Commit Graph

656 Commits

Author SHA1 Message Date
Morris Jobke ab48d5e8cb
Cleanup unneeded code around database.xml
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2021-03-24 22:15:44 +01:00
Joas Schilling bb0c50717c
Bye bye database.xml
Signed-off-by: Joas Schilling <coding@schilljs.com>
2021-03-24 20:04:12 +01:00
Robin Appelman 9e3775618b
log full exception during repair step
Signed-off-by: Robin Appelman <robin@icewind.nl>
2021-03-18 08:45:17 +01:00
Roeland Jago Douma cc744740b7 Remove deprecated \OCP\API
Time to remove this for good now.
Remaining constant moved over
The world is a tiny bit better

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2021-03-03 20:54:32 +01:00
dependabot-preview[bot] eb502c02ff
Bump nextcloud/coding-standard from 0.3.0 to 0.5.0
Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 0.3.0 to 0.5.0.
- [Release notes](https://github.com/nextcloud/coding-standard/releases)
- [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nextcloud/coding-standard/compare/v0.3.0...v0.5.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2021-02-18 13:31:24 +01:00
Roeland Jago Douma 25f9203a70 Fix remaining #25359
As a wise man once said:

"I like PRs that pass tests before merging"
C. Wurst, Feb 9th 2021

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2021-02-10 15:41:25 +01:00
Christoph Wurst aabd73912e
Type the service registration
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2021-02-10 09:44:24 +01:00
John Molakvoæ (skjnldsv) 4f90766ba3
Skip template picker if none available
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2021-01-28 12:00:20 +01:00
Julius Härtl 7e6d69d166
Add templatedirectory config value to let admins have their custom templates by default
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2021-01-28 12:00:20 +01:00
Julius Härtl 4974404774
files: Create files from template API
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2021-01-28 11:59:46 +01:00
Roeland Jago Douma 6d4afca7ac Add support for webp
Including handling in OC_Image
But also a preview provider

Of course only works if your php actually supports webp

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2021-01-19 20:17:10 +01:00
Christoph Wurst 8b64e92b92
Bump doctrine/dbal from 2.12.0 to 3.0.0
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2021-01-08 11:45:19 +01:00
Christoph Wurst 287c26bda3
Replace patchwork/utf8 with symfony-polyfill-*
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2021-01-07 21:22:41 +01:00
Christoph Wurst 9ce3ea3368
Update license headers
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-12-30 14:07:05 +01:00
Roeland Jago Douma adc4f1a811
Merge pull request #22916 from J0WI/unifiy-links-to-php.net
Unify links to php.net
2020-12-22 09:53:31 +01:00
Christoph Wurst d89a75be0b
Update all license headers for Nextcloud 21
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-12-16 18:48:22 +01:00
Julius Härtl a4b5312729 Do not include non-required scripts on the upgrade page
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-12-15 21:14:07 +01:00
Lukas Reschke 8a8aa4f7dc Add sanitizers for JSON output
Those functions set proper content-types that prevent rendering of
data. Therefore it's safe to mark them as sanitizers.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-12-11 21:23:11 +00:00
Joas Schilling c8e0f3015f
Merge pull request #24398 from nextcloud/fix/do-not-update-incompatible-app
Do not update incompatible apps
2020-12-09 09:28:25 +01:00
Roeland Jago Douma 7f61535a1a
GD images
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-12-07 15:44:04 +01:00
Christoph Wurst cbb34af53f
Do not update incompatible apps
Previously there was no (platform) dependency check for an app that was
installed before. So Nextcloud happily upgraded an app that now requires
a php version newer than the current one. Which means in the lucky case
you see a failing upgrade due to the language incompatibility, or in the
unlucky case you see unexpected errors later in production.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-12-04 17:05:22 +01:00
Roeland Jago Douma c9cd633665
Fix the download of multiple files from the webUI
needed a setupFS call

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-12-03 13:20:01 +01:00
Christoph Wurst fd649afb1f
Remove the deprecated update.php
* It was documented as deprecated.
* The app code checker warned about it
* It's been three years

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-27 13:02:59 +01:00
Morris Jobke f4c1512bb7
Fix typo in @deprecated PHPDoc tag
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-24 00:13:09 +01:00
Roeland Jago Douma 032de4f333
Merge pull request #24269 from nextcloud/taint-specialize
Mark getAppPath as specialized taint
2020-11-22 13:39:46 +01:00
Lukas Reschke d25ca1976b Mark getAppPath as specialized taint
Should remove some false positives.

https://psalm.dev/docs/security_analysis/avoiding_false_positives/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-21 01:15:15 +00:00
Lukas Reschke 98ddfdd1e8 Mark cleanAppId as sanitizer for include
Should remove a bunch of false positive code scanning results.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-21 00:57:25 +00:00
Lukas Reschke 47ac8e0028
Add Psalm Taint Flow Analysis
This adds the Psalm Security Analysis, as described at
https://psalm.dev/docs/security_analysis/

It also adds a plugin for adding input into AppFramework.

The results can be viewed in the GitHub Security tab at
https://github.com/nextcloud/server/security/code-scanning

**Q&A:**

Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released
versions is not gonna get us the results we want.

Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/

Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/

Q: We should run this on apps!
A: Yes.

Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate
the taint. This leads to results where the taint flow is lost. That's
something that I am currently working on.

Q: Why is the plugin MIT licensed?
A: Because it's the first of its kind (based on GitHub Code Search) and
I want other people to copy it if they want to. Security is for all :)

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-20 23:12:00 +01:00
Christoph Wurst d0f738fd59
Merge pull request #24112 from nextcloud/bugfix/24099/setup-fs-before-query-storage-in-settings
Set up FS before querying storage info in settings
2020-11-16 11:46:22 +01:00
Joas Schilling 91a3e439cb
Don't throw on SHOW VERSION query
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-16 08:43:48 +01:00
Vincent Petry 2143f2bb82
Set up FS before querying storage info in settings
The personal info section of the personal settings is querying the
storage quota information. For this it requires the FS to be setup which
is not always guaranteed.

This fixes an issue where refreshing the settings page would cause it to
fail after Redis caches are full. It is likely that when Redis cache is
populated, some code path is initializing the FS, so it works so far.
But when the cache is populated, that code path is skipped so the FS is
not guaranteed to be setup...

Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2020-11-13 17:06:37 +01:00
Morris Jobke f23c2162ad
Merge pull request #23993 from nextcloud/bugfix/noid/close-cursors
Don't leave cursors open
2020-11-10 15:15:03 +01:00
Christoph Wurst 979b291a36
Show the full trace of an exception
Because often we catch the exception at some point and then the trace is
misleading. What's really interesting is the trace of the *previous*
exception.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-11-10 10:35:08 +01:00
Joas Schilling 8027dcbc6f
Don't leave cursors open when tests fail
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-09 12:28:17 +01:00
Roeland Jago Douma d8637c62e0
Reduce the getAppPath and autoloader calls
The getAppPath will always return the same data for the same appId. It
is actually already cached. However we do some cleanup of the appId
(again). Same for the autoloading it is actually already checked.

This just removes the unneeded calls. Which can add up if you have a lot
of incoming shares.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-07 17:24:41 +01:00
Morris Jobke 9981ffd784
Merge pull request #23922 from nextcloud/bugfix/noid/fix-query-type-detection
Improve query type detection
2020-11-06 22:18:14 +01:00
Morris Jobke b70cf435a7
Merge pull request #23940 from nextcloud/enh/skip_already_loaded_apps
Skip already loaded apps in loadApps
2020-11-06 21:58:44 +01:00
Roeland Jago Douma 0dece78617
Skip already loaded apps in loadApps
Otherwise you might end up calling a lot of functions unneeded.
And while the individual calls are cheap if you multiply them by 20k
they still get somewhat expensive.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-06 14:56:06 +01:00
Joas Schilling a847aea19c
Deprecate OC_DB::prepare and OC_DB::executeAudited as they leak cursors
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-06 10:37:37 +01:00
Joas Schilling 3d2f71cfa9
Improve query type detection
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-06 08:38:56 +01:00
Morris Jobke fc403135d1
Use lib instead of core as l10n module in OC_Files
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-10-27 15:37:57 +01:00
Joas Schilling c1834bac7d
Only use index of mount point when it is there
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-10-21 13:37:56 +02:00
Christoph Wurst d9015a8c94
Format code to a single space around binary operators
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-10-05 20:25:24 +02:00
Robin Appelman 0dfdf3ee99
add mount point to quota warning message
makes it more clear to the user what the quota applies to

Signed-off-by: Robin Appelman <robin@icewind.nl>
2020-10-04 11:02:32 +02:00
J0WI 68ce17e59b Unify links to php.net
Update all links to https://www.php.net/

Signed-off-by: J0WI <J0WI@users.noreply.github.com>
2020-09-17 17:40:04 +02:00
Morris Jobke 46525f8639
Change 0 to null to properly encode image to BMP if the first pixel is black
Ref #22288

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-09-10 12:08:01 +02:00
Robin Appelman c077c15875
show better quota warning for group folders and external storage
instead of showing the generic 'Your storage is full' message, better explain that it's the group folder/external storage that is full

Signed-off-by: Robin Appelman <robin@icewind.nl>
2020-08-25 16:05:16 +02:00
Christoph Wurst 2a054e6c04
Update the license headers for Nextcloud 20
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-08-24 14:54:25 +02:00
Joas Schilling b09620651c
Don't use deprecated getIniWrapper() anymore
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-20 16:35:38 +02:00
Morris Jobke 4c6eb96471
Merge pull request #22280 from nextcloud/bugfix/noid/429-on-brute-force-maximum
Send "429 Too Many Requests" in case of brute force protection
2020-08-19 18:21:01 +02:00