path: root/lib/private/Security
Commit message | Author | Age | Files | Lines
...
* move verification token logic out of lost password controller | Arthur Schiwon | 2021-09-09 | 1 | -0/+111
  - to make it reusable
  - needed for local email verification
  Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* Throw exception if encrypting the data failed. | Daniel Kesselberg | 2021-07-05 | 1 | -6/+16
  Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
* Update php licenses | John Molakvoæ (skjnldsv) | 2021-06-04 | 27 | -44/+20
  Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
* Merge pull request #26626 from J0WI/strict-security | Roeland Jago Douma | 2021-05-18 | 5 | -29/+45
  Make Security module strict
  * Make Security module strict | J0WI | 2021-04-19 | 5 | -29/+45
    Signed-off-by: J0WI <J0WI@users.noreply.github.com>
* Merge pull request #25714 from nextcloud/fix/23197/explicitly_check_hex2bin_input | Morris Jobke | 2021-04-22 | 1 | -3/+19
  Explicitly check hex2bin input
  * Explicitly check hex2bin input | Roeland Jago Douma | 2021-02-18 | 1 | -3/+19
    For #23197
    Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Increase subnet matcher | Lukas Reschke | 2021-04-07 | 1 | -2/+2
  Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Bump nextcloud/coding-standard from 0.3.0 to 0.5.0 | dependabot-preview[bot] | 2021-02-18 | 1 | -1/+1
  Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 0.3.0 to 0.5.0.
  - [Release notes](https://github.com/nextcloud/coding-standard/releases)
  - [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md)
  - [Commits](https://github.com/nextcloud/coding-standard/compare/v0.3.0...v0.5.0)
  Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Remove unneeded casts that were found by Psalm | Morris Jobke | 2021-01-11 | 1 | -2/+2
  In preparation for the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521)
  Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Update all license headers for Nextcloud 21 | Christoph Wurst | 2020-12-16 | 5 | -3/+6
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Avoid checking for brute force protection capabilities when upgrading | Julius Härtl | 2020-12-09 | 1 | -0/+4
  This might happen on a release that doesn't have this table yet
  Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Replace the credentials table with one that can have empty user | Joas Schilling | 2020-11-10 | 1 | -1/+1
  Primary key columns on Oracle can not have empty strings
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Fix comparing the empty string for global credentials | Joas Schilling | 2020-11-10 | 1 | -6/+15
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Don't leave cursors open when tests fail | Joas Schilling | 2020-11-09 | 1 | -1/+4
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Always return the default path if we can | Roeland Jago Douma | 2020-11-03 | 1 | -0/+28
  Just check in the certificate manager. So every part of the system that requests the certificate bundle gets the default one (the 99% case) if we can.
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Improve CertificateManager to not be user context dependent | Morris Jobke | 2020-11-03 | 1 | -51/+15
  * removes the ability for users to import their own certificates (for external storage)
  * reliably returns the same certificate bundles system wide (and not depending on the user context and available sessions)
  The user specific certificates were broken in some cases anyway, as they are only loaded if the specific user is logged in, thus causing unexpected behavior for background jobs and other non-user triggered code paths.
  Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Derive encryption key & MAC key from a single key. | lynn-stephenson | 2020-10-15 | 1 | -7/+15
  Signed-off-by: lynn-stephenson <lynn.stephenson@protonmail.com>
* Limit throttler to 48 hours | Roeland Jago Douma | 2020-10-08 | 1 | -0/+5
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add cleanup job for old bruteforce attempts | Roeland Jago Douma | 2020-10-08 | 1 | -0/+55
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Format code to a single space around binary operators | Christoph Wurst | 2020-10-05 | 2 | -4/+4
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Remove @suppress SqlInjectionChecker | Morris Jobke | 2020-09-16 | 1 | -1/+0
  Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Don't break when the IP is empty | Joas Schilling | 2020-09-10 | 1 | -0/+4
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Update the license headers for Nextcloud 20 | Christoph Wurst | 2020-08-24 | 4 | -1/+6
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix CS | Joas Schilling | 2020-08-19 | 1 | -0/+1
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Correctly return ms delay when at max | Joas Schilling | 2020-08-19 | 1 | -3/+4
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Add missing default | Joas Schilling | 2020-08-19 | 1 | -1/+1
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Simplify array filter | Joas Schilling | 2020-08-19 | 1 | -2/+1
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Fix wrong doc + type hint | Joas Schilling | 2020-08-19 | 1 | -2/+2
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Only throw when also the last 30 mins were attacking | Joas Schilling | 2020-08-19 | 1 | -8/+9
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Make the throttling O(2^n) instead of O(n^n) | Joas Schilling | 2020-08-19 | 1 | -9/+9
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Make Throttler strict | Joas Schilling | 2020-08-19 | 1 | -9/+10
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Split delay calculation from getting the attempts | Joas Schilling | 2020-08-19 | 1 | -5/+17
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Let the database count the entries | Joas Schilling | 2020-08-19 | 1 | -2/+6
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Send "429 Too Many Requests" in case of brute force protection | Joas Schilling | 2020-08-19 | 1 | -1/+21
  Signed-off-by: Joas Schilling <coding@schilljs.com>
* Prefer typed event over string based ones | Morris Jobke | 2020-08-10 | 2 | -2/+2
  Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Merge pull request #20005 from joeried/occ-remove-bruteforce-attempts-by-ip | Morris Jobke | 2020-05-25 | 1 | -6/+29
  Implement occ command to reset bruteforce attempts from a given IP address
  * Fix code style | Morris Jobke | 2020-05-25 | 1 | -1/+1
    Signed-off-by: Morris Jobke <hey@morrisjobke.de>
  * Implement occ command security:bruteforceattemps:reset-for-ip | Johannes Riedel | 2020-03-19 | 1 | -6/+29
    Signed-off-by: Johannes Riedel <joeried@users.noreply.github.com>
* Use random_bytes | Roeland Jago Douma | 2020-05-11 | 1 | -7/+13
  Since we don't care if it is human readable. The code is backwards compatible with the old format.
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Apply Argon2 options for Argon2id hashing as well | MichaIng | 2020-05-01 | 1 | -1/+1
  Signed-off-by: MichaIng <micha@dietpi.com>
* Fix Argon2 options checks | MichaIng | 2020-04-30 | 1 | -10/+5
  The minimum for memory cost is 8 KiB per thread. Threads must be checked and set first to allow checking against the correct memory cost minimum.
  Options are now applied the following way:
  - If config.php contains the setting with an integer higher than or equal to the minimum, it is applied.
  - If config.php contains the setting with an integer lower than the minimum, the minimum is applied.
  - If config.php does not contain the setting or contains no integer value, the PHP default is applied.
  Signed-off-by: MichaIng <micha@dietpi.com>
  Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Update license headers for 19 | Christoph Wurst | 2020-04-29 | 15 | -1/+16
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* fix credentialsManager documentation and ensure userId is used as a string | Arthur Schiwon | 2020-04-15 | 1 | -6/+6
  Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
* Add visibility to all constants | Christoph Wurst | 2020-04-10 | 2 | -2/+2
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Format control structures, classes, methods and functions | Christoph Wurst | 2020-04-10 | 18 | -46/+37
  To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is practically standard for our code. This also removes any empty lines from method/function bodies at the beginning and end.
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Use elseif instead of else if | Christoph Wurst | 2020-04-10 | 1 | -1/+1
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Unify function spacing to PSR2 recommendation | Christoph Wurst | 2020-04-09 | 2 | -2/+2
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Use exactly one empty line after the namespace declaration | Christoph Wurst | 2020-04-09 | 1 | -0/+1
  For PSR2
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix (array) indent style to always use one tab | Christoph Wurst | 2020-04-09 | 1 | -4/+4
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>