Doing this in the PHP code is not the right approach for multiple reasons:
1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.
This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
Breaking change for 8.1 wiki (Security > Administrators):
The log format for failed logins has changed and uses now the remote address and is considering reverse proxies for such scenarios when configured correctly.
This has no other reason than preventing some insane automated scanners from reporting this as security bug (which it obviously isn't as the cookie contains nothing of value)
Thus it generally results in an happier Lukas and hopefully less reports to our support and security mail addresses...
The existing method is deprecated and just a wrapper around the manager method. Since in the future other code paths might call this function instead we need to perform that check here.
Related to http://owncloud.org/security/advisory/?id=oc-sa-2014-020
This adds a "backend" type filter to the index REST route which is a pre-requisite for https://github.com/owncloud/core/issues/12620
For example when calling `index.php/settings/users/users?offset=0&limit=10&gid=&pattern=&backend=OC_User_Database` only users within the backend `OC_User_Database` would be shown. (requires sending a CSRF token as well)
Depends upon https://github.com/owncloud/core/pull/12711
This change will expose the user backend via the REST API which is a pre-requisite for https://github.com/owncloud/core/issues/12620.
For example:
````json
[{"name":"9707A09E-CA9A-4ABE-A66A-3F632F16C409","displayname":"Document Conversion User Account","groups":[],"subadmin":[],"quota":"default","storageLocation":"\/Users\/lreschke\/Programming\/core\/data\/9707A09E-CA9A-4ABE-A66A-3F632F16C409","lastLogin":0,"backend":"OCA\\user_ldap\\USER_LDAP"},{"name":"ED86733E-745C-4E4D-90CB-278A9737DB3C","displayname":"Hacker","groups":[],"subadmin":[],"quota":"default","storageLocation":"\/Users\/lreschke\/Programming\/core\/data\/ED86733E-745C-4E4D-90CB-278A9737DB3C","lastLogin":0,"backend":"OCA\\user_ldap\\USER_LDAP"},{"name":"71CDF45B-E125-450D-983C-D9192F36EC88","displayname":"admin","groups":[],"subadmin":[],"quota":"default","storageLocation":"\/Users\/lreschke\/Programming\/core\/data\/71CDF45B-E125-450D-983C-D9192F36EC88","lastLogin":0,"backend":"OCA\\user_ldap\\USER_LDAP"},{"name":"admin","displayname":"admin","groups":["admin"],"subadmin":[],"quota":"default","storageLocation":"\/Users\/lreschke\/Programming\/core\/data\/admin","lastLogin":"1418057287","backend":"OC_User_Database"},{"name":"test","displayname":"test","groups":[],"subadmin":[],"quota":"default","storageLocation":"\/Users\/lreschke\/Programming\/core\/data\/test","lastLogin":0,"backend":"OC_User_Database"}]
```
First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future.
the current implementation limits number of possible backed actions
to 8 as it uses pow of 16 for constants. This change introduces pow
of two and allows up-to 32 actions to be defined.
The old values are preserved for backward compatibility.
We do not want to follow redirects to other protocols since they might allow an adversary to bypass network restrictions. (i.e. a redirect to ftp:// might be used to access files of a FTP server which might be in a secure zone and not be reachable from the net but from the ownCloud server)
Get final redirect manually using get_headers()
Migrate to HTTPHelper class and add unit tests
maintain deprecated \OC::$session when getting or setting the session via the server container or UserSession
restore order os OC::$session and OC::$CLI
remove unneded initialization of dummy session
write back session when $useCustomSession is true
log warning when deprecated app is used
Conflicts:
apps/files_sharing/lib/sharedstorage.php
tests/lib/group/manager.php
removed hasFilesSharedWith from lib/public/share.php and
sharedstorage.php to fix merge
backends. This is a port to master from PR #7745
remove OC_GROUP_BACKEND_GET_DISPLAYNAME option for group backends
Conflicts:
lib/private/group/backend.php
LDAP: getDisplayNamesInGroup is not an option for group backends anymore
Conflicts:
apps/user_ldap/group_ldap.php
apps/user_ldap/group_proxy.php
clean up group backends
Conflicts:
lib/private/group/database.php
remove now unnecessary test
implement getDisplayNames in group manager
adjust user manager tests
test for group manager's displayNamesInGroup
trim must not be used in empty in PHP < 5.5
keep the constant to not provoke PHP warnings
Conflicts:
lib/private/group/backend.php
Previous version is vulnerable to session fixation attack in some situations, guessing non-apache-module-php5 environment. Regeneration of session id should be done here.
Lukas Reschke
Morris Jobke
Robin McCorkell
Jenkins for ownCloud
Robin Appelman
Bernhard Posselt
Joas Schilling
Thomas Müller
michag86
Bjoern Schiessle
Tigran Mkrtchyan
Arthur Schiwon
Jörn Friedrich Dreyer
Bart Visscher
Lukas Reschke
Victor Dubiniuk
Volkan Gezer
adrien
nishiki
Scrutinizer Auto-Fixer
NARUKAWA Hiroki