Lukas Reschke
ab9ea97d3a
Catch not existing User-Agent header
...
In case of a not sent UA header, consider the client as valid
2015-04-23 16:33:51 +02:00
Lukas Reschke
155ae44bc6
Fix collision on temporary files + adjust permissions
...
This changeset hardens the temporary file and directory creation to address multiple problems that may lead to exposure of files to other users, data loss or other unexpected behaviour that is impossible to debug.
**[CWE-668: Exposure of Resource to Wrong Sphere](https://cwe.mitre.org/data/definitions/668.html)**
The temporary file and folder handling as implemented in ownCloud is performed using an MD5 hash over `time()` concatenated with `rand()`. This is insufficient and leads to the following security problems:
The generated filename could already be used by another user. It is not verified whether the file is already used and thus temporary files might be used for another user as well resulting in all possible stuff such as "user has file of other user".
Effectively this leaves us with:
1. A timestamp based on seconds (no entropy at all)
2. `rand()` which returns usually a number between 0 and 2,147,483,647
Considering the birthday paradox and that we use this method quite often (especially when handling external storage) this is quite error prone and needs to get addressed.
This behaviour has been fixed by using `tempnam` instead for single temporary files. For creating temporary directories an additional postfix will be appended, the solution is for directories still not absolutely bulletproof but the best I can think about at the moment. Improvement suggestions are welcome.
**[CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)**
Files were created using `touch()` which defaults to a permission of 0644. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is not a high severity issue. Permissions have been adjusted to 0600.
**[CWE-379: Creation of Temporary File in Directory with Incorrect Permissions](https://cwe.mitre.org/data/definitions/379.html)**
Files were created using `mkdir()` which defaults to a permission of 0777. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is not a high severity issue. Permissions have been adjusted to 0700. Please enter the commit message for your changes.
2015-04-23 15:07:54 +02:00
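The naming and permission problems described in the commit message above, as an added PHP sketch that is not ownCloud's code: it puts the `md5(time() . rand())` scheme beside `tempnam()` and a collision-checked `mkdir()`, and estimates the birthday bound for names drawn in the same second. All function names are hypothetical; it assumes PHP 7.4+ on a POSIX system with a typical umask of 022.

```php
<?php
// Added illustration, not ownCloud's code; all function names are hypothetical.

// "Before": the name depends only on the current second and rand(), and
// nothing checks whether the path already exists or belongs to someone else.
function weakTempFile(string $dir): string {
    $path = $dir . '/oc_tmp_' . md5(time() . rand());
    touch($path);                    // mode is 0666 minus umask, usually 0644
    return $path;
}

// "After", single file: tempnam() creates a new, uniquely named file with
// mode 0600 and never hands back a path that already existed.
function safeTempFile(string $dir): string {
    $path = tempnam($dir, 'oc_tmp_');
    if ($path === false) {
        throw new RuntimeException('cannot create temporary file');
    }
    return $path;
}

// "After", directory: mkdir() fails on an existing path, so a name
// collision is detected and retried instead of silently shared.
function safeTempDir(string $dir, int $attempts = 10): string {
    for ($i = 0; $i < $attempts; $i++) {
        $path = $dir . '/oc_tmp_' . bin2hex(random_bytes(16));
        if (@mkdir($path, 0700)) {
            return $path;
        }
    }
    throw new RuntimeException('cannot create temporary directory');
}

// Birthday estimate: chance that $n names drawn in the same second collide
// when rand() has $range possible values (0 to 2,147,483,647).
function collisionProbability(int $n, int $range = 2147483648): float {
    return 1.0 - exp(-$n * ($n - 1) / (2.0 * $range));
}

$mode = fn(string $p): string => substr(sprintf('%o', fileperms($p)), -4);
$base = sys_get_temp_dir();
$weak = weakTempFile($base);
$file = safeTempFile($base);
$tmpDir = safeTempDir($base);
printf("weak file %s, tempnam file %s, dir %s\n", $mode($weak), $mode($file), $mode($tmpDir));
printf("P(collision) for 1000 names in one second: %.6f\n", collisionProbability(1000));
unlink($weak); unlink($file); rmdir($tmpDir);
```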
Jenkins for ownCloud
f8f354b351
[tx-robot] updated from transifex
2015-04-23 01:54:51 -04:00
Martin
676e86b314
Improve error message text for app upgrade try (#15375)
2015-04-22 13:24:11 +02:00
Morris Jobke
3e8f6cdba9
Merge pull request #15635 from owncloud/issue/15634-empty-txt-previews
...
Scale up the font on larger previews
2015-04-20 15:55:32 +02:00
Morris Jobke
ce2c8533d9
Merge pull request #15735 from owncloud/fix-visibility
...
Fix visibility of interfaces in \OCP
2015-04-20 14:39:15 +02:00
Lukas Reschke
3959f8ac4e
Merge pull request #15637 from owncloud/migrate-certificate-stuff
...
Migrate personal certificate handling to AppFramework controllers
2015-04-20 13:56:35 +02:00
Lukas Reschke
e9d6807c5c
Merge pull request #15733 from owncloud/remove-oc_backgroundjob
...
Removed OC_BackgroundJob - reduce class overhead
2015-04-20 13:17:58 +02:00
Lukas Reschke
1cc2aefa46
Proper return types
2015-04-20 13:00:02 +02:00
Lukas Reschke
9f61cf60d4
Verify if returned object is an array
...
The error has to be thrown at this point as otherwise errors and notices are thrown since the time cannot be parsed in L60 and L61
2015-04-20 12:58:57 +02:00
Lukas Reschke
ed0b465cf9
Use 403 instead of a 50x response
2015-04-20 12:53:40 +02:00
Joas Schilling
6da9e1a742
Fix visibility of public API methods
2015-04-20 12:52:40 +02:00
Lukas Reschke
4ea205e262
Block old legacy clients
...
This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance.
This has multiple reasons:
1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse
2. Old ownCloud client versions tend to be horribly buggy
In some cases we had in 80 minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
2015-04-20 11:12:17 +02:00
Lukas Reschke
a98b819366
Add version to deprecation notice
...
As requested by @MorrisJobke
2015-04-20 10:30:16 +02:00
Lukas Reschke
f672e120fc
Deprecate unused `\OCP\Response::sendFile`
...
This function is unused in our own code and can be better achieved using the AppFramework. Also very easy to do grave mistakes using this function.
2015-04-20 10:02:34 +02:00
Morris Jobke
9cb260d310
Merge pull request #15717 from owncloud/issue/15716-fixing-ocp-api-namespace-usage
...
Fixing OCS API namespace usage
2015-04-20 09:43:19 +02:00
Jenkins for ownCloud
75bf03a605
[tx-robot] updated from transifex
2015-04-20 01:54:44 -04:00
Morris Jobke
d4ac7ac723
Merge pull request #15739 from DavidPrevot/symfony-2.7
...
Replace `_method` requirement by {g,s}etMethods()
2015-04-19 23:46:21 +02:00
Georg Ehrke
8f51efc49e
get rid of OC_Geo
2015-04-19 20:16:56 +02:00
David Prévot
7f2f92847b
Replace `_method` requirement by {g,s}etMethods()
...
Make the call compatible with future Symfony version, and avoid
E_USER_DEPRECATED as thrown by the current 2.7.0-beta1:
The "_method" requirement is deprecated since version 2.2 and will be
removed in 3.0. Use getMethods() instead. at
…/Symfony/Component/Routing/Route.php#554
The "_method" requirement is deprecated since version 2.2 and will be
removed in 3.0. Use the setMethods() method instead or the "methods"
option in the route definition. at
…/Symfony/Component/Routing/Route.php#662
2015-04-19 12:08:29 -04:00
Roeland Douma
d877c1f1e1
Merge pull request #15736 from owncloud/remove-dependency-on-legacy-code-in-ocp
...
Reduce call of legacy wrapper by calling the OCP directly
2015-04-19 15:42:07 +02:00
Roeland Douma
3cb5dd68e6
Merge pull request #15737 from owncloud/add-deprecated-version
...
Add version to @deprecated tags
2015-04-19 15:40:53 +02:00
Robin McCorkell
80b892e7ed
Merge pull request #15729 from owncloud/remove-unused-variables
...
Remove unused variables
2015-04-19 12:38:29 +01:00
Jenkins for ownCloud
fd3c1484ad
[tx-robot] updated from transifex
2015-04-19 01:54:41 -04:00
Morris Jobke
c056c52010
Add version to @deprecated tags
2015-04-19 01:04:59 +02:00
Morris Jobke
9b8ebdadf7
Reduce call of legacy wrapper by calling the OCP directly
...
* ref #15734
* reduces the call depth, because the private methods just call OCP stuff
2015-04-19 00:29:09 +02:00
Morris Jobke
96a5b65484
Fix visibility of interfaces in \OCP
2015-04-19 00:26:17 +02:00
Morris Jobke
60b8aa2a83
Removed OC_BackgroundJob - reduce class overhead
...
* method code is now in the static public namespace (5 sloc)
2015-04-18 23:37:32 +02:00
Morris Jobke
f6807337a8
Add @since tag to public namespace constants
2015-04-18 23:19:35 +02:00
Thomas Müller
cdf82909b8
Merge pull request #15718 from owncloud/issue/15694-display-name-of-encryption-modules
...
Issue/15694 display name of encryption modules
2015-04-18 22:51:15 +02:00
Thomas Müller
b7a4972218
Merge pull request #15728 from owncloud/update-iurlgenerator-doc
...
IUrlGenerator - document linkTo properly
2015-04-18 22:48:09 +02:00
Thomas Müller
d2a31bcd93
Merge pull request #15727 from owncloud/cleanup-db-interface
...
DB: remove unused parameter - was forgotten during the migration to doct...
2015-04-18 22:47:40 +02:00
Thomas Müller
c922b09f26
Merge pull request #15725 from owncloud/l10n-public-interface
...
IL10n - add PHPDoc for $options
2015-04-18 22:46:50 +02:00
Morris Jobke
e837927ad5
fix followup issues with unneeded parameters
2015-04-18 17:02:39 +02:00
Morris Jobke
ccf47f40aa
Remove unused variables
...
* should make scrutinizer a lot more happy
* reduces maybe memory footprint
2015-04-18 16:35:19 +02:00
Morris Jobke
eb62e7cc27
IUrlGenerator - document linkTo properly
...
* parameter $args was there since 6.0.0
* see 61a9098b7d
2015-04-18 16:03:37 +02:00
Morris Jobke
47ecfd98a3
DB: remove unused parameter - was forgotten during the migration to doctrine
...
* 377e9a8677 <- doctrine merge
2015-04-18 15:57:13 +02:00
Morris Jobke
9ffac12986
IL10n - add PHPDoc for $options
...
* added in #11549
* undocumented in the public interface
2015-04-18 15:50:17 +02:00
Morris Jobke
f72dabb4eb
fix wrong variable names in PHPDoc
2015-04-18 14:31:28 +02:00
Morris Jobke
11f29f6d95
add visibility of methods in server container and interface
2015-04-18 14:19:22 +02:00
Joas Schilling
3f3f8c2f99
Fix usage of deprecated private constants
2015-04-18 10:30:02 +02:00
Joas Schilling
4d238c3949
Fix display name of encryption modules
2015-04-18 10:18:58 +02:00
Joas Schilling
6ce1abfa5c
Deprecate the OC_API constants in favor of the OCP ones
2015-04-18 09:29:52 +02:00
Joas Schilling
4e58f4892a
Move constants to OCP\API so apps can use them
2015-04-18 09:29:51 +02:00
Joas Schilling
8cb0d97b10
Merge pull request #15692 from owncloud/log-exception-type-master
...
Write the type of exception to the log - really helpful for exceptions w...
2015-04-18 09:28:48 +02:00
Joas Schilling
5acda185bd
Correctly prefix OC_API with \ since it's not in the namespace
2015-04-18 09:12:42 +02:00
Jenkins for ownCloud
37a871127b
[tx-robot] updated from transifex
2015-04-18 01:55:19 -04:00
Morris Jobke
7ab1f807fb
Merge pull request #15691 from owncloud/vobject-sabre2.1
...
Get rid of the obsolete OC_VObject class
2015-04-17 22:33:00 +02:00
Thomas Müller
d9990c2b4e
Delay initialization of the OC\Encryption\Update - introducing 'OC\Encryption\HookManager'
2015-04-17 13:55:31 +02:00
Thomas Müller
d671f13f26
Write the type of exception to the log - really helpful for exceptions which hold no message
2015-04-17 13:10:10 +02:00
Vincent Petry
b7e5884b54
Get rid of the obsolete OC_VObject class
...
The class isn't needed any more since the update to Sabre 2.1
2015-04-17 12:55:31 +02:00
Bjoern Schiessle
7d4b1b52d0
always create a new instance of the encryption module
2015-04-17 10:31:33 +02:00
Thomas Müller
f32d97750c
Merge pull request #15679 from owncloud/fix-private-member-access
...
Fix private member access of parent class in ocsresponse
2015-04-17 09:13:54 +02:00
Thomas Müller
852cc6f2c6
Merge pull request #15680 from owncloud/add-since-tags-to-public-namespace
...
Add @since tags to all methods in public namespace
2015-04-17 09:13:04 +02:00
Jenkins for ownCloud
da44df2cfa
[tx-robot] updated from transifex
2015-04-17 01:55:37 -04:00
Morris Jobke
7644950b48
Add @since tags to all methods in public namespace
...
* enhance the app development experience - you can look up the
method introduction right inside the code without searching
via git blame
* easier to write apps for multiple versions
2015-04-16 17:00:08 +02:00
Morris Jobke
1d30efdd73
Fix private member access of parent class in ocsresponse
...
* noticed while checking PHPDoc
2015-04-16 16:54:01 +02:00
Clark Tomlinson
1174ad0681
Merge pull request #15445 from owncloud/enc2_migration
...
add migration script from old encryption to new one
2015-04-16 09:34:47 -04:00
Joas Schilling
c7e5e30b86
Merge pull request #15674 from owncloud/fix-console-check-output
...
Convert error and hint to string before writing to the output
2015-04-16 14:51:29 +02:00
Bjoern Schiessle
b25c06f576
detect system wide mount points correctly
2015-04-16 14:15:04 +02:00
Bjoern Schiessle
67500d5f2f
if we start writing a file from the beginning, size should start by zero; result of floor needs to be casted to int in order to compare it with ->size
2015-04-16 14:15:04 +02:00
Bjoern Schiessle
e3d77c4b01
add migration script from old encryption to new one
2015-04-16 14:15:04 +02:00
Thomas Müller
07243f0482
Convert error and hint to string before writing to the output - fixes https://mailman.owncloud.org/pipermail/devel/2015-April/001184.html
2015-04-16 12:32:17 +02:00
Thomas Müller
bcf65d9c13
Using TRANSACTION_READ_COMMITTED
2015-04-16 11:49:12 +02:00
Jörn Friedrich Dreyer
2e06cf49a5
Merge pull request #15623 from t3chguy/master
...
Redis DB Index via Select
2015-04-16 09:30:07 +02:00
Jenkins for ownCloud
8606b7ca66
[tx-robot] updated from transifex
2015-04-16 01:54:43 -04:00
Vincent Petry
903d52d45f
Merge pull request #15809 from owncloud/view-null-root
...
don't allow using null as view root
2015-04-22 18:10:26 +02:00
Robin Appelman
bd57902d1d
typo
2015-04-22 16:24:37 +02:00
Thomas Müller
750f0bc489
Merge pull request #15799 from owncloud/fix-enc-folder-move
...
Fix enc folder move
2015-04-22 16:04:29 +02:00
Robin Appelman
f391f88d7f
don't allow using null as view root
2015-04-22 14:51:02 +02:00
Morris Jobke
42d9ba0f83
Merge pull request #15787 from owncloud/trash-partfiles
...
Do not trash part files, delete directly
2015-04-22 14:10:26 +02:00
Morris Jobke
a971fa8a90
Merge pull request #15549 from owncloud/jcf-fix-cache-update
...
don't update identical values
2015-04-22 13:34:08 +02:00
Thomas Müller
0042bdd2e7
fix PHPDoc
2015-04-22 13:12:52 +02:00
Thomas Müller
225cde2183
pass KeyStorage via ctor
2015-04-22 13:09:42 +02:00
Thomas Müller
987bc138df
calling renameKeys() on directory level as well - fixes #15778
2015-04-22 12:12:27 +02:00
Thomas Müller
fc4127dd62
add $encryptionModuleId to methods of Keys/IStorage
2015-04-22 11:53:05 +02:00
Björn Schießle
570718fb6b
Merge pull request #15757 from owncloud/enc-fixfeofforlastblock
...
Fix encryption feof to not return too early
2015-04-22 11:32:21 +02:00
Thomas Müller
40fcc7480c
Merge pull request #15734 from owncloud/add-deprecate-tags
...
Add @deprecated to all methods with a proper method in \OCP
2015-04-21 23:57:49 +02:00
Vincent Petry
ffc796edcb
Do not trash part files, delete directly
2015-04-21 18:28:15 +02:00
Bjoern Schiessle
19e8c4fcb1
get dirname from sharePath
2015-04-21 14:58:01 +02:00
Björn Schießle
b0fcf0fa0e
Merge pull request #15636 from owncloud/enc2_performance_improvement
...
[encryption2] set size and unencrypted size to zero at the beginning of a write operation
2015-04-21 11:01:33 +02:00
Vincent Petry
a13088818a
Merge pull request #15748 from owncloud/fixing-enc-filesize-once-more
...
Introduce Storage::getData() to allow storage implementations more contr...
2015-04-20 18:36:23 +02:00
Vincent Petry
76dad297ff
Fix encryption feof to not return too early
...
This is because stream_read will pre-cache the next block which causes
feof($this->source) to return true prematurely. So we cannot rely on it.
Fixed encryption stream wrapper unit tests to actually simulate 6k/8k
blocks to make sure we cover the matching logic.
Added two data files with 8192 and 8193 bytes.
2015-04-20 18:32:40 +02:00
Lukas Reschke
fe2cbc3795
Merge pull request #15744 from owncloud/fix-inverted-path-in-resourcenotfound
...
Fix wrong path generation
2015-04-20 16:55:36 +02:00
Thomas Müller
32995ace1c
move permission related code into getMetaData()
2015-04-20 16:50:12 +02:00
Thomas Müller
23f1bdc3d4
Introduce Storage::getMetaData() to allow storage implementations more control over the data array
2015-04-20 14:54:54 +02:00
Thomas Müller
92b60e36de
Introduce Storage::getData() to allow storage implementations more control over the data array
2015-04-20 14:25:39 +02:00
Morris Jobke
0a594cd3a5
Add @deprecated to all methods with a proper method in \OCP
2015-04-20 13:15:45 +02:00
Bjoern Schiessle
7fe0e09d14
set size and unencrypted size to zero on fopen
2015-04-20 11:06:13 +02:00
Morris Jobke
80be3b0c47
Fix wrong path generation
...
* fixes #15742
2015-04-20 11:01:33 +02:00
Michael Telatynski
8ebf9de3f8
Memcache\Redis Add DB Select Functionality
2015-04-15 21:24:38 +01:00
Joas Schilling
1592f25ed0
Scale up the font on larger previews
2015-04-15 14:03:40 +02:00
Morris Jobke
e33e5b425a
Merge pull request #12006 from owncloud/dav-put-storage
...
Work directly on the storage when uploading over webdav
2015-04-15 03:08:52 +02:00
Jenkins for ownCloud
7f3f191ee9
[tx-robot] updated from transifex
2015-04-14 18:19:31 -04:00
Thomas Müller
70480423ff
Merge pull request #15597 from oparoz/another-fallback-for-findbinarypath
...
Adding a final fallback for findBinaryPath
2015-04-15 00:16:56 +02:00
Thomas Müller
1aa368effe
Merge pull request #15592 from owncloud/fix-15590-master
...
Avoid php message "Invalid argument supplied for foreach()"
2015-04-15 00:14:08 +02:00
Björn Schießle
4f0437fbde
Merge pull request #15598 from owncloud/fix-enc-file-size-master
...
Fix file size of encrypted files
2015-04-14 16:48:04 +02:00
Robin Appelman
eeecca04e6
Keep phpdoc updated.
2015-04-14 16:25:52 +02:00
Robin Appelman
308af8b909
pass a stream to the tests
2015-04-14 15:25:52 +02:00
Morris Jobke
82cab25762
Merge pull request #13360 from owncloud/cross-storage-move
...
Proper copy/move between multiple local storages
2015-04-14 14:35:08 +02:00