Allows to inject something into the default content policy. This is for
example useful when you're injecting Javascript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.
To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`,
$policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.
To test this add something like the following into an `app.php` of any enabled app:
```
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');
$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```
If you now open the files app the policy should be:
```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.
```
06:49:56 There was 1 risky test:
06:49:56
06:49:56 1) OC\AppFramework\Http\JSONResponseTest::testRenderProvider
06:49:56 This test did not perform any assertions
```
While not encoding the HTML tags in the JSON response is perfectly fine since we set the proper mimetype as well as disable content sniffing a lot of automated code scanner do report this as security bug. Encoding them leads to less discussions and a lot of saved time.
The ETag set in the IF_NONE_MODIFIED header is wraped in quotes (").
However the ETag that is set in response is not (yet). Also we need to
cast the ETag to a string.
* Added unit test
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:
1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data
Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.
To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
`json_encode` fails hard on PHP >= 5.5 if a non UTF-8 value is specified by returning false. Older PHP versions just nullify the value which makes it at least somewhat usable.
This leads to very confusing errors which are very hard to debug since developers are usually not aware of this. In this case I'd consider throwing a fatal exception – since it arguably is an error situation – is a fair solution since this makes developers and administrators aware of any occurence of the problem so that these bugs can get fixed.
Fixes https://github.com/owncloud/core/issues/17265
There are cases where no trusted host is specified such as when installing the instance, this lead to an undefined offset warning in the log right after installing. (when another domain than localhost or 127.0.0.1 was used)
For enhanced security it is important that there is also a way to disallow domains, including the default ones.
With this commit every method gets added a new "disallow" function.
This is required when working with stuff such as PDF.js in the files_pdfviewer application. Opt-in only.
Master change only because the stable CSP policies has a failback that allows nearly anything 🙈
First stab at the StreamResponse, see #12988
The idea is to use an interface ICallbackResponse (I'm not 100% happy with the name yet, suggestions?) that allow the response to output things in its own way, for instance stream the file using readfile
Unittests are atm lacking, plan is to
check if a mock of ICallbackResponse will be used by calling its callback (also unhappy with this name) method
Usage is:
$response = new StreamResponse('path/to/file');
rename io to output, add additional methods and handle error and not modified cases when using StreamResponse
fix indention and uppercasing, also handle forbidden cases
fix indention
fix indention
no forbidden, figuring out if a file is really readable is too complicated to get to work across OSes and streams
remove useless import
remove useless import
fix intendation
X-Forwarded-Proto contains a list of protocols if ownCloud is behind multiple reverse proxies.
This is a revival of https://github.com/owncloud/core/pull/11157 using the new IRequest public API.
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.
This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.
Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.
Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.
Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```
Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925
When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs.
Testplan:
- [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`.
- [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string
- [ ] The generated Id is stable over the lifespan of one request
Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI.
Fixes https://github.com/owncloud/core/issues/13366
Currently there is no AppFramework way to modify cookies, which makes it unusable for quite some use-cases or results in untestable code.
This PR adds some basic functionalities to add and invalidate cookies.
Usage:
```php
$response = new TemplateResponse(...);
$response->addCookie('foo', 'bar');
$response->invalidateCookie('foo');
$response->addCookie('bar', 'foo', new \DateTime('2015-01-01 00:00'));
```
Existing cookies can be accessed with the AppFramework using `$this->request->getCookie($name)`.
fix docstrings
adjust copyright date
another copyright date update
another header update
implement third headers argument, fix indention, fix docstrings
fix docstrings
Lukas Reschke
Roeland Jago Douma
Scrutinizer Auto-Fixer
Mitar
Thomas Müller
Robin McCorkell
Jörn Friedrich Dreyer
Roeland Jago Douma
Morris Jobke
sualko
Bernhard Posselt
Joas Schilling
Bernhard Posselt
Clark Tomlinson
Vincent Petry
Joas Schilling