summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMorris Jobke <hey@morrisjobke.de>2018-01-29 16:12:10 +0100
committerGitHub <noreply@github.com>2018-01-29 16:12:10 +0100
commit4fcdfbf5de5496cf1fc683b6a2f4c55764de8e02 (patch)
tree2daf3982a94dec5538b5defaecf5f86280ddad6c
parent01482b32a171bb8529bc8baacbe764107e52e14c (diff)
parent5dbf73339542977698e1f3ae6d22624fab74fe3e (diff)
downloadnextcloud-server-4fcdfbf5de5496cf1fc683b6a2f4c55764de8e02.tar.gz
nextcloud-server-4fcdfbf5de5496cf1fc683b6a2f4c55764de8e02.zip
Merge pull request #8078 from nextcloud/theming-validate-scss
SCSS hardening
-rw-r--r--apps/theming/css/theming.scss18
-rw-r--r--apps/theming/lib/ThemingDefaults.php4
-rw-r--r--apps/theming/tests/ThemingDefaultsTest.php10
-rw-r--r--lib/private/Template/SCSSCacher.php57
-rw-r--r--tests/lib/Template/SCSSCacherTest.php18
5 files changed, 69 insertions, 38 deletions
diff --git a/apps/theming/css/theming.scss b/apps/theming/css/theming.scss
index 63d466542e1..3cb8ee2584d 100644
--- a/apps/theming/css/theming.scss
+++ b/apps/theming/css/theming.scss
@@ -91,18 +91,20 @@
}
/* override styles for login screen in guest.css */
-#header .logo {
- background-image: url(#{$image-logo});
- @if $theming-logo-mime != '' {
+@if variable_exists('theming-logo-mime') {
+ #header .logo {
+ background-image: url(#{$image-logo});
background-size: contain;
}
}
-#body-login,
-#firstrunwizard .firstrunwizard-header,
-#theming-preview {
- background-image: url(#{$image-login-background});
- background-color: $color-primary;
+@if variable_exists('theming-background-mime') {
+ #body-login,
+ #firstrunwizard .firstrunwizard-header,
+ #theming-preview {
+ background-image: url(#{$image-login-background});
+ background-color: $color-primary;
+ }
}
input.primary,
diff --git a/apps/theming/lib/ThemingDefaults.php b/apps/theming/lib/ThemingDefaults.php
index 9dcc981817e..94abb4e288a 100644
--- a/apps/theming/lib/ThemingDefaults.php
+++ b/apps/theming/lib/ThemingDefaults.php
@@ -242,8 +242,8 @@ class ThemingDefaults extends \OC_Defaults {
'theming-background-mime' => "'" . $this->config->getAppValue('theming', 'backgroundMime', '') . "'"
];
- $variables['image-logo'] = "'".$this->urlGenerator->getAbsoluteURL($this->getLogo())."'";
- $variables['image-login-background'] = "'".$this->urlGenerator->getAbsoluteURL($this->getBackground())."'";
+ $variables['image-logo'] = "'".$this->getLogo()."'";
+ $variables['image-login-background'] = "'".$this->getBackground()."'";
$variables['image-login-plain'] = 'false';
if ($this->config->getAppValue('theming', 'color', null) !== null) {
diff --git a/apps/theming/tests/ThemingDefaultsTest.php b/apps/theming/tests/ThemingDefaultsTest.php
index d0dc6587f74..1a4679a2993 100644
--- a/apps/theming/tests/ThemingDefaultsTest.php
+++ b/apps/theming/tests/ThemingDefaultsTest.php
@@ -517,18 +517,12 @@ class ThemingDefaultsTest extends TestCase {
['theming.Theming.getLoginBackground', [], 'custom-background'],
]);
- $this->urlGenerator->expects($this->exactly(2))
- ->method('getAbsoluteURL')
- ->willReturnCallback(function ($path) {
- return 'absolute-' . $path;
- });
-
$expected = [
'theming-cachebuster' => '\'0\'',
'theming-logo-mime' => '\'jpeg\'',
'theming-background-mime' => '\'jpeg\'',
- 'image-logo' => "'absolute-custom-logo?v=0'",
- 'image-login-background' => "'absolute-custom-background?v=0'",
+ 'image-logo' => "'custom-logo?v=0'",
+ 'image-login-background' => "'custom-background?v=0'",
'color-primary' => $this->defaults->getColorPrimary(),
'color-primary-text' => '#ffffff',
'image-login-plain' => 'false',
diff --git a/lib/private/Template/SCSSCacher.php b/lib/private/Template/SCSSCacher.php
index a4604425544..8830a651f36 100644
--- a/lib/private/Template/SCSSCacher.php
+++ b/lib/private/Template/SCSSCacher.php
@@ -57,12 +57,18 @@ class SCSSCacher {
/** @var IConfig */
protected $config;
+ /** @var \OC_Defaults */
+ private $defaults;
+
/** @var string */
protected $serverRoot;
/** @var ICache */
protected $depsCache;
+ /** @var null|string */
+ private $injectedVariables;
+
/**
* @param ILogger $logger
* @param Factory $appDataFactory
@@ -90,12 +96,14 @@ class SCSSCacher {
/**
* Process the caching process if needed
+ *
* @param string $root Root path to the nextcloud installation
* @param string $file
* @param string $app The app name
* @return boolean
+ * @throws NotPermittedException
*/
- public function process($root, $file, $app) {
+ public function process(string $root, string $file, string $app): bool {
$path = explode('/', $root . '/' . $file);
$fileNameSCSS = array_pop($path);
@@ -123,7 +131,7 @@ class SCSSCacher {
* @param $fileName
* @return ISimpleFile
*/
- public function getCachedCSS($appName, $fileName) {
+ public function getCachedCSS(string $appName, string $fileName): ISimpleFile {
$folder = $this->appData->getFolder($appName);
return $folder->getFile($this->prependBaseurlPrefix($fileName));
}
@@ -134,7 +142,7 @@ class SCSSCacher {
* @param ISimpleFolder $folder
* @return boolean
*/
- private function isCached($fileNameCSS, ISimpleFolder $folder) {
+ private function isCached(string $fileNameCSS, ISimpleFolder $folder) {
try {
$cachedFile = $folder->getFile($fileNameCSS);
if ($cachedFile->getSize() > 0) {
@@ -148,13 +156,14 @@ class SCSSCacher {
}
$deps = json_decode($deps, true);
- foreach ($deps as $file=>$mtime) {
+ foreach ((array)$deps as $file=>$mtime) {
if (!file_exists($file) || filemtime($file) > $mtime) {
return false;
}
}
+ return true;
}
- return true;
+ return false;
} catch(NotFoundException $e) {
return false;
}
@@ -164,7 +173,7 @@ class SCSSCacher {
* Check if the variables file has changed
* @return bool
*/
- private function variablesChanged() {
+ private function variablesChanged(): bool {
$injectedVariables = $this->getInjectedVariables();
if($this->config->getAppValue('core', 'scss.variables') !== md5($injectedVariables)) {
$this->resetCache();
@@ -176,14 +185,16 @@ class SCSSCacher {
/**
* Cache the file with AppData
+ *
* @param string $path
* @param string $fileNameCSS
* @param string $fileNameSCSS
* @param ISimpleFolder $folder
* @param string $webDir
* @return boolean
+ * @throws NotPermittedException
*/
- private function cache($path, $fileNameCSS, $fileNameSCSS, ISimpleFolder $folder, $webDir) {
+ private function cache(string $path, string $fileNameCSS, string $fileNameSCSS, ISimpleFolder $folder, string $webDir) {
$scss = new Compiler();
$scss->setImportPaths([
$path,
@@ -250,13 +261,14 @@ class SCSSCacher {
* We need to regenerate all files when variables change
*/
private function resetCache() {
+ $this->injectedVariables = null;
$appDirectory = $this->appData->getDirectoryListing();
if(empty($appDirectory)){
return;
}
foreach ($appDirectory as $folder) {
foreach ($folder->getDirectoryListing() as $file) {
- if (substr($file->getName(), -3) === "css" || substr($file->getName(), -4) === "deps") {
+ if (substr($file->getName(), -3) === 'css' || substr($file->getName(), -4) === 'deps') {
$file->delete();
}
}
@@ -266,11 +278,24 @@ class SCSSCacher {
/**
* @return string SCSS code for variables from OC_Defaults
*/
- private function getInjectedVariables() {
+ private function getInjectedVariables(): string {
+ if ($this->injectedVariables !== null) {
+ return $this->injectedVariables;
+ }
$variables = '';
foreach ($this->defaults->getScssVariables() as $key => $value) {
$variables .= '$' . $key . ': ' . $value . ';';
}
+
+ // check for valid variables / otherwise fall back to defaults
+ try {
+ $scss = new Compiler();
+ $scss->compile($variables);
+ $this->injectedVariables = $variables;
+ } catch (ParserException $e) {
+ $this->logger->error($e, ['app' => 'core']);
+ }
+
return $variables;
}
@@ -280,8 +305,8 @@ class SCSSCacher {
* @param string $webDir
* @return string
*/
- private function rebaseUrls($css, $webDir) {
- $re = '/url\([\'"]([\.\w?=\/-]*)[\'"]\)/x';
+ private function rebaseUrls(string $css, string $webDir): string {
+ $re = '/url\([\'"]([^\/][\.\w?=\/-]*)[\'"]\)/x';
$subst = 'url(\''.$webDir.'/$1\')';
return preg_replace($re, $subst, $css);
}
@@ -292,20 +317,20 @@ class SCSSCacher {
* @param string $fileName
* @return string
*/
- public function getCachedSCSS($appName, $fileName) {
+ public function getCachedSCSS(string $appName, string $fileName): string {
$tmpfileLoc = explode('/', $fileName);
$fileName = array_pop($tmpfileLoc);
$fileName = $this->prependBaseurlPrefix(str_replace('.scss', '.css', $fileName));
- return substr($this->urlGenerator->linkToRoute('core.Css.getCss', array('fileName' => $fileName, 'appName' => $appName)), strlen(\OC::$WEBROOT) + 1);
+ return substr($this->urlGenerator->linkToRoute('core.Css.getCss', ['fileName' => $fileName, 'appName' => $appName]), strlen(\OC::$WEBROOT) + 1);
}
/**
* Prepend hashed base url to the css file
- * @param $cssFile
+ * @param string$cssFile
* @return string
*/
- private function prependBaseurlPrefix($cssFile) {
+ private function prependBaseurlPrefix(string $cssFile): string {
$frontendController = ($this->config->getSystemValue('htaccess.IgnoreFrontController', false) === true || getenv('front_controller_active') === 'true');
return substr(md5($this->urlGenerator->getBaseUrl() . $frontendController), 0, 8) . '-' . $cssFile;
}
@@ -318,7 +343,7 @@ class SCSSCacher {
* @param string $webRoot the nextcloud installation root path
* @return string the webDir
*/
- private function getWebDir($path, $appName, $serverRoot, $webRoot) {
+ private function getWebDir(string $path, string $appName, string $serverRoot, string $webRoot): string {
// Detect if path is within server root AND if path is within an app path
if ( strpos($path, $serverRoot) === false && $appWebPath = \OC_App::getAppWebPath($appName)) {
// Get the file path within the app directory
diff --git a/tests/lib/Template/SCSSCacherTest.php b/tests/lib/Template/SCSSCacherTest.php
index fca9500810e..7b5300b99a9 100644
--- a/tests/lib/Template/SCSSCacherTest.php
+++ b/tests/lib/Template/SCSSCacherTest.php
@@ -351,11 +351,21 @@ class SCSSCacherTest extends \Test\TestCase {
$this->assertFalse($actual);
}
- public function testRebaseUrls() {
+ public function dataRebaseUrls() {
+ return [
+ ['#id { background-image: url(\'../img/image.jpg\'); }','#id { background-image: url(\'/apps/files/css/../img/image.jpg\'); }'],
+ ['#id { background-image: url("../img/image.jpg"); }','#id { background-image: url(\'/apps/files/css/../img/image.jpg\'); }'],
+ ['#id { background-image: url(\'/img/image.jpg\'); }','#id { background-image: url(\'/img/image.jpg\'); }'],
+ ['#id { background-image: url("http://example.com/test.jpg"); }','#id { background-image: url("http://example.com/test.jpg"); }'],
+ ];
+ }
+
+ /**
+ * @dataProvider dataRebaseUrls
+ */
+ public function testRebaseUrls($scss, $expected) {
$webDir = '/apps/files/css';
- $css = '#id { background-image: url(\'../img/image.jpg\'); }';
- $actual = self::invokePrivate($this->scssCacher, 'rebaseUrls', [$css, $webDir]);
- $expected = '#id { background-image: url(\'/apps/files/css/../img/image.jpg\'); }';
+ $actual = self::invokePrivate($this->scssCacher, 'rebaseUrls', [$scss, $webDir]);
$this->assertEquals($expected, $actual);
}