Morris Jobke
99c9423766
Remove @suppress SqlInjectionChecker
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-09-16 15:53:56 +02:00
Joas Schilling
c25063dc07
Don't break when the IP is empty
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-09-10 14:20:27 +02:00
Christoph Wurst
2a054e6c04
Update the license headers for Nextcloud 20
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-08-24 14:54:25 +02:00
Joas Schilling
35a8519591
Fix CS
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
770381c0c6
Correctly return ms delay when at max
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
931aca2fee
Add missing default
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
d9c4c9eb99
Simplify array filter
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
dfeee3b850
Fix wrong doc + type hint
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
8376c4891f
Only throw when also the last 30 mins were attacking
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
6f751d01db
Make the throttling O(2^n) instead of O(n^n)
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
64539a6ee1
Make Throttler strict
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
c8fea66d65
Split delay calculation from getting the attempts
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:35 +02:00
Joas Schilling
cdb36c8ead
Let the database count the entries
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:35 +02:00
Joas Schilling
e66bc4a8a7
Send "429 Too Many Requests" in case of brute force protection
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:35 +02:00
Morris Jobke
c0be7e329f
Prefer typed event over string based ones
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-08-10 15:22:55 +02:00
Morris Jobke
e57bca31ad
Merge pull request #20005 from joeried/occ-remove-bruteforce-attempts-by-ip
...
Implement occ command to reset bruteforce attemps from a given IP address
2020-05-25 14:04:18 +02:00
Morris Jobke
bd997a105c
Fix code style
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-05-25 14:03:21 +02:00
Roeland Jago Douma
35ff4aa1c6
Use random_bytes
...
Since we don't care if it is human readbale.
The code is backwards compatible with the old format.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-05-11 12:46:59 +02:00
MichaIng
229570badf
Apply Argon2 options for Argon2id hashing as well
...
Signed-off-by: MichaIng <micha@dietpi.com>
2020-05-01 11:42:13 +02:00
MichaIng
ad60619655
Fix Argon2 options checks
...
The minimum for memory cost is 8 KiB per thread. Threads must be checked and set first to allow checking against the correct memory cost mimimum.
Options are now applied the following way:
- If config.php contains the setting with an integer higher or equal to the minimum, it is applied.
- If config.php contains the setting with an integer lower than the minimum, the minimum is applied.
- If config.php does not contain the setting or with no integer value, the PHP default is applied.
Signed-off-by: MichaIng <micha@dietpi.com>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-04-30 10:18:46 +02:00
Christoph Wurst
cb057829f7
Update license headers for 19
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-29 11:57:22 +02:00
Arthur Schiwon
5437844b7e
fix credentialsManager documentation and ensure userId to be used as string
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-04-15 19:34:23 +02:00
Christoph Wurst
28f8eb5dba
Add visibility to all constants
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 16:54:27 +02:00
Christoph Wurst
caff1023ea
Format control structures, classes, methods and function
...
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 14:19:56 +02:00
Christoph Wurst
14c996d982
Use elseif instead of else if
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 10:35:09 +02:00
Christoph Wurst
afbd9c4e6e
Unify function spacing to PSR2 recommendation
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 13:54:22 +02:00
Christoph Wurst
41b5e5923a
Use exactly one empty line after the namespace declaration
...
For PSR2
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 11:48:10 +02:00
Christoph Wurst
2fbad1ed72
Fix (array) indent style to always use one tab
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 10:16:08 +02:00
Christoph Wurst
1a9330cd69
Update the license headers for Nextcloud 19
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-31 14:52:54 +02:00
Christoph Wurst
b80ebc9674
Use the short array syntax, everywhere
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-26 16:34:56 +01:00
Johannes Riedel
0c38569c83
Implement occ command security:bruteforceattemps:reset-for-ip
...
Signed-off-by: Johannes Riedel <joeried@users.noreply.github.com>
2020-03-19 16:20:22 +01:00
Pavel Krasikov
f11dee9bc4
fix safari useragent for versions with 3 digits
...
Signed-off-by: Pavel Krasikov <klonishe@gmail.com>
2020-03-14 16:47:28 +03:00
Roeland Jago Douma
12e1c469cf
Add Argon2id support
...
When available we should use argon2id for hashing.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-02-07 07:52:33 +01:00
Roeland Jago Douma
0d651f106c
Allow selecting the hashing algorithm
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-02-03 21:41:17 +01:00
Arthur Schiwon
f92ba2cebe
ignore values that undershoot the minimum, go with default
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-01-22 16:04:57 +01:00
blizzz
56c3ba6ac7
use getSystemValueInt
...
Co-Authored-By: kesselb <mail@danielkesselberg.de>
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-01-21 09:04:53 +01:00
Arthur Schiwon
171bb98229
expose Argon2 options (as we did for bcrypt)
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-01-20 18:21:50 +01:00
Christoph Wurst
1b46621cd3
Update license headers for 18
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-20 09:23:25 +01:00
Konrad Bucheli
f2d3e34c96
handle IPv6 addresses with an explict incoming interface at the end (e.g fe80::ae2d:d1e7:fe1e:9a8d%enp2s0)
...
Signed-off-by: Konrad Bucheli <konrad.bucheli@gmx.ch>
Signed-off-by: Konrad Bucheli <kb@open.ch>
2019-12-10 22:47:20 +01:00
Julius Härtl
d05f131929
Move overwritehost check to isTrustedDomain
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-12-07 09:53:06 +01:00
Christoph Wurst
5bf3d1bb38
Update license headers
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-05 15:38:45 +01:00
Roeland Jago Douma
68748d4f85
Some php-cs fixes
...
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 20:52:10 +01:00
Johannes Koenig
2df8d646c1
make TrustedDomainHelper case insensitive
...
Signed-off-by: Johannes Koenig <mail@jokoenig.de>
2019-10-06 20:43:55 +02:00
Roeland Jago Douma
2b98eea129
Harden identifyproof openssl code
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-09-14 13:52:10 +02:00
Roeland Jago Douma
7927aebdeb
Fix report of phpstan in Limiter
...
* unneeded arguments to constructor
* added return types
* let automatic DI do its work
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-19 19:38:43 +02:00
Roeland Jago Douma
b8c5008acf
Add feature policy header
...
This adds the events and the classes to modify the feature policy.
It also adds a default restricted feature policy.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-10 14:26:22 +02:00
Roeland Jago Douma
f94ee72507
Add form-action CSP element
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-31 15:16:10 +02:00
Roeland Jago Douma
417fbb5d60
setting unsafe-eval is deprecated
...
This will be removed in a future version of Nextcloud.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-30 16:27:38 +02:00
Sam Bull
ea935f65fd
Add support for CSP_NONCE server variable
...
Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server.
Signed-off-by: Sam Bull <git@sambull.org>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-18 12:16:29 +02:00
Roeland Jago Douma
5ac857bcdc
Add an event to edit the CSP
...
This introduces and event that can be listend to when we actually use
the CSP. This means that apps no longer have to always inject their CSP
but only do so when it is required. Yay for being lazy.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-08 20:35:15 +02:00