nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Joas Schilling	72c1b24844	Check whether the $_SERVER['REQUEST_*'] vars exist before using them Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Morris Jobke	c54a59d51e	Remove unused use statements Signed-off-by: Morris Jobke <hey@morrisjobke.de>	9 years ago
Lukas Reschke	8149945a91	Make BruteForceProtection annotation more clever This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware. Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	a1ae5275f9	Move to dedicated MiddleWare Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Lukas Reschke	66835476b5	Add support for ratelimiting via annotations This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Bjoern Schiessle	32e0ec3e58	handle optional annotation parameters Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Bjoern Schiessle	df296249d6	introduce brute force protection for api calls Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	9 years ago
Joas Schilling	61e15988a0	Allow to overwrite the message which we already do in SubadminMiddleware Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Joas Schilling	bb7787a157	Add the 15 seconds to the window, instead of removing Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Joas Schilling	827b6a610e	Introduce PasswordConfirmRequired annotation Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Christoph Wurst	0ebffa4a5f	do not double encode the redirect url Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Roeland Jago Douma	e351ba56f1	Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Lukas Reschke	9e6634814e	Add support for CSP nonces CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce. At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.) IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO. Implementing this offers the following advantages: 1. Security: As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist 2. Performance: We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file. If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/ Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Roeland Jago Douma	7c078a81b4	Add trict CSP to OCS responses If a repsonse now explicitly has the Empty CSP set then the middleware won't touch it.	9 years ago
Roeland Jago Douma	3c55fe6bab	Split OCS version handling This cleans up a bit the OCSController/Middleware. Since the 2 versions of OCS differ a bit. Moved a lot of stuff internal since it is of no concern to the outside.	9 years ago
Roeland Jago Douma	e3b0e50dda	Extend OCSMiddleware * Always set 401 (v1.php and v2.php) * Set proper error codes for v2.php * Proper OCS output on unhandled exceptions	10 years ago
Roeland Jago Douma	aacb68c9a5	Extend OCSMiddleware * Always set 401 (v1.php and v2.php) * Set proper error codes for v2.php * Proper OCS output on unhandled exceptions	10 years ago
Roeland Jago Douma	5c718b13b8	We should properly check for 'true' instaed of the bool	10 years ago
Roeland Jago Douma	f7f5216aa3	Dark hackery to not always disable CSRF for OCS controllers	10 years ago
Roeland Jago Douma	8bdd0adcee	Support subdir in the OCS v2 endpoint We should check against the ending substring since people could run their nextcloud in a subfolder. * Added test	10 years ago
Roeland Jago Douma	b543fd8d30	Set proper status code in OCS AppFramework Middleware	10 years ago
Joas Schilling	ba87db3fcc	Fix others	10 years ago
Lukas Reschke	ba4f12baa0	Implement brute force protection Class Throttler implements the bruteforce protection for security actions in Nextcloud. It is working by logging invalid login attempts to the database and slowing down all login attempts from the same subnet. The max delay is 30 seconds and the starting delay are 200 milliseconds. (after the first failed login)	10 years ago
Roeland Jago Douma	e42f2f2650	AppFramework do not get default response The OCSResponse differs from other responses in that it defaults to XML. However we fell back to json by default. This makes sure that if nothing is set we don't pass anything. Which defaults then to the controllers default (which is often 'json') but in the case of the OCSResponse 'xml'.	10 years ago
Roeland Jago Douma	ea47974a08	Add OCSMiddleware to catch OCS exceptions * OCSException * OCSBadRequestException * OCSForbiddenException * OCSNotFoundException	10 years ago
Lukas Reschke	a299fa38a9	[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50	10 years ago
Christoph Wurst	82b50d126c	add PasswordLoginForbiddenException	10 years ago
Christoph Wurst	331d88bcab	create session token on all APIs	10 years ago
Christoph Wurst	9997c431c3	use client login method on CORS routes	10 years ago
Lukas Reschke	aba539703c	Update license headers	10 years ago
Roeland Jago Douma	4eebccd81f	Fix inconsistent nameing of AppFramework	10 years ago
Roeland Jago Douma	1d33a5ef13	Move \OC\AppFramework to PSR-4 * Also moved the autoloader setup a bit up since we need it in initpaths	10 years ago

36 Commits (bcddca9a64fb980019df052a99bc08fbef14b577)