nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Christoph Wurst	2a054e6c04	Update the license headers for Nextcloud 20 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	5 years ago
Holger Hees	e70249e089	Update SecurityMiddleware.php OC::$WEBROOT can be empty in case if your nextcloud installation has no url prefix. This will result in an empty Location Header. in other areas OC::$WEBROOT is always used together with an /	6 years ago
Christoph Wurst	caff1023ea	Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	2fbad1ed72	Fix (array) indent style to always use one tab Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Joas Schilling	d445f9b9fe	Fix loaded controller check Signed-off-by: Joas Schilling <coding@schilljs.com>	6 years ago
Christoph Wurst	5bf3d1bb38	Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Roeland Jago Douma	68748d4f85	Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	6 years ago
Daniel Kesselberg	9055f46351	Make phan happy ;) Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	6 years ago
Arthur Schiwon	0a1937208f	Fixes a 500 without userid plus cleanup of unused use statements Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	6 years ago
Joas Schilling	15f00f0126	Mark "Talk" active on /call/token URLs Signed-off-by: Joas Schilling <coding@schilljs.com>	6 years ago
Roeland Jago Douma	37a4282c7a	Split up security middleware With upcoming work for the feature policy header. Splitting this in smaller classes that just do 1 thing makes sense. I rather have a few small classes that are tiny and do 1 thing right (and we all understand what is going on) than have big ones. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Christoph Wurst	22ae682823	Make it possible to show admin settings for sub admins Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	7 years ago
Roeland Jago Douma	8c1e75e052	Do not use file as template parameter Using file will overwrite the $file parameter in the template base. Leading to trying to include a file that is the exception message. Which will of course fail. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Arthur Schiwon	38a90130ce	move log constants to ILogger Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	8 years ago
Roeland Jago Douma	3ad7daeda5	Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	340e8ef16c	Make SecurityMiddleware strict Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Julien Veyssier	7da0812186	Do not throw AppNotEnabledException for app public pages - refs #6962 , refs #5309 It allows non-logged user to access public pages of applications restricted to a group Signed-off-by: Julien Veyssier <eneiluj@posteo.net>	8 years ago
Morris Jobke	cf35c4b03a	Provide translated error message for permission error Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Roeland Jago Douma	c0adfa4375	Don't perform CSRF check on OCS routes with Bearer auth Fixes #5694 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Morris Jobke	2a38605545	Properly log the full exception instead of only the message Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Roeland Jago Douma	57050146f6	Move passwordconfirmation to its own midleware Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Bjoern Schiessle	1bcbeb24bc	disable password confirmation with SSO Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	8 years ago
Morris Jobke	0eebff152a	Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Morris Jobke	ce0c45a4ea	Use proper DI for security middleware for app enabled check Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Lukas Reschke	f93a82b8b0	Remove explicit type hints for Controller This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Roeland Jago Douma	3548603a88	Fix middleware implementations signatures Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Joas Schilling	72c1b24844	Check whether the $_SERVER['REQUEST_*'] vars exist before using them Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Lukas Reschke	8149945a91	Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	a1ae5275f9	Move to dedicated MiddleWare Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	66835476b5	Add support for ratelimiting via annotations This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Bjoern Schiessle	32e0ec3e58	handle optional annotation parameters Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Bjoern Schiessle	df296249d6	introduce brute force protection for api calls Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Joas Schilling	bb7787a157	Add the 15 seconds to the window, instead of removing Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Joas Schilling	827b6a610e	Introduce PasswordConfirmRequired annotation Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Christoph Wurst	0ebffa4a5f	do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Roeland Jago Douma	e351ba56f1	Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Lukas Reschke	9e6634814e	Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. Security: As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. Performance: We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Roeland Jago Douma	7c078a81b4	Add trict CSP to OCS responses If a repsonse now explicitly has the Empty CSP set then the middleware won't touch it.	9 years ago
Roeland Jago Douma	5c718b13b8	We should properly check for 'true' instaed of the bool	10 years ago
Roeland Jago Douma	f7f5216aa3	Dark hackery to not always disable CSRF for OCS controllers	10 years ago
Joas Schilling	ba87db3fcc	Fix others	10 years ago
Lukas Reschke	a299fa38a9	[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50	10 years ago
Lukas Reschke	aba539703c	Update license headers	10 years ago
Roeland Jago Douma	4eebccd81f	Fix inconsistent nameing of AppFramework	10 years ago
Roeland Jago Douma	1d33a5ef13	Move \OC\AppFramework to PSR-4 * Also moved the autoloader setup a bit up since we need it in initpaths	10 years ago
Lukas Reschke	331e4efacb	Move login form into controller First step on getting the authorisation stuff cleaned up. This is only for the login form, all other stuff is still where it is.	10 years ago
Stefan Weil	b1a856d7b7	lib: Fix typos (found by codespell) Signed-off-by: Stefan Weil <sw@weilnetz.de>	10 years ago
Lukas Reschke	c353d51810	Remove Scrutinizer Auto Fixer	10 years ago
Lukas Reschke	809ff5ac95	Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```	10 years ago
Thomas Müller	682821c71e	Happy new year!	10 years ago

47 Commits (5cd1880daa048a685da689c7f41a2e50486494de)