Commit Graph

35398 Commits

Author SHA1 Message Date
Lukas Reschke 9e6634814e
Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically, instead of saying "JS resources from the same domain are ok to be served" we now say "Resources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce."

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`; we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody includes JS files on their own (instead of using the `addScript` public API), they now must also include that attribute.

IE currently does not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well, since `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature completely unusable in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design, we don't have to worry about 'self' being in the whitelist anymore.
2. **Performance:** We can move oc.js back to inline JS. This makes loading way quicker, as we don't have to load a blocking, dynamically generated, non-cached JavaScript file on every load of a new web page.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Roeland Jago Douma f589f1a1d6
Move files_sharing Controllers => Controller
lib/Controller is the default location for controllers. So let's put them
all in there.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-24 11:46:25 +02:00
Morris Jobke 169faf8c32
Remove sensible information from exception message
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2016-10-24 11:42:04 +02:00
Joas Schilling d0d7767366
Fix misleading SSL/TLS SMTP email configuration
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-24 11:34:30 +02:00
Olivier Mehani 19ad058d06
Add message to NotSquareException thrown from Avatar
This prevents cryptic messages such as the following, from `user_ldap`:

     Could not set avatar for uid=user,ou=People,dc=example,dc=net, because:

Signed-off-by: Olivier Mehani <shtrom@ssji.net>

Add message to NotPermittedException thrown from Files\Nodes\Folder

Ditto.

Don't use translation macros here as this seems to be pretty low-level
errors that generally get caught and prettified, and I don't want to
unduly clog down the lower layers.

Signed-off-by: Olivier Mehani <shtrom@ssji.net>

fixup! Add message to NotPermittedException thrown from Files\Nodes\Folder
2016-10-24 11:27:27 +02:00
Morris Jobke f054adb429 Merge pull request #1866 from xcellardoor/master
Modified the SQLite warning of server/settings/templates/admin/tiptri…
2016-10-24 11:21:56 +02:00
Morris Jobke 57a5551c3d Merge pull request #1853 from nextcloud/fix_di_share_api
Moved Share20OCS to proper Controller location
2016-10-24 10:57:47 +02:00
Roeland Jago Douma ab91fa2660 Merge pull request #1820 from nextcloud/4byte-filenames
Allow 4byte unicode filenames on supported platforms
2016-10-24 10:38:25 +02:00
Sam Cater f19d4ec29b
Modified the SQLite warning of server/settings/templates/admin/tiptricks.php to be more understandable and legible
Signed-off-by: Sam Cater <sam@samcater.com>

Added sign off of commit
2016-10-24 09:02:56 +01:00
Roeland Jago Douma 6604e76e94
Fix middleware tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-24 09:52:34 +02:00
Roeland Jago Douma ea07bbc562
Move Share20OCS to ShareAPIController
It was already a controller just still residing in its old location.

* Moved ShareAPIController to use the plain userID instead of the user object
* Moved Share20OCS to ShareAPIController
* Removed initialisation of the class from Application.php and leave it to the
AppFramework
* Fixed tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-24 09:52:34 +02:00
Roeland Jago Douma 7998689bc9
Added method to DB and fix test
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-24 09:45:04 +02:00
Joas Schilling 2aca56f207
Fix missing semicolon
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-24 09:26:30 +02:00
Lukas Reschke 598c145430 Merge pull request #1849 from nextcloud/oc_26368
Adding capability about new chunking - refs #25682 (#26368)
2016-10-22 15:11:49 +02:00
Lukas Reschke 1be6213ba4 Merge pull request #1832 from nextcloud/select2-into-core
Select2 into core
2016-10-22 14:35:07 +02:00
Lukas Reschke 169e889890
Add unit test
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-22 14:05:53 +02:00
Lukas Reschke 038d02a27d Merge pull request #1852 from nextcloud/downstream-25579
Adding Open Graph Support for public shares
2016-10-22 14:01:19 +02:00
Lukas Reschke 2b22a5fafd Merge pull request #1841 from nextcloud/oc_26359
Bump zxcvbn && Fix zxcvbn path in setup page (26359)
2016-10-22 13:54:19 +02:00
Arthur Schiwon ab3954745c
avoid that all avatars are copied to the author row when editing comments
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2016-10-21 22:57:06 +02:00
Roeland Jago Douma 7792902808
Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-21 21:43:15 +02:00
Morris Jobke 57d54c9b72
Use proper image
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2016-10-21 21:42:40 +02:00
Thomas Müller e0d919bbfc
Adding Open Graph Support for public shares http://ogp.me/
In case no preview is available we display the ownCloud logo

Fix unit test
2016-10-21 21:42:40 +02:00
Roeland Jago Douma e8adf53f77 Merge pull request #1848 from nextcloud/php7.1-RC4
Bump to php7.1 RC4
2016-10-21 21:28:49 +02:00
Roeland Jago Douma 1184ed6f6d Merge pull request #1851 from nextcloud/oc_26352
cleanup occ help (#26352)
2016-10-21 21:20:41 +02:00
John Molakvoæ 3e5e07aa64
Template css order
Select2 systemtags removal
Settings again
Fix Script

Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2016-10-21 16:56:31 +02:00
Vincent Petry ae1000e045
Remove removed --dry-run command from occ help (#26352)
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-21 16:38:37 +02:00
Robin Appelman 7427fb170f
show empty folder message in filepicker
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-10-21 16:35:55 +02:00
Thomas Müller bf85139f53
Adding capability about new chunking - refs #25682 (#26368)
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-21 16:33:37 +02:00
Robin Appelman 55c445ff39
set initial cropper to max size
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-10-21 15:08:36 +02:00
Roeland Jago Douma eaf152efeb
Fix DateTime comparison
DateTime now returns microseconds. But if the database doesn't store
those, comparing them for equality most likely fails.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-21 13:43:39 +02:00
Roeland Jago Douma 13168ffbba
Bump to php7.1 RC4
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-21 11:37:25 +02:00
Joas Schilling 9965a95e3b Merge pull request #1842 from nextcloud/oc_26372
console.php now returns 1 instead of 0 on all errors (#26372)
2016-10-21 10:48:59 +02:00
Morris Jobke 9aeecfb3f2
fix .gitignore and include zxcvbn.js
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2016-10-21 10:19:18 +02:00
Morris Jobke 8dcef4fb59
remove unneeded steps
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2016-10-21 10:03:48 +02:00
Joas Schilling 0d878f94e6
Add unit tests
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-21 09:59:34 +02:00
Roeland Jago Douma 3cbaec416a
Fix personal page
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-21 09:51:36 +02:00
Philipp Eichhorn 8936320990
Fix zxcvbn path in setup page (#26359)
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-21 09:51:33 +02:00
Roeland Jago Douma 6136af4973
Bump bower dep to proper v4.4.0
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-21 09:51:29 +02:00
Patrick Paysant 81d0c47244
console.log now returns 1 instead of 0 on all errors
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-21 09:49:08 +02:00
Morris Jobke 2b76d14330 Merge pull request #1834 from nextcloud/downstream-26186
Add more files plugins to new DAV endpoint
2016-10-21 09:44:15 +02:00
Joas Schilling 103bf6dd28
Switch to public API
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-21 09:09:26 +02:00
Joas Schilling 0b1fb180a5
Make AppConfig part of the public API
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-21 09:09:23 +02:00
Roeland Jago Douma 50b6ee67cb Merge pull request #1806 from nextcloud/karakayasemi_1767
Update file.php put function posthook calls
2016-10-21 08:45:51 +02:00
Morris Jobke 2799b0a821 Merge pull request #1835 from nextcloud/downstream-24948
Move OC\Files\Storage\Shared to the right namespace
2016-10-20 23:48:15 +02:00
Morris Jobke 1dd7072b41 Merge pull request #1827 from nextcloud/downstream-26381
Get rid of very old oc:// stream wrapper (#26381)
2016-10-20 23:44:42 +02:00
Vincent Petry 73e216e0a7
Add more files plugins to new DAV endpoint (#26186)
* Add more files plugins to new DAV endpoint

Also fix report plugin to properly retrieve the path from the
prolongated URL

* In case the report is not for this plugin -> simply return to allow other plugins to get executed

* Adjust onReport tests to match new behavior
2016-10-20 21:36:15 +02:00
Semih Serhat Karakaya 33cee3502a
Update file.php put function posthook calls
Logically, postHooks should emit after touch. For chunked files they are already emitted after touch.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-20 21:07:15 +02:00
Vincent Petry 9e9fef46d9
Get rid of very old oc:// stream wrapper (#26381)
2016-10-20 20:46:30 +02:00
Morris Jobke d9aeee2aa1 Merge pull request #1826 from nextcloud/downstream-26391
Fix post_unshareFromSelf hook parameter format
2016-10-20 20:44:05 +02:00
Morris Jobke c7ba73e6f4 Merge pull request #1824 from nextcloud/downstream-26423
Ensure $commands being an array
2016-10-20 20:43:26 +02:00