Merge pull request #8323 from owncloud/stable5-backport-8183-and-co

Backport of #8183 and #8197

6 files changed, 185 insertions, 123 deletions

diff --git a/lib/base.php b/lib/base.php
index 3c3c13c8c47..a17cf19099b 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -245,6 +245,34 @@ class OC {
 		}
 	}
 
+	/*
+	* This function adds some security related headers to all requests served via base.php
+	* The implementation of this function has to happen here to ensure that all third-party
+	* components (e.g. SabreDAV) also benefit from this headers.
+	*/
+	public static function addSecurityHeaders() {
+		header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+		header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+
+		// iFrame Restriction Policy
+		$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
+		if ($xFramePolicy) {
+			header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+		}
+
+		// Content Security Policy
+		// If you change the standard policy, please also change it in config.sample.php
+		$policy = OC_Config::getValue('custom_csp_policy',
+			'default-src \'self\'; '
+			. 'script-src \'self\' \'unsafe-eval\'; '
+			. 'style-src \'self\' \'unsafe-inline\'; '
+			. 'frame-src *; '
+			. 'img-src *; '
+			. 'font-src \'self\' data:; '
+			. 'media-src *');
+		header('Content-Security-Policy:' . $policy);
+	}
+
 	public static function checkSSL() {
 		// redirect to https site if configured
 		if (OC_Config::getValue("forcessl", false)) {
@@ -479,6 +507,7 @@ class OC {
 		self::checkConfig();
 		self::checkInstalled();
 		self::checkSSL();
+		self::addSecurityHeaders();
 		self::initSession();
 
 		$errors = OC_Util::checkServer();
diff --git a/lib/connector/sabre/file.php b/lib/connector/sabre/file.php
index d3974be15a3..e90f86baa84 100644
--- a/lib/connector/sabre/file.php
+++ b/lib/connector/sabre/file.php
@@ -164,10 +164,11 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
 	 */
 	public function getContentType() {
 		if (isset($this->fileinfo_cache['mimetype'])) {
-			return $this->fileinfo_cache['mimetype'];
+			$mimeType = $this->fileinfo_cache['mimetype'];
+		} else {
+			$mimeType = \OC\Files\Filesystem::getMimeType($this->path);
 		}
 
-		return \OC\Files\Filesystem::getMimeType($this->path);
-
+		return \OC_Helper::getSecureMimeType($mimeType);
 	}
 }
diff --git a/lib/helper.php b/lib/helper.php
index 2d22f24ab38..3dd4b07ce8e 100644
--- a/lib/helper.php
+++ b/lib/helper.php
@@ -26,6 +26,7 @@
  */
 class OC_Helper {
 	private static $mimetypes=array();
+	private static $secureMimeTypes = array();
 	private static $tmpFiles=array();
 	private static $mimetypeIcons = array();
 
@@ -399,11 +400,16 @@ class OC_Helper {
 		if(strpos($path, '.')) {
 			//try to guess the type by the file extension
 			if(!self::$mimetypes || self::$mimetypes != include 'mimetypes.list.php') {
-				self::$mimetypes=include 'mimetypes.list.php';
+				self::$mimetypes = include 'mimetypes.list.php';
+
+				// Update the alternative mimetypes to avoid having to look them up each time.
+				foreach (self::$mimetypes as $mimeType) {
+					self::$secureMimeTypes[$mimeType[0]] = $mimeType[1] ? : $mimeType[0];
+				}
 			}
 			$extension=strtolower(strrchr(basename($path), "."));
 			$extension=substr($extension, 1);//remove leading .
-			$mimeType=(isset(self::$mimetypes[$extension]))?self::$mimetypes[$extension]:'application/octet-stream';
+			$mimeType=(isset(self::$mimetypes[$extension]))?self::$mimetypes[$extension][0]:'application/octet-stream';
 		}else{
 			$mimeType='application/octet-stream';
 		}
@@ -443,6 +449,21 @@ class OC_Helper {
 	}
 
 	/**
+	 * Get a secure mimetype that won't expose potential XSS.
+	 *
+	 * @param string $mimeType
+	 * @return string
+	 */
+    public static function getSecureMimeType($mimeType) {
+		if (!self::$mimetypes) {
+			self::getMimeType('foo.txt'); // make sure the mimetypes are loaded
+		}
+		return isset(self::$secureMimeTypes[$mimeType])
+			? self::$secureMimeTypes[$mimeType]
+			: 'application/octet-stream';
+}
+
+	/**
 	 * get the mimetype form a data string
 	 * @param string $data
 	 * @return string
diff --git a/lib/json.php b/lib/json.php
index f929e958957..5e2c7620648 100644
--- a/lib/json.php
+++ b/lib/json.php
@@ -104,8 +104,6 @@ class OC_JSON{
 	* Encode and print $data in json format
 	*/
 	public static function encodedPrint($data, $setContentType=true) {
-		// Disable mimesniffing, don't move this to setContentTypeHeader!
-		header( 'X-Content-Type-Options: nosniff' );
 		if($setContentType) {
 			self::setContentTypeHeader();
 		}
diff --git a/lib/mimetypes.list.php b/lib/mimetypes.list.php
index 071e1604347..af5c3e3908c 100644
--- a/lib/mimetypes.list.php
+++ b/lib/mimetypes.list.php
@@ -1,101 +1,136 @@
 <?php
 /**
-* ownCloud
-*
-* @author Robin Appelman
-* @copyright 2011 Robin Appelman icewind1991@gmail.com
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
-* License as published by the Free Software Foundation; either
-* version 3 of the License, or any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
-*
-* You should have received a copy of the GNU Affero General Public
-* License along with this library.  If not, see <http://www.gnu.org/licenses/>.
-*
-*/
+ * ownCloud
+ *
+ * @author Robin Appelman
+ * @copyright 2011 Robin Appelman icewind1991@gmail.com
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public
+ * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
 
 /**
- * list of mimetypes by extension
+ * Array mapping file extensions to mimetypes (in alphabetical order).
+ *
+ * The first index in the mime type array is the assumed correct mimetype
+ * and the second is either a secure alternative or null if the correct
+ * is considered secure.
  */
-
 return array(
-	'css'=>'text/css',
-	'flac'=>'audio/flac',
-	'gif'=>'image/gif',
-	'gzip'=>'application/x-gzip',
-	'gz'=>'application/x-gzip',
-	'html'=>'text/html',
-	'htm'=>'text/html',
-	'ics'=>'text/calendar',
-	'ical'=>'text/calendar',
-	'jpeg'=>'image/jpeg',
-	'jpg'=>'image/jpeg',
-	'js'=>'application/javascript',
-	'oga'=>'audio/ogg',
-	'ogg'=>'audio/ogg',
-	'ogv'=>'video/ogg',
-	'pdf'=>'application/pdf',
-	'png'=>'image/png',
-	'svg'=>'image/svg+xml',
-	'tar'=>'application/x-tar',
-	'tgz'=>'application/x-compressed',
-	'tar.gz'=>'application/x-compressed',
-	'tif'=>'image/tiff',
-	'tiff'=>'image/tiff',
-	'txt'=>'text/plain',
-	'zip'=>'application/zip',
-	'wav'=>'audio/wav',
-	'odt'=>'application/vnd.oasis.opendocument.text',
-	'ods'=>'application/vnd.oasis.opendocument.spreadsheet',
-	'odg'=>'application/vnd.oasis.opendocument.graphics',
-	'odp'=>'application/vnd.oasis.opendocument.presentation',
-	'pages'=>'application/x-iwork-pages-sffpages',
-	'numbers'=>'application/x-iwork-numbers-sffnumbers',
-	'keynote'=>'application/x-iwork-keynote-sffkey',
-	'kra'=>'application/x-krita',
-	'mp3'=>'audio/mpeg',
-	'doc'=>'application/msword',
-	'docx'=>'application/msword',
-	'xls'=>'application/msexcel',
-	'xlsx'=>'application/msexcel',
-	'php'=>'application/x-php',
-	'exe'=>'application/x-ms-dos-executable',
-	'msi' => 'application/x-msi',
-	'pl'=>'application/x-pearl',
-	'py'=>'application/x-python',
-	'blend'=>'application/x-blender',
-	'xcf'=>'application/x-gimp',
-	'psd'=>'application/x-photoshop',
-	'xml'=>'application/xml',
-	'avi'=>'video/x-msvideo',
-	'dv'=>'video/dv',
-	'm2t'=>'video/mp2t',
-	'mp4'=>'video/mp4',
-	'm4v'=>'video/mp4',
-	'mpg'=>'video/mpeg',
-	'mpeg'=>'video/mpeg',
-	'mov'=>'video/quicktime',
-	'webm'=>'video/webm',
-	'wmv'=>'video/x-ms-asf',
-	'py'=>'text/x-script.phyton',
-	'vcf' => 'text/vcard',
-	'vcard' => 'text/vcard',
-	'doc'=>'application/msword',
-	'docx'=>'application/msword',
-	'xls'=>'application/msexcel',
-	'xlsx'=>'application/msexcel',
-	'ppt'=>'application/mspowerpoint',
-	'pptx'=>'application/mspowerpoint',
-	'sgf' => 'application/sgf',
-	'cdr' => 'application/coreldraw',
-	'impress' => 'text/impress',
-	'ai' => 'application/illustrator',
-	'epub' => 'application/epub+zip',
-	'mobi' => 'application/x-mobipocket-ebook'
+	'7z' => array('application/x-7z-compressed', null),
+	'accdb' => array('application/msaccess', null),
+	'ai' => array('application/illustrator', null),
+	'avi' => array('video/x-msvideo', null),
+	'bash' => array('text/x-shellscript', null),
+	'blend' => array('application/x-blender', null),
+	'bin' => array('application/x-bin', null),
+	'bmp' => array('image/bmp', null),
+	'cb7' => array('application/x-cbr', null),
+	'cba' => array('application/x-cbr', null),
+	'cbr' => array('application/x-cbr', null),
+	'cbt' => array('application/x-cbr', null),
+	'cbtc' => array('application/x-cbr', null),
+	'cbz' => array('application/x-cbr', null),
+	'cc' => array('text/x-c', null),
+	'cdr' => array('application/coreldraw', null),
+	'cpp' => array('text/x-c++src', null),
+	'css' => array('text/css', null),
+	'csv' => array('text/csv', null),
+	'cvbdl' => array('application/x-cbr', null),
+	'c' => array('text/x-c', null),
+	'c++' => array('text/x-c++src', null),
+	'deb' => array('application/x-deb', null),
+	'doc' => array('application/msword', null),
+	'docx' => array('application/vnd.openxmlformats-officedocument.wordprocessingml.document', null),
+	'dot' => array('application/msword', null),
+	'dotx' => array('application/vnd.openxmlformats-officedocument.wordprocessingml.template', null),
+	'dv' => array('video/dv', null),
+	'eot' => array('application/vnd.ms-fontobject', null),
+	'epub' => array('application/epub+zip', null),
+	'exe' => array('application/x-ms-dos-executable', null),
+	'flac' => array('audio/flac', null),
+	'gif' => array('image/gif', null),
+	'gz' => array('application/x-gzip', null),
+	'gzip' => array('application/x-gzip', null),
+	'html' => array('text/html', 'text/plain'),
+	'htm' => array('text/html', 'text/plain'),
+	'ical' => array('text/calendar', null),
+	'ics' => array('text/calendar', null),
+	'impress' => array('text/impress', null),
+	'jpeg' => array('image/jpeg', null),
+	'jpg' => array('image/jpeg', null),
+	'js' => array('application/javascript', 'text/plain'),
+	'json' => array('application/json', 'text/plain'),
+	'keynote' => array('application/x-iwork-keynote-sffkey', null),
+	'kra' => array('application/x-krita', null),
+	'm2t' => array('video/mp2t', null),
+	'm4v' => array('video/mp4', null),
+	'markdown' => array('text/markdown', null),
+	'mdown' => array('text/markdown', null),
+	'md' => array('text/markdown', null),
+	'mdb' => array('application/msaccess', null),
+	'mdwn' => array('text/markdown', null),
+	'mkv' => array('video/x-matroska', null),
+	'mobi' => array('application/x-mobipocket-ebook', null),
+	'mov' => array('video/quicktime', null),
+	'mp3' => array('audio/mpeg', null),
+	'mp4' => array('video/mp4', null),
+	'mpeg' => array('video/mpeg', null),
+	'mpg' => array('video/mpeg', null),
+	'msi' => array('application/x-msi', null),
+	'numbers' => array('application/x-iwork-numbers-sffnumbers', null),
+	'odg' => array('application/vnd.oasis.opendocument.graphics', null),
+	'odp' => array('application/vnd.oasis.opendocument.presentation', null),
+	'ods' => array('application/vnd.oasis.opendocument.spreadsheet', null),
+	'odt' => array('application/vnd.oasis.opendocument.text', null),
+	'oga' => array('audio/ogg', null),
+	'ogg' => array('audio/ogg', null),
+	'ogv' => array('video/ogg', null),
+	'otf' => array('font/opentype', null),
+	'pages' => array('application/x-iwork-pages-sffpages', null),
+	'pdf' => array('application/pdf', null),
+	'php' => array('application/x-php', null),
+	'pl' => array('application/x-perl', null),
+	'png' => array('image/png', null),
+	'ppt' => array('application/mspowerpoint', null),
+	'pptx' => array('application/vnd.openxmlformats-officedocument.presentationml.presentation', null),
+	'psd' => array('application/x-photoshop', null),
+	'py' => array('text/x-python', null),
+	'rar' => array('application/x-rar-compressed', null),
+	'reveal' => array('text/reveal', null),
+	'sgf' => array('application/sgf', null),
+	'sh-lib' => array('text/x-shellscript', null),
+	'sh' => array('text/x-shellscript', null),
+	'svg' => array('image/svg+xml', 'text/plain'),
+	'swf' => array('application/x-shockwave-flash', 'application/octet-stream'),
+	'tar' => array('application/x-tar', null),
+	'tar.gz' => array('application/x-compressed', null),
+	'tex' => array('application/x-tex', null),
+	'tgz' => array('application/x-compressed', null),
+	'tiff' => array('image/tiff', null),
+	'tif' => array('image/tiff', null),
+	'ttf' => array('application/x-font-ttf', null),
+	'txt' => array('text/plain', null),
+	'vcard' => array('text/vcard', null),
+	'vcf' => array('text/vcard', null),
+	'wav' => array('audio/wav', null),
+	'webm' => array('video/webm', null),
+	'woff' => array('application/font-woff', null),
+	'wmv' => array('video/x-ms-asf', null),
+	'xcf' => array('application/x-gimp', null),
+	'xls' => array('application/msexcel', null),
+	'xlsx' => array('application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', null),
+	'xml' => array('application/xml', 'text/plain'),
+	'zip' => array('application/zip', null),
 );
diff --git a/lib/template.php b/lib/template.php
index 2f535335648..199e0f6e492 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -185,28 +185,6 @@ class OC_Template{
 		$parts = explode('/', $app); // fix translation when app is something like core/lostpassword
 		$this->l10n = OC_L10N::get($parts[0]);
 
-		// Some headers to enhance security
-		header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
-		header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
-
-		// iFrame Restriction Policy
-		$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
-		if($xFramePolicy) {
-			header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
-		}
-		
-		// Content Security Policy
-		// If you change the standard policy, please also change it in config.sample.php
-		$policy = OC_Config::getValue('custom_csp_policy',
-			'default-src \'self\'; '
-			.'script-src \'self\' \'unsafe-eval\'; '
-			.'style-src \'self\' \'unsafe-inline\'; '
-			.'frame-src *; '
-			.'img-src *; '
-			.'font-src \'self\' data:; '
-			.'media-src *');
-		header('Content-Security-Policy:'.$policy); // Standard
-
 		$this->findTemplate($name);
 	}