This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.
This changeset allows ownCloud to run with pretty URLs, they will be used if mod_rewrite and mod_env are available. This means basically that the `index.php` in the URL is not shown to the user anymore.
Also the not deprecated functions to generate URLs have been modified to support this behaviour, old functions such as `filePath` will still behave as before for compatibility reasons.
Examples:
http://localhost/owncloud/index.php/s/AIDyKbxiRZWAAjP => http://localhost/owncloud/s/AIDyKbxiRZWAAjPhttp://localhost/owncloud/index.php/apps/files/ => http://localhost/owncloud/apps/files/
Due to the way our CSS and JS is structured the .htaccess uses some hacks for the final result but could be worse... And I was just annoyed by all that users crying for the removal of `index.php` ;-)
reduce calls of \OCP\Util::needUpgrade()
where \OCP\Util::needUpgrade() is called we can call as well
self::checkUpgrade and use the cached result
In line 877 the call way unnecessary anyway because of the first part of
the if statement
move caching to \OCP\Util::needUpgrade
renaming variable
fixing testNeedUpgradeCore()
cache result of checkUpgrade() in self::$needUpgrade
reduce calls of \OCP\Util::needUpgrade()
where \OCP\Util::needUpgrade() is called we can call as well
self::checkUpgrade and use the cached result
In line 877 the call way unnecessary anyway because of the first part of
the if statement
move caching to \OCP\Util::needUpgrade
renaming variable
fixing testNeedUpgradeCore()
fix typo in variable name
deleting tabs
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:
1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data
Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.
To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
Fix issue where the currently logged user was causing side-effects when
upgrading.
Now setting incognito mode (no user) on update to make sure the whole
apps list is taken into account with getEnabledApps() or isEnabled().
OC_Util::sanitizeHTML() also supports array but we actually had no unit test for it. Additionally this commit introduces a test for escaping " into "
- added PHP utility function to check for file name validity
- fixes issue where a user can create a file called ".." from the files UI
- added extra checks to make sure newfile.php and newfolder.php also
check for invalid characters
In environments where there are rules for the email addresses, the "from
address" that owncloud uses has to be configurable.
This patch adds a new configuration variable 'mail_from_address'.
If it is configured, owncloud will use this as the sender of *all*
emails. (OwnCloud uses 'sharing-noreply' and 'password-noreply' by
default). By using the 'mail_from_address' configuration, only this
email address will be used.
When accessing a shared folder, the folder's owner appears as mountpoint
but wasn't wrapped by a quota storage wrapper.
This fix makes sure that all home storages are wrapped by a quota
storage wrapper, if applicable, to make sure quotas are respected when
uploading into shared folders.
instanceid is generated by uniqid() and then used as the
session_name. Because session_name requires at least one letter
and uniqid() does not guarantee to provide that, in the case that
uniqid() generates a string of only digits, the user will be stuck
in an infinite login loop because every request will generate a
new PHP session.
Roeland Jago Douma
Lukas Reschke
Morris Jobke
Thomas Müller
Individual IT Services
Joas Schilling
Robin McCorkell
Joas Schilling
Robin Appelman
Vincent Petry
ringmaster
Bjoern Schiessle
Lukas Reschke
Jens-Christian Fischer
kondou
Victor Dubiniuk
Miquel Rodríguez Telep / Michael Rodríguez-Torrent