merge master into webdav-injection

15 files changed, 195 insertions, 153 deletions

diff --git a/core/css/mobile.css b/core/css/mobile.css
index c67ac3e5ecf..821da619295 100644
--- a/core/css/mobile.css
+++ b/core/css/mobile.css
@@ -19,6 +19,7 @@
 .searchbox input[type="search"]:focus,
 .searchbox input[type="search"]:active {
 	width: 155px;
+	max-width: 50%;
 }
 
 /* do not show display name on mobile when profile picture is present */
diff --git a/lib/private/connector/sabre/file.php b/lib/private/connector/sabre/file.php
index cbecd90b7d6..a9de41adf4d 100644
--- a/lib/private/connector/sabre/file.php
+++ b/lib/private/connector/sabre/file.php
@@ -191,7 +191,9 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
 	 * @return mixed
 	 */
 	public function getContentType() {
-		return $this->info->getMimetype();
+		$mimeType = $this->info->getMimetype();
+
+		return \OC_Helper::getSecureMimeType($mimeType);
 	}
 
 	/**
diff --git a/lib/private/files/type/detection.php b/lib/private/files/type/detection.php
index 11e439032ce..8ee53917814 100644
--- a/lib/private/files/type/detection.php
+++ b/lib/private/files/type/detection.php
@@ -17,24 +17,40 @@ namespace OC\Files\Type;
  */
 class Detection {
 	protected $mimetypes = array();
+	protected $secureMimeTypes = array();
 
 	/**
-	 * add an extension -> mimetype mapping
+	 * Add an extension -> mimetype mapping
+	 *
+	 * $mimetype is the assumed correct mime type
+	 * The optional $secureMimeType is an alternative to send to send
+	 * to avoid potential XSS.
 	 *
 	 * @param string $extension
 	 * @param string $mimetype
+	 * @param string|null $secureMimeType
 	 */
-	public function registerType($extension, $mimetype) {
-		$this->mimetypes[$extension] = $mimetype;
+	public function registerType($extension, $mimetype, $secureMimeType = null) {
+		$this->mimetypes[$extension] = array($mimetype, $secureMimeType);
+		$this->secureMimeTypes[$mimetype] = $secureMimeType ?: $mimetype;
 	}
 
 	/**
-	 * add an array of extension -> mimetype mappings
+	 * Add an array of extension -> mimetype mappings
+	 *
+	 * The mimetype value is in itself an array where the first index is
+	 * the assumed correct mimetype and the second is either a secure alternative
+	 * or null if the correct is considered secure.
 	 *
 	 * @param array $types
 	 */
 	public function registerTypeArray($types) {
 		$this->mimetypes = array_merge($this->mimetypes, $types);
+
+		// Update the alternative mimetypes to avoid having to look them up each time.
+		foreach ($this->mimetypes as $mimeType) {
+			$this->secureMimeTypes[$mimeType[0]] = $mimeType[1] ?: $mimeType[0];
+		}
 	}
 
 	/**
@@ -48,7 +64,9 @@ class Detection {
 			//try to guess the type by the file extension
 			$extension = strtolower(strrchr(basename($path), "."));
 			$extension = substr($extension, 1); //remove leading .
-			return (isset($this->mimetypes[$extension])) ? $this->mimetypes[$extension] : 'application/octet-stream';
+			return (isset($this->mimetypes[$extension]) && isset($this->mimetypes[$extension][0]))
+				? $this->mimetypes[$extension][0]
+				: 'application/octet-stream';
 		} else {
 			return 'application/octet-stream';
 		}
@@ -123,4 +141,16 @@ class Detection {
 			return $mime;
 		}
 	}
+
+	/**
+	 * Get a secure mimetype that won't expose potential XSS.
+	 *
+	 * @param string $mimeType
+	 * @return string
+	 */
+	public function getSecureMimeType($mimeType) {
+		return isset($this->secureMimeTypes[$mimeType])
+			? $this->secureMimeTypes[$mimeType]
+			: 'application/octet-stream';
+	}
 }
diff --git a/lib/private/group/group.php b/lib/private/group/group.php
index a2b8a0dcbea..3efbb6e7023 100644
--- a/lib/private/group/group.php
+++ b/lib/private/group/group.php
@@ -172,12 +172,6 @@ class Group {
 		$users = array();
 		foreach ($this->backends as $backend) {
 			$userIds = $backend->usersInGroup($this->gid, $search, $limit, $offset);
-			if (!is_null($limit)) {
-				$limit -= count($userIds);
-			}
-			if (!is_null($offset)) {
-				$offset -= count($userIds);
-			}
 			$users += $this->getVerifiedUsers($userIds);
 			if (!is_null($limit) and $limit <= 0) {
 				return array_values($users);
@@ -223,12 +217,6 @@ class Group {
 			} else {
 				$userIds = $backend->usersInGroup($this->gid, $search, $limit, $offset);
 			}
-			if (!is_null($limit)) {
-				$limit -= count($userIds);
-			}
-			if (!is_null($offset)) {
-				$offset -= count($userIds);
-			}
 			$users = $this->getVerifiedUsers($userIds);
 			if (!is_null($limit) and $limit <= 0) {
 				return array_values($users);
diff --git a/lib/private/group/manager.php b/lib/private/group/manager.php
index 9b433b64fd4..f591bd32aba 100644
--- a/lib/private/group/manager.php
+++ b/lib/private/group/manager.php
@@ -134,12 +134,6 @@ class Manager extends PublicEmitter {
 		$groups = array();
 		foreach ($this->backends as $backend) {
 			$groupIds = $backend->getGroups($search, $limit, $offset);
-			if (!is_null($limit)) {
-				$limit -= count($groupIds);
-			}
-			if (!is_null($offset)) {
-				$offset -= count($groupIds);
-			}
 			foreach ($groupIds as $groupId) {
 				$groups[$groupId] = $this->getGroupObject($groupId);
 			}
diff --git a/lib/private/helper.php b/lib/private/helper.php
index da3d3cd1c6e..d5214823de9 100644
--- a/lib/private/helper.php
+++ b/lib/private/helper.php
@@ -431,6 +431,16 @@ class OC_Helper {
 	}
 
 	/**
+	 * Get a secure mimetype that won't expose potential XSS.
+	 *
+	 * @param string $mimeType
+	 * @return string
+	 */
+	static function getSecureMimeType($mimeType) {
+		return self::getMimetypeDetector()->getSecureMimeType($mimeType);
+	}
+
+	/**
 	 * get the mimetype form a data string
 	 *
 	 * @param string $data
diff --git a/lib/private/l10n.php b/lib/private/l10n.php
index 175360e27a3..a397945b829 100644
--- a/lib/private/l10n.php
+++ b/lib/private/l10n.php
@@ -419,6 +419,14 @@ class OC_L10N implements \OCP\IL10N {
 	}
 
 	/**
+	 * The given language is forced to be used while executing the current request
+	 * @param string $lang
+	 */
+	public static function forceLanguage($lang) {
+		self::$language = $lang;
+	}
+
+	/**
 	 * @brief find the best language
 	 * @param array|string $app details below
 	 * @returns string language
diff --git a/lib/private/mimetypes.list.php b/lib/private/mimetypes.list.php
index 91bcf584267..07e2391c116 100644
--- a/lib/private/mimetypes.list.php
+++ b/lib/private/mimetypes.list.php
@@ -22,111 +22,115 @@
 
 /**
  * Array mapping file extensions to mimetypes (in alphabetical order).
+ *
+ * The first index in the mime type array is the assumed correct mimetype
+ * and the second is either a secure alternative or null if the correct
+ * is considered secure.
  */
 return array(
-	'7z' => 'application/x-7z-compressed',
-	'accdb' => 'application/msaccess',
-	'ai' => 'application/illustrator',
-	'avi' => 'video/x-msvideo',
-	'bash' => 'text/x-shellscript',
-	'blend' => 'application/x-blender',
-	'bin' => 'application/x-bin',
-	'bmp' => 'image/bmp',
-	'cb7' => 'application/x-cbr',
-	'cba' => 'application/x-cbr',
-	'cbr' => 'application/x-cbr',
-	'cbt' => 'application/x-cbr',
-	'cbtc' => 'application/x-cbr',
-	'cbz' => 'application/x-cbr',
-	'cc' => 'text/x-c',
-	'cdr' => 'application/coreldraw',
-	'cpp' => 'text/x-c++src',
-	'css' => 'text/css',
-	'csv' => 'text/csv',
-	'cvbdl' => 'application/x-cbr',
-	'c' => 'text/x-c',
-	'c++' => 'text/x-c++src',
-	'deb' => 'application/x-deb',
-	'doc' => 'application/msword',
-	'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
-	'dot' => 'application/msword',
-	'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template',
-	'dv' => 'video/dv',
-	'eot' => 'application/vnd.ms-fontobject',
-	'epub' => 'application/epub+zip',
-	'exe' => 'application/x-ms-dos-executable',
-	'flac' => 'audio/flac',
-	'gif' => 'image/gif',
-	'gz' => 'application/x-gzip',
-	'gzip' => 'application/x-gzip',
-	'html' => 'text/html',
-	'htm' => 'text/html',
-	'ical' => 'text/calendar',
-	'ics' => 'text/calendar',
-	'impress' => 'text/impress',
-	'jpeg' => 'image/jpeg',
-	'jpg' => 'image/jpeg',
-	'js' => 'application/javascript',
-	'json' => 'application/json',
-	'keynote' => 'application/x-iwork-keynote-sffkey',
-	'kra' => 'application/x-krita',
-	'm2t' => 'video/mp2t',
-	'm4v' => 'video/mp4',
-	'markdown' => 'text/markdown',
-	'mdown' => 'text/markdown',
-	'md' => 'text/markdown',
-	'mdb' => 'application/msaccess',
-	'mdwn' => 'text/markdown',
-	'mkv' => 'video/x-matroska',
-	'mobi' => 'application/x-mobipocket-ebook',
-	'mov' => 'video/quicktime',
-	'mp3' => 'audio/mpeg',
-	'mp4' => 'video/mp4',
-	'mpeg' => 'video/mpeg',
-	'mpg' => 'video/mpeg',
-	'msi' => 'application/x-msi',
-	'numbers' => 'application/x-iwork-numbers-sffnumbers',
-	'odg' => 'application/vnd.oasis.opendocument.graphics',
-	'odp' => 'application/vnd.oasis.opendocument.presentation',
-	'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
-	'odt' => 'application/vnd.oasis.opendocument.text',
-	'oga' => 'audio/ogg',
-	'ogg' => 'audio/ogg',
-	'ogv' => 'video/ogg',
-	'otf' => 'font/opentype',
-	'pages' => 'application/x-iwork-pages-sffpages',
-	'pdf' => 'application/pdf',
-	'php' => 'application/x-php',
-	'pl' => 'application/x-perl',
-	'png' => 'image/png',
-	'ppt' => 'application/mspowerpoint',
-	'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
-	'psd' => 'application/x-photoshop',
-	'py' => 'text/x-python',
-	'rar' => 'application/x-rar-compressed',
-	'reveal' => 'text/reveal',
-	'sgf' => 'application/sgf',
-	'sh-lib' => 'text/x-shellscript',
-	'sh' => 'text/x-shellscript',
-	'svg' => 'image/svg+xml',
-	'swf' => 'application/x-shockwave-flash',
-	'tar' => 'application/x-tar',
-	'tar.gz' => 'application/x-compressed',
-	'tex' => 'application/x-tex',
-	'tgz' => 'application/x-compressed',
-	'tiff' => 'image/tiff',
-	'tif' => 'image/tiff',
-	'ttf' => 'application/x-font-ttf',
-	'txt' => 'text/plain',
-	'vcard' => 'text/vcard',
-	'vcf' => 'text/vcard',
-	'wav' => 'audio/wav',
-	'webm' => 'video/webm',
-	'woff' => 'application/font-woff',
-	'wmv' => 'video/x-ms-asf',
-	'xcf' => 'application/x-gimp',
-	'xls' => 'application/msexcel',
-	'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
-	'xml' => 'application/xml',
-	'zip' => 'application/zip',
+	'7z' => array('application/x-7z-compressed', null),
+	'accdb' => array('application/msaccess', null),
+	'ai' => array('application/illustrator', null),
+	'avi' => array('video/x-msvideo', null),
+	'bash' => array('text/x-shellscript', null),
+	'blend' => array('application/x-blender', null),
+	'bin' => array('application/x-bin', null),
+	'bmp' => array('image/bmp', null),
+	'cb7' => array('application/x-cbr', null),
+	'cba' => array('application/x-cbr', null),
+	'cbr' => array('application/x-cbr', null),
+	'cbt' => array('application/x-cbr', null),
+	'cbtc' => array('application/x-cbr', null),
+	'cbz' => array('application/x-cbr', null),
+	'cc' => array('text/x-c', null),
+	'cdr' => array('application/coreldraw', null),
+	'cpp' => array('text/x-c++src', null),
+	'css' => array('text/css', null),
+	'csv' => array('text/csv', null),
+	'cvbdl' => array('application/x-cbr', null),
+	'c' => array('text/x-c', null),
+	'c++' => array('text/x-c++src', null),
+	'deb' => array('application/x-deb', null),
+	'doc' => array('application/msword', null),
+	'docx' => array('application/vnd.openxmlformats-officedocument.wordprocessingml.document', null),
+	'dot' => array('application/msword', null),
+	'dotx' => array('application/vnd.openxmlformats-officedocument.wordprocessingml.template', null),
+	'dv' => array('video/dv', null),
+	'eot' => array('application/vnd.ms-fontobject', null),
+	'epub' => array('application/epub+zip', null),
+	'exe' => array('application/x-ms-dos-executable', null),
+	'flac' => array('audio/flac', null),
+	'gif' => array('image/gif', null),
+	'gz' => array('application/x-gzip', null),
+	'gzip' => array('application/x-gzip', null),
+	'html' => array('text/html', 'text/plain'),
+	'htm' => array('text/html', 'text/plain'),
+	'ical' => array('text/calendar', null),
+	'ics' => array('text/calendar', null),
+	'impress' => array('text/impress', null),
+	'jpeg' => array('image/jpeg', null),
+	'jpg' => array('image/jpeg', null),
+	'js' => array('application/javascript', 'text/plain'),
+	'json' => array('application/json', 'text/plain'),
+	'keynote' => array('application/x-iwork-keynote-sffkey', null),
+	'kra' => array('application/x-krita', null),
+	'm2t' => array('video/mp2t', null),
+	'm4v' => array('video/mp4', null),
+	'markdown' => array('text/markdown', null),
+	'mdown' => array('text/markdown', null),
+	'md' => array('text/markdown', null),
+	'mdb' => array('application/msaccess', null),
+	'mdwn' => array('text/markdown', null),
+	'mkv' => array('video/x-matroska', null),
+	'mobi' => array('application/x-mobipocket-ebook', null),
+	'mov' => array('video/quicktime', null),
+	'mp3' => array('audio/mpeg', null),
+	'mp4' => array('video/mp4', null),
+	'mpeg' => array('video/mpeg', null),
+	'mpg' => array('video/mpeg', null),
+	'msi' => array('application/x-msi', null),
+	'numbers' => array('application/x-iwork-numbers-sffnumbers', null),
+	'odg' => array('application/vnd.oasis.opendocument.graphics', null),
+	'odp' => array('application/vnd.oasis.opendocument.presentation', null),
+	'ods' => array('application/vnd.oasis.opendocument.spreadsheet', null),
+	'odt' => array('application/vnd.oasis.opendocument.text', null),
+	'oga' => array('audio/ogg', null),
+	'ogg' => array('audio/ogg', null),
+	'ogv' => array('video/ogg', null),
+	'otf' => array('font/opentype', null),
+	'pages' => array('application/x-iwork-pages-sffpages', null),
+	'pdf' => array('application/pdf', null),
+	'php' => array('application/x-php', null),
+	'pl' => array('application/x-perl', null),
+	'png' => array('image/png', null),
+	'ppt' => array('application/mspowerpoint', null),
+	'pptx' => array('application/vnd.openxmlformats-officedocument.presentationml.presentation', null),
+	'psd' => array('application/x-photoshop', null),
+	'py' => array('text/x-python', null),
+	'rar' => array('application/x-rar-compressed', null),
+	'reveal' => array('text/reveal', null),
+	'sgf' => array('application/sgf', null),
+	'sh-lib' => array('text/x-shellscript', null),
+	'sh' => array('text/x-shellscript', null),
+	'svg' => array('image/svg+xml', 'text/plain'),
+	'swf' => array('application/x-shockwave-flash', 'application/octet-stream'),
+	'tar' => array('application/x-tar', null),
+	'tar.gz' => array('application/x-compressed', null),
+	'tex' => array('application/x-tex', null),
+	'tgz' => array('application/x-compressed', null),
+	'tiff' => array('image/tiff', null),
+	'tif' => array('image/tiff', null),
+	'ttf' => array('application/x-font-ttf', null),
+	'txt' => array('text/plain', null),
+	'vcard' => array('text/vcard', null),
+	'vcf' => array('text/vcard', null),
+	'wav' => array('audio/wav', null),
+	'webm' => array('video/webm', null),
+	'woff' => array('application/font-woff', null),
+	'wmv' => array('video/x-ms-asf', null),
+	'xcf' => array('application/x-gimp', null),
+	'xls' => array('application/msexcel', null),
+	'xlsx' => array('application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', null),
+	'xml' => array('application/xml', 'text/plain'),
+	'zip' => array('application/zip', null),
 );
diff --git a/lib/private/user/manager.php b/lib/private/user/manager.php
index a2ad9d17702..14698452e88 100644
--- a/lib/private/user/manager.php
+++ b/lib/private/user/manager.php
@@ -175,13 +175,6 @@ class Manager extends PublicEmitter {
 			if (is_array($backendUsers)) {
 				foreach ($backendUsers as $uid) {
 					$users[] = $this->getUserObject($uid, $backend);
-					if (!is_null($limit)) {
-						$limit--;
-					}
-					if (!is_null($offset) and $offset > 0) {
-						$offset--;
-					}
-
 				}
 			}
 		}
@@ -211,13 +204,6 @@ class Manager extends PublicEmitter {
 			if (is_array($backendUsers)) {
 				foreach ($backendUsers as $uid => $displayName) {
 					$users[] = $this->getUserObject($uid, $backend);
-					if (!is_null($limit)) {
-						$limit--;
-					}
-					if (!is_null($offset) and $offset > 0) {
-						$offset--;
-					}
-
 				}
 			}
 		}
diff --git a/ocs/v1.php b/ocs/v1.php
index 62a3511e611..d69904fc495 100644
--- a/ocs/v1.php
+++ b/ocs/v1.php
@@ -30,6 +30,9 @@ try {
 	// load all apps to get all api routes properly setup
 	OC_App::loadApps();
 
+	// api calls always will return English
+	\OC_L10N::forceLanguage('en');
+
 	OC::$server->getRouter()->match('/ocs'.OC_Request::getRawPathInfo());
 } catch (ResourceNotFoundException $e) {
 	OC_API::setContentType();
diff --git a/search/css/results.css b/search/css/results.css
index 8a32b0b995d..6aa73f55c33 100644
--- a/search/css/results.css
+++ b/search/css/results.css
@@ -9,13 +9,14 @@
 	list-style:none;
 	max-height:80%;
 	overflow-x:hidden;
-	overflow-y: scroll;
+	overflow-y: auto;
 	padding-bottom:6px;
 	position:fixed;
 	right:0;
 	text-overflow:ellipsis;
 	top:45px;
 	width:380px;
+	max-width: 95%;
 	z-index:75;
 }
 
@@ -44,18 +45,21 @@
 
 #searchresults td {
 	padding:0 .3em;
-	height: 32px;
+	height: 44px;
 }
 #searchresults tr.template {
 	display: none;
 }
 
-#searchresults td.result {
-	width:250px;
+#searchresults .name,
+#searchresults .text {
+	white-space: nowrap;
+	overflow: hidden;
+	text-overflow: ellipsis;
 }
-#searchresults td.result div.text {
-	padding-left:1em;
-	white-space:nowrap;
+#searchresults .text {
+	padding-left: 16px;
+	color: #999;
 }
 
 #searchresults td.result * {
diff --git a/tests/lib/group/group.php b/tests/lib/group/group.php
index 147532f9947..990f8ecc1d5 100644
--- a/tests/lib/group/group.php
+++ b/tests/lib/group/group.php
@@ -287,7 +287,7 @@ class Group extends \PHPUnit_Framework_TestCase {
 			->will($this->returnValue(array('user2')));
 		$backend2->expects($this->once())
 			->method('usersInGroup')
-			->with('group1', 'user', 1, 0)
+			->with('group1', 'user', 2, 1)
 			->will($this->returnValue(array('user1')));
 
 		$users = $group->searchUsers('user', 2, 1);
diff --git a/tests/lib/group/manager.php b/tests/lib/group/manager.php
index 90f0e1b35e2..a03997c58eb 100644
--- a/tests/lib/group/manager.php
+++ b/tests/lib/group/manager.php
@@ -254,7 +254,7 @@ class Manager extends \PHPUnit_Framework_TestCase {
 		$backend2 = $this->getMock('\OC_Group_Database');
 		$backend2->expects($this->once())
 			->method('getGroups')
-			->with('1', 1, 0)
+			->with('1', 2, 1)
 			->will($this->returnValue(array('group12')));
 		$backend2->expects($this->any())
 			->method('groupExists')
diff --git a/tests/lib/helper.php b/tests/lib/helper.php
index 0943e6bc1b9..5d319e40f02 100644
--- a/tests/lib/helper.php
+++ b/tests/lib/helper.php
@@ -71,6 +71,18 @@ class Test_Helper extends PHPUnit_Framework_TestCase {
 		$this->assertEquals($result, $expected);
 	}
 
+	function testGetSecureMimeType() {
+		$dir=OC::$SERVERROOT.'/tests/data';
+
+		$result = OC_Helper::getSecureMimeType('image/svg+xml');
+		$expected = 'text/plain';
+		$this->assertEquals($result, $expected);
+
+		$result = OC_Helper::getSecureMimeType('image/png');
+		$expected = 'image/png';
+		$this->assertEquals($result, $expected);
+	}
+
 	function testGetFileNameMimeType() {
 		$this->assertEquals('text/plain', OC_Helper::getFileNameMimeType('foo.txt'));
 		$this->assertEquals('image/png', OC_Helper::getFileNameMimeType('foo.png'));
diff --git a/tests/lib/user/manager.php b/tests/lib/user/manager.php
index ad1ac9e12f2..8ca0f94c6fa 100644
--- a/tests/lib/user/manager.php
+++ b/tests/lib/user/manager.php
@@ -210,7 +210,7 @@ class Manager extends \PHPUnit_Framework_TestCase {
 		$backend2 = $this->getMock('\OC_User_Dummy');
 		$backend2->expects($this->once())
 			->method('getUsers')
-			->with($this->equalTo('fo'), $this->equalTo(1), $this->equalTo(0))
+			->with($this->equalTo('fo'), $this->equalTo(3), $this->equalTo(1))
 			->will($this->returnValue(array('foo3')));
 
 		$manager = new \OC\User\Manager();