path: root/tests/lib/appframework/middleware
Commit message  [Author, Age, Files, Lines -/+]
* Move tests/ to PSR-4 (#24731)  [Joas Schilling, 2016-05-20, 5 files, -1175/+0]
  * Move a-b to PSR-4
  * Move c-d to PSR-4
  * Move e+g to PSR-4
  * Move h-l to PSR-4
  * Move m-r to PSR-4
  * Move s-u to PSR-4
  * Move files/ to PSR-4
  * Move remaining tests to PSR-4
  * Remove Test\ from old autoloader
* Fix namespaces in AppFramework tests  [Joas Schilling, 2016-05-18, 5 files, -5/+7]
* Fix inconsistent naming of AppFramework  [Roeland Jago Douma, 2016-04-22, 1 file, -4/+4]
* Move login form into controller  [Lukas Reschke, 2016-04-15, 1 file, -4/+9]
  First step on getting the authorisation stuff cleaned up. This is only for the login form; all other stuff is still where it is.
* Add public API to give developers the possibility to adjust the global CSP defaults  [Lukas Reschke, 2016-01-28, 1 file, -2/+35]
  Allows injecting something into the default content policy. This is for example useful when you're injecting JavaScript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers.

  To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`; `$policy` has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.

  To test this add something like the following into an `app.php` of any enabled app:

  ```php
  $manager = \OC::$server->getContentSecurityPolicyManager();

  $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
  $policy->addAllowedFrameDomain('asdf');
  $policy->addAllowedScriptDomain('yolo.com');
  $policy->allowInlineScript(false);
  $manager->addDefaultPolicy($policy);

  $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
  $policy->addAllowedFontDomain('yolo.com');
  $manager->addDefaultPolicy($policy);

  $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
  $policy->addAllowedFrameDomain('banana.com');
  $manager->addDefaultPolicy($policy);
  ```

  If you now open the files app the policy should be:

  ```
  Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
  ```
* Show error template  [Lukas Reschke, 2015-11-30, 2 files, -35/+105]
  Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
* Remove dependency on ICrypto + use XOR  [Lukas Reschke, 2015-10-21, 5 files, -14/+0]
* Add mitigation against BREACH  [Lukas Reschke, 2015-08-14, 5 files, -0/+14]
  While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

  1. Application must support HTTP compression
  2. Response must reflect user-controlled input
  3. Response should contain sensitive data

  Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
* Return proper status code in case of a CORS exception  [Lukas Reschke, 2015-07-20, 1 file, -0/+51]
  When returning a 500 status code external applications may interpret this as an error instead of handling this more gracefully. This will now return a 401 instead.

  Fixes https://github.com/owncloud/core/issues/17742
* fix #16713  [Bernhard Posselt, 2015-06-03, 1 file, -0/+7]
* disallow cookie auth for cors requests  [Bernhard Posselt, 2015-05-22, 1 file, -4/+71]
  testing ... fixes
  fix test
  add php doc
  fix small mistake
  add another phpdoc
  remove not working cors annotations from files app
* Refactor OC_Request into TrustedDomainHelper and IRequest  [Lukas Reschke, 2015-02-16, 5 files, -10/+26]
  This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

  This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

  Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests were possible they have been added though.

  Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
* Respect `mod_unique_id` and refactor `OC_Request::getRequestId`  [Lukas Reschke, 2015-02-09, 5 files, -13/+49]
  When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs.

  Testplan:
  - [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`.
  - [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string
  - [ ] The generated Id is stable over the lifespan of one request

  Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI.

  Fixes https://github.com/owncloud/core/issues/13366
* Make remaining files extend the test base  [Joas Schilling, 2014-11-19, 5 files, -7/+15]
* Check if app is enabled for user  [Lukas Reschke, 2014-11-15, 1 file, -2/+2]
  Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps
* introduce SessionMiddleWare to control session handling via an annotation  [Thomas Müller, 2014-10-22, 1 file, -0/+89]
* fix redirect URL unit test  [Morris Jobke, 2014-07-02, 1 file, -1/+3]
* fix assertions  [Bernhard Posselt, 2014-05-28, 1 file, -9/+14]
* fix 8757, get rid of service locator antipattern  [Bernhard Posselt, 2014-05-28, 3 files, -106/+84]
* use new controllermethodreflector for corsmiddleware  [Bernhard Posselt, 2014-05-11, 1 file, -5/+15]
* adjust license headers to new mail address  [Bernhard Posselt, 2014-05-11, 3 files, -3/+3]
* implement most of the basic stuff that was suggested in #8290  [Bernhard Posselt, 2014-05-11, 1 file, -11/+22]
* add cors middleware  [Bernhard Posselt, 2014-05-09, 1 file, -0/+77]
  remove methodannotationreader namespace
  fix namespace for server container
  fix tests
  fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request
  remove unneeded local in cors middleware registration
  dont uppercase cors to easily use it from routes
  fix indention
  comment fixes
  explicitly set allow credentials header to false
  dont depend on better controllers PR, fix that stuff later
  split cors methods to be in a separate controller for exposing apis
  remove protected definitions from apicontroller since controller has it
* make download and redirectresponse public  [Bernhard Posselt, 2014-04-20, 1 file, -1/+1]
* default to GET request when no method is set to fix unittests, also set parsed json parameters on the post attribute  [Bernhard Posselt, 2014-04-12, 1 file, -1/+1]
* Scrutinizer Auto-Fixes  [Scrutinizer Auto-Fixer, 2014-02-19, 2 files, -0/+14]
  This patch was automatically generated as part of the following inspection: https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720

  Enabled analysis tools:
  - PHP Analyzer
  - JSHint
  - PHP Copy/Paste Detector
  - PHP PDepend
* Fix namespace for OCP\Appframework\Http  [Thomas Tanghus, 2013-10-23, 1 file, -1/+1]
  To avoid having to use OCP\Appframework\Http\Http in the public - and stable - API, OCP\Appframework\Http is now both a class and a namespace.
* re-enable test in SecurityMiddlewareTest  [Thomas Müller, 2013-10-16, 1 file, -5/+0]
* Merge branch 'master' into fixing-appframework-master  [Thomas Müller, 2013-10-16, 1 file, -0/+5]
  Conflicts:
  lib/private/appframework/middleware/security/securitymiddleware.php
  tests/lib/appframework/middleware/security/SecurityMiddlewareTest.php
* Merge pull request #5067 from owncloud/urlParams_fix  [Thomas Müller, 2013-10-16, 1 file, -1/+7]
  Get urlParams registered before Request is instantiated
* Get urlParams registered before Request is instantiated  [Thomas Tanghus, 2013-10-01, 1 file, -1/+7]
* OCP\AppFramework\Controller\Controller => OCP\AppFramework\Controller  [Thomas Tanghus, 2013-10-11, 3 files, -4/+4]
* fixing all appframework unit tests  [Thomas Müller, 2013-10-07, 3 files, -22/+52]
* Make abstract Middleware class public  [Thomas Tanghus, 2013-10-05, 2 files, -5/+5]
  It doesn't make sense for subclasses to have to implement all methods.
* cleanup of tests  [Thomas Müller, 2013-08-21, 1 file, -5/+14]
* kill superfluous classloader from tests - this approach might be of interest within the apps  [Thomas Müller, 2013-08-21, 3 files, -15/+8]
* reducing controller annotations to:  [Thomas Müller, 2013-08-20, 1 file, -122/+34]
  @PublicPage - No user logon is expected
  @NoAdminRequired - the login user requires no admin rights
  @NoCSRFRequired - the incoming request will not check for CSRF token
* initial import of appframework  [Thomas Müller, 2013-08-17, 3 files, -0/+750]