nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Christoph Wurst	5bf3d1bb38	Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Julius Härtl	a055d8ddf9	Always return overwritehost if configured Signed-off-by: Julius Härtl <jus@bitgrid.net>	6 years ago
Daniel Kesselberg	fdf4e1ebb2	Remove duplicate code Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	6 years ago
b108@volgograd	bf167ad3ac	Remove duplicate functionality This functionality implemented in the next line: $requestUri = preg_replace('%/{2,}%', '/', $requestUri);	7 years ago
Roeland Jago Douma	514426e27d	Only trust the X-FORWARDED-HOST header for trusted proxies Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Oliver Wegner	401ca28f07	Adding handling of CIDR notation to trusted_proxies for IPv4 Signed-off-by: Oliver Wegner <void1976@gmail.com>	7 years ago
Daniel Kesselberg	986f4df2a5	Add REMOTE_ADDR to getHeader Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	7 years ago
Robin Appelman	c0a283fefb	ensure we always return an array from `Request::getParams` Signed-off-by: Robin Appelman <robin@icewind.nl>	7 years ago
Roeland Jago Douma	043a824e6a	Fix comments Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	0ee45d3d20	Fix proper types Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	a229095af1	Make Request strict Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Morris Jobke	4ef302c0be	Request->getHeader() should always return a string PHPDoc (of the public API) says that this method returns string but it also returns null, which is not allowed in some method calls. This fixes that behaviour and returns an empty string and fixes all code paths that explicitly checked for null to be still compliant. Found while enabling the strict_typing for lib/private for the PHP7+ migration. Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Roeland Jago Douma	ca70694502	Also check for empty content lenth Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Morris Jobke	0eebff152a	Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Roeland Jago Douma	c257cd57d4	Handle SameSiteCookie check for index.php in AppFramework Middleware Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	9717cdfb9e	If there is no content don't error Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Roeland Jago Douma	ede15f0988	Fix L10N::t Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
coderkun	bdc7bb1f26	Add IPv6 to “localhost” regex (#440 ) Signed-off-by: Oliver Hanraths <olli@coderkun.de>	9 years ago
Joas Schilling	695696a4a6	Use constants Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Juan Pablo Villafáñez	38e5135cb9	Reorder the entries of the log for easier reading	9 years ago
Roeland Jago Douma	2a9192334e	Don't try to parse empty body if there is no body Fixes #3890 If we do a put request without a body the current code still tries to read the body. This patch makes sure that we do not try to read the body if the content length is 0. See RFC 2616 Section 4.3 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Roeland Jago Douma	8626ccab1c	dont require strict same site cookies for ocs requests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Joas Schilling	33fb86f68b	Fix detection of the new iOS app Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Christoph Wurst	5e728d0eda	oc_token should be nc_token Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Lukas Reschke	a05b8b7953	Harden cookies more appropriate This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening. See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications. Fixes https://github.com/nextcloud/server/issues/1412 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Joas Schilling	c20ab0049f	Identify Chromium as Chrome Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Lukas Reschke	d50e7ee36c	Remove reading PATH_INFO from server variable Having two code paths for this is unreliable and can lead to bugs. Also, in some cases Apache isn't setting the PATH_INFO variable when mod_rewrite is used. Fixes https://github.com/nextcloud/server/issues/983	10 years ago
Roeland Jago Douma	8f3dc0ba43	Remove IE_8 user agent string	10 years ago
Lukas Reschke	b53ea18ea5	Match only for actual session cookie OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.	10 years ago
Joas Schilling	0215b004da	Update with robin	10 years ago
Joas Schilling	ba87db3fcc	Fix others	10 years ago
Lukas Reschke	a299fa38a9	[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50	10 years ago
Joas Schilling	b1d652e8b0	Copy the regexes to the public interface	10 years ago
Lukas Reschke	aba539703c	Update license headers	10 years ago
Roeland Jago Douma	eb11ed1851	Make ownCloud work again in php 7.0.6 See https://bugs.php.net/bug.php?id=72117	10 years ago
Roeland Jago Douma	1d33a5ef13	Move \OC\AppFramework to PSR-4 * Also moved the autoloader setup a bit up since we need it in initpaths	10 years ago
Lukas Reschke	8222ad5157	Move logout to controller Testable code. Yay.	10 years ago
Lukas Reschke	95820fbd5b	Add magical regex to catch browsers	10 years ago
Lukas Reschke	cc8c0b6a90	Check if request is sent from official ownCloud client There are authentication backends such as Shibboleth that do send no Basic Auth credentials for DAV requests. This means that the ownCloud DAV backend would consider these requests coming from an untrusted source and require higher levels of security checks. (e.g. a CSRF check) While an elegant solution would rely on authenticating via token (so that one can properly ensure that the request came indeed from a trusted client) this is a okay'ish workaround for this problem until we have something more reliable in the authentication code.	10 years ago
Roeland Jago Douma	e6dc80f0f3	Fix warning in request.php * Added proper @property tags * RunTimeException => RuntimeException Makes code analyzers happier	10 years ago
Lukas Reschke	a977465af5	Add new CSRF manager for unit testing purposes This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.	10 years ago
Thomas Müller	682821c71e	Happy new year!	10 years ago
Roeland Jago Douma	98c4951f45	getLowStrengthGenerator does not do anything anymore	10 years ago
Lukas Reschke	f3360d51c6	Use PHP polyfills	10 years ago
Mitar	59511d97ee	Also allow empty value for no-HTTPS. This makes it work better with old version of Nginx.	10 years ago
Robin Appelman	2d7c9f0ba9	also match ie11 with Request::USER_AGENT_IE	10 years ago
Thomas Müller	358858c9e3	Fix undefined HTTP_USER_AGENT	10 years ago
Lukas Reschke	8133d46620	Remove dependency on ICrypto + use XOR	10 years ago
Morris Jobke	bf579a153f	fix IE8 user agent detection	10 years ago
Lukas Reschke	80a232da6a	Add \OCP\IRequest::getHttpProtocol Only allow valid HTTP protocols. Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119	10 years ago

38 Commits (3e720942e58f99b038616d95e00a01ac9dd2f490)