summaryrefslogtreecommitdiffstats
path: root/lib/private
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #15596 from owncloud/issue/15589Morris Jobke2015-04-291-6/+9
|\ | | | | Correctly generate the feedback URL for remote share
| * Fix scrutinizer complains and return type docJoas Schilling2015-04-281-4/+6
| |
| * Correctly remove the protocol before prepeding itJoas Schilling2015-04-281-0/+1
| |
| * Correctly generate the feedback URL for remote shareJoas Schilling2015-04-281-2/+2
| | | | | | | | | | The trailing slash was added in c78e3c4a7fa1d2f474ab58551e67a50e093f6ed8 to correctly generate the encryption keys
* | Merge pull request #15906 from rullzer/fix_15777Morris Jobke2015-04-291-1/+1
|\ \ | | | | | | Password set via OCS API should not be double escaped
| * | Password set via OCS API should not be double escapedRoeland Jago Douma2015-04-281-1/+1
| | |
* | | Filter potential dangerous filenames for avatarsLukas Reschke2015-04-282-4/+11
| |/ |/| | | | | We don't want to have users misusing this API resulting in a potential file disclosure of "avatar.(jpg|png)" files.
* | Merge pull request #14764 from owncloud/shared-etag-propagateMorris Jobke2015-04-285-1/+37
|\ \ | | | | | | Propagate etags across shared storages
| * | triger propagation for webdav uploadsRobin Appelman2015-04-271-0/+1
| | | | | | | | | | | | use post hooks for share etag propagator
| * | fix propagation when renaming a directly reshared folderRobin Appelman2015-04-271-0/+4
| | |
| * | propagate etags for all user of a shareRobin Appelman2015-04-271-0/+12
| | |
| * | Allow getting *all* share entries owned by a userRobin Appelman2015-04-271-0/+12
| | |
| * | Make the change propagator an emitterRobin Appelman2015-04-272-1/+8
| | |
* | | Merge pull request #15901 from owncloud/fix-share-docsMorris Jobke2015-04-281-8/+20
|\ \ \ | |_|/ |/| | fix several issues with doc blocks on share.php
| * | fix several issues with doc blocks on share.phpJoas Schilling2015-04-281-8/+20
| | |
* | | Fix return type of the getRootFolder() methodJoas Schilling2015-04-281-1/+1
|/ /
* | Merge pull request #15890 from owncloud/fix-helper-docsThomas Müller2015-04-271-4/+5
|\ \ | | | | | | Fix several type(hint) errors in private/helper.php
| * | Fix several type(hint) errors in private/helper.phpJoas Schilling2015-04-271-4/+5
| | |
* | | Merge pull request #15886 from owncloud/fix-15848-masterThomas Müller2015-04-271-1/+4
|\ \ \ | | | | | | | | Adjust isLocal() on encryption wrapper
| * | | fixes #15848Thomas Müller2015-04-271-1/+4
| |/ /
* | | Merge pull request #15860 from owncloud/enc_fallback_old_encryptionThomas Müller2015-04-272-14/+36
|\ \ \ | |/ / |/| | [encryption] handle encrypted files correctly which where encrypted with a old version of ownCloud (<=oc6)
| * | fall back to the ownCloud default encryption module and aes128 if we read a ↵Bjoern Schiessle2015-04-272-14/+36
| | | | | | | | | | | | encrypted file without a header
* | | Merge pull request #15882 from owncloud/fix-type-annotationMorris Jobke2015-04-271-1/+1
|\ \ \ | |_|/ |/| | Fix type annotation
| * | Fix type annotationLukas Reschke2015-04-271-1/+1
| |/ | | | | | | Obviously should be an int
* | Merge pull request #15411 from mmattel/fix_for_15375_better_message_textThomas Müller2015-04-271-0/+1
|\ \ | | | | | | Improve error messge text for app upgrade try (#15375)
| * | Improve error messge text for app upgrade try (#15375)Martin2015-04-221-0/+1
| | |
* | | Make getDefaultModuleId public and get module protectedJoas Schilling2015-04-273-14/+8
| | |
* | | Verify that the encryption module exists before setting itJoas Schilling2015-04-271-6/+7
| |/ |/|
* | Merge pull request #15834 from owncloud/make-temporary-file-really-uniqueLukas Reschke2015-04-251-38/+61
|\ \ | | | | | | Fix collision on temporary files + adjust permissions
| * | Fix collision on temporary files + adjust permissionsLukas Reschke2015-04-231-38/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This changeset hardens the temporary file and directory creation to address multiple problems that may lead to exposure of files to other users, data loss or other unexpected behaviour that is impossible to debug. **[CWE-668: Exposure of Resource to Wrong Sphere](https://cwe.mitre.org/data/definitions/668.html)** The temporary file and folder handling as implemented in ownCloud is performed using a MD5 hash over `time()` concatenated with `rand()`. This is insufficiently and leads to the following security problems: The generated filename could already be used by another user. It is not verified whether the file is already used and thus temporary files might be used for another user as well resulting in all possible stuff such as "user has file of other user". Effectively this leaves us with: 1. A timestamp based on seconds (no entropy at all) 2. `rand()` which returns usually a number between 0 and 2,147,483,647 Considering the birthday paradox and that we use this method quite often (especially when handling external storage) this is quite error prone and needs to get addressed. This behaviour has been fixed by using `tempnam` instead for single temporary files. For creating temporary directories an additional postfix will be appended, the solution is for directories still not absolutely bulletproof but the best I can think about at the moment. Improvement suggestions are welcome. **[CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)** Files were created using `touch()` which defaults to a permission of 0644. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is no a high severe issue. Permissions have been adjusted to 0600. **[CWE-379: Creation of Temporary File in Directory with Incorrect Permissions](https://cwe.mitre.org/data/definitions/379.html)** Files were created using `mkdir()` which defaults to a permission of 0777. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is no a high severe issue. Permissions have been adjusted to 0700.Please enter the commit message for your changes.
* | | Merge pull request #15683 from owncloud/block-legacy-clientsLukas Reschke2015-04-241-0/+79
|\ \ \ | | | | | | | | Block old legacy clients
| * | | Catch not existing User-Agent headerLukas Reschke2015-04-231-1/+5
| | | | | | | | | | | | | | | | In case of an not sent UA header consider the client as valid
| * | | Use 403 instead a 50x responseLukas Reschke2015-04-201-10/+9
| | | |
| * | | Block old legacy clientsLukas Reschke2015-04-201-0/+76
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
* | | | fix unit testsBjoern Schiessle2015-04-241-4/+10
| | | |
* | | | Update encryption.phpjknockaert2015-04-241-1/+2
| | | |
* | | | fixed namejknockaert2015-04-241-1/+1
| | | |
* | | | Update encryption.phpjknockaert2015-04-241-8/+8
| | | |
* | | | fix encryption header errorjknockaert2015-04-241-13/+16
| | | | | | | | | | | | When moving back the pointer to position 0 (using stream_seek), the pointer on the encrypted stream will be moved to the position immediately after the header. Reading the header again (invoked by stream_read) will cause an error, writing the header again (invoked by stream_write) will corrupt the file. Reading/writing the header should therefore happen when opening the file rather than upon read or write. Note that a side-effect of this PR is that empty files will still get an encryption header; I think that is OK, but it is different from how it was originally implemented.
* | | | Merge pull request #15839 from owncloud/enc_fix_moving_shared_filesJoas Schilling2015-04-246-52/+125
|\ \ \ \ | | | | | | | | | | [encryption] fix moving files to a shared folder
| * | | | Use public interfaces for type hintingJoas Schilling2015-04-241-12/+12
| | | | |
| * | | | only update share keys if the file was encryptedBjoern Schiessle2015-04-242-4/+19
| | | | |
| * | | | update share keys if file gets copiedBjoern Schiessle2015-04-231-3/+3
| | | | |
| * | | | update share keys if a file is moved to a shared folderBjoern Schiessle2015-04-235-40/+98
| | |/ / | |/| |
* / | | Ignore test folders when checking the code for complianceThomas Müller2015-04-231-1/+1
|/ / /
* | | Merge pull request #15809 from owncloud/view-null-rootVincent Petry2015-04-221-0/+6
|\ \ \ | | | | | | | | dont allow using null as view root
| * | | typoRobin Appelman2015-04-221-1/+1
| | | |
| * | | dont allow using null as view rootRobin Appelman2015-04-221-0/+6
| | | |
* | | | Merge pull request #15799 from owncloud/fix-enc-folder-moveThomas Müller2015-04-225-180/+71
|\ \ \ \ | |/ / / |/| | | Fix enc folder move
| * | | fix PHPDocThomas Müller2015-04-221-7/+8
| | | |
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-26 19:06:28 +0000