/*
* Copyright (c) 2014
*
* This file is licensed under the Affero General Public License version 3
* or later.
*
* See the COPYING-README file.
*
*/
(function() {
OC.SetupChecks = {
/* Message types */
MESSAGE_TYPE_INFO:0,
MESSAGE_TYPE_WARNING:1,
MESSAGE_TYPE_ERROR:2,
/**
* Check whether the WebDAV connection works.
*
* @return $.Deferred object resolved with an array of error messages
*/
checkWebDAV: function() {
var deferred = $.Deferred();
var afterCall = function(xhr) {
var messages = [];
if (xhr.status !== 207 && xhr.status !== 401) {
messages.push({
msg: t('core', 'Your web server is not yet set up properly to allow file synchronization because the WebDAV interface seems to be broken.'),
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
});
}
deferred.resolve(messages);
};
$.ajax({
type: 'PROPFIND',
url: OC.linkToRemoteBase('webdav'),
data: '' +
'php.ini
:',
{
docLink: data.phpOpcacheDocumentation,
}
) + "
opcache.enable=On\nopcache.enable_cli=1\nopcache.interned_strings_buffer=8\nopcache.max_accelerated_files=10000\nopcache.memory_consumption=128\nopcache.save_comments=1\nopcache.revalidate_freq=1
",
type: OC.SetupChecks.MESSAGE_TYPE_INFO
});
}
} else {
messages.push({
msg: t('core', 'Error occurred while checking server setup'),
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
});
}
deferred.resolve(messages);
};
$.ajax({
type: 'GET',
url: OC.generateUrl('settings/ajax/checksetup'),
allowAuthErrors: true
}).then(afterCall, afterCall);
return deferred.promise();
},
/**
* Runs generic checks on the server side, the difference to dedicated
* methods is that we use the same XHR object for all checks to save
* requests.
*
* @return $.Deferred object resolved with an array of error messages
*/
checkGeneric: function() {
var self = this;
var deferred = $.Deferred();
var afterCall = function(data, statusText, xhr) {
var messages = [];
messages = messages.concat(self._checkSecurityHeaders(xhr));
messages = messages.concat(self._checkSSL(xhr));
deferred.resolve(messages);
};
$.ajax({
type: 'GET',
url: OC.generateUrl('heartbeat'),
allowAuthErrors: true
}).then(afterCall, afterCall);
return deferred.promise();
},
checkDataProtected: function() {
var deferred = $.Deferred();
if(oc_dataURL === false){
return deferred.resolve([]);
}
var afterCall = function(xhr) {
var messages = [];
// .ocdata is an empty file in the data directory - if this is readable then the data dir is not protected
if (xhr.status === 200 && xhr.responseText === '') {
messages.push({
msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'),
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
});
}
deferred.resolve(messages);
};
$.ajax({
type: 'GET',
url: OC.linkTo('', oc_dataURL+'/.ocdata?t=' + (new Date()).getTime()),
complete: afterCall,
allowAuthErrors: true
});
return deferred.promise();
},
/**
* Runs check for some generic security headers on the server side
*
* @param {Object} xhr
* @return {Array} Array with error messages
*/
_checkSecurityHeaders: function(xhr) {
var messages = [];
if (xhr.status === 200) {
var securityHeaders = {
'X-XSS-Protection': '1; mode=block',
'X-Content-Type-Options': 'nosniff',
'X-Robots-Tag': 'none',
'X-Frame-Options': 'SAMEORIGIN',
'X-Download-Options': 'noopen',
'X-Permitted-Cross-Domain-Policies': 'none',
};
for (var header in securityHeaders) {
if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {
messages.push({
msg: t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
}
} else {
messages.push({
msg: t('core', 'Error occurred while checking server setup'),
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
});
}
return messages;
},
/**
* Runs check for some SSL configuration issues on the server side
*
* @param {Object} xhr
* @return {Array} Array with error messages
*/
_checkSSL: function(xhr) {
var messages = [];
if (xhr.status === 200) {
var tipsUrl = OC.generateUrl('settings/admin/tips-tricks');
if(OC.getProtocol() === 'https') {
// Extract the value of 'Strict-Transport-Security'
var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
var firstComma = transportSecurityValidity.indexOf(";");
if(firstComma !== -1) {
transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);
} else {
transportSecurityValidity = transportSecurityValidity.substring(8);
}
}
var minimumSeconds = 15552000;
if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
messages.push({
msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.', {'seconds': minimumSeconds, docUrl: tipsUrl}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
} else {
messages.push({
msg: t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our security tips.', {docUrl: tipsUrl}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
} else {
messages.push({
msg: t('core', 'Error occurred while checking server setup'),
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
});
}
return messages;
}
};
})();