Commit Graph

20 Commits

Author SHA1 Message Date
Lukas Reschke 8313a3fcb3 Add mitigation against BREACH
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
2015-08-14 01:31:32 +02:00
Lukas Reschke 886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Lukas Reschke 770fa761b8 Respect `mod_unique_id` and refactor `OC_Request::getRequestId`
When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs.

Testplan:

- [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`.
- [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string
- [ ] The generated Id is stable over the lifespan of one request

Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI.

Fixes https://github.com/owncloud/core/issues/13366
2015-02-09 11:53:11 +01:00
Morris Jobke bf1b62a34a PHP < 5.4 is not supported anymore - see #12606 2014-12-04 11:05:45 +01:00
Morris Jobke 2c5e4b3d3f Remove last traces of travis integration 2014-12-04 10:09:13 +01:00
Lukas Reschke 048139074d Add functions to modify cookies to response class
Currently there is no AppFramework way to modify cookies, which makes it unusable for quite some use-cases or results in untestable code.

This PR adds some basic functionalities to add and invalidate cookies.

Usage:
```php
$response = new TemplateResponse(...);
$response->addCookie('foo', 'bar');
$response->invalidateCookie('foo');
$response->addCookie('bar', 'foo', new \DateTime('2015-01-01 00:00'));
```

Existing cookies can be accessed with the AppFramework using `$this->request->getCookie($name)`.
2014-11-27 14:19:00 +01:00
Joas Schilling 6202ca33ba Make remaining files extend the test base 2014-11-19 14:53:59 +01:00
Bernhard Posselt 0696099bad add dataresponse
fix docstrings

adjust copyright date

another copyright date update

another header update

implement third headers argument, fix indention, fix docstrings

fix docstrings
2014-10-29 09:43:47 +01:00
Morris Jobke e717833b07 mark tests as skipped - TODO travis
* swift causes some timeouts and test failures
2014-08-05 18:35:47 +02:00
Bernhard Posselt a152e320f6 make it possible to omit parameters and use the default parameters from the controller method 2014-05-13 10:40:49 +02:00
Bernhard Posselt 1d45239c65 adjust license headers to new mail address 2014-05-11 17:54:08 +02:00
Bernhard Posselt cb666c18d6 rename formatter to responder, formatResponse to buildResponse 2014-05-11 17:54:08 +02:00
Bernhard Posselt d8da79cab0 add test for not failing when adding more comments after type parameters, do not limit x-www-form-urlencoded to POST 2014-05-11 17:54:08 +02:00
Bernhard Posselt 80648da431 implement most of the basic stuff that was suggested in #8290 2014-05-11 17:54:08 +02:00
Scrutinizer Auto-Fixer adaee6a5a1 Scrutinizer Auto-Fixes
This patch was automatically generated as part of the following inspection:
https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720

Enabled analysis tools:
 - PHP Analyzer
 - JSHint
 - PHP Copy/Paste Detector
 - PHP PDepend
2014-02-19 09:31:54 +01:00
Thomas Tanghus ad017285e1 Fix namespace for OCP\Appframework\Http
To avoid having to use OCP\Appframework\Http\Http in the public - and stable
- API OCP\Appframework\Http is now both a class and a namespace.
2013-10-23 05:57:34 +02:00
Thomas Tanghus d75d80ba13 OCP\AppFramework\Controller\Controller => OCP\AppFramework\Controller 2013-10-11 10:07:57 +02:00
Thomas Müller 1e5012fc1d fixing all appframework unit tests 2013-10-07 11:25:50 +02:00
Thomas Müller 33db8a3089 kill superfluent classloader from tests - this approach might be of interest within the apps 2013-08-21 00:41:20 +02:00
Thomas Müller fde9cabe97 initial import of appframework 2013-08-17 11:16:48 +02:00