Commit messages
* Also moved the autoloader setup a bit up since we need it in initpaths
Testable code. Yay.
First step on getting the authorisation stuff cleaned up. This is only for the login form, all other stuff is still where it is.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
There are authentication backends such as Shibboleth that send no Basic Auth credentials for DAV requests. This means that the ownCloud DAV backend would consider these requests as coming from an untrusted source and require higher levels of security checks (e.g. a CSRF check).
While an elegant solution would rely on authenticating via token (so that one can properly ensure that the request did indeed come from a trusted client), this is an okay-ish workaround for this problem until we have something more reliable in the authentication code.
* Added proper @property tags
* RunTimeException => RuntimeException
Makes code analyzers happier
Probably nice for the people that contributed to 9.0 to see themselves in the AUTHORS file :)
defaults
Allows injecting something into the default content policy. This is for
example useful when you're injecting JavaScript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.
To use this from your `app.php`, use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`;
`$policy` has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.
To test this, add something like the following into an `app.php` of any enabled app:
```
// Three separate policies registered from one app.php; the manager merges
// every registered policy into the AppFramework default policy.
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');
$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
// A second policy only touching font-src.
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);
// A third policy adding another frame-src entry next to 'asdf'.
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```
If you now open the files app, the policy should be:
```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
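The header above is what the merged default policy should look like; the quickest way to confirm that each `addDefaultPolicy()` call actually landed is to parse the emitted header and check the sources per directive. The following is an added example (not ownCloud code): a small CSP parser plus a checker run against the header quoted in the commit message. The expectations are derived from the three policies registered above; the check for `'unsafe-eval'` documents that the AppFramework default still carries it in `script-src`, since nothing in the example removes it. The fallback to `default-src` is a simplification of the CSP fallback chain (e.g. `frame-src` really falls back via `child-src`).

```php
<?php
declare(strict_types=1);

/**
 * Parse a Content-Security-Policy header value into directive => list of sources.
 * Added illustration for checking the header produced by addDefaultPolicy();
 * not ownCloud code.
 */
function parseCsp(string $header): array
{
    $policy = [];
    foreach (explode(';', $header) as $directive) {
        $directive = trim($directive);
        if ($directive === '') {
            continue;
        }
        $tokens = preg_split('/\s+/', $directive);
        $name = strtolower(array_shift($tokens));
        $policy[$name] = $tokens;
    }
    return $policy;
}

/**
 * Does $directive allow $source? Absent directives fall back to default-src
 * (simplified: the real fallback chain has intermediate directives such as child-src).
 */
function cspAllows(array $policy, string $directive, string $source): bool
{
    $sources = $policy[$directive] ?? $policy['default-src'] ?? [];
    return in_array($source, $sources, true);
}

// Header copied from the commit message above (a constructed fixture, not fetched from a server).
$header = "default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';"
        . "img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';"
        . "frame-src asdf banana.com 'self'";

$policy = parseCsp($header);

// [directive, source, expected] derived from the three policies registered in app.php.
$checks = [
    ['frame-src',  'asdf',             true],   // first policy
    ['script-src', 'yolo.com',         true],   // first policy
    ['font-src',   'yolo.com',         true],   // second policy
    ['frame-src',  'banana.com',       true],   // third policy, merged next to 'asdf'
    ['script-src', "'unsafe-inline'",  false],  // allowInlineScript(false): must stay absent
    ['script-src', "'unsafe-eval'",    true],   // still present from the AppFramework default
    ['object-src', "'self'",           false],  // not set, so falls back to default-src 'none'
];

$failures = 0;
foreach ($checks as list($directive, $source, $expected)) {
    $actual = cspAllows($policy, $directive, $source);
    $ok = $actual === $expected;
    $failures += $ok ? 0 : 1;
    printf("%-11s %-17s %s\n", $directive, $source, $ok ? 'ok' : 'MISMATCH');
}
exit($failures === 0 ? 0 : 1);
```

Run it with `php csp-check.php` after copying the header from the response of the files app; a non-zero exit means one of the registered policies did not reach the merged header, or the merge reintroduced a source you meant to exclude.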
This adds a new CSRF manager for unit testing purposes; its interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.
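For readers who do not know the Symfony interface the commit refers to, here is an added example (not ownCloud's or Symfony's code) of a token manager in that shape: `getToken`, `refreshToken`, `removeToken` and `isTokenValid`, backed by a storage interface so a test can swap the session for an array. The storage class and the `login` token id are assumptions for the illustration. It needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

/** Storage abstraction so tests can replace the session with an in-memory map. */
interface TokenStorage
{
    public function get(string $id): ?string;
    public function set(string $id, string $token): void;
    public function remove(string $id): void;
}

/** Hypothetical in-memory storage standing in for the PHP session. */
final class ArrayTokenStorage implements TokenStorage
{
    private $tokens = [];

    public function get(string $id): ?string
    {
        return $this->tokens[$id] ?? null;
    }

    public function set(string $id, string $token): void
    {
        $this->tokens[$id] = $token;
    }

    public function remove(string $id): void
    {
        unset($this->tokens[$id]);
    }
}

/** Added illustration in the shape of symfony/security-csrf's CsrfTokenManager. */
final class CsrfTokenManager
{
    private $storage;

    public function __construct(TokenStorage $storage)
    {
        $this->storage = $storage;
    }

    /** Return the token bound to $id, generating one on first use. */
    public function getToken(string $id): string
    {
        $token = $this->storage->get($id);
        return $token ?? $this->refreshToken($id);
    }

    /** Replace the token with fresh CSPRNG output (rotate after login to stop a fixated token). */
    public function refreshToken(string $id): string
    {
        // 32 random bytes, URL-safe base64 without padding.
        $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
        $this->storage->set($id, $token);
        return $token;
    }

    public function removeToken(string $id): void
    {
        $this->storage->remove($id);
    }

    /** Constant-time comparison; a missing stored token or empty submission never validates. */
    public function isTokenValid(string $id, string $submitted): bool
    {
        $stored = $this->storage->get($id);
        if ($stored === null || $submitted === '') {
            return false;
        }
        return hash_equals($stored, $submitted);
    }
}

// Usage with the in-memory storage.
$manager = new CsrfTokenManager(new ArrayTokenStorage());
$token = $manager->getToken('login');
var_dump($manager->isTokenValid('login', $token));          // bool(true)
var_dump($manager->isTokenValid('login', $token . 'x'));    // bool(false): tampered
var_dump($manager->isTokenValid('other', $token));          // bool(false): wrong token id
$manager->refreshToken('login');
var_dump($manager->isTokenValid('login', $token));          // bool(false): rotated away
```

The two details that matter for the security property are both in `isTokenValid`: the comparison goes through `hash_equals` so a byte-by-byte early exit cannot leak the stored token, and the absence of a stored token is a hard failure rather than a match against an empty string.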
Move the notification API to public namespace
CredentialsManager performs a simple role: storing and retrieving
encrypted credentials from the database. Credentials are stored by user
ID (which may be null) and credentials identifier. Credentials
themselves may be of any type that can be JSON encoded.
The rationale behind this is to avoid further (mis)use of
oc_preferences, which was being used for all manner of data not related
to user preferences.
setValues() attempts to insert a new row, or failing that, update an
existing row. The ability to set preconditions is also available.
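The insert-or-update-with-precondition pattern described in this commit is what makes a compare-and-set possible over plain SQL: the update only applies when the row's current values still match what the caller last saw, so two concurrent writers cannot silently overwrite each other. The following is an added example of that pattern on PDO/SQLite (not ownCloud's `setValues()` implementation); the `appconfig` table, its columns and the values are constructed for the illustration. Table and column names are interpolated, so they must come from code, never from request input. Needs PHP 7.1 or later with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

/**
 * Insert a row identified by $keys with $values; if it already exists, update it,
 * but only when its current values match $preconditions.
 *
 * Returns true when a row was inserted or updated, false when the row exists but
 * the precondition no longer holds (nothing written). Added illustration, not
 * ownCloud code. $table and the array keys must be trusted identifiers.
 */
function setValues(PDO $db, string $table, array $keys, array $values, array $preconditions = []): bool
{
    $columns = array_merge($keys, $values);
    $insert = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', array_keys($columns)),
        implode(', ', array_fill(0, count($columns), '?'))
    );
    try {
        $db->prepare($insert)->execute(array_values($columns));
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation, i.e. the key already exists.
        if ($e->getCode() !== '23000') {
            throw $e;
        }
    }

    $assign = function (string $column): string {
        return $column . ' = ?';
    };
    $where = array_merge($keys, $preconditions);
    $update = sprintf(
        'UPDATE %s SET %s WHERE %s',
        $table,
        implode(', ', array_map($assign, array_keys($values))),
        implode(' AND ', array_map($assign, array_keys($where)))
    );
    $stmt = $db->prepare($update);
    $stmt->execute(array_merge(array_values($values), array_values($where)));
    // SQLite counts matched rows; on MySQL an unchanged value reports 0 unless
    // the connection was opened with CLIENT_FOUND_ROWS, so check that on your backend.
    return $stmt->rowCount() === 1;
}

// Constructed schema standing in for a key/value config table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE appconfig (appid TEXT, configkey TEXT, configvalue TEXT, PRIMARY KEY (appid, configkey))');

$key = ['appid' => 'core', 'configkey' => 'installed'];

// 1. No row yet: the insert path wins.
var_dump(setValues($db, 'appconfig', $key, ['configvalue' => 'no']));                              // bool(true)

// 2. Row exists and the precondition matches the stored value: compare-and-set succeeds.
var_dump(setValues($db, 'appconfig', $key, ['configvalue' => 'yes'], ['configvalue' => 'no']));    // bool(true)

// 3. Stale precondition (value is now 'yes'): nothing is written, caller must re-read.
var_dump(setValues($db, 'appconfig', $key, ['configvalue' => 'maybe'], ['configvalue' => 'no']));  // bool(false)

var_dump($db->query("SELECT configvalue FROM appconfig WHERE appid = 'core'")->fetchColumn());   // string(3) "yes"
```

The third call is the case that matters: a writer holding an outdated view of the row gets `false` instead of clobbering the newer value, which is the lost-update protection the precondition argument buys.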
* Added test to server container as well
Use a method_exists lookup to be safe and not break on old HHVM versions.
Add a test that checks if the type hint is preferred over the annotation.
Add polyfills for PHP55, PHP56 and PHP70 functionalities
This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
Allows IDEs and static code analyzers. Would have saved me some minutes today :)
This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
owncloud/dont-append-redirect-url-if-user-is-already-logged-in
Don't append redirect URL if user is logged-in
Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectations right.
Also allow empty value for no-HTTPS
This makes it work better with old versions of Nginx.
1. Allows it to use the more secure CSP rules of the AppFramework.
2. Adds some unit tests.
Prevent warning decoding content
Use `/` if installed in main folder
Otherwise an empty string is used, indicating the cookie is only valid for those resources. This can lead to unexpected behaviour.
Fixes https://github.com/owncloud/core/issues/19196
Only allow valid HTTP protocols.
Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119
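The commit does not say where the protocol value comes from, so the following is an added example (not ownCloud's code) that assumes the common case: a scheme string supplied by an untrusted party, such as a reverse proxy's forwarded-protocol header, that is later used to build absolute URLs. It shows a strict allow-list of `http` and `https` next to what a naive build emits for hostile or malformed input. The host and path are constructed for the illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return the scheme to use for absolute URLs, accepting only 'http' or 'https'.
 * Anything else, including an empty value or a header-injection attempt, falls
 * back to $fallback. Added illustration; not ownCloud code.
 */
function serverProtocol(string $candidate, string $fallback = 'http'): string
{
    $proto = strtolower(trim($candidate));
    return in_array($proto, ['http', 'https'], true) ? $proto : $fallback;
}

/** Build an absolute URL from its parts; no validation, so the scheme must already be trusted. */
function absoluteUrl(string $proto, string $host, string $path): string
{
    return $proto . '://' . $host . $path;
}

// Constructed candidate values as a proxy (or an attacker behind it) might send them.
$candidates = [
    'https',                   // normal
    'HTTPS',                   // case differs, still valid after normalisation
    '',                        // proxy sent nothing
    'javascript',              // yields a javascript: URL if echoed unchecked
    "https\r\nX-Injected: 1",  // CRLF smuggled into a header value
    'file',                    // not an HTTP scheme at all
];

foreach ($candidates as $raw) {
    $naive = absoluteUrl($raw, 'cloud.example', '/index.php');
    $safe  = absoluteUrl(serverProtocol($raw), 'cloud.example', '/index.php');
    printf("%-28s naive=%-46s safe=%s\n", json_encode($raw), json_encode($naive), $safe);
}
```

The naive column is the bug class the commit closes: whatever string arrives becomes the scheme of every generated link or redirect, so `javascript` and CRLF payloads are emitted verbatim. With the allow-list those inputs all collapse to the fallback, and only the case of a valid scheme is normalised.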