Commit Graph

296 Commits

Author SHA1 Message Date
Vincent Petry d5b0b55eef Throw exception on downgrade attempt 2015-08-30 18:07:22 +02:00
Lukas Reschke 8313a3fcb3 Add mitigation against BREACH
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response must reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
2015-08-14 01:31:32 +02:00
Vincent Petry b3a1aef934 Merge pull request #13641 from owncloud/cache-storage-status
Store storage availability in database
2015-08-07 17:31:03 +02:00
Thomas Müller c3cac887f5 - more injection
- less static calls
- use params on sql queries
- handle sql exception on database and user creation gracefully
2015-07-30 00:04:30 +02:00
Andreas Böhler 3a0d42ecf3 Add hook 'pre_displayLoginPage' 2015-07-28 13:00:18 +02:00
Andreas Böhler 3645308d0b Add possibility for alternative logins to force redirection of login page 2015-07-28 10:31:49 +02:00
Robin McCorkell df19cabb44 Store storage availability in database
Storage status is saved in the database. Failed storages are rechecked every
10 minutes, while working storages are rechecked every request.

Using the files_external app will recheck all external storages when the
settings page is viewed, or whenever an external storage is saved.
2015-07-20 16:27:26 +01:00
Morris Jobke d52e197b0d Merge pull request #16965 from owncloud/getUserFolder-in-IRootFolder
Add getUserFolder to IRootFolder
2015-07-09 14:29:47 +02:00
Thomas Müller 1385b1ec48 Remove OC_Appconfig 2015-07-03 18:00:16 +02:00
Thomas Müller d3ac73c0c9 Remove OC_Log 2015-07-03 18:00:16 +02:00
Vincent Petry cc373ab89a Merge pull request #15470 from rullzer/files_sharing_getUrlContent
Move away from private static function OC_Util::getUrlContent
2015-07-03 17:47:46 +02:00
Morris Jobke 3e97ca3b96 Add getUserFolder to IRootFolder
* untangle DI of user specific folders
* allows to autodetect the dependency
2015-07-03 11:11:58 +02:00
Morris Jobke f63915d0c8 update license headers and authors 2015-06-25 14:13:49 +02:00
Victor Dubiniuk 4239054383 Add type hint for OC_Channel 2015-05-27 18:03:11 +03:00
Thomas Müller 3babcd0344 Merge pull request #16339 from owncloud/master-override-channel
Allow change update channel via public API
2015-05-26 11:42:41 +02:00
Vincent Petry 7386257676 Merge pull request #16075 from owncloud/skeleton-copy-delay
wait with copying the skeleton until login and setupfs are done
2015-05-20 13:52:08 +02:00
Christian Hoffmann 35207ae363 Clean-up of orthography, grammar
* Changed "instead to" to "instead of".
* Changed "setup" to "set up" (past participle).
2015-05-19 21:15:22 +02:00
Robin Appelman 077d41a9ce wait with copying the skeleton until login and setupfs are done 2015-05-18 12:11:31 +02:00
Roeland Jago Douma 9866066d3e Deprecate OC_Util::getUrlContent
It is just a wrapper and the other functions are deprecated already
2015-05-18 11:03:48 +02:00
Victor Dubiniuk af814ba270 Allow change update channel via public API 2015-05-13 20:29:33 +03:00
Lukas Reschke cbfdbf96d2 Mute XCache error when trying to clear the opcode cache
From https://github.com/owncloud/core/issues/16287:

> This is caused by XCache at 8e59d4c64b/lib/private/util.php (L1276) where we are trying to reset the opcode cache with `XC_TYPE_PHP`.
> I suspect that while XCache is installed its opcode component is not used. Unfortunately, the XCache API is not really properly documented and thus I don't know what API we would have to call to check whether the `XC_TYPE_PHP` cache is populated. In fact, there is an [open XCache bug](http://xcache.lighttpd.net/ticket/176) since 7 years that discusses this problem and is likely to never get fixed since XCache is abandonware.

Fixes https://github.com/owncloud/core/issues/16287
2015-05-12 19:22:39 +02:00
Lukas Reschke 11310355ed Don't depend on always_populate_raw_post_data 2015-05-05 12:36:15 +02:00
Lukas Reschke 7c5558327d Check `mbstring.func_overload` only if the mb module is installed.
Fixes https://github.com/owncloud/core/issues/14670
2015-05-04 17:13:25 +02:00
Lukas Reschke 64393b4c03 Remove PHP 5.4 warning in checkSetup
This is caught in index.php as older PHP versions will never execute the code path until there due to 5.4 syntax changes.
2015-05-04 17:11:17 +02:00
Lukas Reschke 4b9e034968 Remove hard-dependency on disabled output_buffering
This removes the hard-dependency on output buffering as requested at https://github.com/owncloud/core/issues/16013 since a lot of distributions such as Debian and Ubuntu decided to use `4096` instead of the PHP recommended and documented default value of `off`.

However, we still should encourage disabling this setting for improved performance and reliability thus the setting switches in `.user.ini` and `.htaccess` are remaining there. It is very likely that we in other cases also should disable the output buffering but aren't doing it everywhere and thus causing memory problems.

Fixes https://github.com/owncloud/core/issues/16013
2015-05-04 14:15:15 +02:00
Lukas Reschke 0abce86b31 Disallow Windows Server in Server Check
Will prevent users from using ownCloud on Windows Server 🙈
2015-04-09 15:56:37 +02:00
Thomas Müller bf809ac85a Removing left overs from old encryption app 2015-04-07 13:30:29 +02:00
Robin Appelman f585994c4b setup mount manager before wrappers 2015-04-02 13:28:36 +02:00
Robin Appelman 3cb53b7756 setup storage wrappers before setting up the filesystem 2015-04-01 17:12:06 +02:00
Lukas Reschke 65202d2a18 Add check for activated local memcache
Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it.

Fixes https://github.com/owncloud/core/issues/14956
2015-03-28 13:59:22 +01:00
Robin McCorkell 1511a42da7 Check for relative datadirectory path 2015-03-27 23:29:46 +00:00
Jenkins for ownCloud b585d87d9d Update license headers 2015-03-26 11:44:36 +01:00
Lukas Reschke 5f044ebf1b Add wrapper for Guzzle 2015-03-25 16:04:41 +01:00
Robin Appelman 73874ca27f Merge pull request #14704 from owncloud/storage-wrapper-mount
pass mountpoint to storage wrapper callback
2015-03-19 16:20:38 +01:00
Robin Appelman 8f9ddef435 kill fileoperations proxy
check is now handled by storage backends
2015-03-18 15:04:28 +01:00
Lukas Reschke 00f5025ff1 Add cURL as hard-dependency
It is required by other functionalities such as S2S anyways and ownCloud will fail hard at a lot of places without it.
2015-03-12 18:39:54 +01:00
Robin Appelman 7adda88786 Copy mount options to the storage 2015-03-11 15:06:48 +01:00
Thomas Müller 6c1a1234f8 Properly handle available databases at runtime and respect setup checks in command line as well 2015-03-11 09:27:12 +01:00
Thomas Müller 81fa9550a0 No need to restart the web server in cli mode 2015-03-11 09:27:12 +01:00
Lukas Reschke 6dc59019af Merge pull request #14346 from owncloud/storage-based-path-validation
adding storage specific filename verification
2015-03-10 11:02:47 +01:00
Thomas Müller e28d314b53 deprecate isValidFileName() 2015-03-09 10:38:38 +01:00
Morris Jobke d550143ba0 proper filename for "require version.php" 2015-03-09 08:03:28 +01:00
Joas Schilling ed4c05c7b5 Use findLanguage() instead of creating the object first 2015-03-03 16:47:31 +01:00
Lukas Reschke 4100610390 Disable some server checks when running on HHVM
Ref https://github.com/owncloud/core/issues/10837#issuecomment-76516839
2015-02-28 10:08:41 +01:00
Lukas Reschke b58455241b Add notice about Travis Checks
Maybe it helps in the future so we won't forget it again 🙈
2015-02-27 10:23:20 +01:00
Thomas Müller f72f9e0159 Merge pull request #14530 from owncloud/revert-14403
Revert "Updating license headers"
2015-02-27 00:39:29 -08:00
Morris Jobke 18d43f7469 Merge pull request #14474 from owncloud/move-utf-8-check-to-setup
Move UTF-8 check to setup
2015-02-26 16:00:31 +01:00
Morris Jobke 06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Lukas Reschke de44a2b2ab Remove unused and deprecated Code
Function is not used anymore anywhere in the code base: https://github.com/search?q=user%3Aowncloud+secureRNGAvailable&type=Code&utf8=%E2%9C%93
2015-02-25 12:11:14 +01:00
Lukas Reschke 06cf93e6ee Move UTF-8 check to setup
Nobody reads the warnings anyways and so we should enforce it at installation time... Also allows us to get rid of some duplicated code.

To test change the `default_charset` to something other than `utf-8` or `UTF-8`, both should work fine with that change here. An error should then get shown.

We already set those default charsets in the shipped .user.ini and .htaccess
2015-02-24 23:51:36 +01:00
Thomas Müller 1fd1b355e4 Fix namespace of OC_Setup -> \OC\Setup 2015-02-23 16:44:40 +01:00
Vincent Petry 4290e1990e Merge pull request #13829 from owncloud/appmanager-list
Better caching for enabled apps
2015-02-23 16:03:32 +01:00
Thomas Müller df3c73de72 Merge pull request #14403 from owncloud/update-license-headers
Update license headers
2015-02-23 13:53:16 +01:00
Jenkins for ownCloud 6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
Lukas Reschke 43641d917b Use "off" and "off" instead of true booleans
Apparently a boolean in php.ini is according to the documentation "on" or "off"…

Fixes itself.
2015-02-23 09:40:15 +01:00
Lukas Reschke 2f0f38761d Add helper to check for `ini` values in `OC_Util::checkServer`
This allows to check for specific values in the PHP.ini that ownCloud requires for full compatibility.

`mbstring.func_overload`: https://github.com/owncloud/core/issues/14372
`output_buffering`: http://doc.owncloud.org/server/8.0/admin_manual/configuration/big_file_upload_configuration.html#configuring-php

Fixes https://github.com/owncloud/core/issues/14372 and https://github.com/owncloud/core/issues/14412
2015-02-21 12:12:34 +01:00
Robin Appelman 5542fafd36 allow overwriting the appmanager in oc_util by subclassing 2015-02-18 14:24:50 +01:00
Lukas Reschke 886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests were possible they have been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Thomas Müller fc7f279d90 catch any whitespaces which might get written to the output buffer while loading a theme 2015-02-12 16:42:17 +01:00
Yann VERRY 1fcea6f1bd in some case charset can be in lower case.
Add strtoupper() in UTF-8 check to avoid error message
2015-02-11 11:59:33 +01:00
Morris Jobke 11283c57d9 Merge pull request #11056 from AdamWill/9885-opcode
add function to invalidate one opcache file, use it if possible #9885
2015-02-10 17:21:15 +01:00
Lukas Reschke 2bd1c17345 Don't encode url unnecessarily twice
The URL was previously encoded twice which leads to getting redirected to a 404 page when the password has been entered incorrectly at least once.

Testplan:

- [ ] Opening `http://localhost/core/index.php?redirect_url=%2Fcore%2Findex.php%2Fsettings%2Fadmin` redirects to the admin page when providing the correct credentials
- [ ] Opening `http://localhost/core/index.php?redirect_url=%2Fcore%2Findex.php%2Fsettings%2Fadmin` redirects to the admin page when providing the invalid credentials and then providing valid ones.
- [ ] Logging in as admin then going to the admin page and clearing the cookies and refreshing will show the login and when repeating the above test steps you're redirected correctly.

Fixes https://github.com/owncloud/core/issues/9804
2015-02-02 15:09:59 +01:00
Lukas Reschke 30a5758a95 Don't check for `always_populate_raw_post_data` on HHVM
HHVM seems to have problems with this at the moment (even setting those values in the php.ini of HHVM hasn't helped much) and thus the unit test execution failed.

So it's better if we disable this check for now for HHVM.
2015-01-23 13:54:34 +01:00
Morris Jobke 7e4afa3f25 Merge pull request #13593 from owncloud/add-check-for-raw-post-data
Add check for `HTTP_RAW_POST_DATA` setting for >= 5.6
2015-01-22 23:59:52 +01:00
Morris Jobke 254a1fa12a Merge pull request #13314 from owncloud/login-hook-logout
Return false if the login is canceled in a hook
2015-01-22 23:34:19 +01:00
Morris Jobke 55c28608c9 translate error messages 2015-01-22 14:52:47 +01:00
Robin Appelman 8a9acc5083 Allow custom error messages for the login page 2015-01-22 14:13:02 +01:00
Lukas Reschke bb80cf4eca Add check for `HTTP_RAW_POST_DATA` setting for >= 5.6
PHP 5.6 otherwise throws notices for perfectly valid code which results in broken endpoints.

Fixes https://github.com/owncloud/core/issues/13592
2015-01-22 13:50:38 +01:00
Bernhard Posselt 6737dd111d ignore core 2015-01-14 15:27:37 +01:00
Bernhard Posselt 4ec4914bb4 move check into addTranslation method 2015-01-14 14:57:56 +01:00
Bernhard Posselt 1cce1f0e6b don't load core scripts 2015-01-14 14:43:11 +01:00
Bernhard Posselt d6f1ff7993 only load translations for apps 2015-01-14 13:48:21 +01:00
Bernhard Posselt 8cb60b2366 make translation lookup faster (O(n) -> O(1)) 2015-01-14 13:39:29 +01:00
Bernhard Posselt 717e3acd9b autoload app's js translations 2015-01-14 13:34:52 +01:00
Bjoern Schiessle 89f17ef6fe adapt decrypt all and restore/delete key backups to the new folder structure for encryption key introduced with OC8 2015-01-13 12:45:33 +01:00
Lukas Reschke e80ece9a2b Verify whether value is already normalized
Apparently `normalizer_normalize` is not verifying itself whether the string needs to be converted or not. Or does it at least not very performantly.

This simple change leads to a 4% performance gain on the processing of normalizeUnicode. Since this method is called quite often (i.e. for every file path) this has actually a measurable impact. For example, searches are now 200ms faster on my machine. Still not perfect but way to go.

Part of https://github.com/owncloud/core/issues/13221
2015-01-10 12:12:40 +01:00
Thomas Müller 296a852063 check for working htaccess will result in a dead lock because the server is blocking the request to itself - fixes #13153 2015-01-08 09:13:18 +01:00
Thomas Müller aec79b0c0e Merge pull request #13043 from owncloud/check-for-hash
Check for hash
2014-12-28 14:12:57 +01:00
Lukas Reschke 222e4a0762 Check for hash
See https://github.com/owncloud/core/pull/13042
2014-12-28 13:23:34 +01:00
Frank Karlitschek 4a40e5699c remove Edition 2014-12-25 11:36:41 +01:00
Frank Karlitschek 3dea2b95c6 Automatically detect the edition based on the enterprise_key app. 2014-12-25 09:48:15 +01:00
Thomas Müller 775f6a1354 make sure styles and scripts are only loaded once 2014-12-16 18:26:43 +01:00
Joas Schilling 4d232e536e Deprecate Util::formatDate()
Make DateTimeFormatter a service and adjust tests that have been inaccurate
2014-12-10 11:58:56 +01:00
Lukas Reschke ddcf2b84ec Remove checks for safe mode and magic quotes
Both are removed from 5.4.0

Safe Mode: http://php.net/manual/en/features.safe-mode.php
> This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

Magic Quotes: http://php.net/manual/en/security.magicquotes.php
> This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
2014-12-05 19:14:47 +01:00
Lukas Reschke 1b0bc2e099 PHP 5.4 is now required for master
🍻
2014-12-04 10:46:38 +01:00
Joas Schilling 2c39aec8cb Replace deprecated constant with new class constant 2014-11-25 16:30:21 +01:00
Lukas Reschke 9a1673c79d Check for XMLWriter class
This is not installed by default in all cases and will break the DAV features of ownCloud. Lots of reports such as https://github.com/owncloud/ios-issues/issues/167#issuecomment-63798507
2014-11-20 13:13:14 +01:00
Adam Williamson 8b2b0aae31 deleteFromOpcodeCache: make parameter mandatory, document parameter
Both pointed out in submission review by @bantu, thanks.
2014-11-06 18:05:20 -08:00
Adam Williamson 3b4823d89c add function to invalidate one opcache file, use it if possible #9885
Issue #9885 appears to be triggered by ownCloud invalidating the entire
PHP opcache. Testing indicates it can be avoided by only invalidating the
single file that was written from the opcache, instead of clearing the
whole thing. In general it is more efficient to invalidate only the single
file that was changed, rather than the whole cache.

This adds a deleteFromOpcodeCache() function which invalidates a single
file from the opcache if possible, returning true if the underlying
function returns true (which may mean 'success', or 'file does not exist',
or 'file exists but is not in opcache', all of which are OK to treat as
good for our purposes). It also changes writeData() in config.php to try
using deleteFromOpcodeCache() and only fall back on clearOpcodeCache() if
that fails.
2014-11-06 17:58:58 -08:00
Morris Jobke d763b32048 ability to add bower resources
* add addVendorScript & addVendorStyle
* refactoring of addScript and addStyle
* add shortcuts vendorScript and vendorStyle
2014-11-03 20:54:40 +01:00
Vincent Petry bed81ea854 Merge pull request #11080 from owncloud/addheader-text-2
Fix the addHeader tag attributes text methods to not ignore the text parameter
2014-10-30 18:13:46 +01:00
Thomas Müller a589d61b78 in case a translation javascript is not found we no longer bail out
remove translation.php
2014-10-29 10:09:12 +01:00
Vincent Petry ec1a73fab9 Added OC.L10N namespace with translation functions
Added addTranslations and fixed de.js file

Fixed de.js to use OC.L10N.register() and use the correct expected
format.

Added JS unit tests for OC.L10N class

Include translations JS script for all apps
2014-10-29 10:09:12 +01:00
Lukas Reschke 510d0b2cf3 Fix the "addHeader($tag, $attributes, $text)" methods to not ignore the $text parameter
Also support closing tags with no text content given

Conflicts:
	lib/private/template.php
2014-10-28 11:15:58 +01:00
Lukas Reschke d6380a5395 Merge pull request #11786 from owncloud/MakeSupportedDBsConfigurable
Make supported DBs configurable within config.php
2014-10-27 22:24:16 +01:00
Lukas Reschke 233c49f4b9 Make supported DBs configurable within config.php
This commit will make the supported DBs for installation configurable within config.php. By default the following databases are tested: "sqlite", "mysql", "pgsql". The reason behind this is that there might be instances where we want to prevent SQLite to be used by mistake.

To test this play around with the new configuration parameter "supportedDatabases".
2014-10-27 21:39:34 +01:00
Lukas Reschke b3a04840b5 Add type hinting to functions
It's only reasonable to have proper type hinting here which might even help us to catch bugs.
2014-10-24 14:13:40 +02:00
Lukas Reschke 2d2a4741ce Make files non executable
There is not much sense in having these files marked executable, we should avoid that.
2014-10-24 11:14:51 +02:00
Robin Appelman 1e69f5e7ac Log some basic events 2014-10-20 13:38:38 +02:00
Jörn Friedrich Dreyer 9b0f0df7f5 make skeleton compatible with objectstore
suspend encryption proxy when copying skeleton
2014-10-20 11:28:36 +02:00