Commit Graph

3557 Commits

Author SHA1 Message Date
Lukas Reschke 64393b4c03 Remove PHP 5.4 warning in checkSetup
This is catched in index.php as older PHP versions will never execute the code path until there due to 5.4 syntax changes.
2015-05-04 17:11:17 +02:00
Thomas Müller 08b98a8ede Merge pull request #16042 from owncloud/fix-output-buffering
Remove hard-dependency on disabled output_buffering
2015-05-04 16:43:32 +02:00
Lukas Reschke 5c7d15b941 Merge pull request #16043 from owncloud/activity-288-log-entry-when-no-favorite
Fix undefined variable $tagId
2015-05-04 16:22:21 +02:00
Joas Schilling 50f6386c63 Fix undefined variable $tagId 2015-05-04 16:19:26 +02:00
Joas Schilling 59c657da53 Merge pull request #15772 from owncloud/issue-15771-dont-restrict-permissions-for-share-owner
Do not restrict permissions for the original owner
2015-05-04 15:07:37 +02:00
Lukas Reschke 4b9e034968 Remove hard-dependency on disabled output_buffering
This removes the hard-dependency on output buffering as requested at https://github.com/owncloud/core/issues/16013 since a lot of distributions such as Debian and Ubuntu decided to use `4096` instead of the PHP recommended and documented default value of `off`.

However, we still should encourage disabling this setting for improved performance and reliability thus the setting switches in `.user.ini` and `.htaccess` are remaining there. It is very likely that we in other cases also should disable the output buffering but aren't doing it everywhere and thus causing memory problems.

Fixes https://github.com/owncloud/core/issues/16013
2015-05-04 14:15:15 +02:00
Thomas Müller 4de45b5e61 Merge pull request #15958 from owncloud/usage-of-public-log-interface
Use internally \OCP\ILogger instead of \OC\Log
2015-05-04 09:13:26 +02:00
Morris Jobke cd516eedcd Use OC.Notification for update notifications
* instead of a static rendering inside PHP use the
  JS OC.Notification.showTemporary to hide the
  notification after 7 seconds automatically
* fixes #14811
2015-05-03 17:26:03 +02:00
Lukas Reschke 6738c17cb5 Add proper versioning for doc URL
As per 8.1 we have docs for minor versions as well so we need to link to `8.1` here instead to `8.0`.

Fixes https://github.com/owncloud/core/issues/16002
2015-05-02 21:05:11 +02:00
Thomas Müller 6b691e3840 Merge pull request #15937 from owncloud/file-locking
Add memcache based shared/exclusive locking
2015-05-01 17:47:23 +02:00
jknockaert f5415653fd fix #15973
Rework of stream_seek handling; there where basically two bugs: 1. seeking to the end of the current file would fail (with SEEK_SET); and 2. if seeking to an undefined position (outside 0,unencryptedSize) then newPosition was not defined. I used the opportunity to simplify the code.
2015-04-30 17:10:18 +02:00
Robin Appelman ba7d221cff allow getting the path from the lockedexception 2015-04-30 14:48:42 +02:00
Robin Appelman a40a237441 use trait for cas polyfill for xcache 2015-04-30 14:48:39 +02:00
Robin Appelman 96f9573a4b add memcache based shared/exclusive locking 2015-04-30 14:48:39 +02:00
Robin Appelman acf30ede95 add compare and swap to memcache 2015-04-30 14:48:39 +02:00
Robin Appelman 29213b6136 extends memcache with add, inc and dec 2015-04-30 14:48:36 +02:00
Bernhard Posselt 360d0e3e5e fix #15962 2015-04-30 12:44:45 +02:00
Morris Jobke fbba7a61cb Use internally \OCP\ILogger instead of \OC\Log
* this is the preparation for some upcoming logger related changes
* also fixes an issue in the public interface where we request
  an internal class as parameter
2015-04-30 11:52:30 +02:00
Thomas Müller d308ec4f0e Merge pull request #15949 from owncloud/l10n-string-json
Implement json serialize for l10n string
2015-04-30 11:11:16 +02:00
Bernhard Posselt 1e58538f0e add aliases to pascal case constructor paramters to make it possible to auto assemble controllers 2015-04-29 22:29:45 +02:00
Bernhard Posselt 5b857a6eab implement json serialize for l10n string 2015-04-29 21:22:42 +02:00
Joas Schilling f524ae261a Ignore "parent" shares when the sharee is the owner of the reshare-source 2015-04-29 14:18:46 +02:00
Joas Schilling 3c37cbdfe7 Correctly select file cache values also when checking group shares 2015-04-29 14:12:12 +02:00
Morris Jobke 8c7db2536d Merge pull request #15596 from owncloud/issue/15589
Correctly generate the feedback URL for remote share
2015-04-29 10:52:43 +02:00
Morris Jobke 7df7a3b360 Merge pull request #15906 from rullzer/fix_15777
Password set via OCS API should not be double escaped
2015-04-29 10:44:25 +02:00
Lukas Reschke 34d0e610cc Filter potential dangerous filenames for avatars
We don't want to have users misusing this API resulting in a potential file disclosure of "avatar.(jpg|png)" files.
2015-04-28 16:57:23 +02:00
Joas Schilling 2eecfcbb80 Fix scrutinizer complains and return type doc 2015-04-28 11:28:55 +02:00
Joas Schilling 9fb7d0bca9 Correctly remove the protocol before prepeding it 2015-04-28 11:28:54 +02:00
Joas Schilling 8f7c64253e Correctly generate the feedback URL for remote share
The trailing slash was added in c78e3c4a7f
to correctly generate the encryption keys
2015-04-28 11:28:54 +02:00
Morris Jobke de8c15e1a4 Merge pull request #14764 from owncloud/shared-etag-propagate
Propagate etags across shared storages
2015-04-28 10:58:50 +02:00
Morris Jobke b4a15db046 Merge pull request #15901 from owncloud/fix-share-docs
fix several issues with doc blocks on share.php
2015-04-28 10:41:04 +02:00
Roeland Jago Douma 73bb3a22f6 Password set via OCS API should not be double escaped 2015-04-28 10:33:19 +02:00
Joas Schilling 7c65448377 Fix return type of the getRootFolder() method 2015-04-28 09:36:29 +02:00
Joas Schilling 46083006e1 fix several issues with doc blocks on share.php 2015-04-28 08:40:47 +02:00
Thomas Müller eb0e9e5646 Merge pull request #15890 from owncloud/fix-helper-docs
Fix several type(hint) errors in private/helper.php
2015-04-27 15:28:50 +02:00
Thomas Müller 7d0eba7a41 Merge pull request #15886 from owncloud/fix-15848-master
Adjust isLocal() on encryption wrapper
2015-04-27 15:06:26 +02:00
Joas Schilling db6395ae20 Fix several type(hint) errors in private/helper.php 2015-04-27 14:45:05 +02:00
Thomas Müller 678b7d7e4d Merge pull request #15860 from owncloud/enc_fallback_old_encryption
[encryption] handle encrypted files correctly which where encrypted with a old version of ownCloud (<=oc6)
2015-04-27 14:32:19 +02:00
Thomas Müller 936d564058 fixes #15848 2015-04-27 14:26:05 +02:00
Morris Jobke 93c25a1f4a Merge pull request #15882 from owncloud/fix-type-annotation
Fix type annotation
2015-04-27 14:17:59 +02:00
Robin Appelman 2e897f05b1 triger propagation for webdav uploads
use post hooks for share etag propagator
2015-04-27 14:07:16 +02:00
Robin Appelman 45784f213f fix propagation when renaming a directly reshared folder 2015-04-27 14:07:16 +02:00
Robin Appelman 30ad56813a propagate etags for all user of a share 2015-04-27 14:07:15 +02:00
Robin Appelman 518d5aadf5 Allow getting *all* share entries owned by a user 2015-04-27 14:07:15 +02:00
Robin Appelman 849e5521de Make the change propagator an emitter 2015-04-27 14:07:15 +02:00
Thomas Müller cc331609bf Merge pull request #15411 from mmattel/fix_for_15375_better_message_text
Improve error messge text for app upgrade try (#15375)
2015-04-27 13:38:16 +02:00
Lukas Reschke d0363fe396 Fix type annotation
Obviously should be an int
2015-04-27 13:31:18 +02:00
Bjoern Schiessle 27683f9442 fall back to the ownCloud default encryption module and aes128 if we read a encrypted file without a header 2015-04-27 13:01:18 +02:00
Joas Schilling d600955a51 Make getDefaultModuleId public and get module protected 2015-04-27 11:03:51 +02:00
Joas Schilling a09df6d453 Verify that the encryption module exists before setting it 2015-04-27 11:03:50 +02:00
Lukas Reschke 4dfdaf741c Merge pull request #15834 from owncloud/make-temporary-file-really-unique
Fix collision on temporary files + adjust permissions
2015-04-25 23:18:26 +02:00
Lukas Reschke b9df932e3c Merge pull request #15683 from owncloud/block-legacy-clients
Block old legacy clients
2015-04-24 18:21:10 +02:00
Bjoern Schiessle 9a5783b284 fix unit tests 2015-04-24 16:47:27 +02:00
jknockaert 49df8ef525 Update encryption.php 2015-04-24 16:44:00 +02:00
jknockaert 238302ee7d fixed name 2015-04-24 16:44:00 +02:00
jknockaert 1756562501 Update encryption.php 2015-04-24 16:44:00 +02:00
jknockaert 735f6cc037 fix encryption header error
When moving back the pointer to position 0 (using stream_seek), the pointer on the encrypted stream will be moved to the position immediately after the header. Reading the header again (invoked by stream_read) will cause an error, writing the header again (invoked by stream_write) will corrupt the file. Reading/writing the header should therefore happen when opening the file rather than upon read or write. Note that a side-effect of this PR is that empty files will still get an encryption header; I think that is OK, but it is different from how it was originally implemented.
2015-04-24 16:43:16 +02:00
Joas Schilling 4334e77035 Merge pull request #15839 from owncloud/enc_fix_moving_shared_files
[encryption] fix moving files to a shared folder
2015-04-24 15:07:36 +02:00
Joas Schilling 1592be117a Use public interfaces for type hinting 2015-04-24 13:06:03 +02:00
Bjoern Schiessle 24128d1384 only update share keys if the file was encrypted 2015-04-24 10:19:09 +02:00
Bjoern Schiessle 2646bccb83 update share keys if file gets copied 2015-04-23 17:18:48 +02:00
Bjoern Schiessle 2990b0e07e update share keys if a file is moved to a shared folder 2015-04-23 17:18:48 +02:00
Thomas Müller b1bb6a3d36 Ignore test folders when checking the code for compliance 2015-04-23 16:59:26 +02:00
Lukas Reschke ab9ea97d3a Catch not existing User-Agent header
In case of an not sent UA header consider the client as valid
2015-04-23 16:33:51 +02:00
Lukas Reschke 155ae44bc6 Fix collision on temporary files + adjust permissions
This changeset hardens the temporary file and directory creation to address multiple problems that may lead to exposure of files to other users, data loss or other unexpected behaviour that is impossible to debug.

**[CWE-668: Exposure of Resource to Wrong Sphere](https://cwe.mitre.org/data/definitions/668.html)**
The temporary file and folder handling as implemented in ownCloud is performed using a MD5 hash over `time()` concatenated with `rand()`. This is insufficiently and leads to the following security problems:
The generated filename could already be used by another user. It is not verified whether the file is already used and thus temporary files might be used for another user as well resulting in all possible stuff such as "user has file of other user".

Effectively this leaves us with:

1. A timestamp based on seconds (no entropy at all)
2. `rand()` which returns usually a number between 0 and 2,147,483,647

Considering the birthday paradox and that we use this method quite often (especially when handling external storage) this is quite error prone and needs to get addressed.

This behaviour has been fixed by using `tempnam` instead for single temporary files. For creating temporary directories an additional postfix will be appended, the solution is for directories still not absolutely bulletproof but the best I can think about at the moment. Improvement suggestions are welcome.

**[CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)**

Files were created using `touch()` which defaults to a permission of 0644. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is no a high severe issue. Permissions have been adjusted to 0600.

**[CWE-379: Creation of Temporary File in Directory with Incorrect Permissions](https://cwe.mitre.org/data/definitions/379.html)**

Files were created using `mkdir()` which defaults to a permission of 0777. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is no a high severe issue. Permissions have been adjusted to 0700.Please enter the commit message for your changes.
2015-04-23 15:07:54 +02:00
Martin 676e86b314 Improve error messge text for app upgrade try (#15375) 2015-04-22 13:24:11 +02:00
Morris Jobke 3e8f6cdba9 Merge pull request #15635 from owncloud/issue/15634-empty-txt-previews
Scale up the font on larger previews
2015-04-20 15:55:32 +02:00
Morris Jobke ce2c8533d9 Merge pull request #15735 from owncloud/fix-visibility
Fix visibility of interfaces in \OCP
2015-04-20 14:39:15 +02:00
Lukas Reschke 3959f8ac4e Merge pull request #15637 from owncloud/migrate-certificate-stuff
Migrate personal certificate handling to AppFramework controllers
2015-04-20 13:56:35 +02:00
Lukas Reschke e9d6807c5c Merge pull request #15733 from owncloud/remove-oc_backgroundjob
Removed OC_BackgroundJob - reduce class overhead
2015-04-20 13:17:58 +02:00
Lukas Reschke 1cc2aefa46 Proper return types 2015-04-20 13:00:02 +02:00
Lukas Reschke 9f61cf60d4 Verify if returned object is an array
The error has to be thrown at this point as otherwise errors and notices are thrown since the time cannot be parsed in L60 and L61
2015-04-20 12:58:57 +02:00
Lukas Reschke ed0b465cf9 Use 403 instead a 50x response 2015-04-20 12:53:40 +02:00
Joas Schilling 6da9e1a742 Fix visibility of public API methods 2015-04-20 12:52:40 +02:00
Lukas Reschke 4ea205e262 Block old legacy clients
This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance.

This has multiple reasons:

1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse
2. Old ownCloud client versions tend to be horrible buggy

In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-20 11:12:17 +02:00
Lukas Reschke a98b819366 Add version to deprecation notice
As requested by @MorrisJobke
2015-04-20 10:30:16 +02:00
Lukas Reschke f672e120fc Deprecate unused `\OCP\Response::sendFile`
This function is unused in our own code and can be better achieved using the AppFramework. Also very easy to do grave mistaked using this function.
2015-04-20 10:02:34 +02:00
Morris Jobke 9cb260d310 Merge pull request #15717 from owncloud/issue/15716-fixing-ocp-api-namespace-usage
Fixing OCS API namespace usage
2015-04-20 09:43:19 +02:00
Morris Jobke d4ac7ac723 Merge pull request #15739 from DavidPrevot/symfony-2.7
Replace `_method` requirement by {g,s}etMethods()
2015-04-19 23:46:21 +02:00
Georg Ehrke 8f51efc49e get rid of OC_Geo 2015-04-19 20:16:56 +02:00
David Prévot 7f2f92847b Replace `_method` requirement by {g,s}etMethods()
Make the call compatible with future Symfony version, and avoid
E_USER_DEPRECATED as thrown by the current 2.7.0-beta1:

The "_method" requirement is deprecated since version 2.2 and will be
removed in 3.0. Use getMethods() instead. at
…/Symfony/Component/Routing/Route.php#554

The "_method" requirement is deprecated since version 2.2 and will be
removed in 3.0. Use the setMethods() method instead or the "methods"
option in the route definition. at
…/Symfony/Component/Routing/Route.php#662
2015-04-19 12:08:29 -04:00
Robin McCorkell 80b892e7ed Merge pull request #15729 from owncloud/remove-unused-variables
Remove unused variables
2015-04-19 12:38:29 +01:00
Morris Jobke 60b8aa2a83 Removed OC_BackgroundJob - reduce class overhead
* method code is now in the static public namespace (5 sloc)
2015-04-18 23:37:32 +02:00
Thomas Müller cdf82909b8 Merge pull request #15718 from owncloud/issue/15694-display-name-of-encryption-modules
Issue/15694 display name of encryption modules
2015-04-18 22:51:15 +02:00
Thomas Müller d2a31bcd93 Merge pull request #15727 from owncloud/cleanup-db-interface
DB: remove unused parameter - was forgotten during the migration to doct...
2015-04-18 22:47:40 +02:00
Morris Jobke e837927ad5 fix followup issues with unneeded parameters 2015-04-18 17:02:39 +02:00
Morris Jobke ccf47f40aa Remove unused variables
* should make scrutinizer a lot more happy
* reduces maybe memory footprint
2015-04-18 16:35:19 +02:00
Morris Jobke 47ecfd98a3 DB: remove unused parameter - was forgotten during the migration to doctrine
* 377e9a8677 <- doctrine merge
2015-04-18 15:57:13 +02:00
Morris Jobke 11f29f6d95 add visibility of methods in server container and interface 2015-04-18 14:19:22 +02:00
Joas Schilling 3f3f8c2f99 Fix usage of deprecated private constants 2015-04-18 10:30:02 +02:00
Joas Schilling 4d238c3949 Fix display name of encryption modules 2015-04-18 10:18:58 +02:00
Joas Schilling 6ce1abfa5c Deprecate the OC_API constants in favor of the OCP ones 2015-04-18 09:29:52 +02:00
Morris Jobke 7ab1f807fb Merge pull request #15691 from owncloud/vobject-sabre2.1
Get rid of the obsolete OC_VObject class
2015-04-17 22:33:00 +02:00
Thomas Müller d9990c2b4e Delay initialization of the OC\Encryption\Update - introducing 'OC\Encryption\HookManager' 2015-04-17 13:55:31 +02:00
Vincent Petry b7e5884b54 Get rid of the obsolete OC_VObject class
The class isn't needed any more since the update to Sabre 2.1
2015-04-17 12:55:31 +02:00
Bjoern Schiessle 7d4b1b52d0 always create a new instance of the encryption module 2015-04-17 10:31:33 +02:00
Clark Tomlinson 1174ad0681 Merge pull request #15445 from owncloud/enc2_migration
add migration script from old encryption to new one
2015-04-16 09:34:47 -04:00
Joas Schilling c7e5e30b86 Merge pull request #15674 from owncloud/fix-console-check-output
Convert error and hint to string before writing to the output
2015-04-16 14:51:29 +02:00
Bjoern Schiessle b25c06f576 detect system wide mount points correctly 2015-04-16 14:15:04 +02:00
Bjoern Schiessle 67500d5f2f if we start writing a file from the beginning, size should start by zero; result of floor needs to be casted to int in order to compare it with ->size 2015-04-16 14:15:04 +02:00