87aeae21e3
The CSP nonce is based on the CSRF token. This token does not change, unless you log in (or out). In case of the session data being lost, e.g. because php gets rid of old sessions, a new CSRF token is generated.

While this is fine in theory, it actually caused some annoying problems where the browser restored a tab and Nextcloud js was blocked due to an outdated nonce. The main problem here is that, while processing the request, we write out security headers relatively early. At that point the CSRF token is known/generated and transformed into a CSP nonce. During this request, however, we also log the user in because the session information was lost. At that point we also refresh the CSRF token, which eventually causes the browser to block any scripts as the nonce in the header does not match the one which is used to include scripts.

This patch adds a flag to indicate whether the CSRF token should be refreshed or not. It is assumed that refreshing is only necessary if we want to re-generate the session id too. To my knowledge, this case only happens on fresh logins, not when we recover from a deleted session file.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
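The ordering problem the commit message describes can be reproduced outside the server. The following Python model is an added example, not Nextcloud code: the `Session`, `Response` and `handle_page_request` names, the `refresh_token_on_recovery` flag and the base64 derivation of the nonce from the CSRF token are all assumptions chosen for illustration. The only property the model needs is the one the message states: the nonce is a function of the token, the header is written before the session layer runs, and the template reads the token again afterwards. `allowed_script_nonces` is a small parser for the `script-src` directive, so the check on the browser side is done the way a CSP engine would do it rather than by string equality.

```python
import base64
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Session:
    """Hypothetical server-side session state.  A lost session file is modelled by
    starting with no CSRF token, so the first access generates a fresh one."""
    csrf_token: Optional[str] = None

    def get_csrf_token(self) -> str:
        if self.csrf_token is None:
            self.csrf_token = secrets.token_hex(16)
        return self.csrf_token

    def refresh_csrf_token(self) -> str:
        # In the real server this accompanies session-id regeneration on login.
        self.csrf_token = secrets.token_hex(16)
        return self.csrf_token


def csp_nonce_from_csrf(csrf_token: str) -> str:
    """Stand-in derivation (assumption).  What matters for the bug is only that the
    nonce is a pure function of the token, so a refreshed token yields a new nonce."""
    return base64.b64encode(csrf_token.encode("ascii")).decode("ascii")


def build_csp_header(nonce: str) -> str:
    return f"default-src 'self'; script-src 'nonce-{nonce}'; object-src 'none'"


def allowed_script_nonces(csp_header: str) -> Set[str]:
    """Return the nonce values accepted by the script-src directive of a CSP header."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return {
                src[len("'nonce-"):-1]
                for src in parts[1:]
                if src.startswith("'nonce-") and src.endswith("'")
            }
    return set()


@dataclass
class Response:
    headers: Dict[str, str] = field(default_factory=dict)
    script_nonce: Optional[str] = None


def handle_page_request(session: Session, session_file_lost: bool,
                        refresh_token_on_recovery: bool) -> Response:
    """One request through a simplified pipeline, in the order the commit message
    gives: security headers first, then login/recovery, then template rendering."""
    resp = Response()
    # Step 1: the security middleware runs early and freezes a nonce into the header.
    resp.headers["Content-Security-Policy"] = build_csp_header(
        csp_nonce_from_csrf(session.get_csrf_token()))
    # Step 2: the session layer notices the stored session is gone and logs the user
    # back in.  Before the fix this path also refreshed the CSRF token; the flag
    # models the patch, which limits refreshing to fresh logins.
    if session_file_lost and refresh_token_on_recovery:
        session.refresh_csrf_token()
    # Step 3: the template embeds <script nonce="..."> using the *current* token.
    resp.script_nonce = csp_nonce_from_csrf(session.get_csrf_token())
    return resp


def browser_runs_scripts(resp: Response) -> bool:
    """Browser-side check: a nonced script runs only if its nonce is listed in script-src."""
    return resp.script_nonce in allowed_script_nonces(resp.headers["Content-Security-Policy"])


if __name__ == "__main__":
    before = handle_page_request(Session(), session_file_lost=True, refresh_token_on_recovery=True)
    after = handle_page_request(Session(), session_file_lost=True, refresh_token_on_recovery=False)
    print("before fix, restored tab:", "scripts run" if browser_runs_scripts(before) else "scripts blocked")
    print("after fix, restored tab: ", "scripts run" if browser_runs_scripts(after) else "scripts blocked")
```

The general lesson the model makes visible is that any value baked into a response header must be stable for the rest of the request; if a later stage may change it, the header has to be written after that stage, or the stage must be prevented from changing it, which is what the flag does.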
README.md
Nextcloud Server
A safe home for all your data.
Why is this so awesome?
- 📁 Access your Data: you can store your files, contacts, calendars and more on a server of your choosing.
- 📦 Sync your Data: you keep your files, contacts, calendars and more synchronized amongst your devices.
- 🔄 Share your Data …by giving others access to the stuff you want them to see or to collaborate with.
- 🚀 Expandable with dozens of Apps …like Calendar, Contacts, Mail and all those you can discover in our App Store.
- 🔒 Security with our encryption mechanisms, HackerOne bounty program and two-factor authentication.
Want to learn more about how you can use Nextcloud to access, share and protect your files, calendars, contacts, communication & more at home and in your enterprise? Learn about all our Features.
Get your Nextcloud
- Install a server by yourself on your own hardware or by using one of our ready-to-use Appliances
- Buy one of the awesome devices coming with a preinstalled Nextcloud
- Find a service provider who is hosting Nextcloud for you or your company
Enterprise? Public Sector or Education user? You may want to have a look at the Enterprise Support Subscription provided by the Nextcloud GmbH
Get in touch
…learn more about how to get support for Nextcloud here!
Contribution Guidelines
All contributions to this repository from June 16, 2016 on are considered to be licensed under the AGPLv3 or any later version.
Nextcloud doesn't require a CLA (Contributor License Agreement). The copyright belongs to all the individual contributors. Therefore we recommend that every contributor adds the following line to the header of a file, if they changed it substantially:
@copyright Copyright (c) <year>, <your name> (<your email address>)
Please read the Code of Conduct. This document offers some guidance to ensure Nextcloud participants can cooperate effectively in a positive and inspiring atmosphere, and to explain how together we can strengthen and support each other.
Please review the guidelines for contributing to this repository.
More information on how to contribute: https://nextcloud.com/contribute/
Running master checkouts
Third-party components are handled as git submodules, which have to be initialized first. So aside from the regular git checkout, invoking git submodule update --init
or a similar command is needed; for details see the Git documentation.
Several apps that are included by default in regular releases, like firstrunwizard or gallery, are missing in master
and have to be installed manually as required.
That aside, Git checkouts can be handled the same as release archives.
Note that they should never be used on production systems.
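A checkout that skipped git submodule update --init looks like a normal tree except that the submodule directories are empty, which is easy to miss until something fails at runtime. The following Python script is an added example, not part of the Nextcloud repository: it reads the path entries from .gitmodules and reports every submodule whose directory is missing or empty. The demo tree it builds is constructed in a temporary directory, with a single 3rdparty submodule entry (the name from the repository listing) and a placeholder URL; it is not a real clone.

```python
import shutil
import tempfile
from pathlib import Path
from typing import List


def submodule_paths(repo: Path) -> List[str]:
    """Read the checkout directories from .gitmodules.

    .gitmodules is git-config style: one [submodule "<name>"] section per module,
    each with a 'path = <dir>' line.  A small line parser is enough for that.
    """
    modules = repo / ".gitmodules"
    if not modules.is_file():
        return []
    paths = []
    for line in modules.read_text(encoding="utf-8").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "path":
            paths.append(value.strip())
    return paths


def uninitialized_submodules(repo: Path) -> List[str]:
    """Submodule paths whose directory is missing or empty, which is what a fresh
    clone looks like before 'git submodule update --init' has been run."""
    missing = []
    for p in submodule_paths(repo):
        d = repo / p
        if not d.is_dir() or not any(d.iterdir()):
            missing.append(p)
    return missing


def make_demo_tree() -> Path:
    """Constructed stand-in for a fresh clone (not a real checkout): a temporary
    directory with a .gitmodules naming the 3rdparty submodule and a placeholder URL."""
    root = Path(tempfile.mkdtemp())
    (root / "3rdparty").mkdir()
    (root / ".gitmodules").write_text(
        '[submodule "3rdparty"]\n'
        '\tpath = 3rdparty\n'
        '\turl = https://example.invalid/3rdparty.git\n',
        encoding="utf-8",
    )
    return root


def remove_demo_tree(root: Path) -> None:
    shutil.rmtree(root)


if __name__ == "__main__":
    root = make_demo_tree()
    print("fresh clone:", uninitialized_submodules(root) or "all submodules present")
    # Pretend the submodule was fetched by dropping a file into its directory.
    (root / "3rdparty" / "composer.json").write_text("{}\n", encoding="utf-8")
    print("after init: ", uninitialized_submodules(root) or "all submodules present")
    remove_demo_tree(root)
```

Pointing `uninitialized_submodules` at a real checkout root is the intended use; an empty list means every submodule listed in .gitmodules has content on disk.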