mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1000 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37838 Commits
378 Branches
Tree: bff6c8aafc
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bff6c8aafc'
${ noResults }
nextcloud/lib/private/legacy/response.php

response.php 8.9KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  4.  *

  5.  * @author Andreas Fischer <bantu@owncloud.com>

  6.  * @author Bart Visscher <bartv@thisnet.nl>

  7.  * @author Jörn Friedrich Dreyer <jfd@butonic.de>

  8.  * @author Lukas Reschke <lukas@statuscode.ch>

  9.  * @author Morris Jobke <hey@morrisjobke.de>

  10.  * @author Robin McCorkell <robin@mccorkell.me.uk>

  11.  * @author Stefan Weil <sw@weilnetz.de>

  12.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  13.  * @author Vincent Petry <pvince81@owncloud.com>

  14.  *

  15.  * @license AGPL-3.0

  16.  *

  17.  * This code is free software: you can redistribute it and/or modify

  18.  * it under the terms of the GNU Affero General Public License, version 3,

  19.  * as published by the Free Software Foundation.

  20.  *

  21.  * This program is distributed in the hope that it will be useful,

  22.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  23.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  24.  * GNU Affero General Public License for more details.

  25.  *

  26.  * You should have received a copy of the GNU Affero General Public License, version 3,

  27.  * along with this program.  If not, see <http://www.gnu.org/licenses/>

  28.  *

  29.  */

  30. 

  31. class OC_Response {

  32. 	const STATUS_FOUND = 304;

  33. 	const STATUS_NOT_MODIFIED = 304;

  34. 	const STATUS_TEMPORARY_REDIRECT = 307;

  35. 	const STATUS_BAD_REQUEST = 400;

  36. 	const STATUS_FORBIDDEN = 403;

  37. 	const STATUS_NOT_FOUND = 404;

  38. 	const STATUS_INTERNAL_SERVER_ERROR = 500;

  39. 	const STATUS_SERVICE_UNAVAILABLE = 503;

  40. 

  41. 	/**

  42. 	* Enable response caching by sending correct HTTP headers

  43. 	* @param integer $cache_time time to cache the response

  44. 	*  >0		cache time in seconds

  45. 	*  0 and <0	enable default browser caching

  46. 	*  null		cache indefinitely

  47. 	*/

  48. 	static public function enableCaching($cache_time = null) {

  49. 		if (is_numeric($cache_time)) {

  50. 			header('Pragma: public');// enable caching in IE

  51. 			if ($cache_time > 0) {

  52. 				self::setExpiresHeader('PT'.$cache_time.'S');

  53. 				header('Cache-Control: max-age='.$cache_time.', must-revalidate');

  54. 			}

  55. 			else {

  56. 				self::setExpiresHeader(0);

  57. 				header("Cache-Control: must-revalidate, post-check=0, pre-check=0");

  58. 			}

  59. 		}

  60. 		else {

  61. 			header('Cache-Control: cache');

  62. 			header('Pragma: cache');

  63. 		}

  64. 

  65. 	}

  66. 

  67. 	/**

  68. 	* disable browser caching

  69. 	* @see enableCaching with cache_time = 0

  70. 	*/

  71. 	static public function disableCaching() {

  72. 		self::enableCaching(0);

  73. 	}

  74. 

  75. 	/**

  76. 	* Set response status

  77. 	* @param int $status a HTTP status code, see also the STATUS constants

  78. 	*/

  79. 	static public function setStatus($status) {

  80. 		$protocol = \OC::$server->getRequest()->getHttpProtocol();

  81. 		switch($status) {

  82. 			case self::STATUS_NOT_MODIFIED:

  83. 				$status = $status . ' Not Modified';

  84. 				break;

  85. 			case self::STATUS_TEMPORARY_REDIRECT:

  86. 				if ($protocol == 'HTTP/1.1') {

  87. 					$status = $status . ' Temporary Redirect';

  88. 					break;

  89. 				} else {

  90. 					$status = self::STATUS_FOUND;

  91. 					// fallthrough

  92. 				}

  93. 			case self::STATUS_FOUND;

  94. 				$status = $status . ' Found';

  95. 				break;

  96. 			case self::STATUS_NOT_FOUND;

  97. 				$status = $status . ' Not Found';

  98. 				break;

  99. 			case self::STATUS_INTERNAL_SERVER_ERROR;

  100. 				$status = $status . ' Internal Server Error';

  101. 				break;

  102. 			case self::STATUS_SERVICE_UNAVAILABLE;

  103. 				$status = $status . ' Service Unavailable';

  104. 				break;

  105. 		}

  106. 		header($protocol.' '.$status);

  107. 	}

  108. 

  109. 	/**

  110. 	* Send redirect response

  111. 	* @param string $location to redirect to

  112. 	*/

  113. 	static public function redirect($location) {

  114. 		self::setStatus(self::STATUS_TEMPORARY_REDIRECT);

  115. 		header('Location: '.$location);

  116. 	}

  117. 

  118. 	/**

  119. 	* Set response expire time

  120. 	* @param string|DateTime $expires date-time when the response expires

  121. 	*  string for DateInterval from now

  122. 	*  DateTime object when to expire response

  123. 	*/

  124. 	static public function setExpiresHeader($expires) {

  125. 		if (is_string($expires) && $expires[0] == 'P') {

  126. 			$interval = $expires;

  127. 			$expires = new DateTime('now');

  128. 			$expires->add(new DateInterval($interval));

  129. 		}

  130. 		if ($expires instanceof DateTime) {

  131. 			$expires->setTimezone(new DateTimeZone('GMT'));

  132. 			$expires = $expires->format(DateTime::RFC2822);

  133. 		}

  134. 		header('Expires: '.$expires);

  135. 	}

  136. 

  137. 	/**

  138. 	* Checks and set ETag header, when the request matches sends a

  139. 	* 'not modified' response

  140. 	* @param string $etag token to use for modification check

  141. 	*/

  142. 	static public function setETagHeader($etag) {

  143. 		if (empty($etag)) {

  144. 			return;

  145. 		}

  146. 		$etag = '"'.$etag.'"';

  147. 		if (isset($_SERVER['HTTP_IF_NONE_MATCH']) &&

  148. 		    trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag) {

  149. 			self::setStatus(self::STATUS_NOT_MODIFIED);

  150. 			exit;

  151. 		}

  152. 		header('ETag: '.$etag);

  153. 	}

  154. 

  155. 	/**

  156. 	* Checks and set Last-Modified header, when the request matches sends a

  157. 	* 'not modified' response

  158. 	* @param int|DateTime|string $lastModified time when the response was last modified

  159. 	*/

  160. 	static public function setLastModifiedHeader($lastModified) {

  161. 		if (empty($lastModified)) {

  162. 			return;

  163. 		}

  164. 		if (is_int($lastModified)) {

  165. 			$lastModified = gmdate(DateTime::RFC2822, $lastModified);

  166. 		}

  167. 		if ($lastModified instanceof DateTime) {

  168. 			$lastModified = $lastModified->format(DateTime::RFC2822);

  169. 		}

  170. 		if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) &&

  171. 		    trim($_SERVER['HTTP_IF_MODIFIED_SINCE']) == $lastModified) {

  172. 			self::setStatus(self::STATUS_NOT_MODIFIED);

  173. 			exit;

  174. 		}

  175. 		header('Last-Modified: '.$lastModified);

  176. 	}

  177. 

  178. 	/**

  179. 	 * Sets the content disposition header (with possible workarounds)

  180. 	 * @param string $filename file name

  181. 	 * @param string $type disposition type, either 'attachment' or 'inline'

  182. 	 */

  183. 	static public function setContentDispositionHeader( $filename, $type = 'attachment' ) {

  184. 		if (\OC::$server->getRequest()->isUserAgent(

  185. 			[

  186. 				\OC\AppFramework\Http\Request::USER_AGENT_IE,

  187. 				\OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,

  188. 				\OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,

  189. 			])) {

  190. 			header( 'Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode( $filename ) . '"' );

  191. 		} else {

  192. 			header( 'Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode( $filename )

  193. 												 . '; filename="' . rawurlencode( $filename ) . '"' );

  194. 		}

  195. 	}

  196. 

  197. 	/**

  198. 	 * Sets the content length header (with possible workarounds)

  199. 	 * @param string|int|float $length Length to be sent

  200. 	 */

  201. 	static public function setContentLengthHeader($length) {

  202. 		if (PHP_INT_SIZE === 4) {

  203. 			if ($length > PHP_INT_MAX && stripos(PHP_SAPI, 'apache') === 0) {

  204. 				// Apache PHP SAPI casts Content-Length headers to PHP integers.

  205. 				// This enforces a limit of PHP_INT_MAX (2147483647 on 32-bit

  206. 				// platforms). So, if the length is greater than PHP_INT_MAX,

  207. 				// we just do not send a Content-Length header to prevent

  208. 				// bodies from being received incompletely.

  209. 				return;

  210. 			}

  211. 			// Convert signed integer or float to unsigned base-10 string.

  212. 			$lfh = new \OC\LargeFileHelper;

  213. 			$length = $lfh->formatUnsignedInteger($length);

  214. 		}

  215. 		header('Content-Length: '.$length);

  216. 	}

  217. 

  218. 	/**

  219. 	 * Send file as response, checking and setting caching headers

  220. 	 * @param string $filepath of file to send

  221. 	 * @deprecated 8.1.0 - Use \OCP\AppFramework\Http\StreamResponse or another AppFramework controller instead

  222. 	 */

  223. 	static public function sendFile($filepath) {

  224. 		$fp = fopen($filepath, 'rb');

  225. 		if ($fp) {

  226. 			self::setLastModifiedHeader(filemtime($filepath));

  227. 			self::setETagHeader(md5_file($filepath));

  228. 

  229. 			self::setContentLengthHeader(filesize($filepath));

  230. 			fpassthru($fp);

  231. 		}

  232. 		else {

  233. 			self::setStatus(self::STATUS_NOT_FOUND);

  234. 		}

  235. 	}

  236. 

  237. 	/**

  238. 	 * This function adds some security related headers to all requests served via base.php

  239. 	 * The implementation of this function has to happen here to ensure that all third-party

  240. 	 * components (e.g. SabreDAV) also benefit from this headers.

  241. 	 */

  242. 	public static function addSecurityHeaders() {

  243. 		/**

  244. 		 * FIXME: Content Security Policy for legacy ownCloud components. This

  245. 		 * can be removed once \OCP\AppFramework\Http\Response from the AppFramework

  246. 		 * is used everywhere.

  247. 		 * @see \OCP\AppFramework\Http\Response::getHeaders

  248. 		 */

  249. 		$policy = 'default-src \'self\'; '

  250. 			. 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '

  251. 			. 'style-src \'self\' \'unsafe-inline\'; '

  252. 			. 'frame-src *; '

  253. 			. 'img-src * data: blob:; '

  254. 			. 'font-src \'self\' data:; '

  255. 			. 'media-src *; ' 

  256. 			. 'connect-src *';

  257. 		header('Content-Security-Policy:' . $policy);

  258. 		header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains

  259. 

  260. 		// Send fallback headers for installations that don't have the possibility to send

  261. 		// custom headers on the webserver side

  262. 		if(getenv('modHeadersAvailable') !== 'true') {

  263. 			header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters

  264. 			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE

  265. 			header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag

  266. 			header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

  267. 			header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

  268. 		}

  269. 	}

  270. 

  271. }