nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Lukas Reschke	a299fa38a9	[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50	10 years ago
Joas Schilling	b1d652e8b0	Copy the regexes to the public interface	10 years ago
Lukas Reschke	aba539703c	Update license headers	10 years ago
Roeland Jago Douma	eb11ed1851	Make ownCloud work again in php 7.0.6 See https://bugs.php.net/bug.php?id=72117	10 years ago
Roeland Jago Douma	1d33a5ef13	Move \OC\AppFramework to PSR-4 * Also moved the autoloader setup a bit up since we need it in initpaths	10 years ago
Lukas Reschke	8222ad5157	Move logout to controller Testable code. Yay.	10 years ago
Lukas Reschke	95820fbd5b	Add magical regex to catch browsers	10 years ago
Lukas Reschke	cc8c0b6a90	Check if request is sent from official ownCloud client There are authentication backends such as Shibboleth that do send no Basic Auth credentials for DAV requests. This means that the ownCloud DAV backend would consider these requests coming from an untrusted source and require higher levels of security checks. (e.g. a CSRF check) While an elegant solution would rely on authenticating via token (so that one can properly ensure that the request came indeed from a trusted client) this is a okay'ish workaround for this problem until we have something more reliable in the authentication code.	10 years ago
Roeland Jago Douma	e6dc80f0f3	Fix warning in request.php * Added proper @property tags * RunTimeException => RuntimeException Makes code analyzers happier	10 years ago
Lukas Reschke	a977465af5	Add new CSRF manager for unit testing purposes This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.	10 years ago
Thomas Müller	682821c71e	Happy new year!	10 years ago
Roeland Jago Douma	98c4951f45	getLowStrengthGenerator does not do anything anymore	10 years ago
Lukas Reschke	f3360d51c6	Use PHP polyfills	10 years ago
Mitar	59511d97ee	Also allow empty value for no-HTTPS. This makes it work better with old version of Nginx.	10 years ago
Robin Appelman	2d7c9f0ba9	also match ie11 with Request::USER_AGENT_IE	10 years ago
Thomas Müller	358858c9e3	Fix undefined HTTP_USER_AGENT	10 years ago
Lukas Reschke	8133d46620	Remove dependency on ICrypto + use XOR	10 years ago
Morris Jobke	bf579a153f	fix IE8 user agent detection	10 years ago
Lukas Reschke	80a232da6a	Add \OCP\IRequest::getHttpProtocol Only allow valid HTTP protocols. Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119	10 years ago
Morris Jobke	8366ce2767	deduplicate @xenopathic	10 years ago
Morris Jobke	b945d71384	update licence headers via script	10 years ago
Jörn Friedrich Dreyer	d81416c51d	return '' instead of false	10 years ago
Robin McCorkell	31a8949adf	Prevent warning decoding content	10 years ago
Robin McCorkell	e60c4bada1	Decode request content only on getContent	10 years ago
Lukas Reschke	8313a3fcb3	Add mitigation against BREACH While BREACH requires the following three factors to be effectively exploitable we should add another mitigation: 1. Application must support HTTP compression 2. Response most reflect user-controlled input 3. Response should contain sensitive data Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.	11 years ago
Robin McCorkell	8944af57cb	Set default `forwarded_for_headers` to 'HTTP_X_FORWARDED_FOR'	11 years ago
Lukas Reschke	90a11efecd	Remove "use" statement Ref https://bugs.php.net/bug.php?id=66773	11 years ago
Lukas Reschke	4efa7c09b1	Use StringUtils::equals on CSRF token and add unit tests	11 years ago
Thomas Müller	bd71540c8a	Fixing 'Undefined index: REMOTE_ADDR' - fixes #17460	11 years ago
Morris Jobke	f63915d0c8	update license headers and authors	11 years ago
Lukas Reschke	4d23e06097	Fix undefined offset There are cases where no trusted host is specified such as when installing the instance, this lead to an undefined offset warning in the log right after installing. (when another domain than localhost or 127.0.0.1 was used)	11 years ago
Joas Schilling	6da9e1a742	Fix visibility of public API methods	11 years ago
Morris Jobke	ccf47f40aa	Remove unused variables * should make scrutinizer a lot more happy * reduces maybe memory footprint	11 years ago
Jenkins for ownCloud	b585d87d9d	Update license headers	11 years ago
Lukas Reschke	bbd5f28415	Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.	11 years ago
Morris Jobke	06aef4e8b1	Revert "Updating license headers" This reverts commit `6a1a4880f0`.	11 years ago
Lukas Reschke	9adcd15cb3	Use [0] instead of current as HHVM might have problems with that	11 years ago
Lukas Reschke	1c6eae9017	Get the real protocol behind several proxies X-Forwarded-Proto contains a list of protocols if ownCloud is behind multiple reverse proxies. This is a revival of https://github.com/owncloud/core/pull/11157 using the new IRequest public API.	11 years ago
Vincent Petry	9f6dcb9d3e	Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity	11 years ago
Thomas Müller	0a9b8242ee	properly initialize OC::$WEBROOT and host name	11 years ago
Jenkins for ownCloud	6a1a4880f0	Updating license headers	11 years ago
Lukas Reschke	cebf9f6a5a	Incorporate review changes	11 years ago
Lukas Reschke	992164446c	Add blackmagic due to cyclic dependency 🙈	11 years ago
Lukas Reschke	9f91d64918	Make scrutinizer happy	11 years ago
Lukas Reschke	886bda5f81	Refactor OC_Request into TrustedDomainHelper and IRequest This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed. This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions. Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though. Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969	11 years ago
Lukas Reschke	770fa761b8	Respect `mod_unique_id` and refactor `OC_Request::getRequestId` When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs. Testplan: - [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`. - [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string - [ ] The generated Id is stable over the lifespan of one request Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI. Fixes https://github.com/owncloud/core/issues/13366	11 years ago
Bernhard Posselt	bb0c88a577	always set url parameters when they are available in the app dispatch prefer url parameters passed into the main method. If they are not present, use the containers urlParameters add space	11 years ago
Lukas Reschke	41374986d3	Remove dead code	11 years ago
Bernhard Posselt	1d45239c65	adjust license headers to new mail address	12 years ago
Bernhard Posselt	62cce982bb	default to GET request when no method is set to fix unittests, also set parsed json parameters on the post attribute	12 years ago

1 2

59 Commits (5cd1880daa048a685da689c7f41a2e50486494de)