Commit Graph

28 Commits

Author SHA1 Message Date
Lukas Reschke bbd5f28415 Let users configure security headers in their Webserver
Doing this in the PHP code is not the right approach for multiple reasons:

1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.

This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
2015-03-02 19:07:46 +01:00
Morris Jobke 06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Thomas Müller bcf3704645 Merge pull request #14458 from owncloud/revive/11157
Get the real protocol behind several proxies
2015-02-25 02:51:46 -08:00
Thomas Müller 799e144b04 Merge pull request #14151 from owncloud/update-sabre2.1
Sabre Update to 2.1
2015-02-25 02:21:55 -08:00
Lukas Reschke 9adcd15cb3 Use [0] instead of current as HHVM might have problems with that 2015-02-24 13:37:34 +01:00
Lukas Reschke 1c6eae9017 Get the real protocol behind several proxies
X-Forwarded-Proto contains a list of protocols if ownCloud is behind multiple reverse proxies.

This is a revival of https://github.com/owncloud/core/pull/11157 using the new IRequest public API.
2015-02-24 12:24:55 +01:00
Vincent Petry 9f6dcb9d3e Sabre Update to 2.1
- VObject fixes for Sabre\VObject 3.3
- Remove VObject property workarounds
- Added prefetching for tags in sabre tags plugin
- Moved oc_properties logic to separate PropertyStorage backend (WIP)
- Fixed Sabre connector namespaces
- Improved files plugin to handle props on-demand
- Moved allowed props from server class to files plugin
- Fixed tags caching for files that are known to have no tags
  (less queries)
- Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin
- Replace OC\Connector\Sabre\Request with direct call to
  httpRequest->setUrl()
- Fix exception detection in DAV client when using Sabre\DAV\Client
- Added setETag() on Node instead of using the static FileSystem
- Also preload tags/props when depth is infinity
2015-02-23 22:27:23 +01:00
Thomas Müller 0a9b8242ee properly initialize OC::$WEBROOT and host name 2015-02-23 21:49:35 +01:00
Jenkins for ownCloud 6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
Lukas Reschke cebf9f6a5a Incorporate review changes 2015-02-16 22:13:03 +01:00
Lukas Reschke 992164446c Add blackmagic due to cyclic dependency 🙈 2015-02-16 22:13:01 +01:00
Lukas Reschke 9f91d64918 Make scrutinizer happy 2015-02-16 22:13:00 +01:00
Lukas Reschke 886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Lukas Reschke 770fa761b8 Respect `mod_unique_id` and refactor `OC_Request::getRequestId`
When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs.

Testplan:

- [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`.
- [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string
- [ ] The generated Id is stable over the lifespan of one request

Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI.

Fixes https://github.com/owncloud/core/issues/13366
2015-02-09 11:53:11 +01:00
Bernhard Posselt bb0c88a577 always set url parameters when they are available in the app dispatch
prefer url parameters passed into the main method. If they are not present, use the containers urlParameters

add space
2015-01-15 15:22:52 +01:00
Lukas Reschke 41374986d3 Remove dead code 2014-09-29 17:20:29 +02:00
Bernhard Posselt 1d45239c65 adjust license headers to new mail address 2014-05-11 17:54:08 +02:00
Bernhard Posselt 62cce982bb default to GET request when no method is set to fix unittests, also set parsed json parameters on the post attribute 2014-04-12 16:17:49 +02:00
Bernhard Posselt e7fa2790f3 Correctly process request parameters other than GET or POST, dont use globals in the class but inject it 2014-04-12 15:02:19 +02:00
Jörn Friedrich Dreyer 2a6a9a8cef polish documentation based on scrutinizer patches 2014-02-06 17:02:21 +01:00
Bart Visscher 21cbef0d2c passesCSRFCheck added to OCP\IRequest 2013-10-04 18:13:04 +02:00
Thomas Tanghus aedc427ffd Fix fix of POST :P 2013-10-03 03:56:37 +02:00
Thomas Tanghus 8a018d7a59 Fix POST decoding 2013-10-03 01:43:33 +02:00
Thomas Tanghus 965ce5719f Modified PUT behaviour
Now only non-parable PUT requests return a stream resource.
2013-10-02 22:13:40 +02:00
Thomas Tanghus 0f13ffb773 Remove JSON request parsing from Server 2013-10-01 20:15:04 +02:00
Thomas Tanghus 973bcccd7c Implement PUT an PATCH support 2013-10-01 20:13:13 +02:00
Thomas Tanghus bdad7697ac Check if accessor matched request method.
It's easier to find errors in the code if an exception is thrown.
2013-10-01 20:13:13 +02:00
Thomas Müller 9c9dc276b7 move the private namespace OC into lib/private - OCP will stay in lib/public
Conflicts:
	lib/private/vcategories.php
2013-09-30 16:36:59 +02:00