Roeland Jago Douma
ee3dc57cbd
Merge pull request #26626 from J0WI/strict-security
...
Make Security module strict
2021-05-18 08:43:13 +02:00
Morris Jobke
393309b98f
Merge pull request #25714 from nextcloud/fix/23197/explicitly_check_hex2bin_input
...
Explicitly check hex2bin input
2021-04-22 13:23:39 +02:00
J0WI
ca7b37ce5a
Make Security module strict
...
Signed-off-by: J0WI <J0WI@users.noreply.github.com>
2021-04-19 17:31:12 +02:00
Lukas Reschke
e5a4236e68
Increase subnet matcher
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-04-07 12:28:59 +00:00
Roeland Jago Douma
16652ac6c6
Explicitly check hex2bin input
...
For #23197
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2021-02-18 20:12:20 +01:00
dependabot-preview[bot]
eb502c02ff
Bump nextcloud/coding-standard from 0.3.0 to 0.5.0
...
Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard ) from 0.3.0 to 0.5.0.
- [Release notes](https://github.com/nextcloud/coding-standard/releases )
- [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md )
- [Commits](https://github.com/nextcloud/coding-standard/compare/v0.3.0...v0.5.0 )
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2021-02-18 13:31:24 +01:00
Morris Jobke
24d436cb60
Remove unneeded casts that were found by Psalm
...
In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521 )
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2021-01-11 13:14:41 +01:00
Christoph Wurst
d89a75be0b
Update all license headers for Nextcloud 21
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-12-16 18:48:22 +01:00
Julius Härtl
f5501ca276
Avoid checking for brute force protection capabilities when upgrading
...
This might happen a releases that doesn't have this table yet
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-12-09 12:13:33 +01:00
Joas Schilling
5b5aebbf66
Replace the credentials table with one that can have empty user
...
Primary key columns on Oracle can not have empty strings
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-10 15:36:27 +01:00
Joas Schilling
1aa9c9164d
Fix comparing the empty string for global credentials
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-10 15:36:26 +01:00
Joas Schilling
8027dcbc6f
Don't leave cursors open when tests fail
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-09 12:28:17 +01:00
Roeland Jago Douma
54b9f639a6
Always return the default path if we can
...
Just check in the certifcate manager. So every part of the system that
request the certificatebundle gets the defaullt one (the 99% case) if we
can.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-03 00:13:01 +01:00
Morris Jobke
dc479aae2d
Improve CertificateManager to not be user context dependent
...
* removes the ability for users to import their own certificates (for external storage)
* reliably returns the same certificate bundles system wide (and not depending on the user context and available sessions)
The user specific certificates were broken in some cases anyways, as they are only loaded if the specific user is logged in and thus causing unexpected behavior for background jobs and other non-user triggered code paths.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-11-03 00:13:01 +01:00
lynn-stephenson
648b60fa0e
Derive encryption key & MAC key from a single key.
...
Signed-off-by: lynn-stephenson <lynn.stephenson@protonmail.com>
2020-10-15 21:23:24 -08:00
Roeland Jago Douma
8fae2beece
Limit throttler to 48 hours
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-10-08 19:51:13 +02:00
Roeland Jago Douma
6c1b542def
Add cleanup job for old brutefoce attempts
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-10-08 19:51:13 +02:00
Christoph Wurst
d9015a8c94
Format code to a single space around binary operators
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-10-05 20:25:24 +02:00
Morris Jobke
99c9423766
Remove @suppress SqlInjectionChecker
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-09-16 15:53:56 +02:00
Joas Schilling
c25063dc07
Don't break when the IP is empty
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-09-10 14:20:27 +02:00
Christoph Wurst
2a054e6c04
Update the license headers for Nextcloud 20
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-08-24 14:54:25 +02:00
Joas Schilling
35a8519591
Fix CS
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
770381c0c6
Correctly return ms delay when at max
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
931aca2fee
Add missing default
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
d9c4c9eb99
Simplify array filter
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
dfeee3b850
Fix wrong doc + type hint
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
8376c4891f
Only throw when also the last 30 mins were attacking
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
6f751d01db
Make the throttling O(2^n) instead of O(n^n)
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
64539a6ee1
Make Throttler strict
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:36 +02:00
Joas Schilling
c8fea66d65
Split delay calculation from getting the attempts
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:35 +02:00
Joas Schilling
cdb36c8ead
Let the database count the entries
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:35 +02:00
Joas Schilling
e66bc4a8a7
Send "429 Too Many Requests" in case of brute force protection
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-08-19 11:20:35 +02:00
Morris Jobke
c0be7e329f
Prefer typed event over string based ones
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-08-10 15:22:55 +02:00
Morris Jobke
e57bca31ad
Merge pull request #20005 from joeried/occ-remove-bruteforce-attempts-by-ip
...
Implement occ command to reset bruteforce attemps from a given IP address
2020-05-25 14:04:18 +02:00
Morris Jobke
bd997a105c
Fix code style
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-05-25 14:03:21 +02:00
Roeland Jago Douma
35ff4aa1c6
Use random_bytes
...
Since we don't care if it is human readbale.
The code is backwards compatible with the old format.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-05-11 12:46:59 +02:00
MichaIng
229570badf
Apply Argon2 options for Argon2id hashing as well
...
Signed-off-by: MichaIng <micha@dietpi.com>
2020-05-01 11:42:13 +02:00
MichaIng
ad60619655
Fix Argon2 options checks
...
The minimum for memory cost is 8 KiB per thread. Threads must be checked and set first to allow checking against the correct memory cost mimimum.
Options are now applied the following way:
- If config.php contains the setting with an integer higher or equal to the minimum, it is applied.
- If config.php contains the setting with an integer lower than the minimum, the minimum is applied.
- If config.php does not contain the setting or with no integer value, the PHP default is applied.
Signed-off-by: MichaIng <micha@dietpi.com>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-04-30 10:18:46 +02:00
Christoph Wurst
cb057829f7
Update license headers for 19
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-29 11:57:22 +02:00
Arthur Schiwon
5437844b7e
fix credentialsManager documentation and ensure userId to be used as string
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-04-15 19:34:23 +02:00
Christoph Wurst
28f8eb5dba
Add visibility to all constants
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 16:54:27 +02:00
Christoph Wurst
caff1023ea
Format control structures, classes, methods and function
...
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.
This also removes and empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 14:19:56 +02:00
Christoph Wurst
14c996d982
Use elseif instead of else if
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-10 10:35:09 +02:00
Christoph Wurst
afbd9c4e6e
Unify function spacing to PSR2 recommendation
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 13:54:22 +02:00
Christoph Wurst
41b5e5923a
Use exactly one empty line after the namespace declaration
...
For PSR2
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 11:48:10 +02:00
Christoph Wurst
2fbad1ed72
Fix (array) indent style to always use one tab
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-09 10:16:08 +02:00
Christoph Wurst
1a9330cd69
Update the license headers for Nextcloud 19
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-31 14:52:54 +02:00
Christoph Wurst
b80ebc9674
Use the short array syntax, everywhere
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-03-26 16:34:56 +01:00
Johannes Riedel
0c38569c83
Implement occ command security:bruteforceattemps:reset-for-ip
...
Signed-off-by: Johannes Riedel <joeried@users.noreply.github.com>
2020-03-19 16:20:22 +01:00
Pavel Krasikov
f11dee9bc4
fix safari useragent for versions with 3 digits
...
Signed-off-by: Pavel Krasikov <klonishe@gmail.com>
2020-03-14 16:47:28 +03:00