author | John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> | 2018-10-23 16:44:09 +0200 |
---|---|---|
committer | John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> | 2018-10-23 16:44:20 +0200 |
commit | b6981dcecb0fb80b3b519af70f2c29329fe2c2b0 (patch) | |
tree | a0042912470bd4be6e84ccf0e176fa1afb9b1781 /core/js | |
parent | 26ca7a0e2f86cb76726073f2d73fd5cb8a1e09d9 (diff) | |
parent | 39338aaa676168b0a53c3a1f6d5363569f303361 (diff) | |
Merge branch 'master' of https://github.com/nextcloud/server into gridview-table
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
Diffstat (limited to 'core/js')
-rw-r--r-- | core/js/jquery-showpassword.js | 2 | ||||
-rw-r--r-- | core/js/l10n.js | 2 | ||||
-rw-r--r-- | core/js/placeholder.js | 2 | ||||
-rw-r--r-- | core/js/setupchecks.js | 13 | ||||
-rw-r--r-- | core/js/sharedialoglinkshareview.js | 6 | ||||
-rw-r--r-- | core/js/tests/specs/setupchecksSpec.js | 114 |
6 files changed, 124 insertions, 15 deletions
diff --git a/core/js/jquery-showpassword.js b/core/js/jquery-showpassword.js
index 5d518c78bcb..de18c8068be 100644
--- a/core/js/jquery-showpassword.js
+++ b/core/js/jquery-showpassword.js
@@ -25,7 +25,7 @@
 var $element = $(element);
- $clone = $("<input />");
+ var $clone = $("<input />");
 // Name added for JQuery Validation compatibility
 // Element name is required to avoid script warning.
diff --git a/core/js/l10n.js b/core/js/l10n.js
index 52dd136e8f5..6027d42dca0 100644
--- a/core/js/l10n.js
+++ b/core/js/l10n.js
@@ -167,7 +167,7 @@ OC.L10N = {
 * @private
 */
 _getPlural: function(number) {
- locale = OC.getLocale();
+ var locale = OC.getLocale();
 if ('pt_BR' === locale) {
 // temporary set a locale for brazilian
 locale = 'xbr';
diff --git a/core/js/placeholder.js b/core/js/placeholder.js
index 7c1bd724550..04c2ca88401 100644
--- a/core/js/placeholder.js
+++ b/core/js/placeholder.js
@@ -91,7 +91,7 @@
 var palette = new Array();
 palette.push(color1);
 var step = stepCalc(steps, [color1, color2])
- for (i = 1; i < steps; i++) {
+ for (var i = 1; i < steps; i++) {
 var r = parseInt(color1.r + (step[0] * i));
 var g = parseInt(color1.g + (step[1] * i));
 var b = parseInt(color1.b + (step[2] * i));
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index de329a8ca5c..aa59cc8181b 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -422,7 +422,6 @@
 if (xhr.status === 200) {
 var securityHeaders = {
- 'X-XSS-Protection': ['1; mode=block'],
 'X-Content-Type-Options': ['nosniff'],
 'X-Robots-Tag': ['none'],
 'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
@@ -443,6 +442,18 @@
 }
 }
+ var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : [];
+ if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
+ messages.push({
+ msg: t('core', 'The "{header}" HTTP header doesn\'t contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
+ {
+ header: 'X-XSS-Protection',
+ expected: '1; mode=block'
+ }),
+ type: OC.SetupChecks.MESSAGE_TYPE_WARNING
+ });
+ }
+
 if (!xhr.getResponseHeader('Referrer-Policy') ||
 (xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer' &&
 xhr.getResponseHeader('Referrer-Policy').toLowerCase() !== 'no-referrer-when-downgrade' &&
diff --git a/core/js/sharedialoglinkshareview.js b/core/js/sharedialoglinkshareview.js
index 995ff480aa6..aac4843c8e0 100644
--- a/core/js/sharedialoglinkshareview.js
+++ b/core/js/sharedialoglinkshareview.js
@@ -114,7 +114,7 @@
 });
 clipboard.on('error', function (e) {
 var $menu = $(e.trigger);
- var $linkTextMenu = $menu.parent().next('li.linkTextMenu')
+ var $linkTextMenu = $menu.parent().next('li.linkTextMenu');
 var $input = $linkTextMenu.find('.linkText');
 var actionMsg = '';
@@ -393,8 +393,8 @@
 var isLinkShare = this.model.get('linkShare').isLinkShare;
 var isPasswordSet = !!this.model.get('linkShare').password;
- var isPasswordEnforced = this.configModel.get('enforcePasswordForPublicLink')
- var isPasswordEnabledByDefault = this.configModel.get('enableLinkPasswordByDefault') === true
+ var isPasswordEnforced = this.configModel.get('enforcePasswordForPublicLink');
+ var isPasswordEnabledByDefault = this.configModel.get('enableLinkPasswordByDefault') === true;
 var showPasswordCheckBox = isLinkShare && (
 !this.configModel.get('enforcePasswordForPublicLink') ||
 !this.model.get('linkShare').password);
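Review bot: `xssfields.length === 0` on the new `if` line is redundant — `[].indexOf('1')` is already `-1`, so the two `indexOf` tests alone cover the missing-header case; `if (xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {` is the same check, simpler. The preceding line calls `xhr.getResponseHeader('X-XSS-Protection')` twice; reading it once into a local, `var xssHeader = xhr.getResponseHeader('X-XSS-Protection');` followed by `var xssfields = xssHeader ? xssHeader.split(';').map(function(item) { return item.trim(); }) : [];`, also shortens the line. The reason the header left the exact-match `securityHeaders` table for a per-directive check is only visible from the spec's `report=https://example.com` case, so a comment above the `var xssfields` line such as `// Checked per directive so that additional directives (e.g. report=...) are still accepted` would keep that intent next to the code. The token comparison is case-sensitive, so a value spelled `1; Mode=Block` would produce the warning; whether that is intended is worth confirming. The enclosing function starts before and ends after this hunk.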
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index d16032a5cf5..3de1a4463b0 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
@@ -811,9 +811,6 @@ describe('OC.SetupChecks tests', function() {
 async.done(function( data, s, x ){
 expect(data).toEqual([
 {
- msg: 'The "X-XSS-Protection" HTTP header is not set to "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
- type: OC.SetupChecks.MESSAGE_TYPE_WARNING
- }, {
 msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
 type: OC.SetupChecks.MESSAGE_TYPE_WARNING
 }, {
@@ -830,6 +827,9 @@ describe('OC.SetupChecks tests', function() {
 msg: 'The "X-Permitted-Cross-Domain-Policies" HTTP header is not set to "none". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
 type: OC.SetupChecks.MESSAGE_TYPE_WARNING
 }, {
+ msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
+ type: OC.SetupChecks.MESSAGE_TYPE_WARNING
+ }, {
 msg: 'The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information. See the <a href="https://www.w3.org/TR/referrer-policy/" rel="noreferrer noopener">W3C Recommendation ↗</a>.',
 type: OC.SetupChecks.MESSAGE_TYPE_INFO
 }
@@ -855,13 +855,15 @@ describe('OC.SetupChecks tests', function() {
 );
 async.done(function( data, s, x ){
- expect(data).toEqual([{
- msg: 'The "X-XSS-Protection" HTTP header is not set to "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
- type: OC.SetupChecks.MESSAGE_TYPE_WARNING,
- }, {
+ expect(data).toEqual([
+ {
 msg: 'The "X-Content-Type-Options" HTTP header is not set to "nosniff". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
 type: OC.SetupChecks.MESSAGE_TYPE_WARNING
- }]);
+ }, {
+ msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
+ type: OC.SetupChecks.MESSAGE_TYPE_WARNING,
+ }
+ ]);
 done();
 });
 });
@@ -890,6 +892,102 @@ describe('OC.SetupChecks tests', function() {
 });
 });
+ describe('check X-XSS-Protection header', function() {
+ it('should return no message if X-XSS-Protection is set to 1; mode=block; report=https://example.com', function(done) {
+ protocolStub.returns('https');
+ var result = OC.SetupChecks.checkGeneric();
+
+ suite.server.requests[0].respond(200, {
+ 'Strict-Transport-Security': 'max-age=15768000',
+ 'X-XSS-Protection': '1; mode=block; report=https://example.com',
+ 'X-Content-Type-Options': 'nosniff',
+ 'X-Robots-Tag': 'none',
+ 'X-Frame-Options': 'SAMEORIGIN',
+ 'X-Download-Options': 'noopen',
+ 'X-Permitted-Cross-Domain-Policies': 'none',
+ 'Referrer-Policy': 'no-referrer',
+ });
+
+ result.done(function( data, s, x ){
+ expect(data).toEqual([]);
+ done();
+ });
+ });
+
+ it('should return no message if X-XSS-Protection is set to 1; mode=block', function(done) {
+ protocolStub.returns('https');
+ var result = OC.SetupChecks.checkGeneric();
+
+ suite.server.requests[0].respond(200, {
+ 'Strict-Transport-Security': 'max-age=15768000',
+ 'X-XSS-Protection': '1; mode=block',
+ 'X-Content-Type-Options': 'nosniff',
+ 'X-Robots-Tag': 'none',
+ 'X-Frame-Options': 'SAMEORIGIN',
+ 'X-Download-Options': 'noopen',
+ 'X-Permitted-Cross-Domain-Policies': 'none',
+ 'Referrer-Policy': 'no-referrer',
+ });
+
+ result.done(function( data, s, x ){
+ expect(data).toEqual([]);
+ done();
+ });
+ });
+
+ it('should return a message if X-XSS-Protection is set to 1', function(done) {
+ protocolStub.returns('https');
+ var result = OC.SetupChecks.checkGeneric();
+
+ suite.server.requests[0].respond(200, {
+ 'Strict-Transport-Security': 'max-age=15768000',
+ 'X-XSS-Protection': '1',
+ 'X-Content-Type-Options': 'nosniff',
+ 'X-Robots-Tag': 'none',
+ 'X-Frame-Options': 'SAMEORIGIN',
+ 'X-Download-Options': 'noopen',
+ 'X-Permitted-Cross-Domain-Policies': 'none',
+ 'Referrer-Policy': 'no-referrer',
+ });
+
+ result.done(function( data, s, x ){
+ expect(data).toEqual([
+ {
+ msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
+ type: OC.SetupChecks.MESSAGE_TYPE_WARNING
+ }
+ ]);
+ done();
+ });
+ });
+
+ it('should return a message if X-XSS-Protection is set to 0', function(done) {
+ protocolStub.returns('https');
+ var result = OC.SetupChecks.checkGeneric();
+
+ suite.server.requests[0].respond(200, {
+ 'Strict-Transport-Security': 'max-age=15768000',
+ 'X-XSS-Protection': '0',
+ 'X-Content-Type-Options': 'nosniff',
+ 'X-Robots-Tag': 'none',
+ 'X-Frame-Options': 'SAMEORIGIN',
+ 'X-Download-Options': 'noopen',
+ 'X-Permitted-Cross-Domain-Policies': 'none',
+ 'Referrer-Policy': 'no-referrer',
+ });
+
+ result.done(function( data, s, x ){
+ expect(data).toEqual([
+ {
+ msg: 'The "X-XSS-Protection" HTTP header doesn\'t contain "1; mode=block". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
+ type: OC.SetupChecks.MESSAGE_TYPE_WARNING
+ }
+ ]);
+ done();
+ });
+ });
+ });
+
 describe('check Referrer-Policy header', function() {
 it('should return no message if Referrer-Policy is set to no-referrer', function(done) {
 protocolStub.returns('https'); |