Commit Graph

9 Commits

Author SHA1 Message Date
Lukas Reschke bc6d17ed74 Add check for availability of /dev/urandom
Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system:

1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop
2. MTRand: chr((mt_rand() ^ mt_rand()) % 256)
3. Rand: chr((rand() ^ rand()) % 256)
4. UniqId: Plain uniqid()

An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour.

One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface.

Thanks to David Black from d1b.org for bringing this again to our attention.
2015-05-26 14:16:07 +02:00
Joas Schilling 81ec1c8a1a Remove hardcoded link to performance docs 2015-04-07 12:25:30 +02:00
Lukas Reschke 65202d2a18 Add check for activated local memcache
Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it.

Fixes https://github.com/owncloud/core/issues/14956
2015-03-28 13:59:22 +01:00
Lukas Reschke 9d1ce53cb1 Add some generic default headers as well via PHP 2015-03-26 22:32:57 +01:00
Lukas Reschke bbd5f28415 Let users configure security headers in their Webserver
Doing this in the PHP code is not the right approach for multiple reasons:

1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.

This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
2015-03-02 19:07:46 +01:00
cmeh 09a0bf22df Update setupchecks.js
Changed *"won't work"* to "will not work" (as proposed by @DeepDiver1975).
2015-02-16 10:25:01 +01:00
cmeh d89cf737ae Message clean-up
*Changes:*

* "… is not yet properly setup" in line 24 is changed to " … is not yet set up properly" (better word order and space in the middle of "set up", as it is a participle of the verb "to set up").
* "internet" is corrected to "Internet" with a capitalized "I" in lines 54 and 59.
* Also in line 54: "3rd party" is changed to "third-party" to for a more coherent spelling across the different ownCloud components.
* "… apps don´t work" is corrected to "… apps won't work" (with a proper (and hopefully correctly escaped) (apostrophe)[http://en.wikipedia.org/wiki/Apostrophe#Typographic_form] instead of the (acute accent)[http://en.wikipedia.org/wiki/Acute_accent]).
* Still in line 54: The negation is corrected from "… might also not work" to "… might not work, either".
2015-02-16 09:59:41 +01:00
Lukas Reschke 2b76227180 Check for working .htaccess via AJAX
Fixes https://github.com/owncloud/core/issues/12650
2014-12-06 15:34:53 +01:00
Vincent Petry e65ceb08fc Moved WebDAV and internet checks to client side JS
- Added setup checks in JavaScript
- Moved isWebDAVWorking to JS using SetupChecks
- Moved internet connection checks to an ajax call that goes through the
  server
2014-09-23 11:16:14 +02:00