Instead of prepending the token as username in the URL, use the
Authorization header instead. This is because IE9 considers this a
cross-domain call and refuses to do it in the first place.
When clicking on the unshare link (trash icon), the correct link element
needs to be used instead of whatever child was clicked. Then, that
element might contain a visible loading icon.
This fixes the spinner detection and also prevents a full page reload in
case the spinner was visible.
Whenever link share is not allowed, it was outputting a bogus sharing
field which name would conflict with the regular sharing field.
This fix makes sure that the bogus sharing field with "Resharing not
allowed" message only appears when triggered by removed share
permissions.
Old code first dit an ajax request to the avatar. Then a new image
object with the same src was created and since we do not cache avatars
yet :( this resulted in 2 sequential requests to the exact same URL
Now if you set the displayname it will first set the placeholder and
then load the avatar in the background. Only once this time!
This changeset allows ownCloud to run with pretty URLs, they will be used if mod_rewrite and mod_env are available. This means basically that the `index.php` in the URL is not shown to the user anymore.
Also the not deprecated functions to generate URLs have been modified to support this behaviour, old functions such as `filePath` will still behave as before for compatibility reasons.
Examples:
http://localhost/owncloud/index.php/s/AIDyKbxiRZWAAjP => http://localhost/owncloud/s/AIDyKbxiRZWAAjPhttp://localhost/owncloud/index.php/apps/files/ => http://localhost/owncloud/apps/files/
Due to the way our CSS and JS is structured the .htaccess uses some hacks for the final result but could be worse... And I was just annoyed by all that users crying for the removal of `index.php` ;-)
This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository.
Furthermore, there is a basic implementation to display problems with the code integrity on the update screen.
Code signing basically happens the following way:
- There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release 😉). This certificate is not intended to be used for signing directly and only is used to sign new certificates.
- Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID.
- The command generates a signature.json file of the following format:
```json
{
"hashes": {
"/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
"/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
},
"certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----",
"signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
```
`hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`.
Steps to do in other PRs, this is already a quite huge one:
- Add nag screen in case the code check fails to ensure that administrators are aware of this.
- Add code verification also to OCC upgrade and unify display code more.
- Add enforced code verification to apps shipped from the appstore with a level of "official"
- Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release
- Add some developer documentation on how devs can request their own certificate
- Check when installing ownCloud
- Add support for CRLs to allow revoking certificates
**Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature:
```
➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt
Successfully signed "core"
```
Then increase the version and you should see something like the following:
![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png)
As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen.
For packaging stable releases this requires the following additional steps as a last action before zipping:
1. Run `./occ integrity:sign-core` once
2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
When exiting the password field in the share dialog, IE9 would
mistakenly think that the password has changed and would send the
placeholder.
This fix prevents changing the password whenever the placeholder is set
as value.
All IE versions are not able to properly upscale SVG icons unless the
said SVG files contain a "viewBox" attribute, which is not always the
case. Also we cannot guarantee that all third party apps will have this
attribute in their icons.
So for now, app icons will not be displayed in IE instead of broken
ones.
- Rely on class names instead of global ids
- When global ids are needed for label+checkbox, append the view id
(cid) to the element's id
This fixes the checkboxes when multiple sidebars exist in the DOM.
If the password is enforced we can't create a link share right away but
just show the password field. Untoggling the link sharing should not try
to remove the share.
* Added unit test
We used to display the response from the server. Which is in non ISO8601
format. Now this is weird since the datepickers shows us 'DD-MM-YYYY'
once a date is chosen.
Now use momentJS to properly format the date.
* Unit tests updated
- calculate multiselect header width to exclude scrollbar
- call FileList._onResize() when sidebar is toggled ("appresized"), this
also updates the breadcrumb width
- moved global getScrollBarWidth() to OC.Util namespace
Added hack that uses a "filter" CSS with explicit URL to fix the "New"
menu by scaling down icons and also fix the folder/filetype icon in the sidebar
by scaling it up.
The shares array is based on what the server returns and can contain
share info for parent folders.
hasUserShares is now fixed to ignore parent folders and only checks for
shares on the current item.
If a response to a $.ajax() request returns a content type of "application/javascript"
JQuery would previously execute the response body. This is a pretty unexpected
behaviour and can result in a bypass of our Content-Security-Policy as well as
multiple unexpected XSS vectors.
Controls bar calculation needs to take the sidebar visibility into
account.
Recalculation is now triggered when sidebar is toggled, using a new
app-content event "appresized".
Default renderer like the favorite icon can decide whether to use the
permanent class or not.
Fixed sharing code to properly update the icon according to sharing
state modifications.
In some cases the ajax/share.php will return the share time as string.
If this is the case it would get parsed completely wrong and cause the
share dropdown to not work anymore. This change will properly cast the
string to an interger and also fallback if this is not possible.
Tipsy also supported the `fallback` element which will now not work anymore. To enhance compatibility we shall also implement it in the shim.
Fixes https://github.com/owncloud/core/issues/17870
These should be used in the future instead of location.*.
It will make it possible to stub these methods for writing unit tests
and simulating different URL schemes.
This makes it possible to retrieve the icon for mimetypes in javascript.
It makes no additional queries to the server to retrieve the mimetype.
* config/mimetypealiases.json added
* mimetype.js: this is where the logic resides to convert from mimetype
to icon url
* mimetypelist.js: generated file with a list of mimetype mapping (aliases)
and the list of icon files
* ./occ maintenance:mimetypesjs : new command for occ to gernerate
mimetypes.js
* unit tests updated and still work
* javascript tests added
* theming support
* folder of the theme is now present in javascript (OC.theme.folder)
This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well.
Fixes https://github.com/owncloud/core/issues/16673
* A list of recipients can now be properly formatted with remote shares.
Before the shares where simply shown in full in the "Shared with others"
section.
* Unit tests updated and added
Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system:
1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop
2. MTRand: chr((mt_rand() ^ mt_rand()) % 256)
3. Rand: chr((rand() ^ rand()) % 256)
4. UniqId: Plain uniqid()
An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour.
One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface.
Thanks to David Black from d1b.org for bringing this again to our attention.
This did not happen correctly when the password was enforced since a
different code path was taken.
* moved generation of the default date string to separate function
* added unit test
Calculating the URL is error-prone as it doesn't work when for example `public.php` is requested and might even be harmful as it could leak sensitive information.
Since `oc.js` is even available when maintenance mode is available it is better to use the global `OC.webroot` that is not controlled by any user.
* instead of a static rendering inside PHP use the
JS OC.Notification.showTemporary to hide the
notification after 7 seconds automatically
* fixes#14811
* fix XMLHttpRequest - send after callback is registered
* check for correct type of value - it's a boolean
* return correct content-type in status.php
Added option to disable autoscan of external storages
Mount option file system scan is now an int
Move priority field to avoid undefined field in storage options
All input elements inside the storage options block get parsed into
storage options.
Moving the priority field outside prevents it to appear in the storage
config, as expected. It is still parsed by special code.
- Added StorageConfig class to replace ugly arrays
- Implemented StorageService and StorageController for Global and User
storages
- Async status checking for storages (from Xenopathic)
- Auto-generate id for external storage configs (not the same as
storage_id)
- Refactor JS classes for external storage settings, this mostly
moves/encapsulated existing global event handlers into the
MountConfigListView class.
- Added some JS unit tests for the external storage UI
* Avatar for "xxxx share with you..." to the left
* Avatars for groups and remote shares (use default placeholder)
* Modified and added unit tests
* Use the same css for all the avatars in the dropdown
Doing this in the PHP code is not the right approach for multiple reasons:
1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.
This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
This function is often used in a wrong and potential dangerous way... Thus we should escape the URL per default and offer developers to disable the automatic escaping via an option parameter if they really want that behaviour.
Might break some things, however, those things are then easy to fix and we really have a ton of bugs caused by this...
Fixes https://github.com/owncloud/core/issues/14228
*Changes:*
* "… is not yet properly setup" in line 24 is changed to " … is not yet set up properly" (better word order and space in the middle of "set up", as it is a participle of the verb "to set up").
* "internet" is corrected to "Internet" with a capitalized "I" in lines 54 and 59.
* Also in line 54: "3rd party" is changed to "third-party" to for a more coherent spelling across the different ownCloud components.
* "… apps don´t work" is corrected to "… apps won't work" (with a proper (and hopefully correctly escaped) (apostrophe)[http://en.wikipedia.org/wiki/Apostrophe#Typographic_form] instead of the (acute accent)[http://en.wikipedia.org/wiki/Acute_accent]).
* Still in line 54: The negation is corrected from "… might also not work" to "… might not work, either".