diff options
Diffstat (limited to 'lib/base.php')
| -rw-r--r-- | lib/base.php | 520 |
1 files changed, 277 insertions, 243 deletions
diff --git a/lib/base.php b/lib/base.php index b5c5845b5a0..ab838d366b1 100644 --- a/lib/base.php +++ b/lib/base.php @@ -1,85 +1,35 @@ <?php declare(strict_types=1); - /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Adam Williamson <awilliam@redhat.com> - * @author Andreas Fischer <bantu@owncloud.com> - * @author Arthur Schiwon <blizzz@arthur-schiwon.de> - * @author Bart Visscher <bartv@thisnet.nl> - * @author Bernhard Posselt <dev@bernhard-posselt.com> - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Björn Schießle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Côme Chilliet <come.chilliet@nextcloud.com> - * @author Damjan Georgievski <gdamjan@gmail.com> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author davidgumberg <davidnoizgumberg@gmail.com> - * @author Eric Masseran <rico.masseran@gmail.com> - * @author Florin Peter <github@florin-peter.de> - * @author Greta Doci <gretadoci@gmail.com> - * @author J0WI <J0WI@users.noreply.github.com> - * @author Jakob Sack <mail@jakobsack.de> - * @author jaltek <jaltek@mailbox.org> - * @author Jan-Christoph Borchardt <hey@jancborchardt.net> - * @author Joachim Sokolowski <github@sokolowski.org> - * @author Joas Schilling <coding@schilljs.com> - * @author John Molakvoæ <skjnldsv@protonmail.com> - * @author Jörn Friedrich Dreyer <jfd@butonic.de> - * @author Jose Quinteiro <github@quinteiro.org> - * @author Juan Pablo Villafáñez <jvillafanez@solidgear.es> - * @author Julius Härtl <jus@bitgrid.net> - * @author Ko- <k.stoffelen@cs.ru.nl> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author MartB <mart.b@outlook.de> - * @author Michael Gapczynski <GapczynskiM@gmail.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Owen Winkler <a_github@midnightcircus.com> - * @author Phil Davis <phil.davis@inf.org> - * @author Ramiro Aparicio <rapariciog@gmail.com> - * @author Robin Appelman <robin@icewind.nl> - * @author Robin McCorkell <robin@mccorkell.me.uk> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Sebastian Wessalowski <sebastian@wessalowski.org> - * @author Stefan Weil <sw@weilnetz.de> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * @author Thomas Tanghus <thomas@tanghus.net> - * @author Tobia De Koninck <tobia@ledfan.be> - * @author Vincent Petry <vincent@nextcloud.com> - * @author Volkan Gezer <volkangezer@gmail.com> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2013-2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ -use OC\Encryption\HookManager; -use OC\EventDispatcher\SymfonyAdapter; -use OC\Files\Filesystem; +use OC\Profiler\BuiltInProfiler; +use OC\Share20\GroupDeletedListener; use OC\Share20\Hooks; +use OC\Share20\UserDeletedListener; +use OC\Share20\UserRemovedListener; +use OC\User\DisabledUserException; use OCP\EventDispatcher\IEventDispatcher; +use OCP\Files\Events\BeforeFileSystemSetupEvent; +use OCP\Group\Events\GroupDeletedEvent; use OCP\Group\Events\UserRemovedEvent; +use OCP\IConfig; use OCP\ILogger; use OCP\IRequest; use OCP\IURLGenerator; use OCP\IUserSession; +use OCP\Security\Bruteforce\IThrottler; use OCP\Server; -use OCP\Share; +use OCP\Template\ITemplateManager; use OCP\User\Events\UserChangedEvent; +use OCP\User\Events\UserDeletedEvent; +use OCP\Util; use Psr\Log\LoggerInterface; +use Symfony\Component\Routing\Exception\MethodNotAllowedException; use function OCP\Log\logger; require_once 'public/Constants.php'; @@ -91,10 +41,6 @@ require_once 'public/Constants.php'; */ class OC { /** - * Associative array for autoloading. classname => filename - */ - public static array $CLASSPATH = []; - /** * The installation path for Nextcloud on the server (e.g. /srv/http/nextcloud) */ public static string $SERVERROOT = ''; @@ -103,7 +49,7 @@ class OC { */ private static string $SUBURI = ''; /** - * the Nextcloud root path for http requests (e.g. nextcloud/) + * the Nextcloud root path for http requests (e.g. /nextcloud) */ public static string $WEBROOT = ''; /** @@ -124,8 +70,6 @@ class OC { */ public static bool $CLI = false; - public static \OC\Autoloader $loader; - public static \Composer\Autoload\ClassLoader $composerAutoloader; public static \OC\Server $server; @@ -134,7 +78,7 @@ class OC { /** * @throws \RuntimeException when the 3rdparty directory is missing or - * the app path list is empty or contains an invalid path + * the app path list is empty or contains an invalid path */ public static function initPaths(): void { if (defined('PHPUNIT_CONFIG_DIR')) { @@ -148,7 +92,7 @@ class OC { } self::$config = new \OC\Config(self::$configDir); - OC::$SUBURI = str_replace("\\", "/", substr(realpath($_SERVER["SCRIPT_FILENAME"] ?? ''), strlen(OC::$SERVERROOT))); + OC::$SUBURI = str_replace('\\', '/', substr(realpath($_SERVER['SCRIPT_FILENAME'] ?? ''), strlen(OC::$SERVERROOT))); /** * FIXME: The following lines are required because we can't yet instantiate * Server::get(\OCP\IRequest::class) since \OC::$server does not yet exist. @@ -159,6 +103,9 @@ class OC { 'SCRIPT_FILENAME' => $_SERVER['SCRIPT_FILENAME'] ?? null, ], ]; + if (isset($_SERVER['REMOTE_ADDR'])) { + $params['server']['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR']; + } $fakeRequest = new \OC\AppFramework\Http\Request( $params, new \OC\AppFramework\Http\RequestId($_SERVER['UNIQUE_ID'] ?? '', new \OC\Security\SecureRandom()), @@ -176,7 +123,6 @@ class OC { } } - if (OC::$CLI) { OC::$WEBROOT = self::$config->getValue('overwritewebroot', ''); } else { @@ -196,9 +142,9 @@ class OC { // Resolve /nextcloud to /nextcloud/ to ensure to always have a trailing // slash which is required by URL generation. - if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] === \OC::$WEBROOT && - substr($_SERVER['REQUEST_URI'], -1) !== '/') { - header('Location: '.\OC::$WEBROOT.'/'); + if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] === \OC::$WEBROOT + && substr($_SERVER['REQUEST_URI'], -1) !== '/') { + header('Location: ' . \OC::$WEBROOT . '/'); exit(); } } @@ -237,29 +183,29 @@ class OC { } public static function checkConfig(): void { - $l = Server::get(\OCP\L10N\IFactory::class)->get('lib'); - // Create config if it does not already exist - $configFilePath = self::$configDir .'/config.php'; + $configFilePath = self::$configDir . '/config.php'; if (!file_exists($configFilePath)) { @touch($configFilePath); } // Check if config is writable $configFileWritable = is_writable($configFilePath); - if (!$configFileWritable && !OC_Helper::isReadOnlyConfigEnabled() + $configReadOnly = Server::get(IConfig::class)->getSystemValueBool('config_is_read_only'); + if (!$configFileWritable && !$configReadOnly || !$configFileWritable && \OCP\Util::needUpgrade()) { $urlGenerator = Server::get(IURLGenerator::class); + $l = Server::get(\OCP\L10N\IFactory::class)->get('lib'); if (self::$CLI) { - echo $l->t('Cannot write into "config" directory!')."\n"; - echo $l->t('This can usually be fixed by giving the web server write access to the config directory.')."\n"; + echo $l->t('Cannot write into "config" directory!') . "\n"; + echo $l->t('This can usually be fixed by giving the web server write access to the config directory.') . "\n"; echo "\n"; - echo $l->t('But, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.')."\n"; - echo $l->t('See %s', [ $urlGenerator->linkToDocs('admin-config') ])."\n"; + echo $l->t('But, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.') . "\n"; + echo $l->t('See %s', [ $urlGenerator->linkToDocs('admin-config') ]) . "\n"; exit; } else { - OC_Template::printErrorPage( + Server::get(ITemplateManager::class)->printErrorPage( $l->t('Cannot write into "config" directory!'), $l->t('This can usually be fixed by giving the web server write access to the config directory.') . ' ' . $l->t('But, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.') . ' ' @@ -288,15 +234,16 @@ class OC { public static function checkMaintenanceMode(\OC\SystemConfig $systemConfig): void { // Allow ajax update script to execute without being stopped - if (((bool) $systemConfig->getValue('maintenance', false)) && OC::$SUBURI != '/core/ajax/update.php') { + if (((bool)$systemConfig->getValue('maintenance', false)) && OC::$SUBURI != '/core/ajax/update.php') { // send http status 503 http_response_code(503); header('X-Nextcloud-Maintenance-Mode: 1'); header('Retry-After: 120'); // render error page - $template = new OC_Template('', 'update.user', 'guest'); + $template = Server::get(ITemplateManager::class)->getTemplate('', 'update.user', 'guest'); \OCP\Util::addScript('core', 'maintenance'); + \OCP\Util::addScript('core', 'common'); \OCP\Util::addStyle('core', 'guest'); $template->printPage(); die(); @@ -307,11 +254,12 @@ class OC { * Prints the upgrade page */ private static function printUpgradePage(\OC\SystemConfig $systemConfig): void { + $cliUpgradeLink = $systemConfig->getValue('upgrade.cli-upgrade-link', ''); $disableWebUpdater = $systemConfig->getValue('upgrade.disable-web', false); $tooBig = false; if (!$disableWebUpdater) { $apps = Server::get(\OCP\App\IAppManager::class); - if ($apps->isInstalled('user_ldap')) { + if ($apps->isEnabledForAnyone('user_ldap')) { $qb = Server::get(\OCP\IDBConnection::class)->getQueryBuilder(); $result = $qb->select($qb->func()->count('*', 'user_count')) @@ -322,7 +270,7 @@ class OC { $tooBig = ($row['user_count'] > 50); } - if (!$tooBig && $apps->isInstalled('user_saml')) { + if (!$tooBig && $apps->isEnabledForAnyone('user_saml')) { $qb = Server::get(\OCP\IDBConnection::class)->getQueryBuilder(); $result = $qb->select($qb->func()->count('*', 'user_count')) @@ -335,24 +283,26 @@ class OC { } if (!$tooBig) { // count users - $stats = Server::get(\OCP\IUserManager::class)->countUsers(); - $totalUsers = array_sum($stats); + $totalUsers = Server::get(\OCP\IUserManager::class)->countUsersTotal(51); $tooBig = ($totalUsers > 50); } } - $ignoreTooBigWarning = isset($_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup']) && - $_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup'] === 'IAmSuperSureToDoThis'; + $ignoreTooBigWarning = isset($_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup']) + && $_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup'] === 'IAmSuperSureToDoThis'; if ($disableWebUpdater || ($tooBig && !$ignoreTooBigWarning)) { // send http status 503 http_response_code(503); header('Retry-After: 120'); + $serverVersion = \OCP\Server::get(\OCP\ServerVersion::class); + // render error page - $template = new OC_Template('', 'update.use-cli', 'guest'); + $template = Server::get(ITemplateManager::class)->getTemplate('', 'update.use-cli', 'guest'); $template->assign('productName', 'nextcloud'); // for now - $template->assign('version', OC_Util::getVersionString()); + $template->assign('version', $serverVersion->getVersionString()); $template->assign('tooBig', $tooBig); + $template->assign('cliUpgradeLink', $cliUpgradeLink); $template->printPage(); die(); @@ -375,29 +325,34 @@ class OC { /** @var \OC\App\AppManager $appManager */ $appManager = Server::get(\OCP\App\IAppManager::class); - $tmpl = new OC_Template('', 'update.admin', 'guest'); - $tmpl->assign('version', OC_Util::getVersionString()); + $tmpl = Server::get(ITemplateManager::class)->getTemplate('', 'update.admin', 'guest'); + $tmpl->assign('version', \OCP\Server::get(\OCP\ServerVersion::class)->getVersionString()); $tmpl->assign('isAppsOnlyUpgrade', $isAppsOnlyUpgrade); // get third party apps $ocVersion = \OCP\Util::getVersion(); $ocVersion = implode('.', $ocVersion); $incompatibleApps = $appManager->getIncompatibleApps($ocVersion); + $incompatibleOverwrites = $systemConfig->getValue('app_install_overwrite', []); $incompatibleShippedApps = []; + $incompatibleDisabledApps = []; foreach ($incompatibleApps as $appInfo) { if ($appManager->isShipped($appInfo['id'])) { $incompatibleShippedApps[] = $appInfo['name'] . ' (' . $appInfo['id'] . ')'; } + if (!in_array($appInfo['id'], $incompatibleOverwrites)) { + $incompatibleDisabledApps[] = $appInfo; + } } if (!empty($incompatibleShippedApps)) { $l = Server::get(\OCP\L10N\IFactory::class)->get('core'); - $hint = $l->t('The files of the app %1$s were not replaced correctly. Make sure it is a version compatible with the server.', [implode(', ', $incompatibleShippedApps)]); - throw new \OCP\HintException('The files of the app ' . implode(', ', $incompatibleShippedApps) . ' were not replaced correctly. Make sure it is a version compatible with the server.', $hint); + $hint = $l->t('Application %1$s is not present or has a non-compatible version with this server. Please check the apps directory.', [implode(', ', $incompatibleShippedApps)]); + throw new \OCP\HintException('Application ' . implode(', ', $incompatibleShippedApps) . ' is not present or has a non-compatible version with this server. Please check the apps directory.', $hint); } $tmpl->assign('appsToUpgrade', $appManager->getAppsNeedingUpgrade($ocVersion)); - $tmpl->assign('incompatibleAppsList', $incompatibleApps); + $tmpl->assign('incompatibleAppsList', $incompatibleDisabledApps); try { $defaults = new \OC_Defaults(); $tmpl->assign('productName', $defaults->getName()); @@ -410,13 +365,17 @@ class OC { public static function initSession(): void { $request = Server::get(IRequest::class); - $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0; - if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest && !isset($_COOKIE['nc_session_id'])) { - setcookie('cookie_test', 'test', time() + 3600); - // Do not initialize the session if a request is authenticated directly - // unless there is a session cookie already sent along - return; - } + + // TODO: Temporary disabled again to solve issues with CalDAV/CardDAV clients like DAVx5 that use cookies + // TODO: See https://github.com/nextcloud/server/issues/37277#issuecomment-1476366147 and the other comments + // TODO: for further information. + // $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0; + // if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest && !isset($_COOKIE['nc_session_id'])) { + // setcookie('cookie_test', 'test', time() + 3600); + // // Do not initialize the session if a request is authenticated directly + // // unless there is a session cookie already sent along + // return; + // } if ($request->getServerProtocol() === 'https') { ini_set('session.cookie_secure', 'true'); @@ -425,16 +384,37 @@ class OC { // prevents javascript from accessing php session cookies ini_set('session.cookie_httponly', 'true'); + // Do not initialize sessions for 'status.php' requests + // Monitoring endpoints can quickly flood session handlers + // and 'status.php' doesn't require sessions anyway + if (str_ends_with($request->getScriptName(), '/status.php')) { + return; + } + // set the cookie path to the Nextcloud directory $cookie_path = OC::$WEBROOT ? : '/'; ini_set('session.cookie_path', $cookie_path); + // set the cookie domain to the Nextcloud domain + $cookie_domain = self::$config->getValue('cookie_domain', ''); + if ($cookie_domain) { + ini_set('session.cookie_domain', $cookie_domain); + } + // Let the session name be changed in the initSession Hook $sessionName = OC_Util::getInstanceId(); try { + $logger = null; + if (Server::get(\OC\SystemConfig::class)->getValue('installed', false)) { + $logger = logger('core'); + } + // set the session name to the instance id - which is unique - $session = new \OC\Session\Internal($sessionName); + $session = new \OC\Session\Internal( + $sessionName, + $logger, + ); $cryptoWrapper = Server::get(\OC\Session\CryptoWrapper::class); $session = $cryptoWrapper->wrapSession($session); @@ -444,13 +424,12 @@ class OC { } catch (Exception $e) { Server::get(LoggerInterface::class)->error($e->getMessage(), ['app' => 'base','exception' => $e]); //show the user a detailed error page - OC_Template::printExceptionErrorPage($e, 500); + Server::get(ITemplateManager::class)->printExceptionErrorPage($e, 500); die(); } //try to set the session lifetime $sessionLifeTime = self::getSessionLifeTime(); - @ini_set('gc_maxlifetime', (string)$sessionLifeTime); // session timeout if ($session->exists('LAST_ACTIVITY') && (time() - $session->get('LAST_ACTIVITY') > $sessionLifeTime)) { @@ -481,6 +460,27 @@ class OC { * Try to set some values to the required Nextcloud default */ public static function setRequiredIniValues(): void { + // Don't display errors and log them + @ini_set('display_errors', '0'); + @ini_set('log_errors', '1'); + + // Try to configure php to enable big file uploads. + // This doesn't work always depending on the webserver and php configuration. + // Let's try to overwrite some defaults if they are smaller than 1 hour + + if (intval(@ini_get('max_execution_time') ?: 0) < 3600) { + @ini_set('max_execution_time', strval(3600)); + } + + if (intval(@ini_get('max_input_time') ?: 0) < 3600) { + @ini_set('max_input_time', strval(3600)); + } + + // Try to set the maximum execution time to the largest time limit we have + if (strpos(@ini_get('disable_functions'), 'set_time_limit') === false) { + @set_time_limit(max(intval(@ini_get('max_execution_time')), intval(@ini_get('max_input_time')))); + } + @ini_set('default_charset', 'UTF-8'); @ini_set('gd.jpeg_ignore_warning', '1'); } @@ -525,7 +525,7 @@ class OC { * We use an additional cookie since we want to protect logout CSRF and * also we can't directly interfere with PHP's session mechanism. */ - private static function performSameSiteCookieProtection(\OCP\IConfig $config): void { + private static function performSameSiteCookieProtection(IConfig $config): void { $request = Server::get(IRequest::class); // Some user agents are notorious and don't really properly follow HTTP @@ -553,18 +553,23 @@ class OC { $processingScript = explode('/', $requestUri); $processingScript = $processingScript[count($processingScript) - 1]; - // index.php routes are handled in the middleware - if ($processingScript === 'index.php') { + if ($processingScript === 'index.php' // index.php routes are handled in the middleware + || $processingScript === 'cron.php' // and cron.php does not need any authentication at all + || $processingScript === 'public.php' // For public.php, auth for password protected shares is done in the PublicAuth plugin + ) { return; } // All other endpoints require the lax and the strict cookie if (!$request->passesStrictCookieCheck()) { + logger('core')->warning('Request does not pass strict cookie check'); self::sendSameSiteCookies(); // Debug mode gets access to the resources without strict cookie // due to the fact that the SabreDAV browser also lives there. - if (!$config->getSystemValue('debug', false)) { - http_response_code(\OCP\AppFramework\Http::STATUS_SERVICE_UNAVAILABLE); + if (!$config->getSystemValueBool('debug', false)) { + http_response_code(\OCP\AppFramework\Http::STATUS_PRECONDITION_FAILED); + header('Content-Type: application/json'); + echo json_encode(['error' => 'Strict Cookie has not been found in request']); exit(); } } @@ -574,31 +579,38 @@ class OC { } public static function init(): void { + // First handle PHP configuration and copy auth headers to the expected + // $_SERVER variable before doing anything Server object related + self::setRequiredIniValues(); + self::handleAuthHeaders(); + + // prevent any XML processing from loading external entities + libxml_set_external_entity_loader(static function () { + return null; + }); + + // Set default timezone before the Server object is booted + if (!date_default_timezone_set('UTC')) { + throw new \RuntimeException('Could not set timezone to UTC'); + } + // calculate the root directories - OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4)); + OC::$SERVERROOT = str_replace('\\', '/', substr(__DIR__, 0, -4)); // register autoloader $loaderStart = microtime(true); - require_once __DIR__ . '/autoloader.php'; - self::$loader = new \OC\Autoloader([ - OC::$SERVERROOT . '/lib/private/legacy', - ]); - if (defined('PHPUNIT_RUN')) { - self::$loader->addValidRoot(OC::$SERVERROOT . '/tests'); - } - spl_autoload_register([self::$loader, 'load']); - $loaderEnd = microtime(true); self::$CLI = (php_sapi_name() == 'cli'); - // Add default composer PSR-4 autoloader + // Add default composer PSR-4 autoloader, ensure apcu to be disabled self::$composerAutoloader = require_once OC::$SERVERROOT . '/lib/composer/autoload.php'; - self::$composerAutoloader->setApcuPrefix('composer_autoload'); + self::$composerAutoloader->setApcuPrefix(null); + try { self::initPaths(); // setup 3rdparty autoloader - $vendorAutoLoad = OC::$SERVERROOT. '/3rdparty/autoload.php'; + $vendorAutoLoad = OC::$SERVERROOT . '/3rdparty/autoload.php'; if (!file_exists($vendorAutoLoad)) { throw new \RuntimeException('Composer autoloader not found, unable to continue. Check the folder "3rdparty". Running "git submodule update --init" will initialize the git submodule that handles the subfolder "3rdparty".'); } @@ -612,11 +624,29 @@ class OC { print($e->getMessage()); exit(); } + $loaderEnd = microtime(true); + + // Enable lazy loading if activated + \OC\AppFramework\Utility\SimpleContainer::$useLazyObjects = (bool)self::$config->getValue('enable_lazy_objects', true); // setup the basic server self::$server = new \OC\Server(\OC::$WEBROOT, self::$config); self::$server->boot(); + try { + $profiler = new BuiltInProfiler( + Server::get(IConfig::class), + Server::get(IRequest::class), + ); + $profiler->start(); + } catch (\Throwable $e) { + logger('core')->error('Failed to start profiler: ' . $e->getMessage(), ['app' => 'base']); + } + + if (self::$CLI && in_array('--' . \OCP\Console\ReservedOptions::DEBUG_LOG, $_SERVER['argv'])) { + \OC\Core\Listener\BeforeMessageLoggedEventListener::setup(); + } + $eventLogger = Server::get(\OCP\Diagnostics\IEventLogger::class); $eventLogger->log('autoloader', 'Autoloader', $loaderStart, $loaderEnd); $eventLogger->start('boot', 'Initialize'); @@ -626,50 +656,19 @@ class OC { error_reporting(E_ALL); } - // Don't display errors and log them - @ini_set('display_errors', '0'); - @ini_set('log_errors', '1'); - - if (!date_default_timezone_set('UTC')) { - throw new \RuntimeException('Could not set timezone to UTC'); - } - - - //try to configure php to enable big file uploads. - //this doesn´t work always depending on the webserver and php configuration. - //Let´s try to overwrite some defaults if they are smaller than 1 hour - - if (intval(@ini_get('max_execution_time') ?? 0) < 3600) { - @ini_set('max_execution_time', strval(3600)); - } - - if (intval(@ini_get('max_input_time') ?? 0) < 3600) { - @ini_set('max_input_time', strval(3600)); - } - - //try to set the maximum execution time to the largest time limit we have - if (strpos(@ini_get('disable_functions'), 'set_time_limit') === false) { - @set_time_limit(max(intval(@ini_get('max_execution_time')), intval(@ini_get('max_input_time')))); - } - - self::setRequiredIniValues(); - self::handleAuthHeaders(); - $systemConfig = Server::get(\OC\SystemConfig::class); - self::registerAutoloaderCache($systemConfig); - // initialize intl fallback if necessary OC_Util::isSetLocaleWorking(); - $config = Server::get(\OCP\IConfig::class); + $config = Server::get(IConfig::class); if (!defined('PHPUNIT_RUN')) { $errorHandler = new OC\Log\ErrorHandler( \OCP\Server::get(\Psr\Log\LoggerInterface::class), ); $exceptionHandler = [$errorHandler, 'onException']; - if ($config->getSystemValue('debug', false)) { + if ($config->getSystemValueBool('debug', false)) { set_error_handler([$errorHandler, 'onAll'], E_ALL); if (\OC::$CLI) { - $exceptionHandler = ['OC_Template', 'printExceptionErrorPage']; + $exceptionHandler = [Server::get(ITemplateManager::class), 'printExceptionErrorPage']; } } else { set_error_handler([$errorHandler, 'onError']); @@ -683,7 +682,18 @@ class OC { $bootstrapCoordinator->runInitialRegistration(); $eventLogger->start('init_session', 'Initialize session'); - OC_App::loadApps(['session']); + + // Check for PHP SimpleXML extension earlier since we need it before our other checks and want to provide a useful hint for web users + // see https://github.com/nextcloud/server/pull/2619 + if (!function_exists('simplexml_load_file')) { + throw new \OCP\HintException('The PHP SimpleXML/PHP-XML extension is not installed.', 'Install the extension or make sure it is enabled.'); + } + + $systemConfig = Server::get(\OC\SystemConfig::class); + $appManager = Server::get(\OCP\App\IAppManager::class); + if ($systemConfig->getValue('installed', false)) { + $appManager->loadApps(['session']); + } if (!self::$CLI) { self::initSession(); } @@ -696,13 +706,14 @@ class OC { self::performSameSiteCookieProtection($config); if (!defined('OC_CONSOLE')) { + $eventLogger->start('check_server', 'Run a few configuration checks'); $errors = OC_Util::checkServer($systemConfig); if (count($errors) > 0) { if (!self::$CLI) { http_response_code(503); - OC_Util::addStyle('guest'); + Util::addStyle('guest'); try { - OC_Template::printGuestPage('', 'error', ['errors' => $errors]); + Server::get(ITemplateManager::class)->printGuestPage('', 'error', ['errors' => $errors]); exit; } catch (\Exception $e) { // In case any error happens when showing the error page, we simply fall back to posting the text. @@ -727,17 +738,19 @@ class OC { echo('Writing to database failed'); } exit(1); - } elseif (self::$CLI && $config->getSystemValue('installed', false)) { + } elseif (self::$CLI && $config->getSystemValueBool('installed', false)) { $config->deleteAppValue('core', 'cronErrors'); } + $eventLogger->end('check_server'); } // User and Groups - if (!$systemConfig->getValue("installed", false)) { + if (!$systemConfig->getValue('installed', false)) { self::$server->getSession()->set('user_id', ''); } - OC_User::useBackend(new \OC\User\Database()); + $eventLogger->start('setup_backends', 'Setup group and user backends'); + Server::get(\OCP\IUserManager::class)->registerBackend(new \OC\User\Database()); Server::get(\OCP\IGroupManager::class)->addBackend(new \OC\Group\Database()); // Subscribe to the hook @@ -755,6 +768,7 @@ class OC { // Run upgrades in incognito mode OC_User::setIncognitoMode(true); } + $eventLogger->end('setup_backends'); self::registerCleanupHooks($systemConfig); self::registerShareHooks($systemConfig); @@ -766,10 +780,8 @@ class OC { self::registerAppRestrictionsHooks(); // Make sure that the application class is not loaded before the database is setup - if ($systemConfig->getValue("installed", false)) { - OC_App::loadApp('settings'); - /* Build core application to make sure that listeners are registered */ - Server::get(\OC\Core\Application::class); + if ($systemConfig->getValue('installed', false)) { + $appManager->loadApp('settings'); } //make sure temporary files are cleaned up @@ -781,7 +793,7 @@ class OC { // Check whether the sample configuration has been copied if ($systemConfig->getValue('copied_sample_config', false)) { $l = Server::get(\OCP\L10N\IFactory::class)->get('lib'); - OC_Template::printErrorPage( + Server::get(ITemplateManager::class)->printErrorPage( $l->t('Sample configuration detected'), $l->t('It has been detected that the sample configuration has been copied. This can break your installation and is unsupported. Please read the documentation before performing changes on config.php'), 503 @@ -797,7 +809,7 @@ class OC { */ if (!OC::$CLI && !Server::get(\OC\Security\TrustedDomainHelper::class)->isTrustedDomain($host) - && $config->getSystemValue('installed', false) + && $config->getSystemValueBool('installed', false) ) { // Allow access to CSS resources $isScssRequest = false; @@ -823,7 +835,7 @@ class OC { ] ); - $tmpl = new OCP\Template('core', 'untrustedDomain', 'guest'); + $tmpl = Server::get(ITemplateManager::class)->getTemplate('core', 'untrustedDomain', 'guest'); $tmpl->assign('docUrl', Server::get(IURLGenerator::class)->linkToDocs('admin-trusted-domains')); $tmpl->printPage(); @@ -837,6 +849,21 @@ class OC { register_shutdown_function(function () use ($eventLogger) { $eventLogger->end('request'); }); + + register_shutdown_function(function () { + $memoryPeak = memory_get_peak_usage(); + $logLevel = match (true) { + $memoryPeak > 500_000_000 => ILogger::FATAL, + $memoryPeak > 400_000_000 => ILogger::ERROR, + $memoryPeak > 300_000_000 => ILogger::WARN, + default => null, + }; + if ($logLevel !== null) { + $message = 'Request used more than 300 MB of RAM: ' . Util::humanFileSize($memoryPeak); + $logger = Server::get(LoggerInterface::class); + $logger->log($logLevel, $message, ['app' => 'core']); + } + }); } /** @@ -852,7 +879,7 @@ class OC { // reset brute force delay for this IP address and username $uid = $userSession->getUser()->getUID(); $request = Server::get(IRequest::class); - $throttler = Server::get(\OC\Security\Bruteforce\Throttler::class); + $throttler = Server::get(IThrottler::class); $throttler->resetDelay($request->getRemoteAddress(), 'login', ['user' => $uid]); } @@ -877,15 +904,16 @@ class OC { } private static function registerEncryptionWrapperAndHooks(): void { + /** @var \OC\Encryption\Manager */ $manager = Server::get(\OCP\Encryption\IManager::class); - \OCP\Util::connectHook('OC_Filesystem', 'preSetup', $manager, 'setupStorage'); + Server::get(IEventDispatcher::class)->addListener( + BeforeFileSystemSetupEvent::class, + $manager->setupStorage(...), + ); $enabled = $manager->isEnabled(); if ($enabled) { - \OCP\Util::connectHook(Share::class, 'post_shared', HookManager::class, 'postShared'); - \OCP\Util::connectHook(Share::class, 'post_unshare', HookManager::class, 'postUnshared'); - \OCP\Util::connectHook('OC_Filesystem', 'post_rename', HookManager::class, 'postRename'); - \OCP\Util::connectHook('\OCA\Files_Trashbin\Trashbin', 'post_restore', HookManager::class, 'postRestore'); + \OC\Encryption\EncryptionEventListener::register(Server::get(IEventDispatcher::class)); } } @@ -919,7 +947,7 @@ class OC { } private static function registerResourceCollectionHooks(): void { - \OC\Collaboration\Resources\Listener::register(Server::get(SymfonyAdapter::class), Server::get(IEventDispatcher::class)); + \OC\Collaboration\Resources\Listener::register(Server::get(IEventDispatcher::class)); } private static function registerFileReferenceEventListener(): void { @@ -935,29 +963,11 @@ class OC { */ public static function registerShareHooks(\OC\SystemConfig $systemConfig): void { if ($systemConfig->getValue('installed')) { - OC_Hook::connect('OC_User', 'post_deleteUser', Hooks::class, 'post_deleteUser'); - OC_Hook::connect('OC_User', 'post_deleteGroup', Hooks::class, 'post_deleteGroup'); - /** @var IEventDispatcher $dispatcher */ $dispatcher = Server::get(IEventDispatcher::class); - $dispatcher->addServiceListener(UserRemovedEvent::class, \OC\Share20\UserRemovedListener::class); - } - } - - protected static function registerAutoloaderCache(\OC\SystemConfig $systemConfig): void { - // The class loader takes an optional low-latency cache, which MUST be - // namespaced. The instanceid is used for namespacing, but might be - // unavailable at this point. Furthermore, it might not be possible to - // generate an instanceid via \OC_Util::getInstanceId() because the - // config file may not be writable. As such, we only register a class - // loader cache if instanceid is available without trying to create one. - $instanceId = $systemConfig->getValue('instanceid', null); - if ($instanceId) { - try { - $memcacheFactory = Server::get(\OCP\ICacheFactory::class); - self::$loader->setMemoryCache($memcacheFactory->createLocal('Autoloader')); - } catch (\Exception $ex) { - } + $dispatcher->addServiceListener(UserRemovedEvent::class, UserRemovedListener::class); + $dispatcher->addServiceListener(GroupDeletedEvent::class, GroupDeletedListener::class); + $dispatcher->addServiceListener(UserDeletedEvent::class, UserDeletedListener::class); } } @@ -971,21 +981,13 @@ class OC { // Check if Nextcloud is installed or in maintenance (update) mode if (!$systemConfig->getValue('installed', false)) { \OC::$server->getSession()->clear(); - $setupHelper = new OC\Setup( - $systemConfig, - Server::get(\bantu\IniGetWrapper\IniGetWrapper::class), - Server::get(\OCP\L10N\IFactory::class)->get('lib'), - Server::get(\OCP\Defaults::class), - Server::get(\Psr\Log\LoggerInterface::class), - Server::get(\OCP\Security\ISecureRandom::class), - Server::get(\OC\Installer::class) - ); - $controller = new OC\Core\Controller\SetupController($setupHelper); + $controller = Server::get(\OC\Core\Controller\SetupController::class); $controller->run($_POST); exit(); } $request = Server::get(IRequest::class); + $request->throwDecodingExceptionIfAny(); $requestPath = $request->getRawPathInfo(); if ($requestPath === '/heartbeat') { return; @@ -997,55 +999,63 @@ class OC { if (function_exists('opcache_reset')) { opcache_reset(); } - if (!((bool) $systemConfig->getValue('maintenance', false))) { + if (!((bool)$systemConfig->getValue('maintenance', false))) { self::printUpgradePage($systemConfig); exit(); } } } - // emergency app disabling - if ($requestPath === '/disableapp' - && $request->getMethod() === 'POST' - ) { - \OC_JSON::callCheck(); - \OC_JSON::checkAdminUser(); - $appIds = (array)$request->getParam('appid'); - foreach ($appIds as $appId) { - $appId = \OC_App::cleanAppId($appId); - Server::get(\OCP\App\IAppManager::class)->disableApp($appId); - } - \OC_JSON::success(); - exit(); - } + $appManager = Server::get(\OCP\App\IAppManager::class); // Always load authentication apps - OC_App::loadApps(['authentication']); + $appManager->loadApps(['authentication']); + $appManager->loadApps(['extended_authentication']); // Load minimum set of apps if (!\OCP\Util::needUpgrade() - && !((bool) $systemConfig->getValue('maintenance', false))) { + && !((bool)$systemConfig->getValue('maintenance', false))) { // For logged-in users: Load everything if (Server::get(IUserSession::class)->isLoggedIn()) { - OC_App::loadApps(); + $appManager->loadApps(); } else { // For guests: Load only filesystem and logging - OC_App::loadApps(['filesystem', 'logging']); + $appManager->loadApps(['filesystem', 'logging']); // Don't try to login when a client is trying to get a OAuth token. // OAuth needs to support basic auth too, so the login is not valid // inside Nextcloud and the Login exception would ruin it. if ($request->getRawPathInfo() !== '/apps/oauth2/api/v1/token') { - self::handleLogin($request); + try { + self::handleLogin($request); + } catch (DisabledUserException $e) { + // Disabled users would not be seen as logged in and + // trying to log them in would fail, so the login + // exception is ignored for the themed stylesheets and + // images. + if ($request->getRawPathInfo() !== '/apps/theming/theme/default.css' + && $request->getRawPathInfo() !== '/apps/theming/theme/light.css' + && $request->getRawPathInfo() !== '/apps/theming/theme/dark.css' + && $request->getRawPathInfo() !== '/apps/theming/theme/light-highcontrast.css' + && $request->getRawPathInfo() !== '/apps/theming/theme/dark-highcontrast.css' + && $request->getRawPathInfo() !== '/apps/theming/theme/opendyslexic.css' + && $request->getRawPathInfo() !== '/apps/theming/image/background' + && $request->getRawPathInfo() !== '/apps/theming/image/logo' + && $request->getRawPathInfo() !== '/apps/theming/image/logoheader' + && !str_starts_with($request->getRawPathInfo(), '/apps/theming/favicon') + && !str_starts_with($request->getRawPathInfo(), '/apps/theming/icon')) { + throw $e; + } + } } } } if (!self::$CLI) { try { - if (!((bool) $systemConfig->getValue('maintenance', false)) && !\OCP\Util::needUpgrade()) { - OC_App::loadApps(['filesystem', 'logging']); - OC_App::loadApps(); + if (!\OCP\Util::needUpgrade()) { + $appManager->loadApps(['filesystem', 'logging']); + $appManager->loadApps(); } Server::get(\OC\Route\Router::class)->match($request->getRawPathInfo()); return; @@ -1097,10 +1107,12 @@ class OC { try { Server::get(\OC\Route\Router::class)->match('/error/404'); } catch (\Exception $e) { - logger('core')->emergency($e->getMessage(), ['exception' => $e]); + if (!$e instanceof MethodNotAllowedException) { + logger('core')->emergency($e->getMessage(), ['exception' => $e]); + } $l = Server::get(\OCP\L10N\IFactory::class)->get('lib'); - OC_Template::printErrorPage( - $l->t('404'), + Server::get(ITemplateManager::class)->printErrorPage( + '404', $l->t('The page could not be found on the server.'), 404 ); @@ -1111,10 +1123,16 @@ class OC { * Check login: apache auth, auth token, basic auth */ public static function handleLogin(OCP\IRequest $request): bool { + if ($request->getHeader('X-Nextcloud-Federation')) { + return false; + } $userSession = Server::get(\OC\User\Session::class); if (OC_User::handleApacheAuth()) { return true; } + if (self::tryAppAPILogin($request)) { + return true; + } if ($userSession->tryTokenLogin($request)) { return true; } @@ -1124,7 +1142,7 @@ class OC { && $userSession->loginWithCookie($_COOKIE['nc_username'], $_COOKIE['nc_token'], $_COOKIE['nc_session_id'])) { return true; } - if ($userSession->tryBasicAuthLogin($request, Server::get(\OC\Security\Bruteforce\Throttler::class))) { + if ($userSession->tryBasicAuthLogin($request, Server::get(IThrottler::class))) { return true; } return false; @@ -1152,6 +1170,22 @@ class OC { } } } + + protected static function tryAppAPILogin(OCP\IRequest $request): bool { + if (!$request->getHeader('AUTHORIZATION-APP-API')) { + return false; + } + $appManager = Server::get(OCP\App\IAppManager::class); + if (!$appManager->isEnabledForAnyone('app_api')) { + return false; + } + try { + $appAPIService = Server::get(OCA\AppAPI\Service\AppAPIService::class); + return $appAPIService->validateExAppRequestToNC($request); + } catch (\Psr\Container\NotFoundExceptionInterface|\Psr\Container\ContainerExceptionInterface $e) { + return false; + } + } } OC::init(); |