Commit Graph

125 Commits

Author SHA1 Message Date
Christoph Wurst 6995223b1e
Add well known handlers API
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-12-16 13:13:05 +01:00
zertrin af5380f5a8 Fix security header setting in .htaccess by adding 'onsuccess unset'
The headers might already be set by the system administrator at the http server
level (apache or nginx) for some or all virtualhosts.

Using "always set" in the .htaccess of Nextcloud leads to the situation where
the headers might be set twice (once in the default 'onsuccess' table and once
in the 'always' table)! Which leads to warnings in the admin area.

Adding "onsuccess unset" solves the problem, and forces the header in
the 'onsucess' table to be unset, and the header in the 'always' table to be set.

NOTE: with this change, Nextcloud overrides whatever the system administrator
might have already set

See github issues #16893 #16476 #16938 #18017 and discussion in PR #19002

Signed-off-by: zertrin <zertrin@gmail.com>
2020-03-05 11:11:09 +08:00
Maxence Lange bf408c58c2 +nodeinfo public service
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
2019-08-29 16:21:16 -01:00
J0WI 1b074f48d8
Remove duplicated spaces
Signed-off-by: J0WI <J0WI@users.noreply.github.com>
2019-08-11 20:11:50 +02:00
J0WI bd9403d3da
Use "always" condition for security headers
Signed-off-by: J0WI <J0WI@users.noreply.github.com>
2019-08-11 20:11:50 +02:00
J0WI 3f2932c75a
Sort headers
Signed-off-by: J0WI <J0WI@users.noreply.github.com>
2019-08-11 20:11:50 +02:00
J0WI 76cbd7db6e
Add X-Frame-Options header to .htaccess
Signed-off-by: J0WI <J0WI@users.noreply.github.com>
2019-08-11 20:11:49 +02:00
Joas Schilling c6a69ba925
Remove the upload and memory setting
* Remove unneeded private method phpFileSize()
* Bump autoloader
* Remove setUploadLimit tests
* Remove integrity check hacks for upload limit

Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2019-03-04 12:14:22 +01:00
Morris Jobke 92b5743bf4
Remove unused php5 config from .htaccess
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2019-03-04 11:24:10 +01:00
Julius Härtl b9f2ce2796
Fix loading of .woff2 files in .htaccess
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-11-18 11:02:20 +01:00
Morris Jobke df6e9109c8
Merge pull request #11396 from nextcloud/wellknown-webfinger
adding .well-known/webfinger
2018-10-24 14:51:15 +02:00
Patrik Kernstock 8cdd906d66 Add "Referrer-Policy" to htaccess file, addresses issue #11099
Signed-off-by: Patrik Kernstock <info@pkern.at>
2018-10-11 19:44:05 +02:00
Maxence Lange 6642efa7f4 adding .well-known/webfinger
Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
2018-10-10 13:01:23 +02:00
Morris Jobke de56915605
Merge pull request #7419 from Abijeet/feature-7175
Fixes #7175 - Allow to search for email address in user management
2018-03-06 21:53:37 +01:00
Dan Callahan 8797590099
Correct mistaken regex wildcard in .htaccess
Fixes #8578

Signed-off-by: Dan Callahan <dan.callahan@gmail.com>
2018-02-28 13:50:54 +00:00
Robert Scheck 7583615bab Handle SSL certificate verifications for others than Let's Encrypt
Do no longer (wrongly) rewrite URLs like

  * http://example.net/.well-known/pki-validation/file.txt (Comodo)
  * http://example.net/.well-known/pki-validation/fileauth.txt (DigiCert, Thawte, GeoTrust)
  * http://example.net/.well-known/pki-validation/gsdv.txt (GlobalSign)
  * http://example.net/.well-known/pki-validation/starfield.htm (Starfield, GoDaddy)
  * http://example.net/.well-known/pki-validation/swisssign-check.txt (SwissSign)

for automated SSL certificate verifications. All (common commercial)
certificate authorities (CA) except Let's Encrypt (via ACME) seem to
use "pki-validation" rather "acme-challenge" for their domain control
validation (DCV).

Signed-off-by: Robert Scheck <robert@fedoraproject.org>
2018-02-05 15:33:42 +01:00
Abijeet ac14d02e1e Added newline to end of htaccess file
Signed-off-by: Abijeet <abijeetpatro@gmail.com>
2017-12-18 21:40:02 +05:30
Abijeet ec28c54dbc Adds search by email function on the users screen.
Fixes #7175.

- Updated the query to fetch the users in users > everyone tab.
- Updated the query to fetch the users in users > admin tab.
- Tested to ensure that the disabled users are also being fetched.
- Added test cases.

Signed-off-by: Abijeet <abijeetpatro@gmail.com>
2017-12-16 17:18:05 +05:30
Lukas Reschke bff6c8aafc
Move X-Frame-Options into PHP
The public calendar view should be embeddable and we can't do that if the .htaccess sets a global X-Frame-Options.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-26 17:26:11 +02:00
Flole998 075d39e61a Fix for Win Clients sometimes not connecting
Fix for Win Clients sometimes not connecting
2017-02-03 23:47:18 +01:00
Jörn Friedrich Dreyer 9802c5cdd8
Cache js, css and woff files for a week (#26591)
increases the cache duration for css and js files from 2 hours to half a year. Should they change the versionhash changes as well and a new file is fetched. Half a year should be long enough for oc updates.

Also allows caching woff files for 7 days. Currently, there is no versionhash available, but pressing F5 will also refresh the woff files.
2016-11-14 16:52:28 +01:00
Joas Schilling a3c8534b7b
Make sure memory limit is > post size and upload filesize 2016-09-13 16:50:36 +02:00
Lukas Reschke 35743c187d
Also cache WOFF, SVG and GIF 2016-08-08 17:39:53 +02:00
Martin 1059315e09 .htaccess update making two rules non-capturing 2016-06-03 16:34:26 +02:00
Lukas Reschke 52add798d4 Do not automatically try to enable index.php-less URLs (#24539)
The current logic for mod_rewrite relies on the fact that people have properly configured ownCloud, basically it reads from the `overwrite.cli.ur
l` entry and then derives the `RewriteBase` from it.

This usually works. However, since the ownCloud packages seem to install themselves at `/owncloud` (because subfolders are cool or so…) _a lot_ of people have just created a new Virtual Host for it or have simply symlinked the path etc.

This means that `overwrite.cli.url` is wrong, which fails hard if it is used as RewriteBase since Apache does not know where it should serve files from. In the end the ownCloud instance will not be accessible anymore and users will be frustrated. Also some shared hosters like 1&1 (because using shared hosters is so awesome… ;-)) have somewhat dubious Apache configurations or use versions of mod_rewrite from the mediveal age. (because updating is money or so…)

Anyhow. This makes this explicitly an opt-in configuration flag. If `htaccess.RewriteBase` is set then it will configure index.php-less URLs, if
admins set that after installation and don't want to wait until the next ownCloud version they can run `occ maintenance:update:htaccess`.

For ownCloud 9.0 we also have to add a repair step to make sure that instances that already have a RewriteBase configured continue to use it by copying it into the config file. That way all existing URLs stay valid. That one is not in this PR since this is unneccessary in master.

Effectively this reduces another risk of breakage when updating from ownCloud 8 to ownCloud 9.

Fixes https://github.com/owncloud/core/issues/24525, https://github.com/owncloud/core/issues/24426 and probably some more.
2016-05-12 09:43:26 +02:00
Lukas Reschke 24abe1e1e1 Use raw PATH_INFO
PATH_INFO will be empty at this point and thus the logic in base.php did not catch this. Changing this to "getRawPathInfo" will ensure that the path info is properly read.

Fixes https://github.com/owncloud/core/issues/23199
2016-03-17 17:32:38 +01:00
Lukas Reschke ee84017192 always_populate_raw_post_data has been removed with PHP 7.0 2016-03-15 11:28:14 +01:00
Lukas Reschke 2cfde7cd0b Duplicate block for PHP 7 2016-03-15 10:41:17 +01:00
Stephan Köninger 73a7c45dd4 Allow jpg files to be statically served
When using an background image in themes of type JPG, the current setting of owncloud's htaccess file does not allow to deliver these kinds of images as static content. Adding the file extensions as done in this commit, it works flawlessly.
2016-03-10 23:08:56 +01:00
Lukas Reschke bc4a043a76 Add base rewrite rule only when RewriteBase is defined
In case Apache is configured with an `Alias` such as with the ownCloud packages the rewrite rules will fail when no valid RewriteBase is configured.
2016-03-09 15:13:07 +01:00
Lukas Reschke 0a624c0f1e Exclude ocs-provider from rewrite rule
Otherwise `localhost/ocs-provider/` cannot be accessed if mod_rewrite is install
ed. Only affects master.
2016-02-25 18:47:09 +01:00
Thomas Müller e6a1e78149 Merge pull request #18194 from RealRancor/proxy_fcgi
Add mod_proxy_fcgi to .htaccess
2016-02-05 13:29:41 +01:00
Victor Dubiniuk 4ced903427 Do not rewrite updater requests 2016-01-28 20:04:56 +03:00
Lukas Reschke 4d0dcd3c53 Add X-Download-Options and X-Permitted-Cross-Domain-Policies
Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
2016-01-12 10:37:16 +01:00
Lukas Reschke 28165876fc Remove CSP stuff from .htaccess
😢 Seems like Apache is inconsistent fun between versions. Let's remove it thus for now.
2016-01-08 11:31:42 +01:00
Jörn Friedrich Dreyer 047008e9e3 always check if the csp is empty 2016-01-08 11:08:38 +01:00
Lukas Reschke 1ae30d1d9c Use setifempty to please incompatible httpd versions
Some httpd versions have problem with the old logic leading to resourced served with multiple headers.
2016-01-08 11:08:37 +01:00
Thomas Müller e307406486 Merge pull request #20966 from knox/master
Do not rewrite letsencrypt .well-known URI
2016-01-07 17:16:51 +01:00
Morris Jobke 2f53866668 Allow ico files to be served statically 2016-01-06 13:45:11 +01:00
mbi 63974992f9 Merge branch 'master' into master 2015-12-30 10:34:42 +01:00
Thomas Müller f831d93f3f Merge pull request #20878 from owncloud/proper-htaccess-support-in-code-signing-checker
Also run .htaccess routine when installing on another system than Apache
2015-12-11 11:46:37 +01:00
mbi 1aff941be6 Do not rewrite letsencrypt .well-known URI 2015-12-08 21:11:38 +01:00
mbi 508c46a112 Merge branch 'master' into master 2015-12-08 21:02:52 +01:00
Lukas Reschke 235094ab54 Remove version check out of .htaccess
This can now be achieved using the new code signing.
2015-12-08 08:16:23 +01:00
Lukas Reschke 3bce1b20fe Add DirectorySlash to dynamic .htaccess write
When `DirectorySlash off` is set then Apache will not lookup folders anymore. This is required for example when we use the rewrite directives on an existing path such as  `/core/search`. By default Apache would load `/core/search/` instead `/core/search` so the redirect would fail here.

This leads however to the problem that URLs such as `localhost/owncloud` would not load anymore while `localhost/owncloud/` would. This has caused problems such as https://github.com/owncloud/core/pull/21015

With this change we add the `DirectorySlash off` directive only when the `.htaccess` is writable to the dynamic part of it. This would also make `localhost/owncloud` work again as it would trigger the 404 directive which triggers the redirect in base.php.
2015-12-08 08:10:55 +01:00
Lukas Reschke 37efc1d1e1 Allow .ico files
Makes `/core/img/favicon.ico` accessible again via web.
2015-12-07 17:15:04 +01:00
Lukas Reschke 7b9bc721e9 Add CSP header to static resources
Fixes https://github.com/owncloud/core/issues/16164
2015-12-07 15:50:09 +01:00
mbi 27f420e0a7 Allow .well-known URI for letsencrypt
See https://letsencrypt.readthedocs.org/en/latest/using.html#webroot
2015-12-05 23:22:26 +01:00
Morris Jobke 65b4d97a2a fix indentation 2015-12-02 10:51:52 +01:00
Lukas Reschke a936107c5c Append PATH_INFO to ensure that file can be loaded on update 2015-12-01 20:15:45 +01:00