Add mitigation against BREACH

While BREACH requires the following three factors to be effectively exploitable we should add another mitigation: 1. Application must support HTTP compression 2. Response most reflect user-controlled input 3. Response should contain sensitive data Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
author: Lukas Reschke <lukas@owncloud.com> 2015-08-13 07:36:42 +0200
committer: Lukas Reschke <lukas@owncloud.com> 2015-08-14 01:31:32 +0200
commit: 8313a3fcb3b24bf9e36f48581f64336623ae1ead (patch)
tree: 5f5f665dca0cd395a6706389c5e2e1f11b95380d /lib/private/server.php
parent: 1f96fb3352ad43155586d6deae95bf889768ba05 (diff)
download: nextcloud-server-8313a3fcb3b24bf9e36f48581f64336623ae1ead.tar.gz
nextcloud-server-8313a3fcb3b24bf9e36f48581f64336623ae1ead.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/private/server.php b/lib/private/server.php
index 618431ff2d4..9eea7c45376 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -409,6 +409,7 @@ class Server extends SimpleContainer implements IServerContainer {
 					'requesttoken' => $requestToken,
 				],
 				$this->getSecureRandom(),
+				$this->getCrypto(),
 				$this->getConfig(),
 				$stream
 			);
author	Lukas Reschke <lukas@owncloud.com>	2015-08-13 07:36:42 +0200
committer	Lukas Reschke <lukas@owncloud.com>	2015-08-14 01:31:32 +0200
commit	8313a3fcb3b24bf9e36f48581f64336623ae1ead (patch)
tree	5f5f665dca0cd395a6706389c5e2e1f11b95380d /lib/private/server.php
parent	1f96fb3352ad43155586d6deae95bf889768ba05 (diff)
download	nextcloud-server-8313a3fcb3b24bf9e36f48581f64336623ae1ead.tar.gz nextcloud-server-8313a3fcb3b24bf9e36f48581f64336623ae1ead.zip