9 files changed, 47 insertions, 7 deletions

diff --git a/.htaccess b/.htaccess
index 463b49993e6..201e0d605b7 100755
--- a/.htaccess
+++ b/.htaccess
@@ -32,5 +32,8 @@ RewriteRule ^remote/(.*) remote.php [QSA,L]
 AddType image/svg+xml svg svgz
 AddEncoding gzip svgz
 </IfModule>
+<IfModule dir_module>
+DirectoryIndex index.php index.html
+</IfModule>
 AddDefaultCharset utf-8
 Options -Indexes
diff --git a/apps/files/js/fileactions.js b/apps/files/js/fileactions.js
index f3264da5a12..264a86adb7b 100644
--- a/apps/files/js/fileactions.js
+++ b/apps/files/js/fileactions.js
@@ -113,6 +113,7 @@ var FileActions = {
 			}
 		});
 		if(actions.Share && !($('#dir').val() === '/' && file === 'Shared')){
+			// t('files', 'Share')
 			addAction('Share', actions.Share);
 		}
 
diff --git a/config/config.sample.php b/config/config.sample.php
index b70b3cf533d..72834009201 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -146,8 +146,12 @@ $CONFIG = array(
 "remember_login_cookie_lifetime" => 60*60*24*15,
 
 /* Custom CSP policy, changing this will overwrite the standard policy */
-"custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:",
+"custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *",
 
+/* Enable/disable X-Frame-Restriction */
+/* HIGH SECURITY RISK IF DISABLED*/
+"xframe_restriction" => true,
+	
 /* The directory where the user data is stored, default to data in the owncloud
  * directory. The sqlite database is also stored here, when sqlite is used.
  */
diff --git a/index.html b/index.html
index 69d42e3a0b3..f160f46b6fc 100644
--- a/index.html
+++ b/index.html
@@ -1,6 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
+	<script type="text/javascript"> window.location.href="index.php"; </script>
 	<meta http-equiv="refresh" content="0; URL=index.php">
 </head>
 </html>
diff --git a/lib/helper.php b/lib/helper.php
index 73484ad913f..2ba70294f4b 100644
--- a/lib/helper.php
+++ b/lib/helper.php
@@ -159,7 +159,7 @@ class OC_Helper {
 	 */
 	public static function imagePath( $app, $image ) {
 		// Read the selected theme from the config file
-		$theme=OC_Config::getValue( "theme" );
+		$theme = OC_Util::getTheme();
 
 		// Check if the app is in the app folder
 		if( file_exists( OC::$SERVERROOT."/themes/$theme/apps/$app/img/$image" )) {
diff --git a/lib/setup.php b/lib/setup.php
index c330729298e..d1197b3ebf3 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -828,6 +828,10 @@ class OC_Setup {
 		$content.= "AddType image/svg+xml svg svgz\n";
 		$content.= "AddEncoding gzip svgz\n";
 		$content.= "</IfModule>\n";
+		$content.= "<IfModule dir_module>\n";
+		$content.= "DirectoryIndex index.php index.html\n";
+		$content.= "</IfModule>\n";
+		$content.= "AddDefaultCharset utf-8\n";
 		$content.= "Options -Indexes\n";
 		@file_put_contents(OC::$SERVERROOT.'/.htaccess', $content); //supress errors in case we don't have permissions for it
 
diff --git a/lib/template.php b/lib/template.php
index 434c1e9e990..2f535335648 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -186,10 +186,15 @@ class OC_Template{
 		$this->l10n = OC_L10N::get($parts[0]);
 
 		// Some headers to enhance security
-		header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
 		header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
 		header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
 
+		// iFrame Restriction Policy
+		$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
+		if($xFramePolicy) {
+			header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+		}
+		
 		// Content Security Policy
 		// If you change the standard policy, please also change it in config.sample.php
 		$policy = OC_Config::getValue('custom_csp_policy',
@@ -198,7 +203,8 @@ class OC_Template{
 			.'style-src \'self\' \'unsafe-inline\'; '
 			.'frame-src *; '
 			.'img-src *; '
-			.'font-src \'self\' data:');
+			.'font-src \'self\' data:; '
+			.'media-src *');
 		header('Content-Security-Policy:'.$policy); // Standard
 
 		$this->findTemplate($name);
@@ -272,7 +278,7 @@ class OC_Template{
 	protected function findTemplate($name)
 	{
 		// Read the selected theme from the config file
-		$theme=OC_Config::getValue( "theme" );
+		$theme = OC_Util::getTheme();
 
 		// Read the detected formfactor and use the right file name.
 		$fext = self::getFormFactorExtension();
diff --git a/lib/templatelayout.php b/lib/templatelayout.php
index 69bebac0503..3c496f56e41 100644
--- a/lib/templatelayout.php
+++ b/lib/templatelayout.php
@@ -103,7 +103,7 @@ class OC_TemplateLayout extends OC_Template {
 
 	static public function findStylesheetFiles($styles) {
 		// Read the selected theme from the config file
-		$theme=OC_Config::getValue( 'theme' );
+		$theme = OC_Util::getTheme();
 
 		// Read the detected formfactor and use the right file name.
 		$fext = self::getFormFactorExtension();
@@ -162,7 +162,7 @@ class OC_TemplateLayout extends OC_Template {
 
 	static public function findJavascriptFiles($scripts) {
 		// Read the selected theme from the config file
-		$theme=OC_Config::getValue( 'theme' );
+		$theme = OC_Util::getTheme();
 
 		// Read the detected formfactor and use the right file name.
 		$fext = self::getFormFactorExtension();
diff --git a/lib/util.php b/lib/util.php
index 38453c1ce92..810593358a5 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -795,4 +795,25 @@ class OC_Util {
 		return (substr(PHP_OS, 0, 3) === "WIN");
 	}
 
+
+	/**
+	 * Handles the case that there may not be a theme, then check if a "default"
+	 * theme exists and take that one
+	 * @return string the theme
+	 */
+	public static function getTheme() {
+		$theme = OC_Config::getValue("theme");
+
+		if(is_null($theme)) {
+			
+			if(is_dir(OC::$SERVERROOT . '/themes/default')) {
+				$theme = 'default';
+			}
+
+		}
+
+		return $theme;
+	}
+
+
 }