diff options
author | Morris Jobke <hey@morrisjobke.de> | 2016-10-26 00:20:27 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-10-26 00:20:27 +0200 |
commit | 9a70c137d2afa3dc1a6f6361c3fa36d5a9ca4f71 (patch) | |
tree | bdfcaaca14022c13bcc2088b791ce2a16dd562db | |
parent | 1b6ba5ad322cb3d6e2139393798d243f1d4cc68a (diff) | |
parent | 015affb082a7c9bbfeef552b3c74e5ae77e01ab3 (diff) | |
download | nextcloud-server-9a70c137d2afa3dc1a6f6361c3fa36d5a9ca4f71.tar.gz nextcloud-server-9a70c137d2afa3dc1a6f6361c3fa36d5a9ca4f71.zip |
Merge pull request #1917 from nextcloud/ocjs_inline
Inline oc.js when possible!
-rw-r--r-- | core/Controller/OCJSController.php | 92 | ||||
-rw-r--r-- | core/routes.php | 4 | ||||
-rw-r--r-- | core/templates/layout.base.php | 5 | ||||
-rw-r--r-- | core/templates/layout.guest.php | 5 | ||||
-rw-r--r-- | core/templates/layout.user.php | 5 | ||||
-rw-r--r-- | lib/composer/composer/autoload_classmap.php | 2 | ||||
-rw-r--r-- | lib/composer/composer/autoload_static.php | 2 | ||||
-rw-r--r-- | lib/private/AppFramework/DependencyInjection/DIContainer.php | 3 | ||||
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php | 27 | ||||
-rw-r--r-- | lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php | 30 | ||||
-rw-r--r-- | lib/private/Server.php | 3 | ||||
-rw-r--r-- | lib/private/Template/JSConfigHelper.php | 243 | ||||
-rw-r--r-- | lib/private/TemplateLayout.php | 18 | ||||
-rw-r--r-- | tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php | 15 | ||||
-rw-r--r-- | tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php | 4 |
15 files changed, 426 insertions, 32 deletions
diff --git a/core/Controller/OCJSController.php b/core/Controller/OCJSController.php new file mode 100644 index 00000000000..b1c2208377e --- /dev/null +++ b/core/Controller/OCJSController.php @@ -0,0 +1,92 @@ +<?php +/** + * @copyright Copyright (c) 2016, Roeland Jago Douma <roeland@famdouma.nl> + * + * @author Roeland Jago Douma <roeland@famdouma.nl> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ +namespace OC\Core\Controller; + +use bantu\IniGetWrapper\IniGetWrapper; +use OC\Template\JSConfigHelper; +use OCP\App\IAppManager; +use OCP\AppFramework\Controller; +use OCP\AppFramework\Http; +use OCP\AppFramework\Http\DataDisplayResponse; +use OCP\IConfig; +use OCP\IGroupManager; +use OCP\IL10N; +use OCP\IRequest; +use OCP\IURLGenerator; +use OCP\IUserSession; + +class OCJSController extends Controller { + + /** @var JSConfigHelper */ + private $helper; + + /** + * OCJSController constructor. + * + * @param string $appName + * @param IRequest $request + * @param IL10N $l + * @param \OC_Defaults $defaults + * @param IAppManager $appManager + * @param IUserSession $session + * @param IConfig $config + * @param IGroupManager $groupManager + * @param IniGetWrapper $iniWrapper + * @param IURLGenerator $urlGenerator + */ + public function __construct($appName, + IRequest $request, + IL10N $l, + \OC_Defaults $defaults, + IAppManager $appManager, + IUserSession $session, + IConfig $config, + IGroupManager $groupManager, + IniGetWrapper $iniWrapper, + IURLGenerator $urlGenerator) { + parent::__construct($appName, $request); + + $this->helper = new JSConfigHelper( + $l, + $defaults, + $appManager, + $session->getUser(), + $config, + $groupManager, + $iniWrapper, + $urlGenerator + ); + } + + /** + * @NoCSRFRequired + * @PublicPage + * + * @return DataDisplayResponse + */ + public function getConfig() { + $data = $this->helper->getConfig(); + + return new DataDisplayResponse($data, Http::STATUS_OK, ['Content-type' => 'text/javascript']); + } +} diff --git a/core/routes.php b/core/routes.php index 3ca83815ad4..7978001af7d 100644 --- a/core/routes.php +++ b/core/routes.php @@ -51,6 +51,7 @@ $application->registerRoutes($this, [ ['name' => 'TwoFactorChallenge#selectChallenge', 'url' => '/login/selectchallenge', 'verb' => 'GET'], ['name' => 'TwoFactorChallenge#showChallenge', 'url' => '/login/challenge/{challengeProviderId}', 'verb' => 'GET'], ['name' => 'TwoFactorChallenge#solveChallenge', 'url' => '/login/challenge/{challengeProviderId}', 'verb' => 'POST'], + ['name' => 'OCJS#getConfig', 'url' => '/core/js/oc.js', 'verb' => 'GET'], ], 'ocs' => [ ['root' => '/cloud', 'name' => 'OCS#getCapabilities', 'url' => '/capabilities', 'verb' => 'GET'], @@ -66,9 +67,6 @@ $application->registerRoutes($this, [ // Search $this->create('search_ajax_search', '/core/search') ->actionInclude('core/search/ajax/search.php'); -// oC JS config -$this->create('js_config', '/core/js/oc.js') - ->actionInclude('core/js/config.php'); // Routing $this->create('core_ajax_preview', '/core/preview') ->actionInclude('core/ajax/preview.php'); diff --git a/core/templates/layout.base.php b/core/templates/layout.base.php index 3f13523afcb..d6d70f31362 100644 --- a/core/templates/layout.base.php +++ b/core/templates/layout.base.php @@ -18,6 +18,11 @@ <?php foreach($_['printcssfiles'] as $cssfile): ?> <link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" media="print"> <?php endforeach; ?> + <?php if (isset($_['inline_ocjs'])): ?> + <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" type="text/javascript"> + <?php print_unescaped($_['inline_ocjs']); ?> + </script> + <?php endif; ?> <?php foreach ($_['jsfiles'] as $jsfile): ?> <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" src="<?php print_unescaped($jsfile); ?>"></script> <?php endforeach; ?> diff --git a/core/templates/layout.guest.php b/core/templates/layout.guest.php index 6d46ac6cf2c..1692e4268d4 100644 --- a/core/templates/layout.guest.php +++ b/core/templates/layout.guest.php @@ -19,6 +19,11 @@ <?php foreach($_['printcssfiles'] as $cssfile): ?> <link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" media="print"> <?php endforeach; ?> + <?php if (isset($_['inline_ocjs'])): ?> + <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" type="text/javascript"> + <?php print_unescaped($_['inline_ocjs']); ?> + </script> + <?php endif; ?> <?php foreach($_['jsfiles'] as $jsfile): ?> <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" src="<?php print_unescaped($jsfile); ?>"></script> <?php endforeach; ?> diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php index d258e3582d0..bc8edf085d0 100644 --- a/core/templates/layout.user.php +++ b/core/templates/layout.user.php @@ -26,6 +26,11 @@ <?php foreach($_['printcssfiles'] as $cssfile): ?> <link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" media="print"> <?php endforeach; ?> + <?php if (isset($_['inline_ocjs'])): ?> + <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" type="text/javascript"> + <?php print_unescaped($_['inline_ocjs']); ?> + </script> + <?php endif; ?> <?php foreach($_['jsfiles'] as $jsfile): ?> <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" src="<?php print_unescaped($jsfile); ?>"></script> <?php endforeach; ?> diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php index 0d2a782a867..1332a570a27 100644 --- a/lib/composer/composer/autoload_classmap.php +++ b/lib/composer/composer/autoload_classmap.php @@ -402,6 +402,7 @@ return array( 'OC\\Core\\Controller\\AvatarController' => $baseDir . '/core/Controller/AvatarController.php', 'OC\\Core\\Controller\\LoginController' => $baseDir . '/core/Controller/LoginController.php', 'OC\\Core\\Controller\\LostController' => $baseDir . '/core/Controller/LostController.php', + 'OC\\Core\\Controller\\OCJSController' => $baseDir . '/core/Controller/OCJSController.php', 'OC\\Core\\Controller\\OCSController' => $baseDir . '/core/Controller/OCSController.php', 'OC\\Core\\Controller\\SetupController' => $baseDir . '/core/Controller/SetupController.php', 'OC\\Core\\Controller\\TwoFactorChallengeController' => $baseDir . '/core/Controller/TwoFactorChallengeController.php', @@ -752,6 +753,7 @@ return array( 'OC\\TemplateLayout' => $baseDir . '/lib/private/TemplateLayout.php', 'OC\\Template\\Base' => $baseDir . '/lib/private/Template/Base.php', 'OC\\Template\\CSSResourceLocator' => $baseDir . '/lib/private/Template/CSSResourceLocator.php', + 'OC\\Template\\JSConfigHelper' => $baseDir . '/lib/private/Template/JSConfigHelper.php', 'OC\\Template\\JSResourceLocator' => $baseDir . '/lib/private/Template/JSResourceLocator.php', 'OC\\Template\\ResourceLocator' => $baseDir . '/lib/private/Template/ResourceLocator.php', 'OC\\Template\\ResourceNotFoundException' => $baseDir . '/lib/private/Template/ResourceNotFoundException.php', diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php index 43e3fc3de34..c9bdc5305fe 100644 --- a/lib/composer/composer/autoload_static.php +++ b/lib/composer/composer/autoload_static.php @@ -432,6 +432,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c 'OC\\Core\\Controller\\AvatarController' => __DIR__ . '/../../..' . '/core/Controller/AvatarController.php', 'OC\\Core\\Controller\\LoginController' => __DIR__ . '/../../..' . '/core/Controller/LoginController.php', 'OC\\Core\\Controller\\LostController' => __DIR__ . '/../../..' . '/core/Controller/LostController.php', + 'OC\\Core\\Controller\\OCJSController' => __DIR__ . '/../../..' . '/core/Controller/OCJSController.php', 'OC\\Core\\Controller\\OCSController' => __DIR__ . '/../../..' . '/core/Controller/OCSController.php', 'OC\\Core\\Controller\\SetupController' => __DIR__ . '/../../..' . '/core/Controller/SetupController.php', 'OC\\Core\\Controller\\TwoFactorChallengeController' => __DIR__ . '/../../..' . '/core/Controller/TwoFactorChallengeController.php', @@ -782,6 +783,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c 'OC\\TemplateLayout' => __DIR__ . '/../../..' . '/lib/private/TemplateLayout.php', 'OC\\Template\\Base' => __DIR__ . '/../../..' . '/lib/private/Template/Base.php', 'OC\\Template\\CSSResourceLocator' => __DIR__ . '/../../..' . '/lib/private/Template/CSSResourceLocator.php', + 'OC\\Template\\JSConfigHelper' => __DIR__ . '/../../..' . '/lib/private/Template/JSConfigHelper.php', 'OC\\Template\\JSResourceLocator' => __DIR__ . '/../../..' . '/lib/private/Template/JSResourceLocator.php', 'OC\\Template\\ResourceLocator' => __DIR__ . '/../../..' . '/lib/private/Template/ResourceLocator.php', 'OC\\Template\\ResourceNotFoundException' => __DIR__ . '/../../..' . '/lib/private/Template/ResourceNotFoundException.php', diff --git a/lib/private/AppFramework/DependencyInjection/DIContainer.php b/lib/private/AppFramework/DependencyInjection/DIContainer.php index 97faa0edf49..8fe9b4dca03 100644 --- a/lib/private/AppFramework/DependencyInjection/DIContainer.php +++ b/lib/private/AppFramework/DependencyInjection/DIContainer.php @@ -380,7 +380,8 @@ class DIContainer extends SimpleContainer implements IAppContainer { $app->isLoggedIn(), $app->isAdminUser(), $app->getServer()->getContentSecurityPolicyManager(), - $app->getServer()->getCsrfTokenManager() + $app->getServer()->getCsrfTokenManager(), + $app->getServer()->getContentSecurityPolicyNonceManager() ); }); diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php index 6c33c0023ea..183e55740ea 100644 --- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php @@ -36,6 +36,7 @@ use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException; use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException; use OC\AppFramework\Utility\ControllerMethodReflector; use OC\Security\CSP\ContentSecurityPolicyManager; +use OC\Security\CSP\ContentSecurityPolicyNonceManager; use OC\Security\CSRF\CsrfTokenManager; use OCP\AppFramework\Http\ContentSecurityPolicy; use OCP\AppFramework\Http\EmptyContentSecurityPolicy; @@ -80,6 +81,8 @@ class SecurityMiddleware extends Middleware { private $contentSecurityPolicyManager; /** @var CsrfTokenManager */ private $csrfTokenManager; + /** @var ContentSecurityPolicyNonceManager */ + private $cspNonceManager; /** * @param IRequest $request @@ -92,6 +95,7 @@ class SecurityMiddleware extends Middleware { * @param bool $isAdminUser * @param ContentSecurityPolicyManager $contentSecurityPolicyManager * @param CSRFTokenManager $csrfTokenManager + * @param ContentSecurityPolicyNonceManager $cspNonceManager */ public function __construct(IRequest $request, ControllerMethodReflector $reflector, @@ -102,7 +106,8 @@ class SecurityMiddleware extends Middleware { $isLoggedIn, $isAdminUser, ContentSecurityPolicyManager $contentSecurityPolicyManager, - CsrfTokenManager $csrfTokenManager) { + CsrfTokenManager $csrfTokenManager, + ContentSecurityPolicyNonceManager $cspNonceManager) { $this->navigationManager = $navigationManager; $this->request = $request; $this->reflector = $reflector; @@ -113,6 +118,7 @@ class SecurityMiddleware extends Middleware { $this->isAdminUser = $isAdminUser; $this->contentSecurityPolicyManager = $contentSecurityPolicyManager; $this->csrfTokenManager = $csrfTokenManager; + $this->cspNonceManager = $cspNonceManager; } @@ -177,23 +183,6 @@ class SecurityMiddleware extends Middleware { } - private function browserSupportsCspV3() { - $browserWhitelist = [ - // Chrome 40+ - '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[4-9][0-9].[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+$/', - // Firefox 45+ - '/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/(4[5-9]|[5-9][0-9])\.[0-9.]+$/', - // Safari 10+ - '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/1[0-9.]+ Safari\/[0-9.A-Z]+$/', - ]; - - if($this->request->isUserAgent($browserWhitelist)) { - return true; - } - - return false; - } - /** * Performs the default CSP modifications that may be injected by other * applications @@ -213,7 +202,7 @@ class SecurityMiddleware extends Middleware { $defaultPolicy = $this->contentSecurityPolicyManager->getDefaultPolicy(); $defaultPolicy = $this->contentSecurityPolicyManager->mergePolicies($defaultPolicy, $policy); - if($this->browserSupportsCspV3()) { + if($this->cspNonceManager->browserSupportsCspV3()) { $defaultPolicy->useJsNonce($this->csrfTokenManager->getToken()->getEncryptedValue()); } diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php index 0482ea49e5c..e6a39b12a42 100644 --- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php +++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php @@ -22,6 +22,7 @@ namespace OC\Security\CSP; use OC\Security\CSRF\CsrfTokenManager; +use OCP\IRequest; /** * @package OC\Security\CSP @@ -29,14 +30,19 @@ use OC\Security\CSRF\CsrfTokenManager; class ContentSecurityPolicyNonceManager { /** @var CsrfTokenManager */ private $csrfTokenManager; + /** @var IRequest */ + private $request; /** @var string */ private $nonce = ''; /** * @param CsrfTokenManager $csrfTokenManager + * @param IRequest $request */ - public function __construct(CsrfTokenManager $csrfTokenManager) { + public function __construct(CsrfTokenManager $csrfTokenManager, + IRequest $request) { $this->csrfTokenManager = $csrfTokenManager; + $this->request = $request; } /** @@ -51,4 +57,26 @@ class ContentSecurityPolicyNonceManager { return $this->nonce; } + + /** + * Check if the browser supports CSP v3 + * + * @return bool + */ + public function browserSupportsCspV3() { + $browserWhitelist = [ + // Chrome 40+ + '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[4-9][0-9].[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+$/', + // Firefox 45+ + '/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/(4[5-9]|[5-9][0-9])\.[0-9.]+$/', + // Safari 10+ + '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/1[0-9.]+ Safari\/[0-9.A-Z]+$/', + ]; + + if($this->request->isUserAgent($browserWhitelist)) { + return true; + } + + return false; + } } diff --git a/lib/private/Server.php b/lib/private/Server.php index 1ccc27802d2..21ec311401d 100644 --- a/lib/private/Server.php +++ b/lib/private/Server.php @@ -711,7 +711,8 @@ class Server extends ServerContainer implements IServerContainer { }); $this->registerService('ContentSecurityPolicyNonceManager', function(Server $c) { return new ContentSecurityPolicyNonceManager( - $c->getCsrfTokenManager() + $c->getCsrfTokenManager(), + $c->getRequest() ); }); $this->registerService('ShareManager', function(Server $c) { diff --git a/lib/private/Template/JSConfigHelper.php b/lib/private/Template/JSConfigHelper.php new file mode 100644 index 00000000000..a7f8c251cee --- /dev/null +++ b/lib/private/Template/JSConfigHelper.php @@ -0,0 +1,243 @@ +<?php +/** + * @copyright Copyright (c) 2016, Roeland Jago Douma <roeland@famdouma.nl> + * + * @author Roeland Jago Douma <roeland@famdouma.nl> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ +namespace OC\Template; + +use bantu\IniGetWrapper\IniGetWrapper; +use OCP\App\IAppManager; +use OCP\IConfig; +use OCP\IGroupManager; +use OCP\IL10N; +use OCP\IURLGenerator; +use OCP\IUser; + +class JSConfigHelper { + + /** @var IL10N */ + private $l; + + /** @var \OC_Defaults */ + private $defaults; + + /** @var IAppManager */ + private $appManager; + + /** @var IUser */ + private $currentUser; + + /** @var IConfig */ + private $config; + + /** @var IGroupManager */ + private $groupManager; + + /** @var IniGetWrapper */ + private $iniWrapper; + + /** @var IURLGenerator */ + private $urlGenerator; + + /** + * @param IL10N $l + * @param \OC_Defaults $defaults + * @param IAppManager $appManager + * @param IUser|null $currentUser + * @param IConfig $config + * @param IGroupManager $groupManager + * @param IniGetWrapper $iniWrapper + * @param IURLGenerator $urlGenerator + */ + public function __construct(IL10N $l, + \OC_Defaults $defaults, + IAppManager $appManager, + $currentUser, + IConfig $config, + IGroupManager $groupManager, + IniGetWrapper $iniWrapper, + IURLGenerator $urlGenerator) { + $this->l = $l; + $this->defaults = $defaults; + $this->appManager = $appManager; + $this->currentUser = $currentUser; + $this->config = $config; + $this->groupManager = $groupManager; + $this->iniWrapper = $iniWrapper; + $this->urlGenerator = $urlGenerator; + } + + public function getConfig() { + + if ($this->currentUser !== null) { + $uid = $this->currentUser->getUID(); + } else { + $uid = null; + } + + // Get the config + $apps_paths = []; + + if ($this->currentUser === null) { + $apps = $this->appManager->getInstalledApps(); + } else { + $apps = $this->appManager->getEnabledAppsForUser($this->currentUser); + } + + foreach($apps as $app) { + $apps_paths[$app] = \OC_App::getAppWebPath($app); + } + + $defaultExpireDateEnabled = $this->config->getAppValue('core', 'shareapi_default_expire_date', 'no') === 'yes'; + $defaultExpireDate = $enforceDefaultExpireDate = null; + if ($defaultExpireDateEnabled) { + $defaultExpireDate = (int) $this->config->getAppValue('core', 'shareapi_expire_after_n_days', '7'); + $enforceDefaultExpireDate = $this->config->getAppValue('core', 'shareapi_enforce_expire_date', 'no') === 'yes'; + } + $outgoingServer2serverShareEnabled = $this->config->getAppValue('files_sharing', 'outgoing_server2server_share_enabled', 'yes') === 'yes'; + + $countOfDataLocation = 0; + $dataLocation = str_replace(\OC::$SERVERROOT .'/', '', $this->config->getSystemValue('datadirectory', ''), $countOfDataLocation); + if($countOfDataLocation !== 1 || !$this->groupManager->isAdmin($uid)) { + $dataLocation = false; + } + + $array = [ + "oc_debug" => $this->config->getSystemValue('debug', false) ? 'true' : 'false', + "oc_isadmin" => $this->groupManager->isAdmin($uid) ? 'true' : 'false', + "oc_dataURL" => is_string($dataLocation) ? "\"".$dataLocation."\"" : 'false', + "oc_webroot" => "\"".\OC::$WEBROOT."\"", + "oc_appswebroots" => str_replace('\\/', '/', json_encode($apps_paths)), // Ugly unescape slashes waiting for better solution + "datepickerFormatDate" => json_encode($this->l->l('jsdate', null)), + "dayNames" => json_encode([ + (string)$this->l->t('Sunday'), + (string)$this->l->t('Monday'), + (string)$this->l->t('Tuesday'), + (string)$this->l->t('Wednesday'), + (string)$this->l->t('Thursday'), + (string)$this->l->t('Friday'), + (string)$this->l->t('Saturday') + ]), + "dayNamesShort" => json_encode([ + (string)$this->l->t('Sun.'), + (string)$this->l->t('Mon.'), + (string)$this->l->t('Tue.'), + (string)$this->l->t('Wed.'), + (string)$this->l->t('Thu.'), + (string)$this->l->t('Fri.'), + (string)$this->l->t('Sat.') + ]), + "dayNamesMin" => json_encode([ + (string)$this->l->t('Su'), + (string)$this->l->t('Mo'), + (string)$this->l->t('Tu'), + (string)$this->l->t('We'), + (string)$this->l->t('Th'), + (string)$this->l->t('Fr'), + (string)$this->l->t('Sa') + ]), + "monthNames" => json_encode([ + (string)$this->l->t('January'), + (string)$this->l->t('February'), + (string)$this->l->t('March'), + (string)$this->l->t('April'), + (string)$this->l->t('May'), + (string)$this->l->t('June'), + (string)$this->l->t('July'), + (string)$this->l->t('August'), + (string)$this->l->t('September'), + (string)$this->l->t('October'), + (string)$this->l->t('November'), + (string)$this->l->t('December') + ]), + "monthNamesShort" => json_encode([ + (string)$this->l->t('Jan.'), + (string)$this->l->t('Feb.'), + (string)$this->l->t('Mar.'), + (string)$this->l->t('Apr.'), + (string)$this->l->t('May.'), + (string)$this->l->t('Jun.'), + (string)$this->l->t('Jul.'), + (string)$this->l->t('Aug.'), + (string)$this->l->t('Sep.'), + (string)$this->l->t('Oct.'), + (string)$this->l->t('Nov.'), + (string)$this->l->t('Dec.') + ]), + "firstDay" => json_encode($this->l->l('firstday', null)) , + "oc_config" => json_encode([ + 'session_lifetime' => min($this->config->getSystemValue('session_lifetime', $this->iniWrapper->getNumeric('session.gc_maxlifetime')), $this->iniWrapper->getNumeric('session.gc_maxlifetime')), + 'session_keepalive' => $this->config->getSystemValue('session_keepalive', true), + 'version' => implode('.', \OCP\Util::getVersion()), + 'versionstring' => \OC_Util::getVersionString(), + 'enable_avatars' => $this->config->getSystemValue('enable_avatars', true) === true, + 'lost_password_link'=> $this->config->getSystemValue('lost_password_link', null), + 'modRewriteWorking' => (getenv('front_controller_active') === 'true'), + ]), + "oc_appconfig" => json_encode([ + 'core' => [ + 'defaultExpireDateEnabled' => $defaultExpireDateEnabled, + 'defaultExpireDate' => $defaultExpireDate, + 'defaultExpireDateEnforced' => $enforceDefaultExpireDate, + 'enforcePasswordForPublicLink' => \OCP\Util::isPublicLinkPasswordRequired(), + 'sharingDisabledForUser' => \OCP\Util::isSharingDisabledForUser(), + 'resharingAllowed' => \OCP\Share::isResharingAllowed(), + 'remoteShareAllowed' => $outgoingServer2serverShareEnabled, + 'federatedCloudShareDoc' => $this->urlGenerator->linkToDocs('user-sharing-federated'), + 'allowGroupSharing' => \OC::$server->getShareManager()->allowGroupSharing() + ] + ]), + "oc_defaults" => json_encode([ + 'entity' => $this->defaults->getEntity(), + 'name' => $this->defaults->getName(), + 'title' => $this->defaults->getTitle(), + 'baseUrl' => $this->defaults->getBaseUrl(), + 'syncClientUrl' => $this->defaults->getSyncClientUrl(), + 'docBaseUrl' => $this->defaults->getDocBaseUrl(), + 'docPlaceholderUrl' => $this->defaults->buildDocLinkToKey('PLACEHOLDER'), + 'slogan' => $this->defaults->getSlogan(), + 'logoClaim' => $this->defaults->getLogoClaim(), + 'shortFooter' => $this->defaults->getShortFooter(), + 'longFooter' => $this->defaults->getLongFooter(), + 'folder' => \OC_Util::getTheme(), + ]), + ]; + + if ($this->currentUser !== null) { + $array['oc_userconfig'] = json_encode([ + 'avatar' => [ + 'version' => (int)$this->config->getUserValue($uid, 'avatar', 'version', 0), + ] + ]); + } + + // Allow hooks to modify the output values + \OC_Hook::emit('\OCP\Config', 'js', array('array' => &$array)); + + $result = ''; + + // Echo it + foreach ($array as $setting => $value) { + $result .= 'var '. $setting . '='. $value . ';' . PHP_EOL; + } + + return $result; + } +} diff --git a/lib/private/TemplateLayout.php b/lib/private/TemplateLayout.php index da845d80d04..9f89174e7f9 100644 --- a/lib/private/TemplateLayout.php +++ b/lib/private/TemplateLayout.php @@ -43,6 +43,7 @@ use Assetic\Filter\CssMinFilter; use Assetic\Filter\CssRewriteFilter; use Assetic\Filter\JSqueezeFilter; use Assetic\Filter\SeparatorFilter; +use OC\Template\JSConfigHelper; class TemplateLayout extends \OC_Template { @@ -142,7 +143,22 @@ class TemplateLayout extends \OC_Template { $jsFiles = self::findJavascriptFiles(\OC_Util::$scripts); $this->assign('jsfiles', array()); if ($this->config->getSystemValue('installed', false) && $renderAs != 'error') { - $this->append( 'jsfiles', \OC::$server->getURLGenerator()->linkToRoute('js_config', ['v' => self::$versionHash])); + if (\OC::$server->getContentSecurityPolicyNonceManager()->browserSupportsCspV3()) { + $jsConfigHelper = new JSConfigHelper( + \OC::$server->getL10N('core'), + \OC::$server->getThemingDefaults(), + \OC::$server->getAppManager(), + \OC::$server->getUserSession()->getUser(), + \OC::$server->getConfig(), + \OC::$server->getGroupManager(), + \OC::$server->getIniWrapper(), + \OC::$server->getURLGenerator() + ); + $this->assign('inline_ocjs', $jsConfigHelper->getConfig()); + $this->assign('foo', 'bar'); + } else { + $this->append('jsfiles', \OC::$server->getURLGenerator()->linkToRoute('core.OCJS.getConfig', ['v' => self::$versionHash])); + } } foreach($jsFiles as $info) { $web = $info[1]; diff --git a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php index b597317fca4..1fdcf485c28 100644 --- a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php +++ b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php @@ -36,6 +36,7 @@ use OC\AppFramework\Middleware\Security\SecurityMiddleware; use OC\AppFramework\Utility\ControllerMethodReflector; use OC\Security\CSP\ContentSecurityPolicy; use OC\Security\CSP\ContentSecurityPolicyManager; +use OC\Security\CSP\ContentSecurityPolicyNonceManager; use OC\Security\CSRF\CsrfToken; use OC\Security\CSRF\CsrfTokenManager; use OCP\AppFramework\Controller; @@ -76,6 +77,8 @@ class SecurityMiddlewareTest extends \Test\TestCase { private $contentSecurityPolicyManager; /** @var CsrfTokenManager|\PHPUnit_Framework_MockObject_MockObject */ private $csrfTokenManager; + /** @var ContentSecurityPolicyNonceManager|\PHPUnit_Framework_MockObject_MockObject */ + private $cspNonceManager; protected function setUp() { parent::setUp(); @@ -88,6 +91,7 @@ class SecurityMiddlewareTest extends \Test\TestCase { $this->request = $this->createMock(IRequest::class); $this->contentSecurityPolicyManager = $this->createMock(ContentSecurityPolicyManager::class); $this->csrfTokenManager = $this->createMock(CsrfTokenManager::class); + $this->cspNonceManager = $this->createMock(ContentSecurityPolicyNonceManager::class); $this->middleware = $this->getMiddleware(true, true); $this->secException = new SecurityException('hey', false); $this->secAjaxException = new SecurityException('hey', true); @@ -109,7 +113,8 @@ class SecurityMiddlewareTest extends \Test\TestCase { $isLoggedIn, $isAdminUser, $this->contentSecurityPolicyManager, - $this->csrfTokenManager + $this->csrfTokenManager, + $this->cspNonceManager ); } @@ -559,9 +564,9 @@ class SecurityMiddlewareTest extends \Test\TestCase { } public function testAfterController() { - $this->request + $this->cspNonceManager ->expects($this->once()) - ->method('isUserAgent') + ->method('browserSupportsCspV3') ->willReturn(false); $response = $this->createMock(Response::class); $defaultPolicy = new ContentSecurityPolicy(); @@ -603,9 +608,9 @@ class SecurityMiddlewareTest extends \Test\TestCase { } public function testAfterControllerWithContentSecurityPolicy3Support() { - $this->request + $this->cspNonceManager ->expects($this->once()) - ->method('isUserAgent') + ->method('browserSupportsCspV3') ->willReturn(true); $token = $this->createMock(CsrfToken::class); $token diff --git a/tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php b/tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php index 39d24807d5b..3211a5284f8 100644 --- a/tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php +++ b/tests/lib/Security/CSP/ContentSecurityPolicyNonceManagerTest.php @@ -24,6 +24,7 @@ namespace Test\Security\CSP; use OC\Security\CSP\ContentSecurityPolicyNonceManager; use OC\Security\CSRF\CsrfToken; use OC\Security\CSRF\CsrfTokenManager; +use OCP\IRequest; use Test\TestCase; class ContentSecurityPolicyNonceManagerTest extends TestCase { @@ -35,7 +36,8 @@ class ContentSecurityPolicyNonceManagerTest extends TestCase { public function setUp() { $this->csrfTokenManager = $this->createMock(CsrfTokenManager::class); $this->nonceManager = new ContentSecurityPolicyNonceManager( - $this->csrfTokenManager + $this->csrfTokenManager, + $this->createMock(IRequest::class) ); } |