In case the update server may deliver malicious content this would allow an adversary to inject arbitrary HTML into the response. So very bad stuff.
While signing the response would be better and something we can also do in the future (considering the code signing work), this is already a good first start.
* instead of a static rendering inside PHP use the
JS OC.Notification.showTemporary to hide the
notification after 7 seconds automatically
* fixes #14811
If the asset is, for example, in an apps directory that is
outside the $SERVERROOT, we won't be able to get a relative
path. We shouldn't just fail hard in this case. Fall back to
using the absolute path instead (as we used to).
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server->getRequest()` or into a separate `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.
This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.
Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests were possible they have been added though.
Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
This allows the directory where CSS/JS asset collections are
written to be changed, in case SERVERROOT is not writeable. Note
it does *not* allow the expected URL to be changed: whatever
directory is used, the server must be configured to serve it
at WEBROOT/assets. It may be possible to add another config
parameter to allow the admin to specify a custom asset URL,
but I thought I'd keep the first implementation simple.
At some point SeparatorFilter should be included upstream
(kriswallsmith/assetic), then lib/private/assetic/separatorfilter.php can be
removed and the `use` in lib/private/templatelayout.php rewritten.
SeparatorFilter inserts a separator between assets, preventing issues when
files are incorrectly terminated. For JS this is a semicolon.
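
Added example, not part of the commit above or of ownCloud's or Assetic's code: it shows the failure a separator between JS assets prevents, where a file without a terminating semicolon is followed by one that starts with "(". The asset contents, the `registry` object, the function names and the assumption that assets are joined with a newline are all constructed for illustration.

```javascript
// Constructed sample assets: the first lacks a terminating semicolon,
// the second begins with "(" (a common immediately-invoked wrapper).
const assets = [
  { name: 'core.js', source: "registry.core = function () { return 'core' }" },
  { name: 'app.js', source: "(function () { registry.app = 'loaded' })()" },
];

// Assumption: a collection is dumped by joining asset contents with "\n".
// When a separator is given, it is appended to every asset first.
function bundle(list, separator = '') {
  return list.map((asset) => asset.source + separator).join('\n');
}

// Evaluate a bundle against a fresh registry object and report the outcome.
function load(code) {
  const registry = {};
  try {
    new Function('registry', code)(registry);
    return { ok: true, registry };
  } catch (err) {
    return { ok: false, error: err.name, registry };
  }
}

// Without a separator the parser sees one expression:
//   registry.core = function () {...}(function () {...})()
// The first function is called with the second as its argument, and the
// string it returns is then called, which throws before anything is assigned.
const plain = load(bundle(assets));

// With ";" after each asset, both statements run independently.
const separated = load(bundle(assets, ';'));

console.log('plain:', plain.ok, plain.error);
console.log('separated:', separated.ok, Object.keys(separated.registry));
```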
adding argument deleteSelf to rmdirr() - if false the directory itself will not be deleted only its content
adding repair step to clean the asset cache after upgrade + coding style adjustments