Commit Graph

45 Commits

Author SHA1 Message Date
Lukas Reschke 809ff5ac95 Add public API to give developers the possibility to adjust the global CSP defaults
Allows to inject something into the default content policy. This is for
example useful when you're injecting Javascript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.

To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`,
$policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.

To test this add something like the following into an `app.php` of any enabled app:
```
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');

$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);

$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```

If you now open the files app the policy should be:

```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
2016-01-28 18:36:46 +01:00
Lukas Reschke a977465af5 Add new CSRF manager for unit testing purposes
This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.
2016-01-25 20:03:40 +01:00
Robin McCorkell da4127d23b Introduce CredentialsManager for storage of credentials in DB
CredentialsManager performs a simple role, of storing and retrieving
encrypted credentials from the database. Credentials are stored by user
ID (which may be null) and credentials identifier. Credentials
themselves may be of any type that can be JSON encoded.

The rationale behind this is to avoid further (mis)use of
oc_preferences, which was being used for all manner of data not related
to user preferences.
2016-01-18 11:10:41 +01:00
Morris Jobke 73dd8c17de Fix usage of PHP method within namespace
* introduced wiht 045ea4eb
2016-01-14 09:24:21 +01:00
Thomas Müller c5a200c419 Merge pull request #21653 from owncloud/update-license-headers-2016
Update license headers 2016
2016-01-13 08:29:42 +01:00
Thomas Müller 682821c71e Happy new year! 2016-01-12 15:02:18 +01:00
Robin Appelman c15cab7ed6 Allow admins to add system wide root certificates 2016-01-12 12:50:59 +01:00
Roeland Jago Douma 98c4951f45 getLowStrengthGenerator does not do anything anymore 2016-01-11 19:59:15 +01:00
Lukas Reschke f3360d51c6 Use PHP polyfills 2015-12-11 08:47:36 +01:00
Lukas Reschke 8289943a0f Do not trust casting 2015-12-08 08:50:00 +01:00
Lukas Reschke 6ea7410041 Remove legacy check
This one is not required anymore as we have the RepairConfig repair step since November 2014.
2015-12-08 08:44:42 +01:00
Lukas Reschke 045ea4eb2b Use native CSPRNG if available
Unfortunately only PHP 7…
2015-11-09 15:04:22 +01:00
Morris Jobke b945d71384 update licence headers via script 2015-10-05 21:15:52 +02:00
Lukas Reschke a8e8a9dfb9 Move certificate bundle into resources/config/ 2015-09-22 16:43:28 +02:00
Bjoern Schiessle 37513f9411 don't read certificates if ownCloud is not installed 2015-08-30 19:00:03 +02:00
Lukas Reschke 90a11efecd Remove "use" statement
Ref https://bugs.php.net/bug.php?id=66773
2015-08-05 09:31:21 +02:00
Andreas Fischer 3b803db6d8 Update phpseclib to 2.0 2015-08-03 09:43:45 +02:00
Lukas Reschke d0363fe396 Fix type annotation
Obviously should be an int
2015-04-27 13:31:18 +02:00
Lukas Reschke 1cc2aefa46 Proper return types 2015-04-20 13:00:02 +02:00
Lukas Reschke 9f61cf60d4 Verify if returned object is an array
The error has to be thrown at this point as otherwise errors and notices are thrown since the time cannot be parsed in L60 and L61
2015-04-20 12:58:57 +02:00
Jenkins for ownCloud b585d87d9d Update license headers 2015-03-26 11:44:36 +01:00
Lukas Reschke 5f044ebf1b Add wrapper for Guzzle 2015-03-25 16:04:41 +01:00
Morris Jobke 06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Jenkins for ownCloud 6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
Lukas Reschke 9f91d64918 Make scrutinizer happy 2015-02-16 22:13:00 +01:00
Lukas Reschke 886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Lukas Reschke 025110821f URLEncode logout attribute
Otherwise logout can fail if the requesttoken contains a +
2015-02-13 12:08:23 +01:00
Bjoern Schiessle 5ba19ba7fc certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-26 16:58:52 +01:00
Bjoern Schiessle 67da1f7e5a certificate manager only needs the user-id, no need to pass on the complete user object 2015-01-26 16:58:52 +01:00
Bjoern Schiessle 24993280ed Next step in server-to-server sharing next generation, see #12285
Beside some small improvements and bug fixes this will probably the final state for OC8.

To test this you need to set up two ownCloud instances. Let's say:

URL: myPC/firstOwnCloud user: user1
URL: myPC/secondOwnCloud user: user2
Now user1 can share a file with user2 by entering the username and the URL to the second ownCloud to the share-drop-down, in this case "user2@myPC/secondOwnCloud".

The next time user2 login he will get a notification that he received a server-to-server share with the option to accept/decline it. If he accept it the share will be mounted. In both cases a event will be send back to user1 and add a notification to the activity stream that the share was accepted/declined.

If user1 decides to unshare the file again from user2 the share will automatically be removed from the second ownCloud server and user2 will see a notification in his activity stream that user1@myPC/firstOwnCloud has unshared the file/folder from him.
2014-12-19 15:20:24 +01:00
Lukas Reschke ee1f8b0242 Remove workaround for 5.3
Function is natively available with 5.4
2014-12-04 11:17:33 +01:00
Morris Jobke 146cb920c9 Merge pull request #12218 from owncloud/issue/10991-fixes
Issue/10991 Make unit tests pass on windows
2014-11-17 16:44:45 +01:00
Joas Schilling 39ae569c5c Correctly close handle of directory when listing certificates 2014-11-17 10:48:14 +01:00
Lukas Reschke 24ca2d858f Add OCP\Security\IHasher
Public interface for hashing which also works with legacy ownCloud hashes and supports updating the legacy hash via a passed reference.

Follow-up of https://github.com/owncloud/core/pull/10219#issuecomment-61624662
Requires https://github.com/owncloud/3rdparty/pull/136
2014-11-06 15:16:14 +01:00
Lukas Reschke d07d5915c9 Remove unused and overflowing function
Resolves https://github.com/owncloud/core/issues/10991 failure 4
2014-09-18 10:21:28 +02:00
Lukas Reschke 5ff999d69d Return false in case one of the values is null 2014-09-12 13:34:45 +02:00
Lukas Reschke 1973275adc Add custom hex2bin implementation for 5.3
Fixes https://github.com/owncloud/core/issues/11004
2014-09-11 09:51:45 +02:00
Lukas Reschke 373d1c5e9f Merge pull request #10642 from owncloud/securityutils
Add some security utilities
2014-09-03 15:28:42 +02:00
Lukas Reschke 50b430ee7c Add char consts, hash the specified password for the HMAC 2014-09-03 11:03:27 +02:00
Robin Appelman bfa0c4b78a Explicitly set the timezones 2014-08-31 11:06:18 +02:00
Lukas Reschke 4efe6f6240 Add unit tests and fix rootcerts creation bug 2014-08-31 10:47:50 +02:00
Robin Appelman e64aa330fd check for blacklisted file certificate filenames 2014-08-31 10:47:50 +02:00
Robin Appelman 79d896e830 Rename namespace 2014-08-31 10:47:50 +02:00
Lukas Reschke 3329e0f2b2 Use DI 2014-08-27 00:49:53 +02:00
Lukas Reschke d26a9c3c58 Add some security utilities
This adds some security utilities to core including:
- A library for basic crypto operations (e.g. to encrypt passwords)
- A better library for cryptographic actions which allows you to specify the charset
- A library for secure string comparisions

Remove .htaccess

Remove .htaccess

Fix typo

Add public API

Use timing constant comparision

Remove CBC constant

Adjust code

Remove confusing $this
2014-08-27 00:18:04 +02:00