summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoas Schilling <coding@schilljs.com>2017-01-19 15:57:49 +0100
committerGitHub <noreply@github.com>2017-01-19 15:57:49 +0100
commit13a5c5d64c3ef0942225f02e8d812e0a4f621aa9 (patch)
tree16ba770e4d3d3b8121204ca1a7b3000b733b3a92
parente9badb9f83743dc644e19eef59a76c1691c3b65f (diff)
parent3882a8d648cd97226b784f54fa544b756308679b (diff)
downloadnextcloud-server-13a5c5d64c3ef0942225f02e8d812e0a4f621aa9.tar.gz
nextcloud-server-13a5c5d64c3ef0942225f02e8d812e0a4f621aa9.zip
Merge pull request #3152 from nextcloud/add-brute-force-protection
Add brute force protection to some public APIs
-rw-r--r--apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php46
-rw-r--r--core/Controller/LostController.php1
2 files changed, 28 insertions, 19 deletions
diff --git a/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php b/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
index 55329338a92..3c399268124 100644
--- a/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
+++ b/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
@@ -25,18 +25,24 @@
namespace OCA\FederatedFileSharing\Controller;
+use OC\Files\Filesystem;
use OC\HintException;
+use OC\Share\Helper;
use OCA\FederatedFileSharing\AddressHandler;
+use OCA\FederatedFileSharing\DiscoveryManager;
use OCA\FederatedFileSharing\FederatedShareProvider;
+use OCA\Files_Sharing\External\Manager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\JSONResponse;
+use OCP\Files\StorageInvalidException;
use OCP\Http\Client\IClientService;
use OCP\IL10N;
use OCP\IRequest;
use OCP\ISession;
use OCP\IUserSession;
use OCP\Share\IManager;
+use OCP\Util;
/**
* Class MountPublicLinkController
@@ -107,6 +113,7 @@ class MountPublicLinkController extends Controller {
*
* @NoCSRFRequired
* @PublicPage
+ * @BruteForceProtection publicLink2FederatedShare
*
* @param string $shareWith
* @param string $token
@@ -226,22 +233,22 @@ class MountPublicLinkController extends Controller {
private function legacyMountPublicLink($token, $remote, $password, $name, $owner, $ownerDisplayName) {
// Check for invalid name
- if (!\OCP\Util::isValidFileName($name)) {
+ if (!Util::isValidFileName($name)) {
return new JSONResponse(['message' => $this->l->t('The mountpoint name contains invalid characters.')], Http::STATUS_BAD_REQUEST);
}
$currentUser = $this->userSession->getUser()->getUID();
$currentServer = $this->addressHandler->generateRemoteURL();
- if (\OC\Share\Helper::isSameUserOnSameServer($owner, $remote, $currentUser, $currentServer)) {
+ if (Helper::isSameUserOnSameServer($owner, $remote, $currentUser, $currentServer)) {
return new JSONResponse(['message' => $this->l->t('Not allowed to create a federated share with the owner.')], Http::STATUS_BAD_REQUEST);
}
- $discoveryManager = new \OCA\FederatedFileSharing\DiscoveryManager(
+ $discoveryManager = new DiscoveryManager(
\OC::$server->getMemCacheFactory(),
\OC::$server->getHTTPClientService()
);
- $externalManager = new \OCA\Files_Sharing\External\Manager(
+ $externalManager = new Manager(
\OC::$server->getDatabaseConnection(),
- \OC\Files\Filesystem::getMountManager(),
- \OC\Files\Filesystem::getLoader(),
+ Filesystem::getMountManager(),
+ Filesystem::getLoader(),
\OC::$server->getHTTPClientService(),
\OC::$server->getNotificationManager(),
$discoveryManager,
@@ -249,7 +256,8 @@ class MountPublicLinkController extends Controller {
);
// check for ssl cert
- if (substr($remote, 0, 5) === 'https') {
+
+ if (strpos($remote, 'https') === 0) {
try {
$client = $this->clientService->newClient();
$client->get($remote, [
@@ -268,19 +276,19 @@ class MountPublicLinkController extends Controller {
try {
// check if storage exists
$storage->checkStorageAvailability();
- } catch (\OCP\Files\StorageInvalidException $e) {
+ } catch (StorageInvalidException $e) {
// note: checkStorageAvailability will already remove the invalid share
- \OCP\Util::writeLog(
+ Util::writeLog(
'federatedfilesharing',
'Invalid remote storage: ' . get_class($e) . ': ' . $e->getMessage(),
- \OCP\Util::DEBUG
+ Util::DEBUG
);
return new JSONResponse(['message' => $this->l->t('Could not authenticate to remote share, password might be wrong')], Http::STATUS_BAD_REQUEST);
} catch (\Exception $e) {
- \OCP\Util::writeLog(
+ Util::writeLog(
'federatedfilesharing',
'Invalid remote storage: ' . get_class($e) . ': ' . $e->getMessage(),
- \OCP\Util::DEBUG
+ Util::DEBUG
);
$externalManager->removeShare($mount->getMountPoint());
return new JSONResponse(['message' => $this->l->t('Storage not valid')], Http::STATUS_BAD_REQUEST);
@@ -295,27 +303,27 @@ class MountPublicLinkController extends Controller {
'legacyMount' => '1'
]
);
- } catch (\OCP\Files\StorageInvalidException $e) {
- \OCP\Util::writeLog(
+ } catch (StorageInvalidException $e) {
+ Util::writeLog(
'federatedfilesharing',
'Invalid remote storage: ' . get_class($e) . ': ' . $e->getMessage(),
- \OCP\Util::DEBUG
+ Util::DEBUG
);
return new JSONResponse(['message' => $this->l->t('Storage not valid')], Http::STATUS_BAD_REQUEST);
} catch (\Exception $e) {
- \OCP\Util::writeLog(
+ Util::writeLog(
'federatedfilesharing',
'Invalid remote storage: ' . get_class($e) . ': ' . $e->getMessage(),
- \OCP\Util::DEBUG
+ Util::DEBUG
);
return new JSONResponse(['message' => $this->l->t('Couldn\'t add remote share')], Http::STATUS_BAD_REQUEST);
}
} else {
$externalManager->removeShare($mount->getMountPoint());
- \OCP\Util::writeLog(
+ Util::writeLog(
'federatedfilesharing',
'Couldn\'t add remote share',
- \OCP\Util::DEBUG
+ Util::DEBUG
);
return new JSONResponse(['message' => $this->l->t('Couldn\'t add remote share')], Http::STATUS_BAD_REQUEST);
}
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php
index a0ef87e50d8..8a8a50343ed 100644
--- a/core/Controller/LostController.php
+++ b/core/Controller/LostController.php
@@ -202,6 +202,7 @@ class LostController extends Controller {
/**
* @PublicPage
+ * @BruteForceProtection passwordResetEmail
*
* @param string $user
* @return array