mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
47,092 Commits 349 Branches 696 Tags 1.6 GiB
Commit Graph

91 Commits

Author SHA1 Message Date
Roeland Jago Douma 0e5147f001
Fix tests 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-11-02 19:20:37 +01:00
Oliver Wegner 401ca28f07 Adding handling of CIDR notation to trusted_proxies for IPv4 
Signed-off-by: Oliver Wegner <void1976@gmail.com>
 2018-10-30 09:15:42 +01:00
Roeland Jago Douma 579822b6a5
Add report-uri to CSP 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-10-21 13:38:32 +02:00
Roeland Jago Douma 5b61ef9213
Disallow unsafe-eval by default 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-10-14 20:45:34 +02:00
Roeland Jago Douma 8c1e75e052
Do not use file as template parameter 
Using file will overwrite the $file parameter in the template base.
Leading to trying to include a file that is the exception message. Which
will of course fail.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-08-09 16:45:25 +02:00
Roeland Jago Douma 5455045a9b
Fix direct access to authen page 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-06-20 08:57:13 +02:00
Roeland Jago Douma 1bb8bc8ff9
Add AuthPublicShareControllerTest 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-06-20 08:53:38 +02:00
Roeland Jago Douma 61e445da88
Add PublicShareControllerTests 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-06-20 08:53:38 +02:00
Roeland Jago Douma e7338173e8
Add PublicShareMiddlewareTest 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-06-20 08:53:37 +02:00
Roeland Jago Douma a34495933e
Move caching logic to response 
This avoids having to do it at all the places we want cached responses.

We can't inject the ITimeFactor without breaking public API.
However we can perfectly overwrite the service (resulting in the same
testable effect).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-06-04 08:48:54 +02:00
Morris Jobke a2db959f5c
Merge pull request #8593 from eneiluj/master 
Allow public page access to apps with group restrictions
 2018-03-08 11:27:52 +01:00
Roeland Jago Douma 3ad7daeda5
Add tests 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-03-08 11:05:18 +01:00
Roeland Jago Douma d179186430
Remove testcase 
Since a token now always requires a string we don't need to test for
null

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-03-05 16:14:46 +01:00
Julius Härtl 5a4aa2b7dd
Add test for PublicTemplateResponse 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2018-02-27 12:25:53 +01:00
Morris Jobke a60d7a8563
Merge pull request #8541 from nextcloud/translate-permission-error-page 
Provide translated error message for permission error
 2018-02-26 17:50:21 +01:00
Morris Jobke cf35c4b03a
Provide translated error message for permission error 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2018-02-26 17:00:29 +01:00
Roeland Jago Douma 0ee45d3d20
Fix proper types 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-02-22 15:51:19 +01:00
Roeland Jago Douma ca9f364fd4
Fix tests 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-02-21 10:55:52 +01:00
Roeland Jago Douma 7405dfb544
Update tests 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-01-29 14:37:18 +01:00
Joas Schilling bf2be08c9f
Fix risky tests without assertions 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2018-01-25 11:33:25 +01:00
Joas Schilling 870023365c
Fix "Undefined method setExpectedException()" 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2018-01-24 18:10:16 +01:00
Morris Jobke 2a38605545
Properly log the full exception instead of only the message 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2018-01-23 10:57:21 +01:00
Morris Jobke c70927eaa0
Remove not needed 3rdparty app disabling during upgrade for PHP 5.x 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2018-01-19 14:00:27 +01:00
Joas Schilling 7bc9a69c3f
Remove deprecated core API 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2018-01-15 17:54:50 +01:00
Roeland Jago Douma 57050146f6
Move passwordconfirmation to its own midleware 
Add tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2018-01-02 21:58:14 +01:00
Bjoern Schiessle 1bcbeb24bc
disable password confirmation with SSO 
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
 2018-01-02 20:30:37 +01:00
Bjoern Schiessle f0202245ee
allow 'Nextcloud' in the user agent string of Android 
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
 2017-12-12 12:16:01 +01:00
Roeland Jago Douma b88db3a389 Merge pull request #6921 from nextcloud/appmanager-securitymiddleware 
Use proper DI for security middleware for app enabled check
 2017-10-24 19:58:24 +02:00
Morris Jobke 43e498844e
Use ::class in test mocks 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2017-10-24 17:45:32 +02:00
Morris Jobke ce0c45a4ea
Use proper DI for security middleware for app enabled check 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2017-10-24 15:36:28 +02:00
Roeland Jago Douma c257cd57d4
Handle SameSiteCookie check for index.php in AppFramework Middleware 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2017-09-24 21:07:16 +02:00
Thomas Citharel ecf347bd1a Add CSP frame-ancestors support 
Didn't set the @since annotation yet.

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
 2017-09-15 15:23:10 +02:00
Lukas Reschke f93a82b8b0
Remove explicit type hints for Controller 
This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-08-01 17:32:03 +02:00
Morris Jobke 84c22fdeef Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call 
Add metadata to \OCP\AppFramework\Http\Response::throttle
 2017-08-01 14:43:47 +02:00
Roeland Jago Douma f71dc7523f
Fix tests 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2017-07-31 16:54:19 +02:00
Roeland Jago Douma 3548603a88
Fix middleware implementations signatures 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2017-07-31 16:54:19 +02:00
Lukas Reschke f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle 
Fixes https://github.com/nextcloud/server/issues/5891

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-07-27 14:17:45 +02:00
Roeland Jago Douma 0b495ceff8
Remove deprecated Controller Functions 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2017-07-20 11:03:12 +02:00
Lukas Reschke 8149945a91
Make BruteForceProtection annotation more clever 
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.

Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-04-13 23:05:33 +02:00
Lukas Reschke 31ae39c569
Add tests for multiple parameters 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-04-13 12:00:18 +02:00
Lukas Reschke a1ae5275f9
Move to dedicated MiddleWare 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-04-13 12:00:17 +02:00
Lukas Reschke 66835476b5
Add support for ratelimiting via annotations 
This allows adding rate limiting via annotations to controllers, as one example:

```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```

Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-04-13 12:00:16 +02:00
Roeland Jago Douma 2a9192334e
Don't try to parse empty body if there is no body 
Fixes #3890

If we do a put request without a body the current code still tries to
read the body. This patch makes sure that we do not try to read the body
if the content length is 0.

See RFC 2616 Section 4.3

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2017-04-04 08:22:33 +02:00
Morris Jobke f9bc53146d
Fix unit tests 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2017-03-28 21:00:12 -06:00
Roeland Jago Douma 21641302a9
Add DI intergration tests 
* Moved some interface definitions to Server.php (more to come)
* Build/Query only for existing classes in the AppContainer
* Build/Query only for classes of the App in the AppContainer
* Offload other stuff to the servercontainer

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2017-03-21 08:52:20 +01:00
Roeland Jago Douma 7cece61ff6
Extend DI tests 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2017-03-21 08:52:20 +01:00
Lukas Reschke 5f8f29508f
Adjust tests to include base-uri 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-03-16 18:12:10 +01:00
Lukas Reschke adfd1e63f6
Add base-uri to CSP policy 
As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2017-03-16 15:16:20 +01:00
Robin Appelman 9a8cef965f
add test for skipping cookie checks for ocs 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2017-03-10 14:11:00 +01:00
Christoph Wurst 5e728d0eda oc_token should be nc_token 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2017-02-02 21:56:44 +01:00