Commit Graph

285 Commits

Author SHA1 Message Date
Joas Schilling b4bacf46f3
Do not send a body for "No content", "Not modified" and others
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-05-04 13:46:13 +02:00
Joas Schilling f5b143e318
Allow to inject ISearchResult
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-04-26 12:19:15 +02:00
Arthur Schiwon 38a90130ce
move log constants to ILogger
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2018-04-26 10:45:52 +02:00
Roeland Jago Douma 129a608ebe
OCP\AppFramework\App strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-09 08:42:03 +01:00
Morris Jobke a2db959f5c
Merge pull request #8593 from eneiluj/master
Allow public page access to apps with group restrictions
2018-03-08 11:27:52 +01:00
Roeland Jago Douma 3ad7daeda5
Add tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-08 11:05:18 +01:00
Roeland Jago Douma 340e8ef16c
Make SecurityMiddleware strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-08 10:11:47 +01:00
Joas Schilling 1dd40b1f45
Single quotes
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-03-07 16:50:18 +01:00
Joas Schilling 559978c50e
Suppress phan error
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-03-07 16:43:16 +01:00
Joas Schilling 09d8387b00
Try without autoloading
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-03-06 13:56:44 +01:00
Joas Schilling 97c4c00e3f
Better debugging for "Your test case is not allowed to access the database."
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-03-05 16:06:29 +01:00
Julien Veyssier 7da0812186 Do not throw AppNotEnabledException for app public pages - refs #6962, refs #5309
It allows non-logged user to access public pages of applications restricted to a group

Signed-off-by: Julien Veyssier <eneiluj@posteo.net>
2018-02-28 20:35:53 +01:00
Morris Jobke a60d7a8563
Merge pull request #8541 from nextcloud/translate-permission-error-page
Provide translated error message for permission error
2018-02-26 17:50:21 +01:00
Morris Jobke cf35c4b03a
Provide translated error message for permission error
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-26 17:00:29 +01:00
Roeland Jago Douma 043a824e6a
Fix comments
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma 0ee45d3d20
Fix proper types
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma a229095af1
Make Request strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma fb41a93a95
Merge pull request #8473 from nextcloud/strict_cmr
Strict OCP\AppFramework\Utility\IControllerMethodReflector
2018-02-21 22:56:40 +01:00
Roeland Jago Douma 4859775893
Don't try to match on false
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 20:38:14 +01:00
Roeland Jago Douma aa060f5332
Strict OCP\AppFramework\Utility\IControllerMethodReflector
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 19:55:49 +01:00
Roeland Jago Douma ca9f364fd4
Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 10:55:52 +01:00
Roeland Jago Douma a773b055fc
Make the middlewareDispatcher strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 10:55:24 +01:00
Roeland Jago Douma bb0c7b2943
Make AppFramework/Http/Dispatcher strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 08:51:46 +01:00
Roeland Jago Douma cf83eb5e77
Merge pull request #8336 from nextcloud/cleanup-unused-parameter
Cleanup unused parameter
2018-02-20 10:16:59 +01:00
Morris Jobke d3d045dd5c
Remove unused import statements
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-14 16:55:43 +01:00
Morris Jobke d18d323f21
Remove fromMailAddress from MailSettingsController
Was removed in https://github.com/nextcloud/server/pull/4379 (0a54d5a) and https://github.com/nextcloud/server/pull/4380 (bae64e8)

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-13 21:40:38 +01:00
Morris Jobke 01482b32a1
Merge pull request #8062 from nextcloud/use-class
Use ::class statement instead of string
2018-01-29 15:25:08 +01:00
Roeland Jago Douma c0adfa4375
Don't perform CSRF check on OCS routes with Bearer auth
Fixes #5694

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-29 14:37:18 +01:00
Morris Jobke eb51f06a3b
Use ::class statement instead of string
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-29 12:03:47 +01:00
Morris Jobke 870fe20acc
Use $var[] = $a instead of array_push - 2x faster
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-25 22:36:03 +01:00
Morris Jobke 2a38605545
Properly log the full exception instead of only the message
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-23 10:57:21 +01:00
Morris Jobke 4ef302c0be
Request->getHeader() should always return a string
PHPDoc (of the public API) says that this method returns string but it also returns null, which is not allowed in some method calls. This fixes that behaviour and returns an empty string and fixes all code paths that explicitly checked for null to be still compliant.

Found while enabling the strict_typing for lib/private for the PHP7+ migration.

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-17 09:51:31 +01:00
Joas Schilling 7bc9a69c3f
Remove deprecated core API
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-01-15 17:54:50 +01:00
Roeland Jago Douma d44de92c31
Merge pull request #7838 from nextcloud/timefactory_strict
Make the ITimeFactory strict + return types
2018-01-15 09:27:37 +01:00
Roeland Jago Douma 7ffd62bf95
Make the ITimeFactory strict + return types
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-14 21:55:40 +01:00
Roeland Jago Douma 704133d732
Remove deprecated functions from DI Container
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-13 19:29:52 +01:00
Roeland Jago Douma 57050146f6
Move passwordconfirmation to its own midleware
Add tests

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-02 21:58:14 +01:00
Bjoern Schiessle 1bcbeb24bc
disable password confirmation with SSO
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2018-01-02 20:30:37 +01:00
Roeland Jago Douma ca70694502
Also check for empty content lenth
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-12-14 21:48:59 +01:00
Morris Jobke 31c5c2a592
Change @georgehrke's email
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 20:38:59 +01:00
Morris Jobke 0eebff152a
Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Roeland Jago Douma b88db3a389 Merge pull request #6921 from nextcloud/appmanager-securitymiddleware
Use proper DI for security middleware for app enabled check
2017-10-24 19:58:24 +02:00
Morris Jobke ce0c45a4ea
Use proper DI for security middleware for app enabled check
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-10-24 15:36:28 +02:00
Julius Härtl 4cfa1c66b8
Doc: Fix phpDoc issues
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2017-10-23 23:23:56 +02:00
Roeland Jago Douma c257cd57d4
Handle SameSiteCookie check for index.php in AppFramework Middleware
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-24 21:07:16 +02:00
Joas Schilling c4b3198ac2
Rethrow the correct exception when there was an error in an app container
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-09-12 11:54:13 +02:00
Bjoern Schiessle 9524badccc
extend the identity proof manager to allow system wide key pairs
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-08-10 14:27:35 +02:00
Roeland Jago Douma 9717cdfb9e
If there is no content don't error
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-09 15:51:13 +02:00
Lukas Reschke f93a82b8b0
Remove explicit type hints for Controller
This is public API and breaks the middlewares of existing apps. Since this also requires maintaining two different code paths for 12 and 13 I'm at the moment voting for reverting this change.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 17:32:03 +02:00
Morris Jobke 84c22fdeef Merge pull request #5907 from nextcloud/add-metadata-to-throttle-call
Add metadata to \OCP\AppFramework\Http\Response::throttle
2017-08-01 14:43:47 +02:00
Morris Jobke 6010c4f267 Merge pull request #5877 from nextcloud/typehint_middleware
Prop argument type for Middleware
2017-08-01 14:28:16 +02:00
Roeland Jago Douma ede15f0988
Fix L10N::t
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-01 08:20:17 +02:00
Roeland Jago Douma 3548603a88
Fix middleware implementations signatures
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-31 16:54:19 +02:00
Lukas Reschke f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle
Fixes https://github.com/nextcloud/server/issues/5891

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-27 14:17:45 +02:00
Roeland Jago Douma 5f227bd93b
More phpstorm inspection fixes
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-24 11:39:29 +02:00
Bjoern Schiessle 7c2d473d76
add new config switched for the global scale architecture
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-05-29 18:19:28 +02:00
Joas Schilling 72c1b24844
Check whether the $_SERVER['REQUEST_*'] vars exist before using them
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-15 14:33:27 +02:00
coderkun bdc7bb1f26 Add IPv6 to “localhost” regex (#440)
Signed-off-by: Oliver Hanraths <olli@coderkun.de>
2017-05-14 21:29:03 +02:00
Joas Schilling ca39940614
Automatic creation of Identity manager
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-05-10 09:45:11 +02:00
Morris Jobke c54a59d51e
Remove unused use statements
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-04-22 19:23:31 -05:00
Roeland Jago Douma d12ec7cff1
Revert "Match slashes in ../{id} resource routes"
This reverts commit 31f9be7a75.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-18 21:50:36 +02:00
Lukas Reschke 8149945a91
Make BruteForceProtection annotation more clever
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.

Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 23:05:33 +02:00
Morris Jobke d0c0f6cfc1 Merge pull request #4326 from nextcloud/downstream-27562
Reorder the entries of the log for easier reading
2017-04-13 13:11:47 -05:00
Joas Schilling 695696a4a6
Use constants
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-13 12:04:32 -05:00
Lukas Reschke a1ae5275f9
Move to dedicated MiddleWare
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:17 +02:00
Lukas Reschke 511524c668
Add isset() as it can be an empty result
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:17 +02:00
Lukas Reschke d729bde98c
Register in ServerContainer
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:16 +02:00
Lukas Reschke 66835476b5
Add support for ratelimiting via annotations
This allows adding rate limiting via annotations to controllers, as one example:

```
@UserRateThrottle(limit=5, period=100)
@AnonRateThrottle(limit=1, period=100)
```

Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 12:00:16 +02:00
Juan Pablo Villafáñez 38e5135cb9
Reorder the entries of the log for easier reading 2017-04-12 13:03:19 +02:00
Morris Jobke fa4107893d Merge pull request #4138 from nextcloud/resources_match_fullid
Match slashes in ../{id} resource routes
2017-04-04 15:52:53 -05:00
Roeland Jago Douma 31f9be7a75
Match slashes in ../{id} resource routes
Fixes #2954

Before we could match on <prefix>/{id} however if the id contains a /
this would not match properly. But since we define the resource routes
internally we now make sure that we match all chars (up until the ?).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-04 08:37:11 +02:00
Roeland Jago Douma 2a9192334e
Don't try to parse empty body if there is no body
Fixes #3890

If we do a put request without a body the current code still tries to
read the body. This patch makes sure that we do not try to read the body
if the content length is 0.

See RFC 2616 Section 4.3

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-04 08:22:33 +02:00
Joas Schilling 3f86f1276f
Also cache the namespace from appinfo
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-22 11:50:31 +01:00
Joas Schilling 5695a4ec92
Don't do a recursive search
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-22 10:44:13 +01:00
Joas Schilling 9208f6379c
buildAppNamespace already has the fallback
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-22 10:13:14 +01:00
Roeland Jago Douma 67909cf87b
Make DI work for all apps
As stated in https://github.com/nextcloud/server/pull/3901#issuecomment-288135309
appid's don't have to match the namespace.

Work around this

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 20:53:37 +01:00
Roeland Jago Douma 92f50c7d87
Core is also a special app
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 10:42:33 +01:00
Roeland Jago Douma 48c34522ed
Move a lot of stuff over to the ServerContainer
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 10:29:59 +01:00
Roeland Jago Douma c92b9ce2c4
Fix settings tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma 21641302a9
Add DI intergration tests
* Moved some interface definitions to Server.php (more to come)
* Build/Query only for existing classes in the AppContainer
* Build/Query only for classes of the App in the AppContainer
* Offload other stuff to the servercontainer

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma 7cece61ff6
Extend DI tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma 246e9ce547
More elegant handling of recursion
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma df14684817
PoC of moving the interface classes to the servercontainer
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:20 +01:00
Roeland Jago Douma 886202123c
Update query method for DIContainer
To align with https://github.com/nextcloud/server/issues/2043#issuecomment-287348294
This would mean that AppContainers only hold the AppSpecific services

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-21 08:52:17 +01:00
Roeland Jago Douma 8626ccab1c
dont require strict same site cookies for ocs requests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-09 16:48:48 +01:00
Roeland Jago Douma f8c459f1a4 Merge pull request #3607 from nextcloud/api-to-resend-welcome-message
OCS API endpoint to resend welcome message
2017-03-03 13:50:30 +01:00
Sebastian Wessalowski e399097e3a Remove deprecated OC_User::isLoggedIn
Signed-off-by: Sebastian Wessalowski <sebastian@wessalowski.org>
2017-03-02 22:59:39 +01:00
Morris Jobke 552921d429
Fix injection of defaults
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-02-28 16:30:34 -06:00
Morris Jobke 50f3efad6f
OCS API endpoint to resend welcome message
* send a POST request to ocs/v1.php/cloud/users/USERNAME/resendWelcomeMessage to trigger
  the welcome message to be send
* fixes #3367

example curl statement:

  curl -i https://example.org/ocs/v1.php/cloud/users/USERNAME/welcome -H  "OCS-APIRequest: true" -u admin:password -X POST

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-02-28 16:30:33 -06:00
Joas Schilling 0be2921966
Fix DI of the cloud id manager into apps
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-14 12:47:46 +01:00
Morris Jobke dfaaebd765 Merge pull request #3417 from nextcloud/push-notification
Push notification
2017-02-10 16:00:47 -06:00
Joas Schilling 33fb86f68b
Fix detection of the new iOS app
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-10 10:10:21 +01:00
Joas Schilling efdc51c155
Make sure to use the right appdata directory
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-09 15:03:00 +01:00
Christoph Wurst 5e728d0eda oc_token should be nc_token
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-02-02 21:56:44 +01:00
Morris Jobke 5bad417e57 Merge pull request #2044 from nextcloud/login-credential-store
Login credential store
2017-01-30 19:30:04 -06:00
Bjoern Schiessle 32e0ec3e58
handle optional annotation parameters
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:16 +01:00
Joas Schilling 29a0a23918
Fix the regex for annotations with values
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-01-18 15:25:16 +01:00
Bjoern Schiessle df296249d6
introduce brute force protection for api calls
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-01-18 15:25:15 +01:00
Christoph Wurst a6dca9e7a0
add login credential store
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-11 19:20:09 +01:00
Joas Schilling bc3da3a8f5
Remove IDb interface which was deprecated for 3 years already
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-14 11:42:16 +01:00
Joas Schilling 61e15988a0
Allow to overwrite the message which we already do in SubadminMiddleware
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-08 16:23:49 +01:00
Morris Jobke d86b29b42b Merge pull request #2066 from nextcloud/fix-redirect-double-encoding
do not double encode the redirect url
2016-11-29 17:21:43 +01:00
Joas Schilling da9468522b
Add an event merger and use it for the files activities
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-25 15:36:11 +01:00
Lukas Reschke a05b8b7953
Harden cookies more appropriate
This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening.

See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications.

Fixes https://github.com/nextcloud/server/issues/1412

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-23 12:53:44 +01:00
Morris Jobke 332eaec4c0 Merge pull request #1447 from nextcloud/password-confirmation-for-some-actions
Password confirmation for some actions
2016-11-18 15:42:30 +01:00
Joas Schilling bb7787a157
Add the 15 seconds to the window, instead of removing
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 12:10:51 +01:00
Joas Schilling 827b6a610e
Introduce PasswordConfirmRequired annotation
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 11:57:16 +01:00
Robin Appelman 4235b18a88
allow passing a stream to StreamResponse
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:30:36 +01:00
Roeland Jago Douma f07d75a4dd
@since 9.2.0 to @since 11.0.0
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-11-15 18:51:52 +01:00
Christoph Wurst 0ebffa4a5f do not double encode the redirect url
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-09 16:14:46 +01:00
Christoph Wurst d907666232
bring back remember-me
* try to reuse the old session token for remember me login
* decrypt/encrypt token password and set the session id accordingly
* create remember-me cookies only if checkbox is checked and 2fa solved
* adjust db token cleanup to store remembered tokens longer
* adjust unit tests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2016-11-02 13:39:16 +01:00
Roeland Jago Douma e55e6f1f14
Cleanup usages
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-29 14:29:50 +02:00
Roeland Jago Douma 740659a04c
Move away from OC_L10N
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-28 21:46:28 +02:00
Morris Jobke d4969abc9d Merge pull request #1800 from nextcloud/nextcloud-rich-object-strings
Nextcloud rich object strings
2016-10-27 15:30:58 +02:00
Joas Schilling c20ab0049f
Identify Chromium as Chrome
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-26 12:07:10 +02:00
Roeland Jago Douma e351ba56f1
Move browserSupportsCspV3 to CSPNonceManager
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-25 22:03:10 +02:00
Lukas Reschke 9e6634814e
Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)

IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Roeland Jago Douma 7998689bc9
Added method to DB and fix test
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-24 09:45:04 +02:00
Joas Schilling 2098648850
Add Rich Object Definitions and a validator
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-20 12:14:51 +02:00
Morris Jobke 96f8f209b9 Merge pull request #1449 from nextcloud/comments-user-mention
Notifications for simple @-mentioning in comments
2016-10-17 09:30:47 +02:00
Thomas Müller c5ca71ee82
[9.2] Register commands in info.xml (#26248)
* Use DI to load console commands from the apps - class name to be defined in the info.xml

* Load commands from info.xml

* Fix unit test

* Allow Di magic for IMountManager

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-11 19:48:26 +02:00
Thomas Müller 67d3574bdf
Don't parse info.xml but reuse already cached app infos - fixes #25603 (#25968)
* Don't parse info.xml but reuse already cached app infos - fixes #25603

* Use === in InfoParser. Fixes test

* InfoParser should not depend on UrlGenerator - fixes issue with session being closed too early
2016-10-07 20:58:22 +02:00
Arthur Schiwon e1073cf442
Notificacations for simple @-mentioning in comments
(WIP) notify user when mentioned in comments

Fix doc, and create absolute URL for as notification link.

PSR-4 compatibility changes

also move notification creation to comments app

Do not notify yourself

unit test for controller and application

smaller fixes

- translatable app name
- remove doubles in mention array
- micro perf optimization
- display name: special label for deleted users, keep user id for users that could not be fetched from userManager

Comment Notification-Listener Unit Test

fix email adresses

remove notification when triggering comment was deleted

add and adjust tests

add missing @license tags

simplify NotificationsController registration

appinfo simplification, php docs

make string easier to translate

adjust test

replace dispatcher-based listeners with a registration method and interface

safer to not pass optional data parameter to setSubject for marking as processed. ID and mention suffices

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>

update comment

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2016-10-07 17:11:19 +02:00
Joas Schilling a0b34dfd2f Merge pull request #1629 from nextcloud/cleanup-settings-application
Cleanup settings Application class
2016-10-06 16:57:39 +02:00
Joas Schilling 8b3deb00b3
When we can not create the class, try if the variable is a registered service
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-05 16:33:19 +02:00
Roeland Jago Douma 3260f69590
Add for proper DI
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-05 11:00:16 +02:00
Lukas Reschke 598b243838 Merge pull request #1426 from nextcloud/sanitze_opt
Optimize sanitizeName
2016-09-26 14:10:50 +02:00
Joas Schilling d9063b6141
Use default value instead of throwing when the service could not be found 2016-09-20 13:26:06 +02:00
Roeland Jago Douma e200eda18d
Optimize sanitizeName 2016-09-16 09:52:52 +02:00
Roeland Jago Douma 7c078a81b4
Add trict CSP to OCS responses
If a repsonse now explicitly has the Empty CSP set then the middleware
won't touch it.
2016-09-15 13:11:36 +02:00
Roeland Jago Douma 959bf0d1a7
Cache the build ControllerName
Often a route.php file will have many N routes but only M controllers.
Where N >= M. Which means that in most cases the ControllerName will be
converted multiple times. This is of course far from ideal.

Note that this is per app so the cache will contain at most N entries.
Which is not to bad.
2016-09-11 13:25:32 +02:00
Roeland Jago Douma 240798329d
Set proper content type on OCS responses 2016-09-07 10:55:56 +02:00
Roeland Jago Douma 3c55fe6bab
Split OCS version handling
This cleans up a bit the OCSController/Middleware. Since the 2 versions
of OCS differ a bit. Moved a lot of stuff internal since it is of no
concern to the outside.
2016-09-06 11:57:39 +02:00
Roeland Jago Douma 7f84f05e4d
Cache parsing of info.xml 2016-09-02 09:03:09 +02:00
Roeland Jago Douma 21a87d3c2e
No body or content-length for 204 and 304 responses
See: https://tools.ietf.org/html/rfc7230#section-3.3
2016-08-31 23:07:48 +02:00
Joas Schilling f9cea0b582 Merge pull request #797 from nextcloud/only-match-for-auth-cookie
Match only for actual session cookie
2016-08-31 15:59:16 +02:00
Lukas Reschke d50e7ee36c
Remove reading PATH_INFO from server variable
Having two code paths for this is unreliable and can lead to bugs. Also, in some cases Apache isn't setting the PATH_INFO variable when mod_rewrite is used.

Fixes https://github.com/nextcloud/server/issues/983
2016-08-19 14:48:13 +02:00
Joas Schilling 027069cbae Merge pull request #846 from nextcloud/provisioning_api_ocs
Move Provisioning API to the AppFramework
2016-08-17 10:23:13 +02:00
Marius Blüm c1632c3abd Merge pull request #893 from nextcloud/ie8_be_gone
IE8 be gone!
2016-08-17 09:02:58 +02:00
Roeland Jago Douma 8f3dc0ba43
Remove IE_8 user agent string 2016-08-16 21:01:32 +02:00
Arthur Schiwon 75a73a5a73
satisfy dependencies for files_external 2016-08-15 13:38:02 +02:00
Roeland Jago Douma e3b0e50dda
Extend OCSMiddleware
* Always set 401 (v1.php and v2.php)
* Set proper error codes for v2.php
* Proper OCS output on unhandled exceptions
2016-08-14 18:34:01 +02:00
Roeland Jago Douma deba0f9922
Move OCS Middleware before security middleware
This is required to be able to catch the NotLoggedIn exceptions etc in
the OCSMiddleware and convert them to proper OCS Responses.
2016-08-14 18:34:01 +02:00
Arthur Schiwon 8188bb4509
simplify encryption manager fetching in DIContainer 2016-08-13 01:26:11 +02:00
Lukas Reschke 8261ccce1b
Merge branch 'master' into implement_712 2016-08-11 19:37:17 +02:00
Arthur Schiwon a2f752bcf3
adjust files_external 2016-08-11 15:50:31 +02:00
Arthur Schiwon 1eb8b951c2
more admin page splitup improvements
* bump version to ensure tables are created
* make updatenotification app use settings api
* change IAdmin::render() to getForm() and change return type from Template to TemplateResponse
* adjust User_LDAP accordingly, as well as built-in forms
* add IDateTimeFormatter to AppFramework/DependencyInjection/DIContainer.php. This is important so that \OC::$server->query() is able to resolve the
constructor parameters. We should ensure that all OCP/* stuff that is available from \OC::$server is available here. Kudos to @LukasReschke
* make sure apps that have settings info in their info.xml are loaded before triggering adding the settings setup method
2016-08-10 15:21:25 +02:00
Lukas Reschke 5214b62d55 Merge pull request #691 from nextcloud/ocs_allow_all_old_routes
Allow ocs/v2.php/cloud/... routes
2016-08-09 20:52:49 +02:00
Lukas Reschke b53ea18ea5
Match only for actual session cookie
OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.
2016-08-09 19:23:08 +02:00
Roeland Jago Douma 0032a5c2d1
Hanlde Core and Settings app in AppFramework
'core' and 'settings' are just apps but we treat them slightly
different. Make sure that we construct the correct namespace so we can
actually do automatic AppFramework stuff.
2016-08-08 20:48:16 +02:00