The ETag set in the IF_NONE_MODIFIED header is wraped in quotes (").
However the ETag that is set in response is not (yet). Also we need to
cast the ETag to a string.
* Added unit test
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:
1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data
Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.
To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
* Register OCP\Capability\IManager at DIContainer
* Add register capabilities to appframework
* Register capabilities in DI way
* Make unit test pass again
* Remove CapabiltiesManager from OCP
When returning a 500 statuscode external applications may interpret this as an error instead of handling this more gracefully. This will now make return a 401 thus.
Fixes https://github.com/owncloud/core/issues/17742
There are cases where no trusted host is specified such as when installing the instance, this lead to an undefined offset warning in the log right after installing. (when another domain than localhost or 127.0.0.1 was used)
Type hints such as `@param bool $doSomething` will now correctly get
parsed, allowing for alignment of docblock parameters if the app developer so
wishes.
Doing this in the PHP code is not the right approach for multiple reasons:
1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.
This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
First stab at the StreamResponse, see #12988
The idea is to use an interface ICallbackResponse (I'm not 100% happy with the name yet, suggestions?) that allow the response to output things in its own way, for instance stream the file using readfile
Unittests are atm lacking, plan is to
check if a mock of ICallbackResponse will be used by calling its callback (also unhappy with this name) method
Usage is:
$response = new StreamResponse('path/to/file');
rename io to output, add additional methods and handle error and not modified cases when using StreamResponse
fix indention and uppercasing, also handle forbidden cases
fix indention
fix indention
no forbidden, figuring out if a file is really readable is too complicated to get to work across OSes and streams
remove useless import
remove useless import
fix intendation