diff options
Diffstat (limited to 'lib/base.php')
| -rw-r--r-- | lib/base.php | 815 |
1 files changed, 465 insertions, 350 deletions
diff --git a/lib/base.php b/lib/base.php index c42f427ca40..ab838d366b1 100644 --- a/lib/base.php +++ b/lib/base.php @@ -1,73 +1,36 @@ <?php + +declare(strict_types=1); /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Adam Williamson <awilliam@redhat.com> - * @author Andreas Fischer <bantu@owncloud.com> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Bernhard Posselt <dev@bernhard-posselt.com> - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Damjan Georgievski <gdamjan@gmail.com> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author davidgumberg <davidnoizgumberg@gmail.com> - * @author Eric Masseran <rico.masseran@gmail.com> - * @author Florin Peter <github@florin-peter.de> - * @author Greta Doci <gretadoci@gmail.com> - * @author Jakob Sack <mail@jakobsack.de> - * @author jaltek <jaltek@mailbox.org> - * @author Jan-Christoph Borchardt <hey@jancborchardt.net> - * @author Joachim Sokolowski <github@sokolowski.org> - * @author Joas Schilling <coding@schilljs.com> - * @author John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Jose Quinteiro <github@quinteiro.org> - * @author Juan Pablo Villafáñez <jvillafanez@solidgear.es> - * @author Julius Härtl <jus@bitgrid.net> - * @author Ko- <k.stoffelen@cs.ru.nl> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author MartB <mart.b@outlook.de> - * @author Michael Gapczynski <GapczynskiM@gmail.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Owen Winkler <a_github@midnightcircus.com> - * @author Phil Davis <phil.davis@inf.org> - * @author Ramiro Aparicio <rapariciog@gmail.com> - * @author Robin Appelman <robin@icewind.nl> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Sebastian Wessalowski <sebastian@wessalowski.org> - * @author Stefan Weil <sw@weilnetz.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Thomas Tanghus <thomas@tanghus.net> - * @author Tobia De Koninck <tobia@ledfan.be> - * @author Vincent Petry <vincent@nextcloud.com> - * @author Volkan Gezer <volkangezer@gmail.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2013-2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ +use OC\Profiler\BuiltInProfiler; +use OC\Share20\GroupDeletedListener; +use OC\Share20\Hooks; +use OC\Share20\UserDeletedListener; +use OC\Share20\UserRemovedListener; +use OC\User\DisabledUserException; use OCP\EventDispatcher\IEventDispatcher; +use OCP\Files\Events\BeforeFileSystemSetupEvent; +use OCP\Group\Events\GroupDeletedEvent; use OCP\Group\Events\UserRemovedEvent; +use OCP\IConfig; use OCP\ILogger; -use OCP\Share; -use OC\Encryption\HookManager; -use OC\Files\Filesystem; -use OC\Share20\Hooks; +use OCP\IRequest; +use OCP\IURLGenerator; +use OCP\IUserSession; +use OCP\Security\Bruteforce\IThrottler; +use OCP\Server; +use OCP\Template\ITemplateManager; +use OCP\User\Events\UserChangedEvent; +use OCP\User\Events\UserDeletedEvent; +use OCP\Util; +use Psr\Log\LoggerInterface; +use Symfony\Component\Routing\Exception\MethodNotAllowedException; +use function OCP\Log\logger; require_once 'public/Constants.php'; @@ -78,65 +41,46 @@ require_once 'public/Constants.php'; */ class OC { /** - * Associative array for autoloading. classname => filename - */ - public static $CLASSPATH = []; - /** * The installation path for Nextcloud on the server (e.g. /srv/http/nextcloud) */ - public static $SERVERROOT = ''; + public static string $SERVERROOT = ''; /** * the current request path relative to the Nextcloud root (e.g. files/index.php) */ - private static $SUBURI = ''; + private static string $SUBURI = ''; /** - * the Nextcloud root path for http requests (e.g. nextcloud/) + * the Nextcloud root path for http requests (e.g. /nextcloud) */ - public static $WEBROOT = ''; + public static string $WEBROOT = ''; /** * The installation path array of the apps folder on the server (e.g. /srv/http/nextcloud) 'path' and * web path in 'url' */ - public static $APPSROOTS = []; + public static array $APPSROOTS = []; - /** - * @var string - */ - public static $configDir; + public static string $configDir; /** * requested app */ - public static $REQUESTEDAPP = ''; + public static string $REQUESTEDAPP = ''; /** * check if Nextcloud runs in cli mode */ - public static $CLI = false; - - /** - * @var \OC\Autoloader $loader - */ - public static $loader = null; + public static bool $CLI = false; - /** @var \Composer\Autoload\ClassLoader $composerAutoloader */ - public static $composerAutoloader = null; + public static \Composer\Autoload\ClassLoader $composerAutoloader; - /** - * @var \OC\Server - */ - public static $server = null; + public static \OC\Server $server; - /** - * @var \OC\Config - */ - private static $config = null; + private static \OC\Config $config; /** * @throws \RuntimeException when the 3rdparty directory is missing or - * the app path list is empty or contains an invalid path + * the app path list is empty or contains an invalid path */ - public static function initPaths() { + public static function initPaths(): void { if (defined('PHPUNIT_CONFIG_DIR')) { self::$configDir = OC::$SERVERROOT . '/' . PHPUNIT_CONFIG_DIR . '/'; } elseif (defined('PHPUNIT_RUN') and PHPUNIT_RUN and is_dir(OC::$SERVERROOT . '/tests/config/')) { @@ -148,18 +92,25 @@ class OC { } self::$config = new \OC\Config(self::$configDir); - OC::$SUBURI = str_replace("\\", "/", substr(realpath($_SERVER["SCRIPT_FILENAME"]), strlen(OC::$SERVERROOT))); + OC::$SUBURI = str_replace('\\', '/', substr(realpath($_SERVER['SCRIPT_FILENAME'] ?? ''), strlen(OC::$SERVERROOT))); /** * FIXME: The following lines are required because we can't yet instantiate - * \OC::$server->getRequest() since \OC::$server does not yet exist. + * Server::get(\OCP\IRequest::class) since \OC::$server does not yet exist. */ $params = [ 'server' => [ - 'SCRIPT_NAME' => $_SERVER['SCRIPT_NAME'], - 'SCRIPT_FILENAME' => $_SERVER['SCRIPT_FILENAME'], + 'SCRIPT_NAME' => $_SERVER['SCRIPT_NAME'] ?? null, + 'SCRIPT_FILENAME' => $_SERVER['SCRIPT_FILENAME'] ?? null, ], ]; - $fakeRequest = new \OC\AppFramework\Http\Request($params, new \OC\Security\SecureRandom(), new \OC\AllConfig(new \OC\SystemConfig(self::$config))); + if (isset($_SERVER['REMOTE_ADDR'])) { + $params['server']['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR']; + } + $fakeRequest = new \OC\AppFramework\Http\Request( + $params, + new \OC\AppFramework\Http\RequestId($_SERVER['UNIQUE_ID'] ?? '', new \OC\Security\SecureRandom()), + new \OC\AllConfig(new \OC\SystemConfig(self::$config)) + ); $scriptName = $fakeRequest->getScriptName(); if (substr($scriptName, -1) == '/') { $scriptName .= 'index.php'; @@ -172,7 +123,6 @@ class OC { } } - if (OC::$CLI) { OC::$WEBROOT = self::$config->getValue('overwritewebroot', ''); } else { @@ -192,9 +142,9 @@ class OC { // Resolve /nextcloud to /nextcloud/ to ensure to always have a trailing // slash which is required by URL generation. - if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] === \OC::$WEBROOT && - substr($_SERVER['REQUEST_URI'], -1) !== '/') { - header('Location: '.\OC::$WEBROOT.'/'); + if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] === \OC::$WEBROOT + && substr($_SERVER['REQUEST_URI'], -1) !== '/') { + header('Location: ' . \OC::$WEBROOT . '/'); exit(); } } @@ -232,41 +182,41 @@ class OC { ); } - public static function checkConfig() { - $l = \OC::$server->getL10N('lib'); - + public static function checkConfig(): void { // Create config if it does not already exist - $configFilePath = self::$configDir .'/config.php'; + $configFilePath = self::$configDir . '/config.php'; if (!file_exists($configFilePath)) { @touch($configFilePath); } // Check if config is writable $configFileWritable = is_writable($configFilePath); - if (!$configFileWritable && !OC_Helper::isReadOnlyConfigEnabled() + $configReadOnly = Server::get(IConfig::class)->getSystemValueBool('config_is_read_only'); + if (!$configFileWritable && !$configReadOnly || !$configFileWritable && \OCP\Util::needUpgrade()) { - $urlGenerator = \OC::$server->getURLGenerator(); + $urlGenerator = Server::get(IURLGenerator::class); + $l = Server::get(\OCP\L10N\IFactory::class)->get('lib'); if (self::$CLI) { - echo $l->t('Cannot write into "config" directory!')."\n"; - echo $l->t('This can usually be fixed by giving the webserver write access to the config directory')."\n"; + echo $l->t('Cannot write into "config" directory!') . "\n"; + echo $l->t('This can usually be fixed by giving the web server write access to the config directory.') . "\n"; echo "\n"; - echo $l->t('Or, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.')."\n"; - echo $l->t('See %s', [ $urlGenerator->linkToDocs('admin-config') ])."\n"; + echo $l->t('But, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.') . "\n"; + echo $l->t('See %s', [ $urlGenerator->linkToDocs('admin-config') ]) . "\n"; exit; } else { - OC_Template::printErrorPage( + Server::get(ITemplateManager::class)->printErrorPage( $l->t('Cannot write into "config" directory!'), - $l->t('This can usually be fixed by giving the webserver write access to the config directory.') . '. ' - . $l->t('Or, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it. See %s', - [ $urlGenerator->linkToDocs('admin-config') ]), + $l->t('This can usually be fixed by giving the web server write access to the config directory.') . ' ' + . $l->t('But, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.') . ' ' + . $l->t('See %s', [ $urlGenerator->linkToDocs('admin-config') ]), 503 ); } } } - public static function checkInstalled(\OC\SystemConfig $systemConfig) { + public static function checkInstalled(\OC\SystemConfig $systemConfig): void { if (defined('OC_CONSOLE')) { return; } @@ -282,17 +232,19 @@ class OC { } } - public static function checkMaintenanceMode(\OC\SystemConfig $systemConfig) { + public static function checkMaintenanceMode(\OC\SystemConfig $systemConfig): void { // Allow ajax update script to execute without being stopped - if (((bool) $systemConfig->getValue('maintenance', false)) && OC::$SUBURI != '/core/ajax/update.php') { + if (((bool)$systemConfig->getValue('maintenance', false)) && OC::$SUBURI != '/core/ajax/update.php') { // send http status 503 http_response_code(503); + header('X-Nextcloud-Maintenance-Mode: 1'); header('Retry-After: 120'); // render error page - $template = new OC_Template('', 'update.user', 'guest'); - OC_Util::addScript('dist/maintenance'); - OC_Util::addStyle('core', 'guest'); + $template = Server::get(ITemplateManager::class)->getTemplate('', 'update.user', 'guest'); + \OCP\Util::addScript('core', 'maintenance'); + \OCP\Util::addScript('core', 'common'); + \OCP\Util::addStyle('core', 'guest'); $template->printPage(); die(); } @@ -300,31 +252,30 @@ class OC { /** * Prints the upgrade page - * - * @param \OC\SystemConfig $systemConfig */ - private static function printUpgradePage(\OC\SystemConfig $systemConfig) { + private static function printUpgradePage(\OC\SystemConfig $systemConfig): void { + $cliUpgradeLink = $systemConfig->getValue('upgrade.cli-upgrade-link', ''); $disableWebUpdater = $systemConfig->getValue('upgrade.disable-web', false); $tooBig = false; if (!$disableWebUpdater) { - $apps = \OC::$server->getAppManager(); - if ($apps->isInstalled('user_ldap')) { - $qb = \OC::$server->getDatabaseConnection()->getQueryBuilder(); + $apps = Server::get(\OCP\App\IAppManager::class); + if ($apps->isEnabledForAnyone('user_ldap')) { + $qb = Server::get(\OCP\IDBConnection::class)->getQueryBuilder(); $result = $qb->select($qb->func()->count('*', 'user_count')) ->from('ldap_user_mapping') - ->execute(); + ->executeQuery(); $row = $result->fetch(); $result->closeCursor(); $tooBig = ($row['user_count'] > 50); } - if (!$tooBig && $apps->isInstalled('user_saml')) { - $qb = \OC::$server->getDatabaseConnection()->getQueryBuilder(); + if (!$tooBig && $apps->isEnabledForAnyone('user_saml')) { + $qb = Server::get(\OCP\IDBConnection::class)->getQueryBuilder(); $result = $qb->select($qb->func()->count('*', 'user_count')) ->from('user_saml_users') - ->execute(); + ->executeQuery(); $row = $result->fetch(); $result->closeCursor(); @@ -332,24 +283,26 @@ class OC { } if (!$tooBig) { // count users - $stats = \OC::$server->getUserManager()->countUsers(); - $totalUsers = array_sum($stats); + $totalUsers = Server::get(\OCP\IUserManager::class)->countUsersTotal(51); $tooBig = ($totalUsers > 50); } } - $ignoreTooBigWarning = isset($_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup']) && - $_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup'] === 'IAmSuperSureToDoThis'; + $ignoreTooBigWarning = isset($_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup']) + && $_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup'] === 'IAmSuperSureToDoThis'; if ($disableWebUpdater || ($tooBig && !$ignoreTooBigWarning)) { // send http status 503 http_response_code(503); header('Retry-After: 120'); + $serverVersion = \OCP\Server::get(\OCP\ServerVersion::class); + // render error page - $template = new OC_Template('', 'update.use-cli', 'guest'); + $template = Server::get(ITemplateManager::class)->getTemplate('', 'update.use-cli', 'guest'); $template->assign('productName', 'nextcloud'); // for now - $template->assign('version', OC_Util::getVersionString()); + $template->assign('version', $serverVersion->getVersionString()); $template->assign('tooBig', $tooBig); + $template->assign('cliUpgradeLink', $cliUpgradeLink); $template->printPage(); die(); @@ -364,70 +317,118 @@ class OC { $oldTheme = $systemConfig->getValue('theme'); $systemConfig->setValue('theme', ''); - OC_Util::addScript('update'); + \OCP\Util::addScript('core', 'common'); + \OCP\Util::addScript('core', 'main'); + \OCP\Util::addTranslations('core'); + \OCP\Util::addScript('core', 'update'); /** @var \OC\App\AppManager $appManager */ - $appManager = \OC::$server->getAppManager(); + $appManager = Server::get(\OCP\App\IAppManager::class); - $tmpl = new OC_Template('', 'update.admin', 'guest'); - $tmpl->assign('version', OC_Util::getVersionString()); + $tmpl = Server::get(ITemplateManager::class)->getTemplate('', 'update.admin', 'guest'); + $tmpl->assign('version', \OCP\Server::get(\OCP\ServerVersion::class)->getVersionString()); $tmpl->assign('isAppsOnlyUpgrade', $isAppsOnlyUpgrade); // get third party apps $ocVersion = \OCP\Util::getVersion(); $ocVersion = implode('.', $ocVersion); $incompatibleApps = $appManager->getIncompatibleApps($ocVersion); + $incompatibleOverwrites = $systemConfig->getValue('app_install_overwrite', []); $incompatibleShippedApps = []; + $incompatibleDisabledApps = []; foreach ($incompatibleApps as $appInfo) { if ($appManager->isShipped($appInfo['id'])) { $incompatibleShippedApps[] = $appInfo['name'] . ' (' . $appInfo['id'] . ')'; } + if (!in_array($appInfo['id'], $incompatibleOverwrites)) { + $incompatibleDisabledApps[] = $appInfo; + } } if (!empty($incompatibleShippedApps)) { - $l = \OC::$server->getL10N('core'); - $hint = $l->t('The files of the app %1$s were not replaced correctly. Make sure it is a version compatible with the server.', [implode(', ', $incompatibleShippedApps)]); - throw new \OC\HintException('The files of the app ' . implode(', ', $incompatibleShippedApps) . ' were not replaced correctly. Make sure it is a version compatible with the server.', $hint); + $l = Server::get(\OCP\L10N\IFactory::class)->get('core'); + $hint = $l->t('Application %1$s is not present or has a non-compatible version with this server. Please check the apps directory.', [implode(', ', $incompatibleShippedApps)]); + throw new \OCP\HintException('Application ' . implode(', ', $incompatibleShippedApps) . ' is not present or has a non-compatible version with this server. Please check the apps directory.', $hint); } $tmpl->assign('appsToUpgrade', $appManager->getAppsNeedingUpgrade($ocVersion)); - $tmpl->assign('incompatibleAppsList', $incompatibleApps); - $tmpl->assign('productName', 'Nextcloud'); // for now + $tmpl->assign('incompatibleAppsList', $incompatibleDisabledApps); + try { + $defaults = new \OC_Defaults(); + $tmpl->assign('productName', $defaults->getName()); + } catch (Throwable $error) { + $tmpl->assign('productName', 'Nextcloud'); + } $tmpl->assign('oldTheme', $oldTheme); $tmpl->printPage(); } - public static function initSession() { - if (self::$server->getRequest()->getServerProtocol() === 'https') { - ini_set('session.cookie_secure', true); + public static function initSession(): void { + $request = Server::get(IRequest::class); + + // TODO: Temporary disabled again to solve issues with CalDAV/CardDAV clients like DAVx5 that use cookies + // TODO: See https://github.com/nextcloud/server/issues/37277#issuecomment-1476366147 and the other comments + // TODO: for further information. + // $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0; + // if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest && !isset($_COOKIE['nc_session_id'])) { + // setcookie('cookie_test', 'test', time() + 3600); + // // Do not initialize the session if a request is authenticated directly + // // unless there is a session cookie already sent along + // return; + // } + + if ($request->getServerProtocol() === 'https') { + ini_set('session.cookie_secure', 'true'); } // prevents javascript from accessing php session cookies ini_set('session.cookie_httponly', 'true'); + // Do not initialize sessions for 'status.php' requests + // Monitoring endpoints can quickly flood session handlers + // and 'status.php' doesn't require sessions anyway + if (str_ends_with($request->getScriptName(), '/status.php')) { + return; + } + // set the cookie path to the Nextcloud directory $cookie_path = OC::$WEBROOT ? : '/'; ini_set('session.cookie_path', $cookie_path); + // set the cookie domain to the Nextcloud domain + $cookie_domain = self::$config->getValue('cookie_domain', ''); + if ($cookie_domain) { + ini_set('session.cookie_domain', $cookie_domain); + } + // Let the session name be changed in the initSession Hook $sessionName = OC_Util::getInstanceId(); try { + $logger = null; + if (Server::get(\OC\SystemConfig::class)->getValue('installed', false)) { + $logger = logger('core'); + } + // set the session name to the instance id - which is unique - $session = new \OC\Session\Internal($sessionName); + $session = new \OC\Session\Internal( + $sessionName, + $logger, + ); - $cryptoWrapper = \OC::$server->getSessionCryptoWrapper(); + $cryptoWrapper = Server::get(\OC\Session\CryptoWrapper::class); $session = $cryptoWrapper->wrapSession($session); self::$server->setSession($session); // if session can't be started break with http 500 error } catch (Exception $e) { - \OC::$server->getLogger()->logException($e, ['app' => 'base']); + Server::get(LoggerInterface::class)->error($e->getMessage(), ['app' => 'base','exception' => $e]); //show the user a detailed error page - OC_Template::printExceptionErrorPage($e, 500); + Server::get(ITemplateManager::class)->printExceptionErrorPage($e, 500); die(); } + //try to set the session lifetime $sessionLifeTime = self::getSessionLifeTime(); // session timeout @@ -435,23 +436,51 @@ class OC { if (isset($_COOKIE[session_name()])) { setcookie(session_name(), '', -1, self::$WEBROOT ? : '/'); } - \OC::$server->getUserSession()->logout(); + Server::get(IUserSession::class)->logout(); } - $session->set('LAST_ACTIVITY', time()); + if (!self::hasSessionRelaxedExpiry()) { + $session->set('LAST_ACTIVITY', time()); + } + $session->close(); + } + + private static function getSessionLifeTime(): int { + return Server::get(\OC\AllConfig::class)->getSystemValueInt('session_lifetime', 60 * 60 * 24); } /** - * @return string + * @return bool true if the session expiry should only be done by gc instead of an explicit timeout */ - private static function getSessionLifeTime() { - return \OC::$server->getConfig()->getSystemValue('session_lifetime', 60 * 60 * 24); + public static function hasSessionRelaxedExpiry(): bool { + return Server::get(\OC\AllConfig::class)->getSystemValueBool('session_relaxed_expiry', false); } /** * Try to set some values to the required Nextcloud default */ - public static function setRequiredIniValues() { + public static function setRequiredIniValues(): void { + // Don't display errors and log them + @ini_set('display_errors', '0'); + @ini_set('log_errors', '1'); + + // Try to configure php to enable big file uploads. + // This doesn't work always depending on the webserver and php configuration. + // Let's try to overwrite some defaults if they are smaller than 1 hour + + if (intval(@ini_get('max_execution_time') ?: 0) < 3600) { + @ini_set('max_execution_time', strval(3600)); + } + + if (intval(@ini_get('max_input_time') ?: 0) < 3600) { + @ini_set('max_input_time', strval(3600)); + } + + // Try to set the maximum execution time to the largest time limit we have + if (strpos(@ini_get('disable_functions'), 'set_time_limit') === false) { + @set_time_limit(max(intval(@ini_get('max_execution_time')), intval(@ini_get('max_input_time')))); + } + @ini_set('default_charset', 'UTF-8'); @ini_set('gd.jpeg_ignore_warning', '1'); } @@ -459,7 +488,7 @@ class OC { /** * Send the same site cookies */ - private static function sendSameSiteCookies() { + private static function sendSameSiteCookies(): void { $cookieParams = session_get_cookie_params(); $secureCookie = ($cookieParams['secure'] === true) ? 'secure; ' : ''; $policies = [ @@ -496,8 +525,8 @@ class OC { * We use an additional cookie since we want to protect logout CSRF and * also we can't directly interfere with PHP's session mechanism. */ - private static function performSameSiteCookieProtection(\OCP\IConfig $config) { - $request = \OC::$server->getRequest(); + private static function performSameSiteCookieProtection(IConfig $config): void { + $request = Server::get(IRequest::class); // Some user agents are notorious and don't really properly follow HTTP // specifications. For those, have an automated opt-out. Since the protection @@ -524,18 +553,23 @@ class OC { $processingScript = explode('/', $requestUri); $processingScript = $processingScript[count($processingScript) - 1]; - // index.php routes are handled in the middleware - if ($processingScript === 'index.php') { + if ($processingScript === 'index.php' // index.php routes are handled in the middleware + || $processingScript === 'cron.php' // and cron.php does not need any authentication at all + || $processingScript === 'public.php' // For public.php, auth for password protected shares is done in the PublicAuth plugin + ) { return; } // All other endpoints require the lax and the strict cookie if (!$request->passesStrictCookieCheck()) { + logger('core')->warning('Request does not pass strict cookie check'); self::sendSameSiteCookies(); // Debug mode gets access to the resources without strict cookie // due to the fact that the SabreDAV browser also lives there. - if (!$config->getSystemValue('debug', false)) { - http_response_code(\OCP\AppFramework\Http::STATUS_SERVICE_UNAVAILABLE); + if (!$config->getSystemValueBool('debug', false)) { + http_response_code(\OCP\AppFramework\Http::STATUS_PRECONDITION_FAILED); + header('Content-Type: application/json'); + echo json_encode(['error' => 'Strict Cookie has not been found in request']); exit(); } } @@ -544,31 +578,39 @@ class OC { } } - public static function init() { + public static function init(): void { + // First handle PHP configuration and copy auth headers to the expected + // $_SERVER variable before doing anything Server object related + self::setRequiredIniValues(); + self::handleAuthHeaders(); + + // prevent any XML processing from loading external entities + libxml_set_external_entity_loader(static function () { + return null; + }); + + // Set default timezone before the Server object is booted + if (!date_default_timezone_set('UTC')) { + throw new \RuntimeException('Could not set timezone to UTC'); + } + // calculate the root directories - OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4)); + OC::$SERVERROOT = str_replace('\\', '/', substr(__DIR__, 0, -4)); // register autoloader $loaderStart = microtime(true); - require_once __DIR__ . '/autoloader.php'; - self::$loader = new \OC\Autoloader([ - OC::$SERVERROOT . '/lib/private/legacy', - ]); - if (defined('PHPUNIT_RUN')) { - self::$loader->addValidRoot(OC::$SERVERROOT . '/tests'); - } - spl_autoload_register([self::$loader, 'load']); - $loaderEnd = microtime(true); self::$CLI = (php_sapi_name() == 'cli'); - // Add default composer PSR-4 autoloader + // Add default composer PSR-4 autoloader, ensure apcu to be disabled self::$composerAutoloader = require_once OC::$SERVERROOT . '/lib/composer/autoload.php'; + self::$composerAutoloader->setApcuPrefix(null); + try { self::initPaths(); // setup 3rdparty autoloader - $vendorAutoLoad = OC::$SERVERROOT. '/3rdparty/autoload.php'; + $vendorAutoLoad = OC::$SERVERROOT . '/3rdparty/autoload.php'; if (!file_exists($vendorAutoLoad)) { throw new \RuntimeException('Composer autoloader not found, unable to continue. Check the folder "3rdparty". Running "git submodule update --init" will initialize the git submodule that handles the subfolder "3rdparty".'); } @@ -582,59 +624,76 @@ class OC { print($e->getMessage()); exit(); } + $loaderEnd = microtime(true); + + // Enable lazy loading if activated + \OC\AppFramework\Utility\SimpleContainer::$useLazyObjects = (bool)self::$config->getValue('enable_lazy_objects', true); // setup the basic server self::$server = new \OC\Server(\OC::$WEBROOT, self::$config); self::$server->boot(); - $eventLogger = \OC::$server->getEventLogger(); - $eventLogger->log('autoloader', 'Autoloader', $loaderStart, $loaderEnd); - $eventLogger->start('boot', 'Initialize'); - // Override php.ini and log everything if we're troubleshooting - if (self::$config->getValue('loglevel') === ILogger::DEBUG) { - error_reporting(E_ALL); + try { + $profiler = new BuiltInProfiler( + Server::get(IConfig::class), + Server::get(IRequest::class), + ); + $profiler->start(); + } catch (\Throwable $e) { + logger('core')->error('Failed to start profiler: ' . $e->getMessage(), ['app' => 'base']); } - // Don't display errors and log them - @ini_set('display_errors', '0'); - @ini_set('log_errors', '1'); - - if (!date_default_timezone_set('UTC')) { - throw new \RuntimeException('Could not set timezone to UTC'); + if (self::$CLI && in_array('--' . \OCP\Console\ReservedOptions::DEBUG_LOG, $_SERVER['argv'])) { + \OC\Core\Listener\BeforeMessageLoggedEventListener::setup(); } - //try to configure php to enable big file uploads. - //this doesn´t work always depending on the webserver and php configuration. - //Let´s try to overwrite some defaults anyway + $eventLogger = Server::get(\OCP\Diagnostics\IEventLogger::class); + $eventLogger->log('autoloader', 'Autoloader', $loaderStart, $loaderEnd); + $eventLogger->start('boot', 'Initialize'); - //try to set the maximum execution time to 60min - if (strpos(@ini_get('disable_functions'), 'set_time_limit') === false) { - @set_time_limit(3600); + // Override php.ini and log everything if we're troubleshooting + if (self::$config->getValue('loglevel') === ILogger::DEBUG) { + error_reporting(E_ALL); } - @ini_set('max_execution_time', '3600'); - @ini_set('max_input_time', '3600'); - - self::setRequiredIniValues(); - self::handleAuthHeaders(); - $systemConfig = \OC::$server->get(\OC\SystemConfig::class); - self::registerAutoloaderCache($systemConfig); // initialize intl fallback if necessary OC_Util::isSetLocaleWorking(); - $config = \OC::$server->get(\OCP\IConfig::class); + $config = Server::get(IConfig::class); if (!defined('PHPUNIT_RUN')) { - OC\Log\ErrorHandler::setLogger(\OC::$server->getLogger()); - $debug = $config->getSystemValue('debug', false); - OC\Log\ErrorHandler::register($debug); + $errorHandler = new OC\Log\ErrorHandler( + \OCP\Server::get(\Psr\Log\LoggerInterface::class), + ); + $exceptionHandler = [$errorHandler, 'onException']; + if ($config->getSystemValueBool('debug', false)) { + set_error_handler([$errorHandler, 'onAll'], E_ALL); + if (\OC::$CLI) { + $exceptionHandler = [Server::get(ITemplateManager::class), 'printExceptionErrorPage']; + } + } else { + set_error_handler([$errorHandler, 'onError']); + } + register_shutdown_function([$errorHandler, 'onShutdown']); + set_exception_handler($exceptionHandler); } /** @var \OC\AppFramework\Bootstrap\Coordinator $bootstrapCoordinator */ - $bootstrapCoordinator = \OC::$server->query(\OC\AppFramework\Bootstrap\Coordinator::class); + $bootstrapCoordinator = Server::get(\OC\AppFramework\Bootstrap\Coordinator::class); $bootstrapCoordinator->runInitialRegistration(); $eventLogger->start('init_session', 'Initialize session'); - OC_App::loadApps(['session']); + + // Check for PHP SimpleXML extension earlier since we need it before our other checks and want to provide a useful hint for web users + // see https://github.com/nextcloud/server/pull/2619 + if (!function_exists('simplexml_load_file')) { + throw new \OCP\HintException('The PHP SimpleXML/PHP-XML extension is not installed.', 'Install the extension or make sure it is enabled.'); + } + + $systemConfig = Server::get(\OC\SystemConfig::class); + $appManager = Server::get(\OCP\App\IAppManager::class); + if ($systemConfig->getValue('installed', false)) { + $appManager->loadApps(['session']); + } if (!self::$CLI) { self::initSession(); } @@ -647,13 +706,14 @@ class OC { self::performSameSiteCookieProtection($config); if (!defined('OC_CONSOLE')) { + $eventLogger->start('check_server', 'Run a few configuration checks'); $errors = OC_Util::checkServer($systemConfig); if (count($errors) > 0) { if (!self::$CLI) { http_response_code(503); - OC_Util::addStyle('guest'); + Util::addStyle('guest'); try { - OC_Template::printGuestPage('', 'error', ['errors' => $errors]); + Server::get(ITemplateManager::class)->printGuestPage('', 'error', ['errors' => $errors]); exit; } catch (\Exception $e) { // In case any error happens when showing the error page, we simply fall back to posting the text. @@ -678,21 +738,20 @@ class OC { echo('Writing to database failed'); } exit(1); - } elseif (self::$CLI && $config->getSystemValue('installed', false)) { + } elseif (self::$CLI && $config->getSystemValueBool('installed', false)) { $config->deleteAppValue('core', 'cronErrors'); } + $eventLogger->end('check_server'); } - //try to set the session lifetime - $sessionLifeTime = self::getSessionLifeTime(); - @ini_set('gc_maxlifetime', (string)$sessionLifeTime); // User and Groups - if (!$systemConfig->getValue("installed", false)) { + if (!$systemConfig->getValue('installed', false)) { self::$server->getSession()->set('user_id', ''); } - OC_User::useBackend(new \OC\User\Database()); - \OC::$server->getGroupManager()->addBackend(new \OC\Group\Database()); + $eventLogger->start('setup_backends', 'Setup group and user backends'); + Server::get(\OCP\IUserManager::class)->registerBackend(new \OC\User\Database()); + Server::get(\OCP\IGroupManager::class)->addBackend(new \OC\Group\Database()); // Subscribe to the hook \OCP\Util::connectHook( @@ -709,30 +768,32 @@ class OC { // Run upgrades in incognito mode OC_User::setIncognitoMode(true); } + $eventLogger->end('setup_backends'); self::registerCleanupHooks($systemConfig); - self::registerFilesystemHooks(); self::registerShareHooks($systemConfig); self::registerEncryptionWrapperAndHooks(); self::registerAccountHooks(); self::registerResourceCollectionHooks(); + self::registerFileReferenceEventListener(); + self::registerRenderReferenceEventListener(); self::registerAppRestrictionsHooks(); // Make sure that the application class is not loaded before the database is setup - if ($systemConfig->getValue("installed", false)) { - OC_App::loadApp('settings'); + if ($systemConfig->getValue('installed', false)) { + $appManager->loadApp('settings'); } //make sure temporary files are cleaned up - $tmpManager = \OC::$server->getTempManager(); + $tmpManager = Server::get(\OCP\ITempManager::class); register_shutdown_function([$tmpManager, 'clean']); - $lockProvider = \OC::$server->getLockingProvider(); + $lockProvider = Server::get(\OCP\Lock\ILockingProvider::class); register_shutdown_function([$lockProvider, 'releaseAll']); // Check whether the sample configuration has been copied if ($systemConfig->getValue('copied_sample_config', false)) { - $l = \OC::$server->getL10N('lib'); - OC_Template::printErrorPage( + $l = Server::get(\OCP\L10N\IFactory::class)->get('lib'); + Server::get(ITemplateManager::class)->printErrorPage( $l->t('Sample configuration detected'), $l->t('It has been detected that the sample configuration has been copied. This can break your installation and is unsupported. Please read the documentation before performing changes on config.php'), 503 @@ -740,19 +801,19 @@ class OC { return; } - $request = \OC::$server->getRequest(); + $request = Server::get(IRequest::class); $host = $request->getInsecureServerHost(); /** * if the host passed in headers isn't trusted * FIXME: Should not be in here at all :see_no_evil: */ if (!OC::$CLI - && !\OC::$server->getTrustedDomainHelper()->isTrustedDomain($host) - && $config->getSystemValue('installed', false) + && !Server::get(\OC\Security\TrustedDomainHelper::class)->isTrustedDomain($host) + && $config->getSystemValueBool('installed', false) ) { // Allow access to CSS resources $isScssRequest = false; - if (strpos($request->getPathInfo(), '/css/') === 0) { + if (strpos($request->getPathInfo() ?: '', '/css/') === 0) { $isScssRequest = true; } @@ -765,8 +826,7 @@ class OC { if (!$isScssRequest) { http_response_code(400); - - \OC::$server->getLogger()->info( + Server::get(LoggerInterface::class)->info( 'Trusted domain error. "{remoteAddress}" tried to access using "{host}" as host.', [ 'app' => 'core', @@ -775,31 +835,51 @@ class OC { ] ); - $tmpl = new OCP\Template('core', 'untrustedDomain', 'guest'); - $tmpl->assign('docUrl', \OC::$server->getURLGenerator()->linkToDocs('admin-trusted-domains')); + $tmpl = Server::get(ITemplateManager::class)->getTemplate('core', 'untrustedDomain', 'guest'); + $tmpl->assign('docUrl', Server::get(IURLGenerator::class)->linkToDocs('admin-trusted-domains')); $tmpl->printPage(); exit(); } } $eventLogger->end('boot'); + $eventLogger->log('init', 'OC::init', $loaderStart, microtime(true)); + $eventLogger->start('runtime', 'Runtime'); + $eventLogger->start('request', 'Full request after boot'); + register_shutdown_function(function () use ($eventLogger) { + $eventLogger->end('request'); + }); + + register_shutdown_function(function () { + $memoryPeak = memory_get_peak_usage(); + $logLevel = match (true) { + $memoryPeak > 500_000_000 => ILogger::FATAL, + $memoryPeak > 400_000_000 => ILogger::ERROR, + $memoryPeak > 300_000_000 => ILogger::WARN, + default => null, + }; + if ($logLevel !== null) { + $message = 'Request used more than 300 MB of RAM: ' . Util::humanFileSize($memoryPeak); + $logger = Server::get(LoggerInterface::class); + $logger->log($logLevel, $message, ['app' => 'core']); + } + }); } /** * register hooks for the cleanup of cache and bruteforce protection */ - public static function registerCleanupHooks(\OC\SystemConfig $systemConfig) { + public static function registerCleanupHooks(\OC\SystemConfig $systemConfig): void { //don't try to do this before we are properly setup if ($systemConfig->getValue('installed', false) && !\OCP\Util::needUpgrade()) { - // NOTE: This will be replaced to use OCP - $userSession = self::$server->getUserSession(); + $userSession = Server::get(\OC\User\Session::class); $userSession->listen('\OC\User', 'postLogin', function () use ($userSession) { if (!defined('PHPUNIT_RUN') && $userSession->isLoggedIn()) { // reset brute force delay for this IP address and username - $uid = \OC::$server->getUserSession()->getUser()->getUID(); - $request = \OC::$server->getRequest(); - $throttler = \OC::$server->getBruteForceThrottler(); + $uid = $userSession->getUser()->getUID(); + $request = Server::get(IRequest::class); + $throttler = Server::get(IThrottler::class); $throttler->resetDelay($request->getRemoteAddress(), 'login', ['user' => $uid]); } @@ -814,39 +894,40 @@ class OC { } catch (\Exception $e) { // a GC exception should not prevent users from using OC, // so log the exception - \OC::$server->getLogger()->logException($e, [ - 'message' => 'Exception when running cache gc.', - 'level' => ILogger::WARN, + Server::get(LoggerInterface::class)->warning('Exception when running cache gc.', [ 'app' => 'core', + 'exception' => $e, ]); } }); } } - private static function registerEncryptionWrapperAndHooks() { - $manager = self::$server->getEncryptionManager(); - \OCP\Util::connectHook('OC_Filesystem', 'preSetup', $manager, 'setupStorage'); + private static function registerEncryptionWrapperAndHooks(): void { + /** @var \OC\Encryption\Manager */ + $manager = Server::get(\OCP\Encryption\IManager::class); + Server::get(IEventDispatcher::class)->addListener( + BeforeFileSystemSetupEvent::class, + $manager->setupStorage(...), + ); $enabled = $manager->isEnabled(); if ($enabled) { - \OCP\Util::connectHook(Share::class, 'post_shared', HookManager::class, 'postShared'); - \OCP\Util::connectHook(Share::class, 'post_unshare', HookManager::class, 'postUnshared'); - \OCP\Util::connectHook('OC_Filesystem', 'post_rename', HookManager::class, 'postRename'); - \OCP\Util::connectHook('\OCA\Files_Trashbin\Trashbin', 'post_restore', HookManager::class, 'postRestore'); + \OC\Encryption\EncryptionEventListener::register(Server::get(IEventDispatcher::class)); } } - private static function registerAccountHooks() { - $hookHandler = \OC::$server->get(\OC\Accounts\Hooks::class); - \OCP\Util::connectHook('OC_User', 'changeUser', $hookHandler, 'changeUserHook'); + private static function registerAccountHooks(): void { + /** @var IEventDispatcher $dispatcher */ + $dispatcher = Server::get(IEventDispatcher::class); + $dispatcher->addServiceListener(UserChangedEvent::class, \OC\Accounts\Hooks::class); } - private static function registerAppRestrictionsHooks() { + private static function registerAppRestrictionsHooks(): void { /** @var \OC\Group\Manager $groupManager */ - $groupManager = self::$server->query(\OCP\IGroupManager::class); + $groupManager = Server::get(\OCP\IGroupManager::class); $groupManager->listen('\OC\Group', 'postDelete', function (\OCP\IGroup $group) { - $appManager = self::$server->getAppManager(); + $appManager = Server::get(\OCP\App\IAppManager::class); $apps = $appManager->getEnabledAppsForGroup($group); foreach ($apps as $appId) { $restrictions = $appManager->getAppRestriction($appId); @@ -865,75 +946,48 @@ class OC { }); } - private static function registerResourceCollectionHooks() { - \OC\Collaboration\Resources\Listener::register(\OC::$server->getEventDispatcher()); + private static function registerResourceCollectionHooks(): void { + \OC\Collaboration\Resources\Listener::register(Server::get(IEventDispatcher::class)); } - /** - * register hooks for the filesystem - */ - public static function registerFilesystemHooks() { - // Check for blacklisted files - OC_Hook::connect('OC_Filesystem', 'write', Filesystem::class, 'isBlacklisted'); - OC_Hook::connect('OC_Filesystem', 'rename', Filesystem::class, 'isBlacklisted'); + private static function registerFileReferenceEventListener(): void { + \OC\Collaboration\Reference\File\FileReferenceEventListener::register(Server::get(IEventDispatcher::class)); + } + + private static function registerRenderReferenceEventListener() { + \OC\Collaboration\Reference\RenderReferenceEventListener::register(Server::get(IEventDispatcher::class)); } /** * register hooks for sharing */ - public static function registerShareHooks(\OC\SystemConfig $systemConfig) { + public static function registerShareHooks(\OC\SystemConfig $systemConfig): void { if ($systemConfig->getValue('installed')) { - OC_Hook::connect('OC_User', 'post_deleteUser', Hooks::class, 'post_deleteUser'); - OC_Hook::connect('OC_User', 'post_deleteGroup', Hooks::class, 'post_deleteGroup'); - /** @var IEventDispatcher $dispatcher */ - $dispatcher = \OC::$server->get(IEventDispatcher::class); - $dispatcher->addServiceListener(UserRemovedEvent::class, \OC\Share20\UserRemovedListener::class); - } - } - - protected static function registerAutoloaderCache(\OC\SystemConfig $systemConfig) { - // The class loader takes an optional low-latency cache, which MUST be - // namespaced. The instanceid is used for namespacing, but might be - // unavailable at this point. Furthermore, it might not be possible to - // generate an instanceid via \OC_Util::getInstanceId() because the - // config file may not be writable. As such, we only register a class - // loader cache if instanceid is available without trying to create one. - $instanceId = $systemConfig->getValue('instanceid', null); - if ($instanceId) { - try { - $memcacheFactory = \OC::$server->getMemCacheFactory(); - self::$loader->setMemoryCache($memcacheFactory->createLocal('Autoloader')); - } catch (\Exception $ex) { - } + $dispatcher = Server::get(IEventDispatcher::class); + $dispatcher->addServiceListener(UserRemovedEvent::class, UserRemovedListener::class); + $dispatcher->addServiceListener(GroupDeletedEvent::class, GroupDeletedListener::class); + $dispatcher->addServiceListener(UserDeletedEvent::class, UserDeletedListener::class); } } /** * Handle the request */ - public static function handleRequest() { - \OC::$server->getEventLogger()->start('handle_request', 'Handle request'); - $systemConfig = \OC::$server->getSystemConfig(); + public static function handleRequest(): void { + Server::get(\OCP\Diagnostics\IEventLogger::class)->start('handle_request', 'Handle request'); + $systemConfig = Server::get(\OC\SystemConfig::class); // Check if Nextcloud is installed or in maintenance (update) mode if (!$systemConfig->getValue('installed', false)) { \OC::$server->getSession()->clear(); - $setupHelper = new OC\Setup( - $systemConfig, - \OC::$server->get(\bantu\IniGetWrapper\IniGetWrapper::class), - \OC::$server->getL10N('lib'), - \OC::$server->query(\OCP\Defaults::class), - \OC::$server->getLogger(), - \OC::$server->getSecureRandom(), - \OC::$server->query(\OC\Installer::class) - ); - $controller = new OC\Core\Controller\SetupController($setupHelper); + $controller = Server::get(\OC\Core\Controller\SetupController::class); $controller->run($_POST); exit(); } - $request = \OC::$server->getRequest(); + $request = Server::get(IRequest::class); + $request->throwDecodingExceptionIfAny(); $requestPath = $request->getRawPathInfo(); if ($requestPath === '/heartbeat') { return; @@ -945,52 +999,65 @@ class OC { if (function_exists('opcache_reset')) { opcache_reset(); } - if (!((bool) $systemConfig->getValue('maintenance', false))) { + if (!((bool)$systemConfig->getValue('maintenance', false))) { self::printUpgradePage($systemConfig); exit(); } } } - // emergency app disabling - if ($requestPath === '/disableapp' - && $request->getMethod() === 'POST' - && ((array)$request->getParam('appid')) !== '' - ) { - \OC_JSON::callCheck(); - \OC_JSON::checkAdminUser(); - $appIds = (array)$request->getParam('appid'); - foreach ($appIds as $appId) { - $appId = \OC_App::cleanAppId($appId); - \OC::$server->getAppManager()->disableApp($appId); - } - \OC_JSON::success(); - exit(); - } + $appManager = Server::get(\OCP\App\IAppManager::class); // Always load authentication apps - OC_App::loadApps(['authentication']); + $appManager->loadApps(['authentication']); + $appManager->loadApps(['extended_authentication']); // Load minimum set of apps if (!\OCP\Util::needUpgrade() - && !((bool) $systemConfig->getValue('maintenance', false))) { + && !((bool)$systemConfig->getValue('maintenance', false))) { // For logged-in users: Load everything - if (\OC::$server->getUserSession()->isLoggedIn()) { - OC_App::loadApps(); + if (Server::get(IUserSession::class)->isLoggedIn()) { + $appManager->loadApps(); } else { // For guests: Load only filesystem and logging - OC_App::loadApps(['filesystem', 'logging']); - self::handleLogin($request); + $appManager->loadApps(['filesystem', 'logging']); + + // Don't try to login when a client is trying to get a OAuth token. + // OAuth needs to support basic auth too, so the login is not valid + // inside Nextcloud and the Login exception would ruin it. + if ($request->getRawPathInfo() !== '/apps/oauth2/api/v1/token') { + try { + self::handleLogin($request); + } catch (DisabledUserException $e) { + // Disabled users would not be seen as logged in and + // trying to log them in would fail, so the login + // exception is ignored for the themed stylesheets and + // images. + if ($request->getRawPathInfo() !== '/apps/theming/theme/default.css' + && $request->getRawPathInfo() !== '/apps/theming/theme/light.css' + && $request->getRawPathInfo() !== '/apps/theming/theme/dark.css' + && $request->getRawPathInfo() !== '/apps/theming/theme/light-highcontrast.css' + && $request->getRawPathInfo() !== '/apps/theming/theme/dark-highcontrast.css' + && $request->getRawPathInfo() !== '/apps/theming/theme/opendyslexic.css' + && $request->getRawPathInfo() !== '/apps/theming/image/background' + && $request->getRawPathInfo() !== '/apps/theming/image/logo' + && $request->getRawPathInfo() !== '/apps/theming/image/logoheader' + && !str_starts_with($request->getRawPathInfo(), '/apps/theming/favicon') + && !str_starts_with($request->getRawPathInfo(), '/apps/theming/icon')) { + throw $e; + } + } + } } } if (!self::$CLI) { try { - if (!((bool) $systemConfig->getValue('maintenance', false)) && !\OCP\Util::needUpgrade()) { - OC_App::loadApps(['filesystem', 'logging']); - OC_App::loadApps(); + if (!\OCP\Util::needUpgrade()) { + $appManager->loadApps(['filesystem', 'logging']); + $appManager->loadApps(); } - OC::$server->get(\OC\Route\Router::class)->match($request->getRawPathInfo()); + Server::get(\OC\Route\Router::class)->match($request->getRawPathInfo()); return; } catch (Symfony\Component\Routing\Exception\ResourceNotFoundException $e) { //header('HTTP/1.0 404 Not Found'); @@ -1009,31 +1076,63 @@ class OC { return; } - // Someone is logged in - if (\OC::$server->getUserSession()->isLoggedIn()) { - OC_App::loadApps(); - OC_User::setupBackends(); - OC_Util::setupFS(); - // FIXME - // Redirect to default application - OC_Util::redirectToDefaultPage(); - } else { - // Not handled and not logged in - header('Location: '.\OC::$server->getURLGenerator()->linkToRouteAbsolute('core.login.showLoginForm')); + // Handle requests for JSON or XML + $acceptHeader = $request->getHeader('Accept'); + if (in_array($acceptHeader, ['application/json', 'application/xml'], true)) { + http_response_code(404); + return; + } + + // Handle resources that can't be found + // This prevents browsers from redirecting to the default page and then + // attempting to parse HTML as CSS and similar. + $destinationHeader = $request->getHeader('Sec-Fetch-Dest'); + if (in_array($destinationHeader, ['font', 'script', 'style'])) { + http_response_code(404); + return; + } + + // Redirect to the default app or login only as an entry point + if ($requestPath === '') { + // Someone is logged in + if (Server::get(IUserSession::class)->isLoggedIn()) { + header('Location: ' . Server::get(IURLGenerator::class)->linkToDefaultPageUrl()); + } else { + // Not handled and not logged in + header('Location: ' . Server::get(IURLGenerator::class)->linkToRouteAbsolute('core.login.showLoginForm')); + } + return; + } + + try { + Server::get(\OC\Route\Router::class)->match('/error/404'); + } catch (\Exception $e) { + if (!$e instanceof MethodNotAllowedException) { + logger('core')->emergency($e->getMessage(), ['exception' => $e]); + } + $l = Server::get(\OCP\L10N\IFactory::class)->get('lib'); + Server::get(ITemplateManager::class)->printErrorPage( + '404', + $l->t('The page could not be found on the server.'), + 404 + ); } } /** * Check login: apache auth, auth token, basic auth - * - * @param OCP\IRequest $request - * @return boolean */ - public static function handleLogin(OCP\IRequest $request) { - $userSession = self::$server->getUserSession(); + public static function handleLogin(OCP\IRequest $request): bool { + if ($request->getHeader('X-Nextcloud-Federation')) { + return false; + } + $userSession = Server::get(\OC\User\Session::class); if (OC_User::handleApacheAuth()) { return true; } + if (self::tryAppAPILogin($request)) { + return true; + } if ($userSession->tryTokenLogin($request)) { return true; } @@ -1043,13 +1142,13 @@ class OC { && $userSession->loginWithCookie($_COOKIE['nc_username'], $_COOKIE['nc_token'], $_COOKIE['nc_session_id'])) { return true; } - if ($userSession->tryBasicAuthLogin($request, \OC::$server->getBruteForceThrottler())) { + if ($userSession->tryBasicAuthLogin($request, Server::get(IThrottler::class))) { return true; } return false; } - protected static function handleAuthHeaders() { + protected static function handleAuthHeaders(): void { //copy http auth headers for apache+php-fcgid work around if (isset($_SERVER['HTTP_XAUTHORIZATION']) && !isset($_SERVER['HTTP_AUTHORIZATION'])) { $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['HTTP_XAUTHORIZATION']; @@ -1061,7 +1160,7 @@ class OC { 'REDIRECT_HTTP_AUTHORIZATION', // apache+php-cgi alternative ]; foreach ($vars as $var) { - if (isset($_SERVER[$var]) && preg_match('/Basic\s+(.*)$/i', $_SERVER[$var], $matches)) { + if (isset($_SERVER[$var]) && is_string($_SERVER[$var]) && preg_match('/Basic\s+(.*)$/i', $_SERVER[$var], $matches)) { $credentials = explode(':', base64_decode($matches[1]), 2); if (count($credentials) === 2) { $_SERVER['PHP_AUTH_USER'] = $credentials[0]; @@ -1071,6 +1170,22 @@ class OC { } } } + + protected static function tryAppAPILogin(OCP\IRequest $request): bool { + if (!$request->getHeader('AUTHORIZATION-APP-API')) { + return false; + } + $appManager = Server::get(OCP\App\IAppManager::class); + if (!$appManager->isEnabledForAnyone('app_api')) { + return false; + } + try { + $appAPIService = Server::get(OCA\AppAPI\Service\AppAPIService::class); + return $appAPIService->validateExAppRequestToNC($request); + } catch (\Psr\Container\NotFoundExceptionInterface|\Psr\Container\ContainerExceptionInterface $e) { + return false; + } + } } OC::init(); |