mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 984 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44299 Commits
375 Branches
Tree: b0a296e2e1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b0a296e2e1'
${ noResults }
nextcloud/lib/private/legacy/response.php

response.php 4.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  4.  *

  5.  * @author Andreas Fischer <bantu@owncloud.com>

  6.  * @author Bart Visscher <bartv@thisnet.nl>

  7.  * @author Joas Schilling <coding@schilljs.com>

  8.  * @author Jörn Friedrich Dreyer <jfd@butonic.de>

  9.  * @author Lukas Reschke <lukas@statuscode.ch>

  10.  * @author Morris Jobke <hey@morrisjobke.de>

  11.  * @author Robin McCorkell <robin@mccorkell.me.uk>

  12.  * @author Sergio Bertolín <sbertolin@solidgear.es>

  13.  * @author Stefan Weil <sw@weilnetz.de>

  14.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  15.  * @author Vincent Petry <pvince81@owncloud.com>

  16.  *

  17.  * @license AGPL-3.0

  18.  *

  19.  * This code is free software: you can redistribute it and/or modify

  20.  * it under the terms of the GNU Affero General Public License, version 3,

  21.  * as published by the Free Software Foundation.

  22.  *

  23.  * This program is distributed in the hope that it will be useful,

  24.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  25.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  26.  * GNU Affero General Public License for more details.

  27.  *

  28.  * You should have received a copy of the GNU Affero General Public License, version 3,

  29.  * along with this program.  If not, see <http://www.gnu.org/licenses/>

  30.  *

  31.  */

  32. 

  33. class OC_Response {

  34. 	/**

  35. 	 * Sets the content disposition header (with possible workarounds)

  36. 	 * @param string $filename file name

  37. 	 * @param string $type disposition type, either 'attachment' or 'inline'

  38. 	 */

  39. 	static public function setContentDispositionHeader( $filename, $type = 'attachment' ) {

  40. 		if (\OC::$server->getRequest()->isUserAgent(

  41. 			[

  42. 				\OC\AppFramework\Http\Request::USER_AGENT_IE,

  43. 				\OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,

  44. 				\OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,

  45. 			])) {

  46. 			header( 'Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode( $filename ) . '"' );

  47. 		} else {

  48. 			header( 'Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode( $filename )

  49. 												 . '; filename="' . rawurlencode( $filename ) . '"' );

  50. 		}

  51. 	}

  52. 

  53. 	/**

  54. 	 * Sets the content length header (with possible workarounds)

  55. 	 * @param string|int|float $length Length to be sent

  56. 	 */

  57. 	static public function setContentLengthHeader($length) {

  58. 		if (PHP_INT_SIZE === 4) {

  59. 			if ($length > PHP_INT_MAX && stripos(PHP_SAPI, 'apache') === 0) {

  60. 				// Apache PHP SAPI casts Content-Length headers to PHP integers.

  61. 				// This enforces a limit of PHP_INT_MAX (2147483647 on 32-bit

  62. 				// platforms). So, if the length is greater than PHP_INT_MAX,

  63. 				// we just do not send a Content-Length header to prevent

  64. 				// bodies from being received incompletely.

  65. 				return;

  66. 			}

  67. 			// Convert signed integer or float to unsigned base-10 string.

  68. 			$lfh = new \OC\LargeFileHelper;

  69. 			$length = $lfh->formatUnsignedInteger($length);

  70. 		}

  71. 		header('Content-Length: '.$length);

  72. 	}

  73. 

  74. 	/**

  75. 	 * This function adds some security related headers to all requests served via base.php

  76. 	 * The implementation of this function has to happen here to ensure that all third-party

  77. 	 * components (e.g. SabreDAV) also benefit from this headers.

  78. 	 */

  79. 	public static function addSecurityHeaders() {

  80. 		/**

  81. 		 * FIXME: Content Security Policy for legacy ownCloud components. This

  82. 		 * can be removed once \OCP\AppFramework\Http\Response from the AppFramework

  83. 		 * is used everywhere.

  84. 		 * @see \OCP\AppFramework\Http\Response::getHeaders

  85. 		 */

  86. 		$policy = 'default-src \'self\'; '

  87. 			. 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '

  88. 			. 'style-src \'self\' \'unsafe-inline\'; '

  89. 			. 'frame-src *; '

  90. 			. 'img-src * data: blob:; '

  91. 			. 'font-src \'self\' data:; '

  92. 			. 'media-src *; ' 

  93. 			. 'connect-src *; '

  94. 			. 'object-src \'none\'; '

  95. 			. 'base-uri \'self\'; ';

  96. 		header('Content-Security-Policy:' . $policy);

  97. 		header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains

  98. 

  99. 		// Send fallback headers for installations that don't have the possibility to send

  100. 		// custom headers on the webserver side

  101. 		if(getenv('modHeadersAvailable') !== 'true') {

  102. 			header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters

  103. 			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE

  104. 			header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag

  105. 			header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

  106. 			header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

  107. 		}

  108. 	}

  109. 

  110. }