Commit Graph

37553 Commits

Author SHA1 Message Date
Lukas Reschke 148e7abb51
Harden JS by disabling jQuery eval
Disable execution of eval in jQuery. We do require an allowed eval CSP
configuration at the moment for handlebars et al. But for jQuery there is
not much of a reason to execute JavaScript directly via eval.

This thus mitigates some unexpected XSS vectors. As an example, try to insert
`$('.fileinfo').html('<a href="asd"><script>alert(1)</script></a>');`
with and without this patch in your browser's JS console when the file list
is opened.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 23:03:02 +01:00
Lukas Reschke c4fe36cc02 Merge pull request #3862 from nextcloud/dont-set-the-status-twice
Don't set the HTTP status twice
2017-03-16 22:05:47 +01:00
Lukas Reschke d134dea508
Don't call function in constructor
The constructor is initiated already very early in base.php, thus requiring this here will break the setup and some more. For now we probably have to live with a static function call here.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 21:59:47 +01:00
Lukas Reschke 9e957d0ac9
Adjust integration test
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 20:51:40 +01:00
Morris Jobke cd4ebe2777 Merge pull request #3008 from nextcloud/appmenu-experiment
Show apps in header
2017-03-16 13:03:41 -06:00
Lukas Reschke 5f8f29508f
Adjust tests to include base-uri
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 18:12:10 +01:00
Roeland Jago Douma 2a9d1a7147 Merge pull request #3863 from nextcloud/additional-hardening-of-t
Harden t() with DOMPurify
2017-03-16 15:54:04 +01:00
Lukas Reschke adfd1e63f6
Add base-uri to CSP policy
As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 15:16:20 +01:00
Lukas Reschke 6c8d48b0f6
Harden t() with DOMPurify
This mitigates issues where developers pass untrusted user-input through t() which may lead to XSS issues.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 14:17:42 +01:00
Lukas Reschke 793d7d1bd7 Merge pull request #3860 from nextcloud/fix_master_after_3802
Fix unit tests of master
2017-03-16 14:08:32 +01:00
Joas Schilling 3a53784f80
Don't set the HTTP status twice
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-16 13:35:41 +01:00
Roeland Jago Douma bb2ec51bbb
Fix unit tests of master
Follow up to #3802

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-16 12:46:02 +01:00
Roeland Jago Douma 57c1be8633 Merge pull request #3802 from Ko-/master
Check that set_time_limit is not disabled before calling it
2017-03-16 12:27:26 +01:00
Joas Schilling 7ca2f5f137 Merge pull request #3857 from nextcloud/issue-3901-legacy-caldav-endpoint-email-invitations
Fix scheduling plugin on legacy caldav endpoint
2017-03-16 12:14:32 +01:00
Julius Haertl b8ef616455
Fix html formatting issues
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:10 +01:00
Julius Haertl 780400302c
Rebuild menu to keep order of icons correct
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:10 +01:00
Julius Haertl 25e18b840b
Reduce device width and hide app name when menu is open
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:10 +01:00
Julius Haertl 1d6fba03f4
Make enabling/disabling apps work with the new menu
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:10 +01:00
Julius Haertl efc681dcfe
Fix positioning of popovermenu
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:10 +01:00
Julius Haertl f58f8f6f47
Fix popover positioning after window resize
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:10 +01:00
Julius Haertl 267b89f5c7
Cleanup SCSS for app menu and fix mobile view
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:10 +01:00
Julius Haertl 7eae6690ad
Make app management icon act like a normal app icon
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:09 +01:00
Julius Haertl 61dc78e6dc
Fix menu issues
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:09 +01:00
Julius Haertl a630e4629f
Generate separate menu list for header bar
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:09 +01:00
Julius Haertl e3e4cb3e67
Move active app to the first slot
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:09 +01:00
Julius Haertl 42feab59d5
Show app icons in the header
Signed-off-by: Julius Haertl <jus@bitgrid.net>
2017-03-16 11:55:09 +01:00
Ko- 786ee72146 Add warning on admin screen when set_time_limit is unavailable 2017-03-16 11:48:28 +01:00
Joas Schilling 652ee8a605
Fix scheduling plugin on legacy caldav endpoint
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-16 09:55:15 +01:00
Roeland Jago Douma 4d207680f2 Merge pull request #3624 from marncz/master
Update.js: countdown feedback before redirect
2017-03-16 07:56:51 +01:00
Nextcloud bot 2fafdb39ac
[tx-robot] updated from transifex 2017-03-16 01:07:36 +00:00
Lukas Reschke 085891a15d
Escape like parameters in database user backend
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-15 22:46:40 +01:00
Roeland Jago Douma 93c9a06761 Merge pull request #3788 from nextcloud/fed-share-modify
Add api to change the remote of an incoming federated share
2017-03-15 17:32:35 +01:00
Joas Schilling f2d3704e97 Merge pull request #3843 from nextcloud/encryption-fix-mail-share
take share by mail into consideration if we calculate the access list
2017-03-15 15:23:17 +01:00
Roeland Jago Douma 5ed45fc8e6 Merge pull request #3848 from nextcloud/remove-single-quotes-around-search-query
Remove single quotes around search query like in user search
2017-03-15 15:05:15 +01:00
Joas Schilling 0fe45966a0
Remove single quotes around search query like in user search
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-15 12:53:44 +01:00
Björn Schießle 5a998da206 Merge pull request #3841 from nextcloud/encyryption-trash-bin
Delete files on encryption error
2017-03-15 09:07:07 +01:00
Marcin Czarnecki 1a3617cdd6 Spacing
Signed-off-by: marncz <M.Czarnecki1@uni.brighton.ac.uk>
2017-03-15 06:35:40 +00:00
Morris Jobke 13aae43d89
Fix layout of sharing buttons
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-14 22:52:28 -06:00
Nextcloud bot 4da6b7e796
[tx-robot] updated from transifex 2017-03-15 01:07:49 +00:00
Marcin Czarnecki df2670ca3c Update: feedback before redirect
Signed-off-by: marncz <M.Czarnecki1@uni.brighton.ac.uk>
2017-03-14 20:36:17 +00:00
Roeland Jago Douma 67faf7edc4 Merge pull request #3838 from Xuanwo/basename-fix
[OC/Files/Cache]: Fix wrong usage of basename
2017-03-14 21:00:24 +01:00
Roeland Jago Douma 562c45d925 Merge pull request #3829 from nextcloud/reshares-in-folder
switch reshares to true (display reshares in the folder/filelist)
2017-03-14 20:13:09 +01:00
Maxence Lange 16e1c21fcc
fix mock
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-14 19:27:20 +01:00
Maxence Lange 1b9ed81cb6
switch reshares to true
Signed-off-by: Maxence Lange <maxence@nextcloud.com>
2017-03-14 19:27:07 +01:00
Roeland Jago Douma 25553172f4 Merge pull request #3836 from nextcloud/do-not-double-check-app-update
Do not check for app update twice
2017-03-14 19:26:01 +01:00
Bjoern Schiessle 8f92808caf
take share by mail into consideration if we calculate the access list
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-03-14 17:40:42 +01:00
Roeland Jago Douma 6565533d3b Merge pull request #3600 from coletivoEITA/master
added method needsPartFile() in Storage
2017-03-14 15:14:59 +01:00
Roeland Jago Douma 3c2312fb09 Merge pull request #3783 from andrius-kulbis/master
Fix deleted objectstore shares
2017-03-14 15:14:39 +01:00
Robin Appelman 8217b16cfe Merge pull request #3824 from nextcloud/dav-search-getlastmodified
fix searching and ordering on getlastmodified
2017-03-14 14:42:57 +01:00
Robin Appelman e392d02d80
safer casting of datetime
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-03-14 14:12:40 +01:00