Commit Graph

104 Commits

Author SHA1 Message Date
Roeland Jago Douma 387af7eb60 Use random_bytes
Since we don't care if it is human readbale.
The code is backwards compatible with the old format.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-05-11 12:23:02 +00:00
MichaIng 229570badf
Apply Argon2 options for Argon2id hashing as well
Signed-off-by: MichaIng <micha@dietpi.com>
2020-05-01 11:42:13 +02:00
MichaIng ad60619655
Fix Argon2 options checks
The minimum for memory cost is 8 KiB per thread. Threads must be checked and set first to allow checking against the correct memory cost mimimum.
Options are now applied the following way:
- If config.php contains the setting with an integer higher or equal to the minimum, it is applied.
- If config.php contains the setting with an integer lower than the minimum, the minimum is applied.
- If config.php does not contain the setting or with no integer value, the PHP default is applied.

Signed-off-by: MichaIng <micha@dietpi.com>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-04-30 10:18:46 +02:00
Christoph Wurst cb057829f7
Update license headers for 19
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-29 11:57:22 +02:00
Arthur Schiwon 5437844b7e
fix credentialsManager documentation and ensure userId to be used as string
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-04-15 19:34:23 +02:00
Christoph Wurst 28f8eb5dba
Add visibility to all constants
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 16:54:27 +02:00
Christoph Wurst caff1023ea
Format control structures, classes, methods and function
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.

This also removes and empty lines from method/function bodies at the
beginning and end.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 14:19:56 +02:00
Christoph Wurst 14c996d982
Use elseif instead of else if
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 10:35:09 +02:00
Christoph Wurst afbd9c4e6e
Unify function spacing to PSR2 recommendation
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 13:54:22 +02:00
Christoph Wurst 41b5e5923a
Use exactly one empty line after the namespace declaration
For PSR2

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 11:48:10 +02:00
Christoph Wurst 2fbad1ed72
Fix (array) indent style to always use one tab
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 10:16:08 +02:00
Christoph Wurst 1a9330cd69
Update the license headers for Nextcloud 19
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-31 14:52:54 +02:00
Christoph Wurst b80ebc9674
Use the short array syntax, everywhere
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-26 16:34:56 +01:00
Pavel Krasikov f11dee9bc4 fix safari useragent for versions with 3 digits
Signed-off-by: Pavel Krasikov <klonishe@gmail.com>
2020-03-14 16:47:28 +03:00
Roeland Jago Douma 12e1c469cf
Add Argon2id support
When available we should use argon2id for hashing.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-02-07 07:52:33 +01:00
Roeland Jago Douma 0d651f106c
Allow selecting the hashing algorithm
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-02-03 21:41:17 +01:00
Arthur Schiwon f92ba2cebe
ignore values that undershoot the minimum, go with default
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-01-22 16:04:57 +01:00
blizzz 56c3ba6ac7
use getSystemValueInt
Co-Authored-By: kesselb <mail@danielkesselberg.de>

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-01-21 09:04:53 +01:00
Arthur Schiwon 171bb98229
expose Argon2 options (as we did for bcrypt)
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-01-20 18:21:50 +01:00
Christoph Wurst 1b46621cd3
Update license headers for 18
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-20 09:23:25 +01:00
Konrad Bucheli f2d3e34c96 handle IPv6 addresses with an explict incoming interface at the end (e.g fe80::ae2d:d1e7:fe1e:9a8d%enp2s0)
Signed-off-by: Konrad Bucheli <konrad.bucheli@gmx.ch>
Signed-off-by: Konrad Bucheli <kb@open.ch>
2019-12-10 22:47:20 +01:00
Julius Härtl d05f131929
Move overwritehost check to isTrustedDomain
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-12-07 09:53:06 +01:00
Christoph Wurst 5bf3d1bb38
Update license headers
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-05 15:38:45 +01:00
Roeland Jago Douma 68748d4f85
Some php-cs fixes
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 20:52:10 +01:00
Johannes Koenig 2df8d646c1 make TrustedDomainHelper case insensitive
Signed-off-by: Johannes Koenig <mail@jokoenig.de>
2019-10-06 20:43:55 +02:00
Roeland Jago Douma 2b98eea129
Harden identifyproof openssl code
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-09-14 13:52:10 +02:00
Roeland Jago Douma 7927aebdeb
Fix report of phpstan in Limiter
* unneeded arguments to constructor
* added return types
* let automatic DI do its work

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-19 19:38:43 +02:00
Roeland Jago Douma b8c5008acf
Add feature policy header
This adds the events and the classes to modify the feature policy.
It also adds a default restricted feature policy.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-10 14:26:22 +02:00
Roeland Jago Douma f94ee72507
Add form-action CSP element
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-31 15:16:10 +02:00
Roeland Jago Douma 417fbb5d60
setting unsafe-eval is deprecated
This will be removed in a future version of Nextcloud.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-30 16:27:38 +02:00
Sam Bull ea935f65fd
Add support for CSP_NONCE server variable
Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server.

Signed-off-by: Sam Bull <git@sambull.org>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-18 12:16:29 +02:00
Roeland Jago Douma 5ac857bcdc
Add an event to edit the CSP
This introduces and event that can be listend to when we actually use
the CSP. This means that apps no longer have to always inject their CSP
but only do so when it is required. Yay for being lazy.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-08 20:35:15 +02:00
Morris Jobke d004164fcc
Merge pull request #13327 from nextcloud/allow-bracket-notation-for-remove-ipv6-address
Allow bracket IPv6 address format inside IPAdress Normalizer
2019-03-06 10:34:02 +01:00
Roeland Jago Douma f1ea56b502
Fix the thorrtler whitelist bitmask
Before we actually didn't check each bit of the bitmask. Now we do.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-11 23:22:20 +01:00
Thomas Citharel c9b588774b
Allow bracket IPv6 address format inside IPAdress Normalizer
When run with php's build-in server (for instance on localhost:8080), IP provided through $this->server['REMOTE_ADDR'] is [::1], which is not an acceptable format for \inet_pton. This removes the brackets if there's any.

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2019-01-03 10:03:46 +01:00
Roeland Jago Douma 372f3d2a60
Remove deprecated functions from SecureRandom
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-12-07 19:33:32 +01:00
Roeland Jago Douma be5c050acc
Throw exception if decryption fails
For #11868

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-14 12:47:35 +01:00
Morris Jobke 39338aaa67
Merge pull request #11914 from nextcloud/csp/report-uri
Add report-uri to CSP
2018-10-23 16:42:24 +02:00
Roeland Jago Douma 0fdc65a15c
Add nonce for Safari 12+
As far as I can tell this should work now.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 20:48:12 +02:00
Roeland Jago Douma 579822b6a5
Add report-uri to CSP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 13:38:32 +02:00
Roeland Jago Douma 8354c50911
Deprecate the childSrc functions
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +02:00
Roeland Jago Douma c8fe4b4fc8
Add workerSrc to CSP
Fixes #11035

Since the child-src directive is deprecated (we should kill it at some
point) we need to have the proper worker-src available

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +02:00
Mark Berezovsky ad66c6bf08 Fix #9864: Decrease $maxDelay in Throttler.php
Signed-off-by: Mark Berezovsky <xpnf@yandex.ru>
2018-06-15 04:58:08 +03:00
Roeland Jago Douma 84316aec66
Add ARGON2I support to the hasher
When on php7.2 we can use the new and improved ARGON2I hashing.
This adds support for that to the hasher. When verifying an old hash
we'll update rehash to move all hashes eventually to the new hash
function.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-04-04 15:43:50 +02:00
Roeland Jago Douma d8332d43f8
Make \OC\Security\IdentityProof strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 19:33:16 +01:00
Roeland Jago Douma 5457373407
Merge pull request #8659 from nextcloud/csrf_token_strict
Make \OC\Security\CSRF strict
2018-03-05 19:28:10 +01:00
Roeland Jago Douma 4ed9b74a6b
Make OC\Security\CSP strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 15:27:05 +01:00
Roeland Jago Douma 2c8402aa17
Make \OC\Security\CSRF strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 15:01:02 +01:00
Morris Jobke 0a56d2185e
Return value immediately instead of assigning to a one-time variable
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-26 00:02:03 +01:00
Roeland Jago Douma 0e0db37658
Make OCP\Security stricter
* Add typehints
* Add return types
* Opcode opts from phpstorm
* Made strict
* Fixed tests: No need to test bogus values anymore strict typing fixes
this

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-16 22:01:19 +01:00