output Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Joas Schilling	c20ab0049f	Identify Chromium as Chrome Signed-off-by: Joas Schilling <coding@schilljs.com>	10 years ago
Lukas Reschke	9e6634814e	Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. Security: As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. Performance: We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	10 years ago
Roeland Jago Douma	777c3ee325	Add FileDisplayResponse A lazy implementation of the DisplayResponse that only hits the filesystem if the etag and mtime do not match.	10 years ago
Lukas Reschke	d50e7ee36c	Remove reading PATH_INFO from server variable Having two code paths for this is unreliable and can lead to bugs. Also, in some cases Apache isn't setting the PATH_INFO variable when mod_rewrite is used. Fixes https://github.com/nextcloud/server/issues/983	10 years ago
Lukas Reschke	b53ea18ea5	Match only for actual session cookie OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.	10 years ago
Lukas Reschke	a299fa38a9	[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50	10 years ago
Roeland Jago Douma	2fa9e67294	Fix phpunit-5.4 wargning * getMock is deprecated. * \PDOStatement mocking fails hard on phpunit 4.8	10 years ago
Joas Schilling	94ad54ec9b	Move tests/ to PSR-4 (#24731 ) * Move a-b to PSR-4 * Move c-d to PSR-4 * Move e+g to PSR-4 * Move h-l to PSR-4 * Move m-r to PSR-4 * Move s-u to PSR-4 * Move files/ to PSR-4 * Move remaining tests to PSR-4 * Remove Test\ from old autoloader	10 years ago

38 Commits (336cd77dbdade8e8d5f7467d400aeb6bb90f9507)