Commit message | Author | Age | Files | Lines
Add Psalm Taint Flow Analysis | Lukas Reschke | 2020-11-20 | 4 | -0/+91
    This adds the Psalm Security Analysis, as described at
    https://psalm.dev/docs/security_analysis/

    It also adds a plugin for adding input into AppFramework.

    The results can be viewed in the GitHub Security tab at
    https://github.com/nextcloud/server/security/code-scanning

    **Q&A:**

    Q: Why do you not use the shipped Psalm version?
    A: I do a lot of changes to the Psalm Taint behaviour. Using released versions is not gonna get us the results we want.

    Q: How do I improve false positives?
    A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/

    Q: How do I add custom sources?
    A: https://psalm.dev/docs/security_analysis/custom_taint_sources/

    Q: We should run this on apps!
    A: Yes.

    Q: What will change in Psalm?
    A: Quite some of the PHP core functions are not yet marked to propagate the taint. This leads to results where the taint flow is lost. That's something that I am currently working on.

    Q: Why is the plugin MIT licensed?
    A: Because it's the first of its kind (based on GitHub Code Search) and I want other people to copy it if they want to. Security is for all :)

    Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Merge pull request #24241 from nextcloud/enh/harden_EncryptionLegacyCipher_repair | Roeland Jago Douma | 2020-11-20 | 2 | -0/+8
    Harden EncryptionLegacyCipher a bit
Harden EncryptionLegacyCipher a bit | Roeland Jago Douma | 2020-11-20 | 2 | -0/+8
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Merge pull request #24243 from nextcloud/techdebt/composer-require-libxml | Roeland Jago Douma | 2020-11-20 | 2 | -4/+8
    Require libxml in composer
Require xmlreader via composer | Christoph Wurst | 2020-11-20 | 2 | -4/+6
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Require libxml in composer | Christoph Wurst | 2020-11-20 | 2 | -1/+3
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Merge pull request #24234 from nextcloud/dependabot/composer/vimeo/psalm-4.2.0 | Roeland Jago Douma | 2020-11-20 | 2 | -95/+42
    Bump vimeo/psalm from 4.1.1 to 4.2.0
Bump vimeo/psalm from 4.1.1 to 4.2.0 | dependabot-preview[bot] | 2020-11-20 | 2 | -132/+43
    Bumps [vimeo/psalm](https://github.com/vimeo/psalm) from 4.1.1 to 4.2.0.
    - [Release notes](https://github.com/vimeo/psalm/releases)
    - [Commits](https://github.com/vimeo/psalm/compare/4.1.1...4.2.0)

    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Merge pull request #24235 from nextcloud-pr-bot/automated/noid/psalm-baseline-update | Roeland Jago Douma | 2020-11-20 | 1 | -37/+1
    [Automated] Update psalm-baseline.xml
Update psalm baseline | Nextcloud-PR-Bot | 2020-11-20 | 1 | -37/+1
    Signed-off-by: GitHub <noreply@github.com>
[tx-robot] updated from transifex | Nextcloud bot | 2020-11-20 | 6 | -10/+10
Merge pull request #24017 from nextcloud/enh/share_expiration | Morris Jobke | 2020-11-19 | 2 | -25/+43
    Make the expire shares cron job actually expire the shares
Make the expire shares cron job actually expire the shares | Roeland Jago Douma | 2020-11-19 | 2 | -25/+43
    Right now we just delete the shares from the DB. Which is efficient, sure.
    But it doesn't trigger any real cleanup. So no Admin audit entries or any
    other post processing is done.

    This makes sure we really trigger this.

    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Merge pull request #24203 from nextcloud/enh/search_regex_file_shares | Morris Jobke | 2020-11-19 | 1 | -0/+16
    Use regex when searching on single file shares
Limit shared cache search if it is just a file | Roeland Jago Douma | 2020-11-19 | 1 | -0/+16
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Merge pull request #24211 from nextcloud/bugfix/noid/theming-image | Morris Jobke | 2020-11-19 | 1 | -4/+5
    Fix setting images through occ for theming
Fix setting images through occ for theming | Julius Härtl | 2020-11-19 | 1 | -4/+5
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
Merge pull request #24007 from nextcloud/select-distinct-multiple | Morris Jobke | 2020-11-19 | 2 | -1/+45
    allow selecting multiple columns with SELECT DISTINCT
allow selecting multiple columns with SELECT DISTINCT | Robin Appelman | 2020-11-16 | 2 | -1/+45
    Signed-off-by: Robin Appelman <robin@icewind.nl>
Merge pull request #24103 from nextcloud/bugfix/noid/groupfolder-share-object-storage | Morris Jobke | 2020-11-19 | 1 | -1/+1
    Only check path for being accessible when the storage is an object home
Only check path for being accessible when the storage is an object home | Julius Härtl | 2020-11-13 | 1 | -1/+1
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
Merge pull request #24164 from nextcloud/fix/lazy-app-registration | Morris Jobke | 2020-11-19 | 4 | -14/+26
    Allow lazy app registration
Allow lazy app registration | Christoph Wurst | 2020-11-18 | 4 | -14/+26
    During app installation we run migration steps. Those steps may use
    services the app registers or classes from composer. Hence we have to
    make sure the app runs through the registration.

    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Merge pull request #24094 from nextcloud/bugfix/noid/trash-appdata | Morris Jobke | 2020-11-19 | 1 | -1/+1
    Only attempt to move to trash if a file is not in appdata
Only attempt to move to trash if a file is not in appdata | Julius Härtl | 2020-11-13 | 1 | -1/+1
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
Merge pull request #24225 from nextcloud/enh/dataresponse_typehints | Morris Jobke | 2020-11-19 | 1 | -4/+4
    Fix DataResponse typehints
Fix DataResponse typehints | Roeland Jago Douma | 2020-11-19 | 1 | -4/+4
    We use this already in several places where we just pass strings or
    numbers. This all works because we just convert it to a json response in
    the end. So better to have the typehints reflect this.

    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Merge pull request #24135 from medical-cloud/fix/23357-nextcloud-logo-in-email-notifications-is-misaligned-in-version-20 | Roeland Jago Douma | 2020-11-19 | 5 | -14/+14
    Fix nextcloud logo in email notifications misalignment
Fix #23357 | medcloud | 2020-11-18 | 5 | -14/+14
    Signed-off-by: medcloud <42641918+medcloud@users.noreply.github.com>
Merge pull request #24207 from nextcloud/bugfix/noid/missing-level-psrlogged | Christoph Wurst | 2020-11-19 | 1 | -0/+1
    missing level in ScopedPsrLogger
missing level | Maxence Lange | 2020-11-18 | 1 | -0/+1
    Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
[tx-robot] updated from transifex | Nextcloud bot | 2020-11-19 | 18 | -32/+664
Merge pull request #24189 from nextcloud/enh/csp/frame-ancestors | Roeland Jago Douma | 2020-11-18 | 6 | -61/+63
    Set frame-ancestors to none if none are filled
Set frame-ancestors to none if none are filled | Roeland Jago Douma | 2020-11-18 | 6 | -61/+63
    frame-ancestors doesn't fall back to default-src. So when we apply a very
    restricted CSP we should make sure to set it to 'none' and not leave it
    empty.

    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Merge pull request #24198 from nextcloud/bugfix/noid/no-fs-setup-dashboard | Roeland Jago Douma | 2020-11-18 | 1 | -20/+38
    Only setup filesystem if needed for dashboard background service
Only setup filesystem if needed for dashboard background service | Julius Härtl | 2020-11-18 | 1 | -20/+38
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
Merge pull request #24186 from nextcloud/enh/password_to_post | Christoph Wurst | 2020-11-18 | 1 | -1/+1
    Move the password fields of changing passwords to post
Move the password fields of changing passwords to post | Roeland Jago Douma | 2020-11-17 | 1 | -1/+1
    * This is not actually used with GET (obviously). But else some scanners
      trip on it

    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
[tx-robot] updated from transifex | Nextcloud bot | 2020-11-18 | 20 | -4/+350
Merge pull request #21716 from nextcloud/td/remove/irouter_cleanup | Roeland Jago Douma | 2020-11-17 | 8 | -95/+17
    Remove some IRouter methods
Remove some IRouter methods | Roeland Jago Douma | 2020-11-17 | 8 | -95/+17
    This is not the end. IRouter needs to burn. But it is a start.

    🎵 we didn't start the fire 🎵

    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Merge pull request #24188 from nextcloud/enh/password_external_post | Roeland Jago Douma | 2020-11-17 | 1 | -1/+1
    Move the global password for files external to post
Move the global password for files external to post | Roeland Jago Douma | 2020-11-17 | 1 | -1/+1
    Again more false positives in some scanners

    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Merge pull request #24192 from nextcloud/dependachristoph/npm_and_yarn/jquery-3.3 | Julius Härtl | 2020-11-17 | 12 | -18/+18
    Bump jquery from 3.2 to 3.3
Bump jquery from 3.2 to 3.3 | Christoph Wurst | 2020-11-17 | 12 | -18/+18
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Merge pull request #24179 from nextcloud/dependachristoph/npm_and_yarn/jquery-3.2 | Christoph Wurst | 2020-11-17 | 12 | -18/+18
    Bump jquery from 3.1 to 3.2
Bump jquery from 3.1 to 3.2 | Christoph Wurst | 2020-11-17 | 12 | -18/+18
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Merge pull request #24102 from nextcloud/bugfix/noid/quota-upload | Christoph Wurst | 2020-11-17 | 9 | -7/+30
    Check quota of subdirectories when uploading to them
Check for target folder available quota when uploading | Julius Härtl | 2020-11-17 | 7 | -7/+21
    Signed-off-by: Julius Härtl <jus@bitgrid.net>
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
Fetch quota with files propfind | Julius Härtl | 2020-11-17 | 2 | -0/+9
    Signed-off-by: Julius Härtl <jus@bitgrid.net>