Merge branch 'master' into routing

7 files changed, 58 insertions, 25 deletions

diff --git a/lib/base.php b/lib/base.php
index fa777cb9343..2d82d5a40fc 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -247,6 +247,8 @@ class OC{
 		OC_Util::addScript( "jquery-tipsy" );
 		OC_Util::addScript( "oc-dialogs" );
 		OC_Util::addScript( "js" );
+		// request protection token MUST be defined after the jquery library but before any $('document').ready()
+		OC_Util::addScript( "requesttoken" );
 		OC_Util::addScript( "eventsource" );
 		OC_Util::addScript( "config" );
 		//OC_Util::addScript( "multiselect" );
diff --git a/lib/connector/sabre/node.php b/lib/connector/sabre/node.php
index 55fa0dfde66..bdedc030c88 100644
--- a/lib/connector/sabre/node.php
+++ b/lib/connector/sabre/node.php
@@ -23,8 +23,7 @@
 
 abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IProperties {
 	const GETETAG_PROPERTYNAME = '{DAV:}getetag';
-	const LASTMODIFIED_PROPERTYNAME_DEPRECIATED = '{DAV:}lastmodified'; // FIXME: keept for the  transition period, can be removed for OC 4.5.1 if the sync client update too
-	const GETLASTMODIFIED_PROPERTYNAME = '{DAV:}getlastmodified';
+	const LASTMODIFIED_PROPERTYNAME = '{DAV:}lastmodified';
 	
 	/**
 	 * The path to the current node
@@ -151,9 +150,8 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 					$query->execute( array( OC_User::getUser(), $this->path, $propertyName ));
 				}
 			}
-			else { //FIXME: first part of if statement can be removed together with the LASTMODIFIED_PROPERTYNAME_DEPRECIATED const for oc4.5.1 if the sync client was updated too
-				if( strcmp( $propertyName, self::LASTMODIFIED_PROPERTYNAME_DEPRECIATED) === 0 ||
-					strcmp( $propertyName, self::GETLASTMODIFIED_PROPERTYNAME) === 0	) {
+			else {
+				if( strcmp( $propertyName, self::LASTMODIFIED_PROPERTYNAME) === 0 ) {
 					$this->touch($propertyValue);
 				} else {
 					if(!array_key_exists( $propertyName, $existing )) {
diff --git a/lib/filesystem.php b/lib/filesystem.php
index f5c10923b32..c6da826a339 100644
--- a/lib/filesystem.php
+++ b/lib/filesystem.php
@@ -521,12 +521,19 @@ class OC_Filesystem{
 		return self::$defaultInstance->hasUpdated($path,$time);
 	}
 
-	static public function removeETagHook($params) {
+	static public function removeETagHook($params, $root = false) {
 		if (isset($params['path'])) {
 			$path=$params['path'];
 		} else {
 			$path=$params['oldpath'];
 		}
+
+		if ($root) { // reduce path to the required part of it (no 'username/files')
+			$fakeRootView = new OC_FilesystemView($root);
+			$count = 1;
+			$path=str_replace(OC_App::getStorage("files")->getAbsolutePath(), "", $fakeRootView->getAbsolutePath($path), $count);
+		}
+
 		$path = self::normalizePath($path);
 		OC_Connector_Sabre_Node::removeETagPropertyForPath($path);
 	}
diff --git a/lib/filesystemview.php b/lib/filesystemview.php
index 02a0b521053..2950ced5f9e 100644
--- a/lib/filesystemview.php
+++ b/lib/filesystemview.php
@@ -451,8 +451,9 @@ class OC_FilesystemView {
 						OC_Filesystem::signal_post_write,
 						array( OC_Filesystem::signal_param_path => $path2)
 					);
-				} else { // no real copy, file comes from somewhere else, e.g. version rollback -> just update the file cache without all the other post_write actions
+				} else { // no real copy, file comes from somewhere else, e.g. version rollback -> just update the file cache and the webdav properties without all the other post_write actions
 					OC_FileCache_Update::update($path2, $this->fakeRoot);
+					OC_Filesystem::removeETagHook(array("path" => $path2), $this->fakeRoot);
 				}
 				return $result;
 			}
diff --git a/lib/search/provider/file.php b/lib/search/provider/file.php
index 135e40667b1..21fae0c1ce5 100644
--- a/lib/search/provider/file.php
+++ b/lib/search/provider/file.php
@@ -5,29 +5,36 @@ class OC_Search_Provider_File extends OC_Search_Provider{
 		$files=OC_FileCache::search($query,true);
 		$results=array();
 		foreach($files as $fileData) {
-			$file=$fileData['path'];
-			$mime=$fileData['mimetype'];
+			$path = $fileData['path'];
+			$mime = $fileData['mimetype'];
+
+			$name = basename($path);
+			$text = '';
+			$path = urlencode($path);
 			if($mime=='httpd/unix-directory') {
-				$results[]=new OC_Search_Result(basename($file),'',OC_Helper::linkTo( 'files', 'index.php', array('dir' => $file)),'Files');
+				$link = OC_Helper::linkTo( 'files', 'index.php', array('dir' => $path));
+				$type = 'Files';
 			}else{
-				$mimeBase=$fileData['mimepart'];
+				$link = OC_Helper::linkTo( 'files', 'download.php', array('file' => $path));
+				$mimeBase = $fileData['mimepart'];
 				switch($mimeBase) {
 					case 'audio':
 						break;
 					case 'text':
-						$results[]=new OC_Search_Result(basename($file),'',OC_Helper::linkTo( 'files', 'download.php', array('file' => $file) ),'Text');
+						$type = 'Text';
 						break;
 					case 'image':
-						$results[]=new OC_Search_Result(basename($file),'',OC_Helper::linkTo( 'files', 'download.php', array('file' => $file) ),'Images');
+						$type = 'Images';
 						break;
 					default:
 						if($mime=='application/xml') {
-							$results[]=new OC_Search_Result(basename($file),'',OC_Helper::linkTo( 'files', 'download.php', array('file' => $file) ),'Text');
+							$type = 'Text';
 						}else{
-							$results[]=new OC_Search_Result(basename($file),'',OC_Helper::linkTo( 'files', 'download.php', array('file' => $file) ),'Files');
+							$type = 'Files';
 						}
 				}
 			}
+			$results[] = new OC_Search_Result($name, $text, $link, $type);
 		}
 		return $results;
 	}
diff --git a/lib/template.php b/lib/template.php
index 0987d6f0d88..681b3f0b140 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -157,6 +157,7 @@ class OC_Template{
 		$this->vars = array();
 		if($renderas == 'user') {
 			$this->vars['requesttoken'] = OC_Util::callRegister();
+			$this->vars['requestlifespan'] = OC_Util::$callLifespan;
 		}
 		$parts = explode('/', $app); // fix translation when app is something like core/lostpassword
 		$this->l10n = OC_L10N::get($parts[0]);
@@ -374,6 +375,7 @@ class OC_Template{
 			$page = new OC_TemplateLayout($this->renderas);
 			if($this->renderas == 'user') {
 				$page->assign('requesttoken', $this->vars['requesttoken']);
+				$page->assign('requestlifespan', $this->vars['requestlifespan']);
 			}
 
 			// Add custom headers
diff --git a/lib/util.php b/lib/util.php
index c89c4d8c7c1..777cb7a28fc 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -416,14 +416,29 @@ class OC_Util {
 	}
 
 	/**
-	 * @brief Register an get/post call. This is important to prevent CSRF attacks
-	 * Todo: Write howto
+	 * @brief Static lifespan (in seconds) when a request token expires.
+	 * @see OC_Util::callRegister()
+	 * @see OC_Util::isCallRegistered()
+	 * @description
+	 * Also required for the client side to compute the piont in time when to
+	 * request a fresh token. The client will do so when nearly 97% of the
+	 * timespan coded here has expired. 
+	 */
+	public static $callLifespan = 3600; // 3600 secs = 1 hour
+
+	/**
+	 * @brief Register an get/post call. Important to prevent CSRF attacks.
+	 * @todo Write howto: CSRF protection guide
 	 * @return $token Generated token.
+	 * @description
+	 * Creates a 'request token' (random) and stores it inside the session.
+	 * Ever subsequent (ajax) request must use such a valid token to succeed,
+	 * otherwise the request will be denied as a protection against CSRF.
+	 * The tokens expire after a fixed lifespan.
+	 * @see OC_Util::$callLifespan
+	 * @see OC_Util::isCallRegistered()
 	 */
 	public static function callRegister() {
-		//mamimum time before token exires
-		$maxtime=(60*60);  // 1 hour
-
 		// generate a random token.
 		$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
 
@@ -436,7 +451,8 @@ class OC_Util {
 			foreach($_SESSION as $key=>$value) {
 				// search all tokens in the session
 				if(substr($key,0,12)=='requesttoken') {
-					if($value+$maxtime<time()) {
+					// check if static lifespan has expired
+					if($value+self::$callLifespan<time()) {
 						// remove outdated tokens
 						unset($_SESSION[$key]);
 					}
@@ -447,14 +463,13 @@ class OC_Util {
 		return($token);
 	}
 
-
 	/**
 	 * @brief Check an ajax get/post call if the request token is valid.
 	 * @return boolean False if request token is not set or is invalid.
+	 * @see OC_Util::$callLifespan
+	 * @see OC_Util::calLRegister()
 	 */
 	public static function isCallRegistered() {
-		//mamimum time before token exires
-		$maxtime=(60*60);  // 1 hour
 		if(isset($_GET['requesttoken'])) {
 			$token=$_GET['requesttoken'];
 		}elseif(isset($_POST['requesttoken'])) {
@@ -467,7 +482,8 @@ class OC_Util {
 		}
 		if(isset($_SESSION['requesttoken-'.$token])) {
 			$timestamp=$_SESSION['requesttoken-'.$token];
-			if($timestamp+$maxtime<time()) {
+			// check if static lifespan has expired
+			if($timestamp+self::$callLifespan<time()) {
 				return false;
 			}else{
 				//token valid