diff options
Diffstat (limited to 'lib/base.php')
| -rw-r--r-- | lib/base.php | 49 |
1 files changed, 15 insertions, 34 deletions
diff --git a/lib/base.php b/lib/base.php index 1f7d0c0da65..abb76b94a5d 100644 --- a/lib/base.php +++ b/lib/base.php @@ -175,7 +175,7 @@ class OC { OC::$SERVERROOT . '/lib/private' . PATH_SEPARATOR . OC::$SERVERROOT . '/config' . PATH_SEPARATOR . OC::$THIRDPARTYROOT . '/3rdparty' . PATH_SEPARATOR . - implode($paths, PATH_SEPARATOR) . PATH_SEPARATOR . + implode(PATH_SEPARATOR, $paths) . PATH_SEPARATOR . get_include_path() . PATH_SEPARATOR . OC::$SERVERROOT ); @@ -212,34 +212,6 @@ class OC { } } - /* - * This function adds some security related headers to all requests served via base.php - * The implementation of this function has to happen here to ensure that all third-party - * components (e.g. SabreDAV) also benefit from this headers. - */ - public static function addSecurityHeaders() { - header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters - header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE - - // iFrame Restriction Policy - $xFramePolicy = OC_Config::getValue('xframe_restriction', true); - if($xFramePolicy) { - header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains - } - - // Content Security Policy - // If you change the standard policy, please also change it in config.sample.php - $policy = OC_Config::getValue('custom_csp_policy', - 'default-src \'self\'; ' - .'script-src \'self\' \'unsafe-eval\'; ' - .'style-src \'self\' \'unsafe-inline\'; ' - .'frame-src *; ' - .'img-src *; ' - .'font-src \'self\' data:; ' - .'media-src *'); - header('Content-Security-Policy:'.$policy); - } - public static function checkSSL() { // redirect to https site if configured if (OC_Config::getValue("forcessl", false)) { @@ -378,9 +350,17 @@ class OC { //set the session object to a dummy session so code relying on the session existing still works self::$session = new \OC\Session\Memory(''); + // Let the session name be changed in the initSession Hook + $sessionName = OC_Util::getInstanceId(); + try { - // set the session name to the instance id - which is unique - self::$session = new \OC\Session\Internal(OC_Util::getInstanceId()); + // Allow session apps to create a custom session object + $useCustomSession = false; + OC_Hook::emit('OC', 'initSession', array('session' => &self::$session, 'sessionName' => &$sessionName, 'useCustomSession' => &$useCustomSession)); + if(!$useCustomSession) { + // set the session name to the instance id - which is unique + self::$session = new \OC\Session\Internal($sessionName); + } // if session cant be started break with http 500 error } catch (Exception $e) { //show the user a detailed error page @@ -537,6 +517,7 @@ class OC { self::$server = new \OC\Server(); self::initTemplateEngine(); + OC_App::loadApps(array('session')); if (!self::$CLI) { self::initSession(); } else { @@ -545,7 +526,7 @@ class OC { self::checkConfig(); self::checkInstalled(); self::checkSSL(); - self::addSecurityHeaders(); + OC_Response::addSecurityHeaders(); $errors = OC_Util::checkServer(); if (count($errors) > 0) { @@ -613,7 +594,7 @@ class OC { if (!is_null(self::$REQUESTEDFILE)) { $subdir = OC_App::getAppPath(OC::$REQUESTEDAPP) . '/' . self::$REQUESTEDFILE; $parent = OC_App::getAppPath(OC::$REQUESTEDAPP); - if (!OC_Helper::issubdirectory($subdir, $parent)) { + if (!OC_Helper::isSubDirectory($subdir, $parent)) { self::$REQUESTEDFILE = null; header('HTTP/1.0 404 Not Found'); exit; @@ -685,7 +666,7 @@ class OC { } /** - * @brief Handle the request + * Handle the request */ public static function handleRequest() { $l = \OC_L10N::get('lib'); |