| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
* Also moved the autoloader setup a bit up since we need it in initpaths
|
| |
|
|
| |
Testable code. Yay.
|
| |
|
|
| |
Signed-off-by: Stefan Weil <sw@weilnetz.de>
|
| | |
|
| |
|
|
|
|
| |
There are authentication backends such as Shibboleth that do send no Basic Auth credentials for DAV requests. This means that the ownCloud DAV backend would consider these requests coming from an untrusted source and require higher levels of security checks. (e.g. a CSRF check)
While an elegant solution would rely on authenticating via token (so that one can properly ensure that the request came indeed from a trusted client) this is a okay'ish workaround for this problem until we have something more reliable in the authentication code.
|
| |
|
|
|
|
|
| |
* Added proper @property tags
* RunTimeException => RuntimeException
Makes code analyzers happier
|
| |
|
|
| |
This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This makes it work better with old version of Nginx.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |\
| |
| | |
Prevent warning decoding content
|
| | | |
|
| |\ \
| | |
| | | |
Use `/` if installed in main folder
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Otherwise an empty string is used indicating the cookie is only valid for those resources. This can lead to eunexpected behaviour.
Fixes https://github.com/owncloud/core/issues/19196
|
| |/ /
| |
| |
| |
| |
| | |
Only allow valid HTTP protocols.
Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119
|
| | | |
|
| | | |
|
| |/ |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:
1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data
Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.
To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
|
| | |
|
| |
|
|
| |
Ref https://bugs.php.net/bug.php?id=66773
|
| | |
|
| | |
|
| |\
| |
| | |
Fix undefined offset
|
| | |
| |
| |
| | |
There are cases where no trusted host is specified such as when installing the instance, this lead to an undefined offset warning in the log right after installing. (when another domain than localhost or 127.0.0.1 was used)
|
| |/ |
|
| |\
| |
| | |
Fix visibility of interfaces in \OCP
|
| | | |
|
| |/
|
|
|
| |
* should make scrutinizer a lot more happy
* reduces maybe memory footprint
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Doing this in the PHP code is not the right approach for multiple reasons:
1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.
This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First stab at the StreamResponse, see #12988
The idea is to use an interface ICallbackResponse (I'm not 100% happy with the name yet, suggestions?) that allow the response to output things in its own way, for instance stream the file using readfile
Unittests are atm lacking, plan is to
check if a mock of ICallbackResponse will be used by calling its callback (also unhappy with this name) method
Usage is:
$response = new StreamResponse('path/to/file');
rename io to output, add additional methods and handle error and not modified cases when using StreamResponse
fix indention and uppercasing, also handle forbidden cases
fix indention
fix indention
no forbidden, figuring out if a file is really readable is too complicated to get to work across OSes and streams
remove useless import
remove useless import
fix intendation
|
| |
|
|
| |
This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
|
| |\
| |
| | |
Get the real protocol behind several proxies
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
X-Forwarded-Proto contains a list of protocols if ownCloud is behind multiple reverse proxies.
This is a revival of https://github.com/owncloud/core/pull/11157 using the new IRequest public API.
|
| |\ \
| |/
|/| |
Sabre Update to 2.1
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- VObject fixes for Sabre\VObject 3.3
- Remove VObject property workarounds
- Added prefetching for tags in sabre tags plugin
- Moved oc_properties logic to separate PropertyStorage backend (WIP)
- Fixed Sabre connector namespaces
- Improved files plugin to handle props on-demand
- Moved allowed props from server class to files plugin
- Fixed tags caching for files that are known to have no tags
(less queries)
- Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin
- Replace OC\Connector\Sabre\Request with direct call to
httpRequest->setUrl()
- Fix exception detection in DAV client when using Sabre\DAV\Client
- Added setETag() on Node instead of using the static FileSystem
- Also preload tags/props when depth is infinity
|
| |/ |
|
| | |
|
| | |
|
| | |
|
| | |
|
