Commit Graph

224 Commits

Author SHA1 Message Date
Lukas Reschke 95820fbd5b Add magical regex to catch browsers 2016-03-24 19:02:16 +01:00
Lukas Reschke cc8c0b6a90 Check if request is sent from official ownCloud client
There are authentication backends such as Shibboleth that do send no Basic Auth credentials for DAV requests. This means that the ownCloud DAV backend would consider these requests coming from an untrusted source and require higher levels of security checks. (e.g. a CSRF check)

While an elegant solution would rely on authenticating via token (so that one can properly ensure that the request came indeed from a trusted client) this is a okay'ish workaround for this problem until we have something more reliable in the authentication code.
2016-03-24 08:59:56 +01:00
Roeland Jago Douma e6dc80f0f3 Fix warning in request.php
* Added proper @property tags
* RunTimeException => RuntimeException

Makes code analyzers happier
2016-03-23 07:59:20 +01:00
Lukas Reschke c353d51810 Remove Scrutinizer Auto Fixer 2016-03-01 17:48:23 +01:00
Lukas Reschke 933f60e314 Update author information
Probably nice for the people that contributed to 9.0 to see themselves in the AUTHORS file :)
2016-03-01 17:25:15 +01:00
Joas Schilling 2a0cda74d4 Use IQueryBuilder::PARAM_* instead of \PDO::PARAM_* 2016-02-29 09:44:40 +01:00
Joas Schilling 070ff71a2d Add activities for comments 2016-02-05 11:30:53 +01:00
Joas Schilling 25cbc17bec Add activities when a tag is (un-)assigned 2016-02-02 10:11:58 +01:00
Lukas Reschke 809ff5ac95 Add public API to give developers the possibility to adjust the global CSP defaults
Allows to inject something into the default content policy. This is for
example useful when you're injecting Javascript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.

To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`,
$policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.

To test this add something like the following into an `app.php` of any enabled app:
```
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');

$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);

$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```

If you now open the files app the policy should be:

```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
2016-01-28 18:36:46 +01:00
Roeland Jago Douma f2e70441e4 [Share 2.0] Add getShareManager to OCP\IServerContainer 2016-01-27 22:04:37 +01:00
Lukas Reschke a977465af5 Add new CSRF manager for unit testing purposes
This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.
2016-01-25 20:03:40 +01:00
Thomas Müller 7731b29136 Merge pull request #21719 from owncloud/move-notification-api-to-ocp
Move the notification API to public namespace
2016-01-22 16:20:26 +01:00
Joas Schilling 31c5848e51 Allow automatic injection of the Manager 2016-01-22 11:02:40 +01:00
Robin McCorkell da4127d23b Introduce CredentialsManager for storage of credentials in DB
CredentialsManager performs a simple role, of storing and retrieving
encrypted credentials from the database. Credentials are stored by user
ID (which may be null) and credentials identifier. Credentials
themselves may be of any type that can be JSON encoded.

The rationale behind this is to avoid further (mis)use of
oc_preferences, which was being used for all manner of data not related
to user preferences.
2016-01-18 11:10:41 +01:00
Robin McCorkell 88cd615214 Introduce IDBConnection::setValues()
setValues() attempts to insert a new row, or failing that, update an
existing row. The ability to set preconditions is also available.
2016-01-18 11:10:41 +01:00
Thomas Müller 682821c71e Happy new year! 2016-01-12 15:02:18 +01:00
Roeland Jago Douma 98c4951f45 getLowStrengthGenerator does not do anything anymore 2016-01-11 19:59:15 +01:00
Roeland Jago Douma cd35ad6aaa Add 'OCP\Files\IMimeTypeDetector' to DI container
* Added test to server container as well
2016-01-07 13:20:43 +01:00
Bernhard Posselt 23c754aed3 prefer scalar type hints over phpdoc annotation
use method exists lookup to be safe and not break on old hhvm versions

add test that checks if type hint is preferred over annotation
2015-12-24 09:20:26 +01:00
Joas Schilling 412e4ed3f6 Register app containers in the OC container 2015-12-18 13:45:07 +01:00
Thomas Müller 6317ba8cb4 Merge pull request #21135 from owncloud/add-polyfill
Add polyfills for PHP55, PHP56 and PHP70 functionalities
2015-12-11 11:40:51 +01:00
Lukas Reschke f3360d51c6 Use PHP polyfills 2015-12-11 08:47:36 +01:00
Scrutinizer Auto-Fixer ffc49a24f0 Scrutinizer Auto-Fixes
This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
2015-12-10 16:43:37 +01:00
Lukas Reschke 7c45eaa70b Add type description
Allows IDEs and static code analyzers. Would have saved me some minutes today :)
2015-12-08 15:20:54 +01:00
Scrutinizer Auto-Fixer 453e1bf66e Scrutinizer Auto-Fixes
This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
2015-12-07 15:43:36 +00:00
Thomas Müller 602b636d3e Merge pull request #20807 from owncloud/dont-append-redirect-url-if-user-is-already-logged-in
Don't append redirect URL if user is logged-in
2015-12-03 16:53:59 +01:00
Joas Schilling 44852ce324 Allow DI for OCP\Files\IMimeTypeDetector 2015-12-01 16:49:20 +01:00
Joas Schilling 3c5a6b829e Allow DI the system tag stuff without Application class 2015-11-30 17:08:29 +01:00
Lukas Reschke f4eb15d340 Show error template
Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
2015-11-30 11:25:52 +01:00
Thomas Müller bdbefe17d6 Merge pull request #20782 from mitar/better-https
Also allow empty value for no-HTTPS
2015-11-27 14:24:23 +01:00
Mitar 59511d97ee Also allow empty value for no-HTTPS.
This makes it work better with old version of Nginx.
2015-11-27 01:01:56 -08:00
Morris Jobke 7aed592957 Add full interface of server container as alias 2015-11-26 18:20:25 +01:00
Robin Appelman 2d7c9f0ba9 also match ie11 with Request::USER_AGENT_IE 2015-11-22 16:05:52 +01:00
Thomas Müller 358858c9e3 Fix undefined HTTP_USER_AGENT 2015-11-22 16:05:50 +01:00
Lukas Reschke daa388ce8d Move index.php from files to AppFramework
1. Allows it to use the more secure CSP rules of the AppFramework.
2. Adds some unit tests.
2015-11-16 21:10:11 +01:00
Robin Appelman d514200b56 Add escapeLikeParameter to IDBConnection 2015-11-05 16:41:30 +01:00
Lukas Reschke bafb86fb9f Use getHttpProtocol instead of $_SERVER 2015-10-30 18:05:30 +01:00
Lukas Reschke 8f09d5b67c Update license headers 2015-10-26 14:04:01 +01:00
Lukas Reschke 8133d46620 Remove dependency on ICrypto + use XOR 2015-10-21 17:33:41 +02:00
Morris Jobke a0743f12c6 Provide IAppContainer as dependency injection 2015-10-20 10:33:53 +02:00
Morris Jobke bf579a153f fix IE8 user agent detection 2015-10-09 11:19:06 +02:00
Thomas Müller 020bb33150 Merge pull request #19034 from owncloud/http-request-warning
Prevent warning decoding content
2015-10-08 21:51:47 +02:00
Thomas Müller 8d2c8cf2a2 Merge pull request #19607 from owncloud/use-url
Use `/` if installed in main folder
2015-10-08 13:01:41 +02:00
Lukas Reschke 6a4f22c61f Use `/` if installed in main folder
Otherwise an empty string is used indicating the cookie is only valid for those resources. This can lead to eunexpected behaviour.

Fixes https://github.com/owncloud/core/issues/19196
2015-10-06 15:24:19 +02:00
Lukas Reschke 80a232da6a Add \OCP\IRequest::getHttpProtocol
Only allow valid HTTP protocols.

Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119
2015-10-06 14:18:46 +02:00
Morris Jobke 8366ce2767 deduplicate @xenopathic 2015-10-06 09:52:19 +02:00
Morris Jobke b945d71384 update licence headers via script 2015-10-05 21:15:52 +02:00
Jörn Friedrich Dreyer d81416c51d return '' instead of false 2015-09-23 12:32:49 +02:00
Joas Schilling ee75f9f594 Fix type hint errors in the container and the interface 2015-09-23 10:13:41 +02:00
Robin McCorkell 31a8949adf Prevent warning decoding content 2015-09-14 22:36:40 +01:00