nextcloud

Commit Graph

Author	SHA1	Message	Date
Christoph Wurst	463b388589	Merge pull request #20170 from nextcloud/techdebt/remove-unused-imports Remove unused imports	2020-03-27 17:14:08 +01:00
Christoph Wurst	b80ebc9674	Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-26 16:34:56 +01:00
Christoph Wurst	2ee65f177e	Use the shorter phpunit syntax for mocked return values Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-25 22:21:27 +01:00
Christoph Wurst	74936c49ea	Remove unused imports Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-25 22:08:08 +01:00
Roeland Jago Douma	12e1c469cf	Add Argon2id support When available we should use argon2id for hashing. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-02-07 07:52:33 +01:00
Roeland Jago Douma	0d651f106c	Allow selecting the hashing algorithm Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-02-03 21:41:17 +01:00
Julius Härtl	d05f131929	Move overwritehost check to isTrustedDomain Signed-off-by: Julius Härtl <jus@bitgrid.net>	2019-12-07 09:53:06 +01:00
Roeland Jago Douma	3a7cf40aaa	Mode to modern phpunit Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-11-27 15:27:18 +01:00
Roeland Jago Douma	c007ca624f	Make phpunit8 compatible Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-11-27 13:34:41 +01:00
Roeland Jago Douma	68748d4f85	Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-11-22 20:52:10 +01:00
Johannes Koenig	2df8d646c1	make TrustedDomainHelper case insensitive Signed-off-by: Johannes Koenig <mail@jokoenig.de>	2019-10-06 20:43:55 +02:00
Roeland Jago Douma	2b98eea129	Harden identifyproof openssl code Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-09-14 13:52:10 +02:00
Roeland Jago Douma	7927aebdeb	Fix report of phpstan in Limiter * unneeded arguments to constructor * added return types * let automatic DI do its work Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-19 19:38:43 +02:00
Roeland Jago Douma	f81817b47d	Add tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-10 19:40:13 +02:00
Roeland Jago Douma	cf647451e5	Update CSP test cases to handle the new form-action Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-31 15:16:10 +02:00
Sam Bull	ea935f65fd	Add support for CSP_NONCE server variable Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server. Signed-off-by: Sam Bull <git@sambull.org> Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-18 12:16:29 +02:00
Roeland Jago Douma	5ac857bcdc	Add an event to edit the CSP This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-08 20:35:15 +02:00
Morris Jobke	d004164fcc	Merge pull request #13327 from nextcloud/allow-bracket-notation-for-remove-ipv6-address Allow bracket IPv6 address format inside IPAdress Normalizer	2019-03-06 10:34:02 +01:00
Roeland Jago Douma	f1ea56b502	Fix the thorrtler whitelist bitmask Before we actually didn't check each bit of the bitmask. Now we do. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-02-11 23:22:20 +01:00
Roeland Jago Douma	ad676c0102	Set default frame-ancestors to 'self' For #13042 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-08 15:36:40 +01:00
Roeland Jago Douma	64244e1a4f	CSP: Allow fonts to be provided in data Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-07 15:07:06 +01:00
Thomas Citharel	c9b588774b	Allow bracket IPv6 address format inside IPAdress Normalizer When run with php's build-in server (for instance on localhost:8080), IP provided through $this->server['REMOTE_ADDR'] is [::1], which is not an acceptable format for \inet_pton. This removes the brackets if there's any. Signed-off-by: Thomas Citharel <tcit@tcit.fr>	2019-01-03 10:03:46 +01:00
Roeland Jago Douma	5b61ef9213	Disallow unsafe-eval by default Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-14 20:45:34 +02:00
Roeland Jago Douma	362e6b2903	Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-05-14 13:30:22 +02:00
Roeland Jago Douma	84316aec66	Add ARGON2I support to the hasher When on php7.2 we can use the new and improved ARGON2I hashing. This adds support for that to the hasher. When verifying an old hash we'll update rehash to move all hashes eventually to the new hash function. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-04-04 15:43:50 +02:00
Joas Schilling	bf2be08c9f	Fix risky tests without assertions Signed-off-by: Joas Schilling <coding@schilljs.com>	2018-01-25 11:33:25 +01:00
Roeland Jago Douma	0e0db37658	Make OCP\Security stricter * Add typehints * Add return types * Opcode opts from phpstorm * Made strict * Fixed tests: No need to test bogus values anymore strict typing fixes this Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-01-16 22:01:19 +01:00
Roeland Jago Douma	cf0a339997	Make OC\Security\RateLimiting strict * Add return types * Add scalar argument types * Made strict * Cleaned up phpstorm inspections Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-01-14 21:08:23 +01:00
Roeland Jago Douma	094d41937a	Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-12-18 21:06:52 +01:00
Morris Jobke	c733cdaa65	Use ::class in test mocks of encryption app Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-10-26 13:56:56 +02:00
Morris Jobke	43e498844e	Use ::class in test mocks Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-10-24 17:45:32 +02:00
Bjoern Schiessle	bae5be3dc1	add prefix to user and system keys to avoid name collisions Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	2017-08-10 14:27:35 +02:00
Bjoern Schiessle	9524badccc	extend the identity proof manager to allow system wide key pairs Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>	2017-08-10 14:27:35 +02:00
Roeland Jago Douma	6a1f2ac076	Add bruteforce capabilities Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-07-13 11:23:08 +02:00
Roeland Jago Douma	04f2090698	Write cert bundle to tmp file first Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-07-12 19:24:20 +02:00
Joas Schilling	ca39940614	Automatic creation of Identity manager Signed-off-by: Joas Schilling <coding@schilljs.com>	2017-05-10 09:45:11 +02:00
Lukas Reschke	dd03fdebec	Add missing space Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-05-01 20:36:25 +02:00
Lukas Reschke	a5ccb31e85	Mark IP as whitelisted if brute force protection is disabled Currently, when disabling the brute force protection no new brute force attempts are logged. However, the ones logged within the last 24 hours will still be used for throttling. This is quite an unexpected behaviour and caused some support issues. With this change when the brute force protection is disabled also the existing attempts within the last 24 hours will be disregarded. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-05-01 18:31:45 +02:00
Lukas Reschke	e39e6d0605	Remove expired attempts Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-04-13 12:00:18 +02:00
Lukas Reschke	66835476b5	Add support for ratelimiting via annotations This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-04-13 12:00:16 +02:00
Roeland Jago Douma	be674c19a5	Respect bruteforce settings in the Throttler Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2017-04-02 21:13:50 +02:00
Morris Jobke	f9bc53146d	Fix unit tests Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-03-28 21:00:12 -06:00
Lukas Reschke	adfd1e63f6	Add base-uri to CSP policy As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2017-03-16 15:16:20 +01:00
Robin Appelman	817e974c5f	dont write a certificate bundle if the shipped ca bundle is empty Signed-off-by: Robin Appelman <robin@icewind.nl>	2017-01-09 16:51:27 +01:00
Roeland Jago Douma	72f9920a58	Add Identityproof tests * Add tests for Key * Add tests for Manager * Add tests for Signer * Removed URLGenerator from Signer Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2016-11-24 21:50:19 +01:00
Lukas Reschke	fb91bf6a5b	Add a signer class for signing Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2016-11-21 11:30:00 +01:00
Lukas Reschke	a8b7df9cc1	Add tests Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2016-11-02 21:10:51 +01:00
Joas Schilling	2c4035e806	Inject config and logger Signed-off-by: Joas Schilling <coding@schilljs.com>	2016-11-02 20:30:37 +01:00
Leon Klingele	e5d78a3523	Fix CSRF token generation / validation Operate on raw bytes instead of base64-encoded strings. Issue was introduced in `a977465` Signed-off-by: Leon Klingele <git@leonklingele.de>	2016-11-02 10:38:05 +01:00
Roeland Jago Douma	e351ba56f1	Move browserSupportsCspV3 to CSPNonceManager Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2016-10-25 22:03:10 +02:00

1 2

59 Commits