Roeland Jago Douma
c21a976bc4
Allow to specify the cookie type for appframework responses
...
In general it is good to set them to Lax. But also to give devs more
control over them is not a bad thing.
Helps with #21474
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-06-22 11:02:50 +00:00
Clement Wong
21f8cc584c
Fix http cache test
...
Signed-off-by: Clement Wong <git@clement.hk>
2020-05-13 06:34:22 +00:00
Christoph Wurst
1584c9ae9c
Add visibility to all methods and position of static keyword
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 16:51:06 +02:00
Christoph Wurst
caff1023ea
Format control structures, classes, methods and function
...
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 14:19:56 +02:00
Christoph Wurst
14c996d982
Use elseif instead of else if
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 10:35:09 +02:00
Christoph Wurst
44577e4345
Remove trailing and in between spaces
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 16:07:47 +02:00
Christoph Wurst
afbd9c4e6e
Unify function spacing to PSR2 recommendation
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 13:54:22 +02:00
Christoph Wurst
2a529e453a
Use a blank line after the opening tag
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 11:50:14 +02:00
Christoph Wurst
41b5e5923a
Use exactly one empty line after the namespace declaration
...
For PSR2
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 11:48:10 +02:00
Christoph Wurst
2fbad1ed72
Fix (array) indent style to always use one tab
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 10:16:08 +02:00
Christoph Wurst
463b388589
Merge pull request #20170 from nextcloud/techdebt/remove-unused-imports
...
Remove unused imports
2020-03-27 17:14:08 +01:00
Christoph Wurst
b80ebc9674
Use the short array syntax, everywhere
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-26 16:34:56 +01:00
Christoph Wurst
2ee65f177e
Use the shorter phpunit syntax for mocked return values
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-25 22:21:27 +01:00
Christoph Wurst
74936c49ea
Remove unused imports
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-25 22:08:08 +01:00
Daniel Kesselberg
8331d8296b
Make getServerHost more robust to faulty user input
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2020-01-16 11:26:29 +01:00
Daniel Kesselberg
d393b1612b
Modify regex to match some other chromium browsers
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2019-12-27 17:24:52 +01:00
Roeland Jago Douma
3a7cf40aaa
Mode to modern phpunit
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-27 15:27:18 +01:00
Roeland Jago Douma
c007ca624f
Make phpunit8 compatible
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-27 13:34:41 +01:00
Roeland Jago Douma
68748d4f85
Some php-cs fixes
...
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 20:52:10 +01:00
Roeland Jago Douma
f81817b47d
Add tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-10 19:40:13 +02:00
Roeland Jago Douma
b8c5008acf
Add feature policy header
...
This adds the events and the classes to modify the feature policy.
It also adds a default restricted feature policy.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-10 14:26:22 +02:00
Roeland Jago Douma
cf647451e5
Update CSP test cases to handle the new form-action
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-31 15:16:10 +02:00
Roeland Jago Douma
7276735eb4
Set empty CSP by default
...
For #14179
By default responses should have the strictest (and simplest) CSP
possible. Only template responses should require an actual CSP.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-04-16 14:09:39 +02:00
Roeland Jago Douma
ad676c0102
Set default frame-ancestors to 'self'
...
For #13042
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-08 15:36:40 +01:00
Roeland Jago Douma
64244e1a4f
CSP: Allow fonts to be provided in data
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-07 15:07:06 +01:00
Roeland Jago Douma
514426e27d
Only trust the X-FORWARDED-HOST header for trusted proxies
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-12-17 15:54:45 +01:00
Oliver Wegner
401ca28f07
Adding handling of CIDR notation to trusted_proxies for IPv4
...
Signed-off-by: Oliver Wegner <void1976@gmail.com>
2018-10-30 09:15:42 +01:00
Roeland Jago Douma
579822b6a5
Add report-uri to CSP
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 13:38:32 +02:00
Roeland Jago Douma
5b61ef9213
Disallow unsafe-eval by default
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-14 20:45:34 +02:00
Roeland Jago Douma
a34495933e
Move caching logic to response
...
This avoids having to do it at all the places we want cached responses.
We can't inject the ITimeFactor without breaking public API.
However we can perfectly overwrite the service (resulting in the same
testable effect).
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-04 08:48:54 +02:00
Roeland Jago Douma
d179186430
Remove testcase
...
Since a token now always requires a string we don't need to test for
null
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 16:14:46 +01:00
Julius Härtl
5a4aa2b7dd
Add test for PublicTemplateResponse
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:53 +01:00
Roeland Jago Douma
0ee45d3d20
Fix proper types
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma
ca9f364fd4
Fix tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 10:55:52 +01:00
Joas Schilling
870023365c
Fix "Undefined method setExpectedException()"
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-01-24 18:10:16 +01:00
Morris Jobke
c70927eaa0
Remove not needed 3rdparty app disabling during upgrade for PHP 5.x
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-19 14:00:27 +01:00
Joas Schilling
7bc9a69c3f
Remove deprecated core API
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-01-15 17:54:50 +01:00
Bjoern Schiessle
f0202245ee
allow 'Nextcloud' in the user agent string of Android
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-12-12 12:16:01 +01:00
Morris Jobke
43e498844e
Use ::class in test mocks
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-10-24 17:45:32 +02:00
Roeland Jago Douma
c257cd57d4
Handle SameSiteCookie check for index.php in AppFramework Middleware
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-24 21:07:16 +02:00
Thomas Citharel
ecf347bd1a
Add CSP frame-ancestors support
...
Didn't set the @since annotation yet.
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2017-09-15 15:23:10 +02:00
Lukas Reschke
f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle
...
Fixes https://github.com/nextcloud/server/issues/5891
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-27 14:17:45 +02:00
Lukas Reschke
8149945a91
Make BruteForceProtection annotation more clever
...
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.
Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 23:05:33 +02:00
Roeland Jago Douma
2a9192334e
Don't try to parse empty body if there is no body
...
Fixes #3890
If we do a put request without a body the current code still tries to
read the body. This patch makes sure that we do not try to read the body
if the content length is 0.
See RFC 2616 Section 4.3
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-04 08:22:33 +02:00
Morris Jobke
f9bc53146d
Fix unit tests
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-28 21:00:12 -06:00
Lukas Reschke
5f8f29508f
Adjust tests to include base-uri
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 18:12:10 +01:00
Lukas Reschke
adfd1e63f6
Add base-uri to CSP policy
...
As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 15:16:20 +01:00
Robin Appelman
9a8cef965f
add test for skipping cookie checks for ocs
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-03-10 14:11:00 +01:00
Christoph Wurst
5e728d0eda
oc_token should be nc_token
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-02-02 21:56:44 +01:00
Christoph Wurst
e3815b382d
fix data response test expected cache headers
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-10 10:13:08 +01:00