mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 994 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
60230 Commits
362 Branches
Tree: 3631789651
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3631789651'
${ noResults }
nextcloud/lib/private/legacy/OC_Response.php

OC_Response.php 4.5KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  4.  *

  5.  * @author Andreas Fischer <bantu@owncloud.com>

  6.  * @author Bart Visscher <bartv@thisnet.nl>

  7.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>

  8.  * @author J0WI <J0WI@users.noreply.github.com>

  9.  * @author Lukas Reschke <lukas@statuscode.ch>

  10.  * @author Morris Jobke <hey@morrisjobke.de>

  11.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  12.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  13.  * @author Vincent Petry <vincent@nextcloud.com>

  14.  *

  15.  * @license AGPL-3.0

  16.  *

  17.  * This code is free software: you can redistribute it and/or modify

  18.  * it under the terms of the GNU Affero General Public License, version 3,

  19.  * as published by the Free Software Foundation.

  20.  *

  21.  * This program is distributed in the hope that it will be useful,

  22.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  23.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  24.  * GNU Affero General Public License for more details.

  25.  *

  26.  * You should have received a copy of the GNU Affero General Public License, version 3,

  27.  * along with this program. If not, see <http://www.gnu.org/licenses/>

  28.  *

  29.  */

  30. class OC_Response {

  31. 	/**

  32. 	 * Sets the content disposition header (with possible workarounds)

  33. 	 * @param string $filename file name

  34. 	 * @param string $type disposition type, either 'attachment' or 'inline'

  35. 	 */

  36. 	public static function setContentDispositionHeader($filename, $type = 'attachment') {

  37. 		if (\OC::$server->getRequest()->isUserAgent(

  38. 			[

  39. 				\OC\AppFramework\Http\Request::USER_AGENT_IE,

  40. 				\OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,

  41. 				\OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,

  42. 			])) {

  43. 			header('Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode($filename) . '"');

  44. 		} else {

  45. 			header('Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode($filename)

  46. 												 . '; filename="' . rawurlencode($filename) . '"');

  47. 		}

  48. 	}

  49. 

  50. 	/**

  51. 	 * Sets the content length header (with possible workarounds)

  52. 	 * @param string|int|float $length Length to be sent

  53. 	 */

  54. 	public static function setContentLengthHeader($length) {

  55. 		if (PHP_INT_SIZE === 4) {

  56. 			if ($length > PHP_INT_MAX && stripos(PHP_SAPI, 'apache') === 0) {

  57. 				// Apache PHP SAPI casts Content-Length headers to PHP integers.

  58. 				// This enforces a limit of PHP_INT_MAX (2147483647 on 32-bit

  59. 				// platforms). So, if the length is greater than PHP_INT_MAX,

  60. 				// we just do not send a Content-Length header to prevent

  61. 				// bodies from being received incompletely.

  62. 				return;

  63. 			}

  64. 			// Convert signed integer or float to unsigned base-10 string.

  65. 			$lfh = new \OC\LargeFileHelper;

  66. 			$length = $lfh->formatUnsignedInteger($length);

  67. 		}

  68. 		header('Content-Length: '.$length);

  69. 	}

  70. 

  71. 	/**

  72. 	 * This function adds some security related headers to all requests served via base.php

  73. 	 * The implementation of this function has to happen here to ensure that all third-party

  74. 	 * components (e.g. SabreDAV) also benefit from this headers.

  75. 	 */

  76. 	public static function addSecurityHeaders() {

  77. 		/**

  78. 		 * FIXME: Content Security Policy for legacy ownCloud components. This

  79. 		 * can be removed once \OCP\AppFramework\Http\Response from the AppFramework

  80. 		 * is used everywhere.

  81. 		 * @see \OCP\AppFramework\Http\Response::getHeaders

  82. 		 */

  83. 		$policy = 'default-src \'self\'; '

  84. 			. 'script-src \'self\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '

  85. 			. 'style-src \'self\' \'unsafe-inline\'; '

  86. 			. 'frame-src *; '

  87. 			. 'img-src * data: blob:; '

  88. 			. 'font-src \'self\' data:; '

  89. 			. 'media-src *; '

  90. 			. 'connect-src *; '

  91. 			. 'object-src \'none\'; '

  92. 			. 'base-uri \'self\'; ';

  93. 		header('Content-Security-Policy:' . $policy);

  94. 

  95. 		// Send fallback headers for installations that don't have the possibility to send

  96. 		// custom headers on the webserver side

  97. 		if (getenv('modHeadersAvailable') !== 'true') {

  98. 			header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/

  99. 			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE

  100. 			header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

  101. 			header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains

  102. 			header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

  103. 			header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag

  104. 			header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters

  105. 		}

  106. 	}

  107. }