| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|\
| |
| | |
add upgrade command before repair, handle NeedsUpgradeException better
|
| | |
|
|\ \
| | |
| | | |
Use CSP nonces
|
| | |
| | |
| | |
| | | |
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.
At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)
IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.
Implementing this offers the following advantages:
1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.
If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|\ \ \
| | | |
| | | | |
fixing php 32 bit (arm) filemtime on large file issue (#18971) (#25428)
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* fixing php 32 bit (arm) filemtime on large file issue (#18971)
* cast to int
|
|/ / /
| | |
| | |
| | |
| | |
| | |
| | | |
- Removes a not existent function call
- Removes a fallback for Windows
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|\ \ \
| | | |
| | | | |
Fix logClientIn for non-existing users (#26292)
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The check for two factor enforcement would return true for non-existing
users. This fix makes it return false in order to be able to perform
the regular login which will then fail and return false.
This prevents throwing PasswordLoginForbidden for non-existing users.
|
|\ \ \ \
| | | | |
| | | | | |
Appconfig endpoint
|
| | | | |
| | | | |
| | | | |
| | | | | |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|\ \ \ \ \
| |_|/ / /
|/| | | | |
Use Webdav PUT for uploads
|
| | |_|/
| |/| |
| | | |
| | | |
| | | |
| | | |
| | | | |
If we move a file from the temp part file to the original file we don't
need update permissions.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|\ \ \ \
| | | | |
| | | | | |
Fix login page handling for disabled users
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* Changed request to not add a prefix to the url
* Expecting forbidden instead of service unavailable
* Handling login exceptions
|
|\ \ \ \ \
| | | | | |
| | | | | | |
App dependencies are now analysed on app enable as well - not only on…
|
| | |/ / /
| |/| | |
| | | | |
| | | | | |
install.
|
|/ / / / |
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| |_|/
|/| |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This prevents cryptic messages such as the following, from `user_ldap`:
Could not set avatar for uid=user,ou=People,dc=example,dc=net, because:
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
Add message to NotPermittedException thrown from Files\Nodes\Folder
Ditto.
Don't use translation macros here as this seems to be pretty low-level
errors that generally get caught and prettified, and I don't want to
unduly clog down the lower layers.
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
fixup! Add message to NotPermittedException thrown from Files\Nodes\Folder
|
|\ \ \
| | | |
| | | | |
Allow 4byte unicode filenames on supported platforms
|
| | | |
| | | |
| | | |
| | | | |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
| |/ /
| | |
| | |
| | | |
Signed-off-by: Robin Appelman <robin@icewind.nl>
|
|\ \ \
| |_|/
|/| | |
Select2 into core
|
| |/
| |
| |
| |
| |
| |
| |
| | |
Select2 systemtags removal
Settings again
Fix Script
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
|
|\ \
| | |
| | | |
Move OC\Files\Storage\Shared to the right namespace
|
| | | |
|
| |/ |
|
| | |
|
|\ \
| | |
| | | |
Fix post_unshareFromSelf hook parameter format
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When unsharing from self in a group share situation, the share items
passed to the post_unshareFromSelf hook were using the wrong format in
which the attribute names (ex: "share_type") have non camel-case format.
This fix makes sure that in group sharing case we use the correct
format. It looks like the code was already producing it but in
array_merge it was not using it and adding the unprocessed one.
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- `Object.create` supported with IE9+: https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Global_Objects/Object/create#Browser_compatibility
- `Object.keys` supported with IE9+: https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Global_Objects/Object/keys#Browser_compatibility
- `Array.prototype.filter` supported in IE9+: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter#Browser_compatibility
- `Array.prototype.indexOf` supported in IE9+: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf#Browser_compatibility
- `Array.prototype.map` supported in IE9+: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/map#Browser_compatibility
- `Function.prototype.bind` supported in IE9+: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/bind#Browser_compatibility
- `String.prototype.trim` supported with IE9+: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trim#Browser_compatibility
- `outerHTML` supported with Firefox 11+: https://developer.mozilla.org/en-US/docs/Web/API/Element/outerHTML#Browser_compatibility
- `window.devicePixelRatio` supported in IE11+: http://caniuse.com/#feat=devicepixelratio
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
|
|
|
|
|
| |
* placeholders are supported in IE11+
* http://caniuse.com/#feat=input-placeholder
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
| |
|
|
|
|
|
| |
* fully optional
* requires additional options set in the database
|
|\
| |
| | |
AllConfig setUserValue opt
|
| |
| |
| |
| | |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|\ \
| | |
| | | |
hide storage wrapper warning for the readonly storage
|
| |/
| |
| |
| | |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|\ \
| | |
| | | |
Notifications for simple @-mentioning in comments
|