Commit Graph

1763 Commits

Author SHA1 Message Date
Robin Appelman 29213b6136 extends memcache with add, inc and dec 2015-04-30 14:48:36 +02:00
Joas Schilling cf4a6874fb Allow setting protected properties 2015-04-30 12:04:02 +02:00
Joas Schilling 09d479e79d Add a test to share a subfolder of a folder shared with the owner by group 2015-04-29 13:33:20 +02:00
Morris Jobke 8c7db2536d Merge pull request #15596 from owncloud/issue/15589
Correctly generate the feedback URL for remote share
2015-04-29 10:52:43 +02:00
Morris Jobke 7df7a3b360 Merge pull request #15906 from rullzer/fix_15777
Password set via OCS API should not be double escaped
2015-04-29 10:44:25 +02:00
Lukas Reschke 34d0e610cc Filter potential dangerous filenames for avatars
We don't want to have users misusing this API resulting in a potential file disclosure of "avatar.(jpg|png)" files.
2015-04-28 16:57:23 +02:00
Joas Schilling b55ef51a27 Add tests for the correct share id on the call aswell 2015-04-28 14:56:13 +02:00
Roeland Jago Douma 02269b6464 Added unit test 2015-04-28 14:00:36 +02:00
Joas Schilling 02c60949dd make scrutinizer happy 2015-04-28 11:28:54 +02:00
Joas Schilling d146c13abd Add tests for the remote sharing url 2015-04-28 11:28:54 +02:00
Morris Jobke de8c15e1a4 Merge pull request #14764 from owncloud/shared-etag-propagate
Propagate etags across shared storages
2015-04-28 10:58:50 +02:00
Thomas Müller 7d0eba7a41 Merge pull request #15886 from owncloud/fix-15848-master
Adjust isLocal() on encryption wrapper
2015-04-27 15:06:26 +02:00
Thomas Müller 678b7d7e4d Merge pull request #15860 from owncloud/enc_fallback_old_encryption
[encryption] handle encrypted files correctly which where encrypted with a old version of ownCloud (<=oc6)
2015-04-27 14:32:19 +02:00
Thomas Müller 936d564058 fixes #15848 2015-04-27 14:26:05 +02:00
Robin Appelman 6bf0579622 fix test 2015-04-27 14:07:16 +02:00
Robin Appelman be55a90323 dont use our now non existing hook 2015-04-27 14:07:15 +02:00
Bjoern Schiessle 27683f9442 fall back to the ownCloud default encryption module and aes128 if we read a encrypted file without a header 2015-04-27 13:01:18 +02:00
Joas Schilling 8f61fbb81f Fix new tests 2015-04-27 11:10:31 +02:00
Joas Schilling d600955a51 Make getDefaultModuleId public and get module protected 2015-04-27 11:03:51 +02:00
Joas Schilling 4e97228cde Deduplicate module mock 2015-04-27 11:03:51 +02:00
Joas Schilling 4b7ae395f2 Add test for setDefaultEncryptionModule 2015-04-27 11:03:51 +02:00
Joas Schilling b35379515c Add a test that the default module is returned before we fall back 2015-04-27 11:03:50 +02:00
Lukas Reschke 4dfdaf741c Merge pull request #15834 from owncloud/make-temporary-file-really-unique
Fix collision on temporary files + adjust permissions
2015-04-25 23:18:26 +02:00
Lukas Reschke b9df932e3c Merge pull request #15683 from owncloud/block-legacy-clients
Block old legacy clients
2015-04-24 18:21:10 +02:00
Bjoern Schiessle 9a5783b284 fix unit tests 2015-04-24 16:47:27 +02:00
jknockaert 4554df2512 enable testWriteWriteRead 2015-04-24 16:44:00 +02:00
jknockaert 18a1225b0c enable testRewind 2015-04-24 16:44:00 +02:00
jknockaert 27ea23ea6b Update encryption.php 2015-04-24 16:44:00 +02:00
jknockaert d6841aa706 disable r+ test 2015-04-24 16:44:00 +02:00
jknockaert 7a34f75da6 add two tests
testRewind tests reading and writing after rewind on an encrypted stream; testWriteWriteRead tests r+ mode
2015-04-24 16:44:00 +02:00
Joas Schilling 4334e77035 Merge pull request #15839 from owncloud/enc_fix_moving_shared_files
[encryption] fix moving files to a shared folder
2015-04-24 15:07:36 +02:00
Joas Schilling 411f7893bf Add test "operation on keys failed" 2015-04-24 14:27:23 +02:00
Joas Schilling 781cfff221 Deduplicate data provider and fix method visibility 2015-04-24 13:12:45 +02:00
Bjoern Schiessle 24128d1384 only update share keys if the file was encrypted 2015-04-24 10:19:09 +02:00
Bjoern Schiessle 2646bccb83 update share keys if file gets copied 2015-04-23 17:18:48 +02:00
Bjoern Schiessle 2990b0e07e update share keys if a file is moved to a shared folder 2015-04-23 17:18:48 +02:00
Lukas Reschke ab9ea97d3a Catch not existing User-Agent header
In case of an not sent UA header consider the client as valid
2015-04-23 16:33:51 +02:00
Lukas Reschke 155ae44bc6 Fix collision on temporary files + adjust permissions
This changeset hardens the temporary file and directory creation to address multiple problems that may lead to exposure of files to other users, data loss or other unexpected behaviour that is impossible to debug.

**[CWE-668: Exposure of Resource to Wrong Sphere](https://cwe.mitre.org/data/definitions/668.html)**
The temporary file and folder handling as implemented in ownCloud is performed using a MD5 hash over `time()` concatenated with `rand()`. This is insufficiently and leads to the following security problems:
The generated filename could already be used by another user. It is not verified whether the file is already used and thus temporary files might be used for another user as well resulting in all possible stuff such as "user has file of other user".

Effectively this leaves us with:

1. A timestamp based on seconds (no entropy at all)
2. `rand()` which returns usually a number between 0 and 2,147,483,647

Considering the birthday paradox and that we use this method quite often (especially when handling external storage) this is quite error prone and needs to get addressed.

This behaviour has been fixed by using `tempnam` instead for single temporary files. For creating temporary directories an additional postfix will be appended, the solution is for directories still not absolutely bulletproof but the best I can think about at the moment. Improvement suggestions are welcome.

**[CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)**

Files were created using `touch()` which defaults to a permission of 0644. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is no a high severe issue. Permissions have been adjusted to 0600.

**[CWE-379: Creation of Temporary File in Directory with Incorrect Permissions](https://cwe.mitre.org/data/definitions/379.html)**

Files were created using `mkdir()` which defaults to a permission of 0777. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is no a high severe issue. Permissions have been adjusted to 0700.Please enter the commit message for your changes.
2015-04-23 15:07:54 +02:00
Vincent Petry b88d0ba0ac Delete temp files after testing encryption stream wrapper 2015-04-23 13:42:18 +02:00
Lukas Reschke ed0b465cf9 Use 403 instead a 50x response 2015-04-20 12:53:40 +02:00
Lukas Reschke 4ea205e262 Block old legacy clients
This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance.

This has multiple reasons:

1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse
2. Old ownCloud client versions tend to be horrible buggy

In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-20 11:12:17 +02:00
Georg Ehrke 8f51efc49e get rid of OC_Geo 2015-04-19 20:16:56 +02:00
Morris Jobke 758b2332f0 Use data provider instead of hand-crafted for loops
* reduces scrutinizer complains
* uses PHPUnit functionality
2015-04-18 15:19:33 +02:00
Bjoern Schiessle 7d4b1b52d0 always create a new instance of the encryption module 2015-04-17 10:31:33 +02:00
Bjoern Schiessle b25c06f576 detect system wide mount points correctly 2015-04-16 14:15:04 +02:00
Bjoern Schiessle e3d77c4b01 add migration script from old encryption to new one 2015-04-16 14:15:04 +02:00
Vincent Petry 903d52d45f Merge pull request #15809 from owncloud/view-null-root
dont allow using null as view root
2015-04-22 18:10:26 +02:00
Robin Appelman e302213248 add unit tests for null handling in view 2015-04-22 16:24:25 +02:00
Thomas Müller 225cde2183 pass KeyStorage via ctor 2015-04-22 13:09:42 +02:00
Thomas Müller 987bc138df calling renameKeys() on directory level as well - fixes #15778 2015-04-22 12:12:27 +02:00
Thomas Müller fc4127dd62 add $encryptionModuleId to methods of Keys/IStorage 2015-04-22 11:53:05 +02:00
Björn Schießle 570718fb6b Merge pull request #15757 from owncloud/enc-fixfeofforlastblock
Fix encryption feof to not return too early
2015-04-22 11:32:21 +02:00
Bjoern Schiessle 19e8c4fcb1 get dirname from sharePath 2015-04-21 14:58:01 +02:00
Vincent Petry 76dad297ff Fix encryption feof to not return too early
This is because stream_read will pre-cache the next block which causes
feof($this->source) to return true prematurely. So we cannot rely on it.

Fixed encryption stream wrapper unit tests to actually simulate 6k/8k
blocks to make sure we cover the matching logic.

Added two data files with 8192 and 8193 bytes.
2015-04-20 18:32:40 +02:00
Lukas Reschke fe2cbc3795 Merge pull request #15744 from owncloud/fix-inverted-path-in-resourcenotfound
Fix wrong path generation
2015-04-20 16:55:36 +02:00
Lukas Reschke 9bc48451b9 Adjust tests and statuscode 2015-04-20 13:00:02 +02:00
Lukas Reschke 21f0476d31 Fix files 2015-04-20 13:00:02 +02:00
Lukas Reschke 9f61cf60d4 Verify if returned object is an array
The error has to be thrown at this point as otherwise errors and notices are thrown since the time cannot be parsed in L60 and L61
2015-04-20 12:58:57 +02:00
Joas Schilling ddcd79132d Add tests for correct path 2015-04-20 12:31:35 +02:00
Joas Schilling 0cf13e9b78 Fix phpStorm complains and namespace 2015-04-20 12:31:07 +02:00
Morris Jobke e33e5b425a Merge pull request #12006 from owncloud/dav-put-storage
Work directly on the storage when uploading over webdav
2015-04-15 03:08:52 +02:00
Thomas Müller 1aa368effe Merge pull request #15592 from owncloud/fix-15590-master
Avoid php message "Invalid argument supplied for foreach()"
2015-04-15 00:14:08 +02:00
Björn Schießle 4f0437fbde Merge pull request #15598 from owncloud/fix-enc-file-size-master
Fix file size of encrypted files
2015-04-14 16:48:04 +02:00
Morris Jobke 717723b83e Remove unneeded comments 2015-04-14 16:44:24 +02:00
Robin Appelman 308af8b909 pass a stream to the tests 2015-04-14 15:25:52 +02:00
Morris Jobke 82cab25762 Merge pull request #13360 from owncloud/cross-storage-move
Proper copy/move between multiple local storages
2015-04-14 14:35:08 +02:00
Thomas Müller cbe30f740e remove calculateUnencryptedSize() - not needed 2015-04-14 13:08:59 +02:00
Thomas Müller 88cc52c408 Avoid php message "Invalid argument supplied for foreach()" - refs #15590 2015-04-14 11:00:20 +02:00
Morris Jobke 5f66f867b6 Merge pull request #15581 from owncloud/deduplicate-oc-repair-namespace
Fix namespace duplication and other issues in repairlegacystorages
2015-04-13 21:51:38 +02:00
Robin Appelman 01da6be4d6 upda tests 2015-04-13 17:10:02 +02:00
Robin Appelman d7b3a1a35a preserve cache data when doing a cross storage move 2015-04-13 17:10:01 +02:00
Joas Schilling 71de1d58cd Fix namespace duplication and other issues in repairlegacystorages 2015-04-13 16:34:10 +02:00
Robin Appelman 0772e3b4c1 Properly handle copy/move failures in cross storage copy/move 2015-04-13 15:13:03 +02:00
Robin Appelman 31e94708f8 Improve cross storage copy between local storages 2015-04-13 15:13:02 +02:00
Vincent Petry 2822d0579e Properly add trailing slash to mount point
Fixes resolving mount points when shared mount point's target name has
the same prefix as the source name
2015-04-13 12:36:47 +02:00
Thomas Müller 906b6b7337 Prevent php message: "Trying to get property of non-object at /xxx/lib/private/ocsclient.php#282" 2015-04-13 09:43:45 +02:00
Lukas Reschke 84041a4fa2 Merge pull request #15541 from owncloud/add-reply-to-support
Add "Reply-To" support for sharing mails as well as refactor code and add unit-tests
2015-04-12 22:30:35 +02:00
Lukas Reschke e3ad99d252 Add "Reply-To" support to sharing mails and refactor code 2015-04-10 17:30:07 +02:00
Jörn Friedrich Dreyer fafecd1c05 fix cherrypicking 2015-04-10 11:08:24 +02:00
Jörn Friedrich Dreyer a85bc5538f fix filesystem and encryption tests
Conflicts:
	apps/files_encryption/lib/util.php
	apps/files_encryption/tests/hooks.php
2015-04-10 09:12:37 +02:00
Thomas Müller 5abbf6d5b0 Merge pull request #13920 from owncloud/sharing_no_user_entry_for_group_shares
only create a db entry for the user in case of a name conflict on group share
2015-04-09 23:37:02 +02:00
Lukas Reschke 0bad8f644a Merge pull request #15511 from owncloud/fix-typos
Fix typos and some other adjustments
2015-04-09 19:23:27 +02:00
Thomas Müller 06a5a9d0c2 Fix mock object to return proper type 2015-04-09 18:30:45 +02:00
Thomas Müller 11c3741526 Fix mock object to return proper type 2015-04-09 17:45:57 +02:00
Robin Appelman cbcee34eb0 update tests 2015-04-09 14:46:25 +02:00
Thomas Müller 1d9bd3d31e Merge pull request #15496 from owncloud/enc-check-if-key-exists-before-deleting
Check if the key exists, before trying to delete it
2015-04-09 14:45:40 +02:00
Bjoern Schiessle 332ea77865 only create a db entry for the user in case of a name conflict on group share 2015-04-09 11:16:08 +02:00
Joas Schilling 45575d0135 Check if the key exists, before trying to delete it 2015-04-09 10:28:02 +02:00
Lukas Reschke ba52f6f8fc Merge pull request #15314 from owncloud/app-categories-15274
Add different trust levels to AppStore interface
2015-04-09 10:07:32 +02:00
Morris Jobke 9c76d068c3 Merge pull request #15196 from owncloud/limit-file-activities-to-favorites
Limit file activities to favorites
2015-04-09 00:18:31 +02:00
Morris Jobke 103d451459 Merge pull request #14987 from rullzer/ocs_password_fix2
OCS Fixes to allow setting of password without removing additional settings
2015-04-08 14:44:17 +02:00
Vincent Petry f8cfc03f36 Replace originalStorage in tests with a proper teardown
The purpose of $originalStorage in unit tests was to remount the old
root.
However that storage itself is already wrapped by storage wrapper, so
remounting it would rewrap the storage several times.

This fix makes use of "loginAsUser()" and "logout()" from the TestCase
class to properly initialize and cleanup the FS as expected.
2015-04-08 12:45:38 +02:00
Morris Jobke 6c327f8331 Merge pull request #14879 from oparoz/fix-preview-caching
Introducing the maximum size preview
2015-04-07 18:16:24 +02:00
Olivier Paroz 74bf9806b0 Introducing the maximum size preview
The first time we're asked to generate a preview we'll generate one of the maximum dimension indicated in the configuration and all future resizing requests will be done on that preview in order to not waste time converting the same file over and over.

One of the fixes required for #12465
2015-04-07 16:45:59 +02:00
Thomas Müller 2d2cb09715 fixing unit test - expected value change due to different size being stored in cache table 2015-04-07 14:30:01 +02:00
Thomas Müller 54a3bdf1c5 fixing unit test execution related to trashbin 2015-04-07 13:30:31 +02:00
Thomas Müller 268d346b36 fixing unit tests 2015-04-07 13:30:31 +02:00
Thomas Müller fce42a3161 fixing unit test execution - test dummy module was behaving wrong 2015-04-07 13:30:31 +02:00
Thomas Müller 870c53ee37 fixing unit test execution 2015-04-07 13:30:31 +02:00
Bjoern Schiessle 3d7404fe68 add unit tests to the keystorage 2015-04-07 13:30:31 +02:00