Due to a security hardening in 8.1 a missing value of empty trusted domains in the config would provoke an error as this was misused by a lot of users.
This caused a problem where the initial installation happened from another domain than 127.0.0.1 as in this case the domain was considered untrusted as no value was defined. However, this special case should not get intercepted.
To test:
- [ ] Installing ownCloud on 127.0.0.1 works
- [ ] Installing ownCloud on another domain / IP works
- [ ] When setting up ownCloud from 127.0.0.1 and accessing it from the domain above the trusted domain error should be shown if not specified in the config
Fixes https://github.com/owncloud/core/issues/14320
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.
This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.
Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.
Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
This enforces proper types on POST and GET arguments where I considered it sensible. I didn't update some as I don't know what kind of values they would support 🙈
Fixes https://github.com/owncloud/core/issues/14196 for core
The current behaviour of the authenticion logic in base.php prevents REST APIs in ownCloud applications to work.
Because `!self::$CLI` is usually always a true statement the previously above block was entered which returned, thus the authentication logic for this part does not trigger in.
This can be reproduced by installing apps such as the News app and issuing the following command:
`curl -u admin:admin http://localhost/index.php/apps/news/api/v1-2/feeds`
The following parts needs to get throughly tested:
- [ ] OCS
- [ ] remote.php's DAV features
- [ ] Regular login features
This bug affects master and stable7. I'd propose that we merge this for 8.0 since this has the potential to break every component that relies on Basic Auth features. A backport would also be very nice.
Remark to myself: We really need to move out the authentication code for 8.1 out of base.php - I already have a local branch that does that somewhere which I will get in shape for 8.1... - This untested code is a night-mare.
Fixes itself.
Potentially fixes https://github.com/owncloud/core/issues/12915 and opens the door for potential other bugs...
Please test very carefully, this includes:
- Testing from OCS via cURL (as in #12915)
- Testing from OCS via browser (Open the "Von Dir geteilt" shares overview)
- WebDAV
- CalDAV
- CardDAV
The codepath that is executed when executing ownCloud via CLI is different than via browser. Specifically, the config is created by the user session already in `OC_Util::getInstanceId()` by a call to `setValue`. That said, this seems to be quite a bad side-effect, but for the sake of "not breaking whatever might break if we touch this" let's keep it that way for now.
When executing the autoconfig via `php -f index.php` the said session was not setup and thus no `config/config.php` file was created resulting in an installation error.
To reproduce this try to setup ownCloud via `php -f index.php` with and without that patch. (ensure to delete all existing configs before and don't access ownCloud with a browser in the meantime)
Fixes itself.
Workaround required for IIS setups running ownCloud to prevent dataloss.
Long-term solution would be to move some configuration settings to the database
This PR removes phpass and migrates to the new Hasher interface.
Please notice that due to https://github.com/owncloud/core/issues/10671 old hashes are not updated but the hashes are backwards compatible so this shouldn't hurt.
Once the sharing classes have a possibility to update the passwords of single shares those methods should be used within the newHash if block.
Moved search result type translations to search.js
Load JS translations earlier
Translations need to be loaded earlier to make sure that some JS files
like search.js get access to translations at this time.
This requires the template initialization to be moved to after session
initialization, because only after the session we have access to the
current language.
Added addTranslations and fixed de.js file
Fixed de.js to use OC.L10N.register() and use to correct expected
format.
Added JS unit tests for OC.L10N class
Include translations JS script for all apps
Composer's autoloader is rather better than the OwnCloud autoloader's
handling of non-OC classes. Plus we can rely on upstream Composer to
maintain it and not worry about it ourselves.
With this change, we drop the bits of OwnCloud's autoloader that
handled non-OC classes, and register the classes that were being
handled by that code with Composer's autoloader instead. As these
dependencies are converted to actually being managed by Composer,
the explicit registrations can be dropped as they won't be needed
any more.
Since OwnCloud's autoloader isn't going to handle non-OC classes any
more, we no longer need to test to make sure it does it right.
drop unneeded registerPrefix() and registerClass() from autoloader
Now we're not handling anything but OC's own classes, these are
unnecessary.
error out if composer autoloader is not found (thanks bantu)
We're never going to be able to work without the autoloader, if it's not
there we should just throw our hands up and surrender.
This commit will make the supported DBs for installation configurable within config.php. By default the following databases are tested: "sqlite", "mysql", "pgsql". The reason behind this is that there might be instances where we want to prevent SQLite to be used by mistake.
To test this play around with the new configuration parameter "supportedDatabases".
Previously a JSON error page was shown to the user in-case the CSRF token was not valid. This was confusing and prevented people from login.
With this at least the login page is shown again and not a JSON error message. I consider this as sufficient since adding a new error page just for this sake would uneededly make lib/base.php even more cluttered and this is a edge-case which optimally should anyways not happen that often.
This can be tested by opening the login page, then clearing the cookies, and trying to login.
At the previous point not all apps were initialized. Now the basic auth check happens together at the same location as all others.
Fixes https://github.com/owncloud/core/issues/11129
Using status.php for this.
I modified status.php to also show, whether we're in maintenance.
Checks every 20 seconds if maintenance is over, if yes: reload.
handleRequest() is not called from remote.php or public.php which made these files party available but all included apps in there produced errors.
As the expected behaviour is anyways that a trusted domain warning is shown I moved this to init()
Fixes https://github.com/owncloud/core/issues/10064
maintain deprecated \OC::$session when getting or setting the session via the server container or UserSession
restore order os OC::$session and OC::$CLI
remove unneded initialization of dummy session
write back session when $useCustomSession is true
log warning when deprecated app is used
Adds a little button to the trusted domain warning, if an admin clicks on the warning he will be redirected to ownCloud and asked whether he want to trust this domain.
By far not the cleanest code, or clean at all, but does the job and I don't see a reason to make a lot of changes for this little improvement.
Hopefully this will stop people from copying the sample config. I'm so annoyed by all those wrong bug reports...
Add some explanation about this switch
Move check to init
Users should not be able to enable debug mode on their own by setting a cookie. Using debug mode might leak too much information about the environment or have other unexpected behaviour.
We should backport this.
This `strip_tags` seems to be completely unneeded and will cause problems with passwords containing stripped characters. (e.g. `<` or `>`)
Needs https://github.com/owncloud/core/pull/9735 to be merged first.
This functions are deprecated and/or removed since ownCloud 7. Additionally a issubdirectory check has been added here to prevent developers to use this function in a potentially insecure way.
Port of https://github.com/owncloud/core/pull/9033
The getfile routing code was absolutely legacy and not needed anymore. Additionally \OC::$REQUESTEDAPP was never set to the actually accessed application.
This commit removes the legacy routing code and ensures that $REQUESTEDAPP is always set so that other applications (e.g. the firewall or a two-factor authentication) can intercept the currently accessed app.
Testplan:
[x] Installation works
[x] Login with DB works
[x] Logout works
[x] Login with alternate backend works (tested with user_webdavauth)
[x] Other apps are accessible
[x] Redirect on login works (e.g. index.php?redirect_url=%2Fcore%2Findex.php%2Fsettings%2Fapps%3Finstalled)
[x] Personal settings are accessible
[x] Admin settings are accessible
[x] Sharing files works
[x] DAV works
[x] OC::$REQUESTEDAPP contains the requested application and can be intercepted by other applications
Some headers were currently only added to the templates but not to other components (e.g. SabreDAV / JSON / etc...)
The migration to base.php ensures that the headers are served to all requests passing base.php
- added karma utility to run jasmine unit tests
- added Sinon library (for stubs/mocks/fakeserver)
- added a few unit tests for core and files
- added autotest-js.sh script
On the update page, config.js was missing which caused oc_webroot to not
be available. That would trigger the faulty oc_webroot fallback that
didn't take URLs like "/owncloud/index.php/files/apps" into account.
This fix adds config.js in the update page and also a fix for the
oc_webroot fallback, in case it is used elsewhere.
commit ae1f68ac54cf2878d265b2bbce13bd600d2d0719
Author: Thomas Müller <thomas.mueller@tmit.eu>
Date: Thu Aug 22 11:45:27 2013 +0200
fixing undefined variable
commit 982f327ca10eea0a2222eae3e74210648591fd8a
Author: Thomas Müller <thomas.mueller@tmit.eu>
Date: Wed Aug 7 12:00:14 2013 +0200
adding login.php as alternative for index.php/login
commit da0d7e1d096fb80789524b01f0f96fe08d147943
Author: Thomas Müller <thomas.mueller@tmit.eu>
Date: Wed Aug 7 11:36:12 2013 +0200
adding a route for web login
commit 8e2a01160485cf7e9a2eb8bf46f06fae73956e8e
Author: Karl Beecher <karl@endocode.com>
Date: Tue Aug 6 17:00:28 2013 +0200
Login attempt returns true instead of exiting immediately
commit fd89d55de9e71e986e03a0de9aad9407b632e22f
Author: Karl Beecher <karl@endocode.com>
Date: Mon Aug 5 15:31:30 2013 +0200
Further abstraction.
This change introduces the ApacheBackend interface for backends that
depend on Apache authentication and session management. There are no
longer references to specific backends in OC_User.
commit 469cfd98aea5a37985722cf5f9e00ece0ce38178
Author: Karl Beecher <karl@endocode.com>
Date: Thu Aug 1 15:46:36 2013 +0200
Make login attempt function protected.
commit d803515f19ff086e2028fcaa51afae579685e596
Author: Karl Beecher <karl@endocode.com>
Date: Wed Jul 31 16:00:22 2013 +0200
Amends the login link
When using a Shibboleth login, clicking logout displays a message to the
user instead of ending the session.
commit aa8c1fcea05c8268f26a10b21c4e0bc547c3414f
Author: Karl Beecher <karl@endocode.com>
Date: Tue Jul 30 13:15:59 2013 +0200
Abstract Shibboleth authentication into an Apache authentication method
commit 69082f2ebcab267f6e8eceb1a252f84c52236546
Author: Karl Beecher <karl@endocode.com>
Date: Tue Jul 30 11:22:26 2013 +0200
Convert spaces -> tabs
commit 5a80861d86855eec5906fd5e235ac4ff12efb0f2
Author: Karl Beecher <karl@endocode.com>
Date: Mon Jul 29 17:40:48 2013 +0200
Separate the authentication methods
SABRE authentication and base authentication have slightly different
workings right now. They should be refactored into a common method
later, but time pressure requires us to reinvent the wheel slightly.
commit dc20a9f8764b103b7d8c5b713f2bcdae18708b65
Author: Karl Beecher <karl@endocode.com>
Date: Mon Jul 29 17:07:07 2013 +0200
Authenicate calls to WebDAV against Shibboleth.
When using WebDAV, the OC_Connector_Sabre_Auth::authenticate method is
normally called without trying the Shibboleth authentication... thus the
session is not established.
The method now tries Shib authentication, setting up a session if the
user has already authenticated.
commit 091e4861b2246c4084c9b30e232289fde4ba1abf
Author: Karl Beecher <karl@endocode.com>
Date: Mon Jul 29 14:04:54 2013 +0200
Sets up the Shibboleth login attempt.
commit bae710ec0579ef99b23022cc12f6876c5fe6b0d5
Author: Karl Beecher <karl@endocode.com>
Date: Mon Jul 29 12:36:44 2013 +0200
Add a method for attempting shibboleth login.
If the PHP_AUTH_USER and EPPN environment variables are set, attempt a
Shibboleth (passwordless) login.
commit 667d0710a7854e58fb109201d9cee6ec064e793a
Author: Karl Beecher <karl@endocode.com>
Date: Mon Jul 29 11:38:04 2013 +0200
Revert "Adds the apps2 folder with user_shibboleth backend."
This reverts commit 7abbdb64676d667b0c69aca37becdc47e56dc7ef.
commit 7abbdb64676d667b0c69aca37becdc47e56dc7ef
Author: Karl Beecher <karl@endocode.com>
Date: Mon Jul 29 11:28:06 2013 +0200
Adds the apps2 folder with user_shibboleth backend.
Conflicts:
core/templates/layout.user.php
lib/base.php
This update works for a standard setup, when using a proxy for the server one can probably use the X-forwarded-for header
instead of the remote address.