aboutsummaryrefslogtreecommitdiffstats
path: root/core/js/setupchecks.js
Commit message (Collapse)AuthorAgeFilesLines
* Use 6 months as SSL STS header thresholdMorris Jobke2016-04-131-1/+1
| | | | | | * this uses 6 months (6 * 30 * 24 * 60 * 60 = 15552000) * old value was half a year (365 / 2 * 24 * 60 * 60 = 15768000) * fixes #23957
* Consistently use rel=noreferrerLukas Reschke2016-03-201-8/+8
| | | | When linking to external entities we should consistently use rel=noreferrer
* Adjust wording a bitLukas Reschke2016-03-111-1/+1
| | | | | | | | | | **Before:** > Your PHP version (5.4.16) is no longer supported by PHP. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by PHP. **After:** > You are currently running PHP 5.4.0. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by the PHP Group as soon as your distribution supports it. Fixes https://github.com/owncloud/enterprise/issues/1170
* Fix error ins source language stringsThomas Müller2016-02-191-1/+1
| | | | | https://www.transifex.com/owncloud-org/owncloud/translate/#en_GB/core/50786279 https://www.transifex.com/owncloud-org/owncloud/translate/#en_GB/settings-1/50555028
* Add handler for global ajax errorsVincent Petry2016-02-151-3/+6
|
* Add check for contentLukas Reschke2016-02-041-1/+1
| | | | | | The response may be a redirect which is always followed by jQuery. Thus leading to false positives depending on the server configuration (e.g. when it issues a 302) To prevent that there is also a check performed on the response content.
* Move data protection check to javascriptVincent Chan2016-02-011-7/+24
| | | | fixes #20199
* Merge pull request #21630 from owncloud/add-some-security-headers-as-hardeningThomas Müller2016-01-131-1/+3
|\ | | | | Add X-Download-Options and X-Permitted-Cross-Domain-Policies
| * Add X-Download-Options and X-Permitted-Cross-Domain-PoliciesLukas Reschke2016-01-121-1/+3
| | | | | | | | Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
* | Merge pull request #21640 from owncloud/add-config-to-disable-wellknown-checkThomas Müller2016-01-121-1/+7
|\ \ | | | | | | Add config switch to disable the .well-known URL check
| * | Add config switch to disable the .well-known URL checkMorris Jobke2016-01-121-1/+7
| |/
* / Show the well-known URL check as info instead of errorMorris Jobke2016-01-121-1/+1
|/ | | | * ref https://github.com/owncloud/core/pull/21562#issuecomment-170344549
* Add check for .well-known URL in the root of the webservers URLMorris Jobke2016-01-081-0/+29
| | | | * fixes #20012
* add _blank to hrefRenaud Fortier2015-12-211-6/+6
|
* Add code integrity checkLukas Reschke2015-12-011-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
* [admin] check for correct PHP memcached moduleMorris Jobke2015-10-061-0/+6
|
* Move remaining setupchecks to new fomatRoeland Jago Douma2015-08-181-6/+8
|
* Merge pull request #17975 from owncloud/settings_admin_warning_levelsJan-Christoph Borchardt2015-08-181-28/+54
|\ | | | | Settings admin warning levels
| * All setup messages are now properly typesRoeland Jago Douma2015-07-301-26/+45
| |
| * Allow setupchecks to specify a warning levelRoeland Jago Douma2015-07-301-3/+10
| |
* | Add setup check for reverse proxy header configurationRobin McCorkell2015-08-101-0/+5
| |
* | Display warning in security & setup warnings if php version is EOLRoeland Jago Douma2015-07-291-0/+5
|/
* Detect old NSS and OpenSSL versionsLukas Reschke2015-07-281-0/+3
| | | | | | This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
* Align recommended settingsLukas Reschke2015-06-151-4/+5
| | | | | | This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well. Fixes https://github.com/owncloud/core/issues/16673
* Add check for availability of /dev/urandomLukas Reschke2015-05-261-0/+5
| | | | | | | | | | | | | | | Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour. One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention.
* Remove hardcoded link to performance docsJoas Schilling2015-04-071-1/+1
|
* Add check for activated local memcacheLukas Reschke2015-03-281-0/+5
| | | | | | Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
* Add some generic default headers as well via PHPLukas Reschke2015-03-261-2/+2
|
* Let users configure security headers in their WebserverLukas Reschke2015-03-021-1/+95
| | | | | | | | | | Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
* Update setupchecks.jscmeh2015-02-161-1/+1
| | | Changed *"won't work"* to "will not work" (as proposed by @DeepDiver1975).
* Message clean-upcmeh2015-02-161-3/+3
| | | | | | | | | *Changes:* * "… is not yet properly setup" in line 24 is changed to " … is not yet set up properly" (better word order and space in the middle of "set up", as it is a participle of the verb "to set up"). * "internet" is corrected to "Internet" with a capitalized "I" in lines 54 and 59. * Also in line 54: "3rd party" is changed to "third-party" to for a more coherent spelling across the different ownCloud components. * "… apps don´t work" is corrected to "… apps won't work" (with a proper (and hopefully correctly escaped) (apostrophe)[http://en.wikipedia.org/wiki/Apostrophe#Typographic_form] instead of the (acute accent)[http://en.wikipedia.org/wiki/Acute_accent]). * Still in line 54: The negation is corrected from "… might also not work" to "… might not work, either".
* Check for working .htaccess via AJAXLukas Reschke2014-12-061-1/+6
| | | | Fixes https://github.com/owncloud/core/issues/12650
* Moved WebDAV and internet checks to client side JSVincent Petry2014-09-231-0/+71
- Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-07 18:25:28 +0000