| Commit message (Collapse) | Author | Age | Files | Lines |
PHP will handle session cookies with an empty value as an E_WARNING error. ([php/#68063](https://bugs.php.net/bug.php?id=68063))
ownCloud sets the cookie to an empty value in case the session expires, it however after this starts a new session. Due to potential race conditions this can in unlikely cases lead to the fact that the session never gets restarted and the user is left with an empty cookie. PHP tries then to use the empty cookie which makes the instance not usable.
To work around any race condition we now tell PHP to explicitly delete the value which can be done by using `null` as value; PHP will then send a cookie with the value "deleted". Also the expiration has been set to -1.
|
reduce calls of \OCP\Util::needUpgrade()
where \OCP\Util::needUpgrade() is called we can call as well
self::checkUpgrade and use the cached result
In line 877 the call was unnecessary anyway because of the first part of
the if statement
move caching to \OCP\Util::needUpgrade
renaming variable
fixing testNeedUpgradeCore()
cache result of checkUpgrade() in self::$needUpgrade
reduce calls of \OCP\Util::needUpgrade()
where \OCP\Util::needUpgrade() is called we can call as well
self::checkUpgrade and use the cached result
In line 877 the call was unnecessary anyway because of the first part of
the if statement
move caching to \OCP\Util::needUpgrade
renaming variable
fixing testNeedUpgradeCore()
fix typo in variable name
deleting tabs
|
[jenkins] do not load unnecessary code in case of webdav
|
changing from "protected static" to "protected"
as suggested by @nickvergessen
https://github.com/owncloud/core/pull/19114#discussion_r39719851
moving initTemplate() into template constr.
reduce to move initTemplate only
cleanup spaces
|
fix issue with version rollback and thumbnails
|
add random number using OC.parseQueryString and _.extend()
version rollback: add missing prefix to OC\Preview::post_delete
add test to assure that the rollback hook is called
|
that I noticed while looking at some code.
|
Remove get_temp_dir()
|
Given the fact that "/tests" is not shipped by default and this has broken some applications and frustrated quite some people we should add "/tests" to the default allowed autoloading set.
I do consider the security impact marginal since the /tests folder is not shipped within the release as well as usually has a hard requirement on being called by phpunit.
|
Configurable temporary directory
|
fix for unit test
some fixes
|
reuse existing $systemConfig variable
|
* fixes #18801
|
* introduces config.php option 'debug' that defaults to false
* migrate DEBUG constant to config value
|
Add a session wrapper to encrypt the data before storing it on disk
|
Add mitigation against BREACH
|
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:
1. Application must support HTTP compression
2. Response must reflect user-controlled input
3. Response should contain sensitive data
Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.
To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
|
Display app names in update page for app updates
|
Apps to update and to disable will always be shown.
Main title changes only when apps need updated, not core.
Added bullet style.
Exclude incompatible apps from updated apps list.
|
Whenever the update page is displayed for apps, show app names instead
of the core update text.
|
- less static calls
- use params on sql queries
- handle sql exception on database and user creation gracefully
|
Replace jQuery tipsy with bootstrap tooltip
|
[sharing] fix addToGroup hook
|
targets before the user was added to the group otherwise we will always detect
a name collision
|
This makes it possible to retrieve the icon for mimetypes in javascript.
It makes no additional queries to the server to retrieve the mimetype.
* config/mimetypealiases.json added
* mimetype.js: this is where the logic resides to convert from mimetype
to icon url
* mimetypelist.js: generated file with a list of mimetype mapping (aliases)
and the list of icon files
* ./occ maintenance:mimetypesjs : new command for occ to generate
mimetypes.js
* unit tests updated and still work
* javascript tests added
* theming support
* folder of the theme is now present in javascript (OC.theme.folder)
|
Just log the exception instead of preventing access to OC.
|
Drop file caching
|
gets renamed/restored, as long as we
are in the storage wrapper the file cache isn't up-to-date
|
Fixes https://github.com/owncloud/core/issues/16014
|