1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
|
<?php
/**
* @copyright Copyright (c) 2016, ownCloud, Inc.
*
* @author Andreas Fischer <bantu@owncloud.com>
* @author Bart Visscher <bartv@thisnet.nl>
* @author Joas Schilling <coding@schilljs.com>
* @author Jörn Friedrich Dreyer <jfd@butonic.de>
* @author Lukas Reschke <lukas@statuscode.ch>
* @author Morris Jobke <hey@morrisjobke.de>
* @author Robin McCorkell <robin@mccorkell.me.uk>
* @author Sergio Bertolín <sbertolin@solidgear.es>
* @author Stefan Weil <sw@weilnetz.de>
* @author Thomas Müller <thomas.mueller@tmit.eu>
* @author Vincent Petry <pvince81@owncloud.com>
*
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
class OC_Response {
const STATUS_FOUND = 304;
const STATUS_NOT_MODIFIED = 304;
const STATUS_TEMPORARY_REDIRECT = 307;
const STATUS_BAD_REQUEST = 400;
const STATUS_FORBIDDEN = 403;
const STATUS_NOT_FOUND = 404;
const STATUS_INTERNAL_SERVER_ERROR = 500;
const STATUS_SERVICE_UNAVAILABLE = 503;
/**
* Set response status
* @param int $status a HTTP status code, see also the STATUS constants
*/
static public function setStatus($status) {
$protocol = \OC::$server->getRequest()->getHttpProtocol();
switch($status) {
case self::STATUS_NOT_MODIFIED:
$status = $status . ' Not Modified';
break;
case self::STATUS_TEMPORARY_REDIRECT:
if ($protocol == 'HTTP/1.1') {
$status = $status . ' Temporary Redirect';
break;
} else {
$status = self::STATUS_FOUND;
// fallthrough
}
case self::STATUS_FOUND;
$status = $status . ' Found';
break;
case self::STATUS_NOT_FOUND;
$status = $status . ' Not Found';
break;
case self::STATUS_INTERNAL_SERVER_ERROR;
$status = $status . ' Internal Server Error';
break;
case self::STATUS_SERVICE_UNAVAILABLE;
$status = $status . ' Service Unavailable';
break;
}
header($protocol.' '.$status);
}
/**
* Sets the content disposition header (with possible workarounds)
* @param string $filename file name
* @param string $type disposition type, either 'attachment' or 'inline'
*/
static public function setContentDispositionHeader( $filename, $type = 'attachment' ) {
if (\OC::$server->getRequest()->isUserAgent(
[
\OC\AppFramework\Http\Request::USER_AGENT_IE,
\OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,
\OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,
])) {
header( 'Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode( $filename ) . '"' );
} else {
header( 'Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode( $filename )
. '; filename="' . rawurlencode( $filename ) . '"' );
}
}
/**
* Sets the content length header (with possible workarounds)
* @param string|int|float $length Length to be sent
*/
static public function setContentLengthHeader($length) {
if (PHP_INT_SIZE === 4) {
if ($length > PHP_INT_MAX && stripos(PHP_SAPI, 'apache') === 0) {
// Apache PHP SAPI casts Content-Length headers to PHP integers.
// This enforces a limit of PHP_INT_MAX (2147483647 on 32-bit
// platforms). So, if the length is greater than PHP_INT_MAX,
// we just do not send a Content-Length header to prevent
// bodies from being received incompletely.
return;
}
// Convert signed integer or float to unsigned base-10 string.
$lfh = new \OC\LargeFileHelper;
$length = $lfh->formatUnsignedInteger($length);
}
header('Content-Length: '.$length);
}
/**
* This function adds some security related headers to all requests served via base.php
* The implementation of this function has to happen here to ensure that all third-party
* components (e.g. SabreDAV) also benefit from this headers.
*/
public static function addSecurityHeaders() {
/**
* FIXME: Content Security Policy for legacy ownCloud components. This
* can be removed once \OCP\AppFramework\Http\Response from the AppFramework
* is used everywhere.
* @see \OCP\AppFramework\Http\Response::getHeaders
*/
$policy = 'default-src \'self\'; '
. 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
. 'style-src \'self\' \'unsafe-inline\'; '
. 'frame-src *; '
. 'img-src * data: blob:; '
. 'font-src \'self\' data:; '
. 'media-src *; '
. 'connect-src *; '
. 'object-src \'none\'; '
. 'base-uri \'self\'; ';
header('Content-Security-Policy:' . $policy);
header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
// Send fallback headers for installations that don't have the possibility to send
// custom headers on the webserver side
if(getenv('modHeadersAvailable') !== 'true') {
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
}
}
}
|
