Commit Graph

207 Commits

Author SHA1 Message Date
Roeland Jago Douma cd35ad6aaa Add 'OCP\Files\IMimeTypeDetector' to DI container
* Added test to server container as well
2016-01-07 13:20:43 +01:00
Bernhard Posselt 23c754aed3 prefer scalar type hints over phpdoc annotation
use method exists lookup to be safe and not break on old hhvm versions

add test that checks if type hint is preferred over annotation
2015-12-24 09:20:26 +01:00
Joas Schilling 412e4ed3f6 Register app containers in the OC container 2015-12-18 13:45:07 +01:00
Thomas Müller 6317ba8cb4 Merge pull request #21135 from owncloud/add-polyfill
Add polyfills for PHP55, PHP56 and PHP70 functionalities
2015-12-11 11:40:51 +01:00
Lukas Reschke f3360d51c6 Use PHP polyfills 2015-12-11 08:47:36 +01:00
Scrutinizer Auto-Fixer ffc49a24f0 Scrutinizer Auto-Fixes
This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
2015-12-10 16:43:37 +01:00
Lukas Reschke 7c45eaa70b Add type description
Allows IDEs and static code analyzers. Would have saved me some minutes today :)
2015-12-08 15:20:54 +01:00
Scrutinizer Auto-Fixer 453e1bf66e Scrutinizer Auto-Fixes
This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
2015-12-07 15:43:36 +00:00
Thomas Müller 602b636d3e Merge pull request #20807 from owncloud/dont-append-redirect-url-if-user-is-already-logged-in
Don't append redirect URL if user is logged-in
2015-12-03 16:53:59 +01:00
Joas Schilling 44852ce324 Allow DI for OCP\Files\IMimeTypeDetector 2015-12-01 16:49:20 +01:00
Joas Schilling 3c5a6b829e Allow DI the system tag stuff without Application class 2015-11-30 17:08:29 +01:00
Lukas Reschke f4eb15d340 Show error template
Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
2015-11-30 11:25:52 +01:00
Thomas Müller bdbefe17d6 Merge pull request #20782 from mitar/better-https
Also allow empty value for no-HTTPS
2015-11-27 14:24:23 +01:00
Mitar 59511d97ee Also allow empty value for no-HTTPS.
This makes it work better with old version of Nginx.
2015-11-27 01:01:56 -08:00
Morris Jobke 7aed592957 Add full interface of server container as alias 2015-11-26 18:20:25 +01:00
Robin Appelman 2d7c9f0ba9 also match ie11 with Request::USER_AGENT_IE 2015-11-22 16:05:52 +01:00
Thomas Müller 358858c9e3 Fix undefined HTTP_USER_AGENT 2015-11-22 16:05:50 +01:00
Lukas Reschke daa388ce8d Move index.php from files to AppFramework
1. Allows it to use the more secure CSP rules of the AppFramework.
2. Adds some unit tests.
2015-11-16 21:10:11 +01:00
Robin Appelman d514200b56 Add escapeLikeParameter to IDBConnection 2015-11-05 16:41:30 +01:00
Lukas Reschke bafb86fb9f Use getHttpProtocol instead of $_SERVER 2015-10-30 18:05:30 +01:00
Lukas Reschke 8f09d5b67c Update license headers 2015-10-26 14:04:01 +01:00
Lukas Reschke 8133d46620 Remove dependency on ICrypto + use XOR 2015-10-21 17:33:41 +02:00
Morris Jobke a0743f12c6 Provide IAppContainer as dependency injection 2015-10-20 10:33:53 +02:00
Morris Jobke bf579a153f fix IE8 user agent detection 2015-10-09 11:19:06 +02:00
Thomas Müller 020bb33150 Merge pull request #19034 from owncloud/http-request-warning
Prevent warning decoding content
2015-10-08 21:51:47 +02:00
Thomas Müller 8d2c8cf2a2 Merge pull request #19607 from owncloud/use-url
Use `/` if installed in main folder
2015-10-08 13:01:41 +02:00
Lukas Reschke 6a4f22c61f Use `/` if installed in main folder
Otherwise an empty string is used indicating the cookie is only valid for those resources. This can lead to eunexpected behaviour.

Fixes https://github.com/owncloud/core/issues/19196
2015-10-06 15:24:19 +02:00
Lukas Reschke 80a232da6a Add \OCP\IRequest::getHttpProtocol
Only allow valid HTTP protocols.

Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119
2015-10-06 14:18:46 +02:00
Morris Jobke 8366ce2767 deduplicate @xenopathic 2015-10-06 09:52:19 +02:00
Morris Jobke b945d71384 update licence headers via script 2015-10-05 21:15:52 +02:00
Jörn Friedrich Dreyer d81416c51d return '' instead of false 2015-09-23 12:32:49 +02:00
Joas Schilling ee75f9f594 Fix type hint errors in the container and the interface 2015-09-23 10:13:41 +02:00
Robin McCorkell 31a8949adf Prevent warning decoding content 2015-09-14 22:36:40 +01:00
Bernhard Posselt fd74522804 make resolve public to avoid boiler plate code
add resolve to public interface
2015-09-13 17:44:24 +02:00
Roeland Jago Douma f12caf930e Properly return 304
The ETag set in the IF_NONE_MODIFIED header is wraped in quotes (").
However the ETag that is set in response is not (yet). Also we need to
cast the ETag to a string.

* Added unit test
2015-09-01 11:04:41 +02:00
Robin McCorkell e60c4bada1 Decode request content only on getContent 2015-08-31 01:05:25 +01:00
Thomas Müller 534b2e407a Merge pull request #17662 from owncloud/locking-db
Database backend for locking
2015-08-26 03:56:37 +02:00
Lukas Reschke 8313a3fcb3 Add mitigation against BREACH
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
2015-08-14 01:31:32 +02:00
Thomas Müller abd3d5c6a5 Merge pull request #17982 from owncloud/appframework-sanitize-name
Sanitize class names before registerService/query
2015-08-12 12:19:24 +02:00
Robin McCorkell cd0a2874de Merge pull request #17852 from owncloud/register-alias-factory
Add test for factories
2015-08-11 13:30:56 +01:00
Robin McCorkell 8944af57cb Set default `forwarded_for_headers` to 'HTTP_X_FORWARDED_FOR' 2015-08-10 23:04:52 +02:00
Robin Appelman 58e96e53b0 add method to check if we're inside a transaction 2015-08-10 14:15:44 +02:00
Roeland Jago Douma f0b617b508 Use DI
* Register OCP\Capability\IManager at DIContainer
* Add register capabilities to appframework
* Register capabilities in DI way
* Make unit test pass again
* Remove CapabiltiesManager from OCP
2015-08-10 10:45:16 +02:00
Robin McCorkell fcc03e588a Add \OCP\ISession to AppFramework 2015-08-07 12:29:57 +01:00
Lukas Reschke 90a11efecd Remove "use" statement
Ref https://bugs.php.net/bug.php?id=66773
2015-08-05 09:31:21 +02:00
Lukas Reschke 4efa7c09b1 Use StringUtils::equals on CSRF token and add unit tests 2015-08-04 18:34:33 +02:00
Robin McCorkell 182bc17aeb Sanitize class names before registerService/query
Leading backslashes are removed, so a `registerService('\\OC\\Foo')`
can still be resolved with `query('OC\\Foo')`.
2015-07-30 21:02:16 +01:00
Bernhard Posselt d8673dabe3 add test for factories
use ref for factory test

use a factory for registerAlias

Ensure we construct SimpleContainer

Use single instance of DIContainer in routing tests
2015-07-25 01:59:30 +02:00
Thomas Müller 1f8ee61006 Merge pull request #17755 from owncloud/alias-container-alive
Add registerAlias method to shortcut interface registration #17714
2015-07-24 13:11:32 +02:00
Joas Schilling 20cd0ae55b Add a log message when the Doctrine Query Builder is retrieved 2015-07-21 15:53:28 +02:00