| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| | |
Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
|
| |
| |
| | |
:cry: Seems like Apache is inconsistent fun between versions. Let's remove it thus for now.
|
| | |
|
| |
| |
| |
| | |
Some httpd versions have problem with the old logic leading to resourced served with multiple headers.
|
|\ \
| | |
| | | |
Do not rewrite letsencrypt .well-known URI
|
| |\ \ |
|
| | | | |
|
| |\ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | | |
See https://letsencrypt.readthedocs.org/en/latest/using.html#webroot
|
| |_|/ /
|/| | | |
|
|\ \ \ \
| | | | |
| | | | |
| | | | |
| | | | | |
owncloud/proper-htaccess-support-in-code-signing-checker
Also run .htaccess routine when installing on another system than Apache
|
| | |/ /
| |/| |
| | | |
| | | | |
This can now be achieved using the new code signing.
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When `DirectorySlash off` is set then Apache will not lookup folders anymore. This is required for example when we use the rewrite directives on an existing path such as `/core/search`. By default Apache would load `/core/search/` instead `/core/search` so the redirect would fail here.
This leads however to the problem that URLs such as `localhost/owncloud` would not load anymore while `localhost/owncloud/` would. This has caused problems such as https://github.com/owncloud/core/pull/21015
With this change we add the `DirectorySlash off` directive only when the `.htaccess` is writable to the dynamic part of it. This would also make `localhost/owncloud` work again as it would trigger the 404 directive which triggers the redirect in base.php.
|
| | |
| | |
| | |
| | | |
Makes `/core/img/favicon.ico` accessible again via web.
|
|/ /
| |
| |
| | |
Fixes https://github.com/owncloud/core/issues/16164
|
| | |
|
| | |
|
| |
| |
| |
| | |
Required for routes that might otherwise collide with existing folders on the system
|
| |
| |
| |
| | |
mod_rewrite as used by the front controller may require a `RewriteBase` in case the installation is done using an alias. Since we cannot enforce a writable `.htaccess` file this will move the `front_controller_active` environment variable into the main .htaccess file. If administrators decide to have this one not writable they can still enable this feature by setting the `front_controller_active` environment variable within the Apache config.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This changeset allows ownCloud to run with pretty URLs, they will be used if mod_rewrite and mod_env are available. This means basically that the `index.php` in the URL is not shown to the user anymore.
Also the not deprecated functions to generate URLs have been modified to support this behaviour, old functions such as `filePath` will still behave as before for compatibility reasons.
Examples:
http://localhost/owncloud/index.php/s/AIDyKbxiRZWAAjP => http://localhost/owncloud/s/AIDyKbxiRZWAAjP
http://localhost/owncloud/index.php/apps/files/ => http://localhost/owncloud/apps/files/
Due to the way our CSS and JS is structured the .htaccess uses some hacks for the final result but could be worse... And I was just annoyed by all that users crying for the removal of `index.php` ;-)
|
| |
| |
| |
| | |
This reverts commit 68321efd29184fbc1bef409ec41f9b38501116ef.
|
| |
| |
| |
| | |
This reverts commit d831c255ea726b8e8aaa0b3c1a8186808b82f73e.
|
|/ |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
.htaccess RewriteRules: use permanent redirect for .well-known/(cal|card)dav, add 'L' flag
|
| | |
|
|/ |
|
|
|
|
|
|
|
|
|
|
| |
Doing this in the PHP code is not the right approach for multiple reasons:
1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.
This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
|
| |
|
| |
|
|
|
|
|
|
| |
Apparently a boolean in php.ini is according to the documentation "on" or "off"…
Fixes itself.
|
| |
|
| |
|
|
|
|
| |
Fixes https://github.com/owncloud/core/issues/13657
|
|
|
|
|
|
| |
PHP 5.6 otherwise throws notices for perfectly valid code which results in broken endpoints.
Fixes https://github.com/owncloud/core/issues/13592
|
|
|
|
|
|
|
|
|
| |
Currently if a user does not replace the .htaccess file with the new update this can lead to serious problems in case Apache is used as webserver.
This commit adds the version to the .htaccess file and the update routine fails in case not the newest version is specified in there. This obviously means that every release has to update the version specified in .htaccess as well. But I see no better solution for it.
Conflicts:
lib/private/updater.php
|
| |
|
| |
|
|
|
| |
use mod_rewrite to pretend theese files are not existend for security purposes
|
| |
|
|
|
|
| |
https://github.com/owncloud/core/commit/f2fc214ce0455ce9a9def36bd09285e82b5eabec
|
|
|
|
|
|
| |
This functions are deprecated and/or removed since ownCloud 7. Additionally a issubdirectory check has been added here to prevent developers to use this function in a potentially insecure way.
Port of https://github.com/owncloud/core/pull/9033
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The getfile routing code was absolutely legacy and not needed anymore. Additionally \OC::$REQUESTEDAPP was never set to the actually accessed application.
This commit removes the legacy routing code and ensures that $REQUESTEDAPP is always set so that other applications (e.g. the firewall or a two-factor authentication) can intercept the currently accessed app.
Testplan:
[x] Installation works
[x] Login with DB works
[x] Logout works
[x] Login with alternate backend works (tested with user_webdavauth)
[x] Other apps are accessible
[x] Redirect on login works (e.g. index.php?redirect_url=%2Fcore%2Findex.php%2Fsettings%2Fapps%3Finstalled)
[x] Personal settings are accessible
[x] Admin settings are accessible
[x] Sharing files works
[x] DAV works
[x] OC::$REQUESTEDAPP contains the requested application and can be intercepted by other applications
|
| |
|
| |
|
|
|
|
|
| |
1. We're maintaining the same code twice which leads inevitably to problems as this one. The createHtaccess routine is only used to use the correct paths to the 404 and 403 document.
2. Updating the ownCloud instance as described in our documentation (`Delete everything from your ownCloud installation directory, except data and config.`) will break the links to the ErrorDocuments anyways and show the default error handlers if ownCloud is not installed in the root directory.
|