Do not send Content-Length headers with a value larger than PHP_INT_MAX
(2147483647) on Apache PHP SAPI 32-bit. PHP will eat them and send 2147483647
instead.
When X-Sendfile is enabled, Apache will send a correct Content-Length header,
even for files larger than 2147483647 bytes. When X-Sendfile is not enabled,
ownCloud will not send a Content-Length header. This prevents progress bars
from working, but allows the actual transfer to work properly.
Doing this in the PHP code is not the right approach for multiple reasons:
1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.
This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.
This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.
Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.
Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.
Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```
Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925
- Use OCP\Response constants instead of the HTTP error code
- Use checkAppEnabled() instead of OC_App::isEnabled with an if statement
- Remove uneeded variable $baseURL
- Rename $isvalid to $isValid
The Freebox is the multimedia device of a french Internet provider: Free. This device provides a seedbox which uses the user agent "Mozilla/5.0". In the "Content-Disposition" header, if the "filename" key is used with the "filename*=UTF-8''" value, the seedbox does not take care about the header and saves the file name with the origin URL. This patch brings the support for the Freebox users.
Added new OC\Response API called setContentDispositionHeader() that
contains the needed workarounds for UTF8 and IE.
Refactored download code to use the new API.
Removed unused trashbin download file.
Lukas Reschke
Olivier Paroz
Morris Jobke
Thomas Müller
Andreas Fischer
Jenkins for ownCloud
Clark Tomlinson
Robin McCorkell
Lukas Reschke
Vincent Petry
Jörn Friedrich Dreyer
Martial Saunois