nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Côme Chilliet	8d5165e8dc	Adapt tests to config value typing Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	3 years ago
Artur Neumann	81f2857f34	check if params given to API are really an array Signed-off-by: Artur Neumann <artur@jankaritech.com>	3 years ago
Stanimir Bozhilov	46c10c77e1	Fix the JSON content type regex to match all MIME types Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>	3 years ago
Stanimir Bozhilov	f7d51a39cf	Add unit tests for application/scim+json content type Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>	3 years ago
Simon Leiner	09362eaeaa	Support specifying IPv6 proxies in CIDR notation Previously, it was not possible to use CIDR notation for IPv6 proxies in the trusted_proxies parameter of config.php [1]. This patch adds support for that. [1]: https://docs.nextcloud.com/server/24/admin_manual/configuration_server/reverse_proxy_configuration.html#defining-trusted-proxies Signed-off-by: Simon Leiner <simon@leiner.me>	3 years ago
Côme Chilliet	c7e1c36362	Remove at matcher uses in tests/lib Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	4 years ago
Joas Schilling	cc6653e45c	Adjust and add unit tests Signed-off-by: Joas Schilling <coding@schilljs.com>	4 years ago
Carl Schwan	6312c0df69	Check style update Signed-off-by: Carl Schwan <carl@carlschwan.eu>	4 years ago
Joas Schilling	74a9cadc50	Fix IPv6 remote addresses from X_FORWARDED_FOR headers before validating Signed-off-by: Joas Schilling <coding@schilljs.com>	6 years ago
Christoph Wurst	1584c9ae9c	Add visibility to all methods and position of static keyword Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	caff1023ea	Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	14c996d982	Use elseif instead of else if Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	afbd9c4e6e	Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	b80ebc9674	Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Christoph Wurst	2ee65f177e	Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	6 years ago
Daniel Kesselberg	8331d8296b	Make getServerHost more robust to faulty user input Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	6 years ago
Daniel Kesselberg	d393b1612b	Modify regex to match some other chromium browsers Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	6 years ago
Roeland Jago Douma	3a7cf40aaa	Mode to modern phpunit Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	6 years ago
Roeland Jago Douma	c007ca624f	Make phpunit8 compatible Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	6 years ago
Roeland Jago Douma	68748d4f85	Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	6 years ago
Roeland Jago Douma	514426e27d	Only trust the X-FORWARDED-HOST header for trusted proxies Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	7 years ago
Oliver Wegner	401ca28f07	Adding handling of CIDR notation to trusted_proxies for IPv4 Signed-off-by: Oliver Wegner <void1976@gmail.com>	7 years ago
Roeland Jago Douma	d179186430	Remove testcase Since a token now always requires a string we don't need to test for null Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	0ee45d3d20	Fix proper types Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Bjoern Schiessle	f0202245ee	allow 'Nextcloud' in the user agent string of Android Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	8 years ago
Morris Jobke	43e498844e	Use ::class in test mocks Signed-off-by: Morris Jobke <hey@morrisjobke.de>	8 years ago
Roeland Jago Douma	c257cd57d4	Handle SameSiteCookie check for index.php in AppFramework Middleware Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	8 years ago
Roeland Jago Douma	2a9192334e	Don't try to parse empty body if there is no body Fixes #3890 If we do a put request without a body the current code still tries to read the body. This patch makes sure that we do not try to read the body if the content length is 0. See RFC 2616 Section 4.3 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	9 years ago
Robin Appelman	9a8cef965f	add test for skipping cookie checks for ocs Signed-off-by: Robin Appelman <robin@icewind.nl>	9 years ago
Christoph Wurst	5e728d0eda	oc_token should be nc_token Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	9 years ago
Lukas Reschke	a05b8b7953	Harden cookies more appropriate This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening. See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications. Fixes https://github.com/nextcloud/server/issues/1412 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	9 years ago
Joas Schilling	c20ab0049f	Identify Chromium as Chrome Signed-off-by: Joas Schilling <coding@schilljs.com>	9 years ago
Lukas Reschke	d50e7ee36c	Remove reading PATH_INFO from server variable Having two code paths for this is unreliable and can lead to bugs. Also, in some cases Apache isn't setting the PATH_INFO variable when mod_rewrite is used. Fixes https://github.com/nextcloud/server/issues/983	9 years ago
Lukas Reschke	b53ea18ea5	Match only for actual session cookie OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.	10 years ago
Lukas Reschke	a299fa38a9	[master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50	10 years ago
Joas Schilling	94ad54ec9b	Move tests/ to PSR-4 (#24731 ) * Move a-b to PSR-4 * Move c-d to PSR-4 * Move e+g to PSR-4 * Move h-l to PSR-4 * Move m-r to PSR-4 * Move s-u to PSR-4 * Move files/ to PSR-4 * Move remaining tests to PSR-4 * Remove Test\ from old autoloader	10 years ago
Joas Schilling	9eade36ae5	Fix namespaces in AppFramework tests	10 years ago
Lukas Reschke	a977465af5	Add new CSRF manager for unit testing purposes This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.	10 years ago
Roeland Jago Douma	07fd3889b1	Fix unit tests	10 years ago
Scrutinizer Auto-Fixer	453e1bf66e	Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com	10 years ago
Mitar	e0e51fd79f	Added tests.	10 years ago
Thomas Müller	358858c9e3	Fix undefined HTTP_USER_AGENT	10 years ago
Lukas Reschke	8133d46620	Remove dependency on ICrypto + use XOR	10 years ago
Lukas Reschke	80a232da6a	Add \OCP\IRequest::getHttpProtocol Only allow valid HTTP protocols. Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119	10 years ago
Robin McCorkell	ebe9bea709	Unit test for preventing warning decoding content	10 years ago
Jörn Friedrich Dreyer	ca8d589f27	use assertSame, add failing case	10 years ago
Lukas Reschke	8313a3fcb3	Add mitigation against BREACH While BREACH requires the following three factors to be effectively exploitable we should add another mitigation: 1. Application must support HTTP compression 2. Response most reflect user-controlled input 3. Response should contain sensitive data Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.	11 years ago
Lukas Reschke	4efa7c09b1	Use StringUtils::equals on CSRF token and add unit tests	11 years ago
Thomas Müller	bd71540c8a	Fixing 'Undefined index: REMOTE_ADDR' - fixes #17460	11 years ago
Lukas Reschke	4d23e06097	Fix undefined offset There are cases where no trusted host is specified such as when installing the instance, this lead to an undefined offset warning in the log right after installing. (when another domain than localhost or 127.0.0.1 was used)	11 years ago

38 Commits (de3b6a2219c933388c39f07faedc39cd76abd472)