Commit graph

39 commits

Author SHA1 Message Date
Roeland Jago Douma
ad676c0102
Set default frame-ancestors to 'self'
For #13042

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-08 15:36:40 +01:00
Roeland Jago Douma
64244e1a4f
CSP: Allow fonts to be provided in data
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-07 15:07:06 +01:00
Roeland Jago Douma
514426e27d
Only trust the X-FORWARDED-HOST header for trusted proxies
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-12-17 15:54:45 +01:00
Oliver Wegner
401ca28f07 Adding handling of CIDR notation to trusted_proxies for IPv4
Signed-off-by: Oliver Wegner <void1976@gmail.com>
2018-10-30 09:15:42 +01:00
Roeland Jago Douma
579822b6a5
Add report-uri to CSP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 13:38:32 +02:00
Roeland Jago Douma
5b61ef9213
Disallow unsafe-eval by default
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-14 20:45:34 +02:00
Roeland Jago Douma
a34495933e
Move caching logic to response
This avoids having to do it at all the places we want cached responses.

We can't inject the ITimeFactor without breaking public API.
However we can perfectly overwrite the service (resulting in the same
testable effect).

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-06-04 08:48:54 +02:00
Roeland Jago Douma
d179186430
Remove testcase
Since a token now always requires a string we don't need to test for
null

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 16:14:46 +01:00
Julius Härtl
5a4aa2b7dd
Add test for PublicTemplateResponse
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2018-02-27 12:25:53 +01:00
Roeland Jago Douma
0ee45d3d20
Fix proper types
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma
ca9f364fd4
Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 10:55:52 +01:00
Joas Schilling
870023365c
Fix "Undefined method setExpectedException()"
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-01-24 18:10:16 +01:00
Morris Jobke
c70927eaa0
Remove not needed 3rdparty app disabling during upgrade for PHP 5.x
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-19 14:00:27 +01:00
Joas Schilling
7bc9a69c3f
Remove deprecated core API
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-01-15 17:54:50 +01:00
Bjoern Schiessle
f0202245ee
allow 'Nextcloud' in the user agent string of Android
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-12-12 12:16:01 +01:00
Morris Jobke
43e498844e
Use ::class in test mocks
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-10-24 17:45:32 +02:00
Roeland Jago Douma
c257cd57d4
Handle SameSiteCookie check for index.php in AppFramework Middleware
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-24 21:07:16 +02:00
Thomas Citharel
ecf347bd1a Add CSP frame-ancestors support
Didn't set the @since annotation yet.

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2017-09-15 15:23:10 +02:00
Lukas Reschke
f22ab3e665
Add metadata to \OCP\AppFramework\Http\Response::throttle
Fixes https://github.com/nextcloud/server/issues/5891

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-27 14:17:45 +02:00
Lukas Reschke
8149945a91
Make BruteForceProtection annotation more clever
This makes the new `@BruteForceProtection` annotation more clever and moves the relevant code into it's own middleware.

Basically you can now set `@BruteForceProtection(action=$key)` as annotation and that will make the controller bruteforce protected. However, the difference to before is that you need to call `$responmse->throttle()` to increase the counter. Before the counter was increased every time which leads to all kind of unexpected problems.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 23:05:33 +02:00
Roeland Jago Douma
2a9192334e
Don't try to parse empty body if there is no body
Fixes #3890

If we do a put request without a body the current code still tries to
read the body. This patch makes sure that we do not try to read the body
if the content length is 0.

See RFC 2616 Section 4.3

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-04 08:22:33 +02:00
Morris Jobke
f9bc53146d
Fix unit tests
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-03-28 21:00:12 -06:00
Lukas Reschke
5f8f29508f
Adjust tests to include base-uri
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 18:12:10 +01:00
Lukas Reschke
adfd1e63f6
Add base-uri to CSP policy
As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-16 15:16:20 +01:00
Robin Appelman
9a8cef965f
add test for skipping cookie checks for ocs
Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-03-10 14:11:00 +01:00
Christoph Wurst
5e728d0eda oc_token should be nc_token
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-02-02 21:56:44 +01:00
Christoph Wurst
e3815b382d
fix data response test expected cache headers
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-10 10:13:08 +01:00
Christoph Wurst
fe6416072d
set 'no-store' cache header if we do not want FF to cache
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-01-09 21:29:59 +01:00
Lukas Reschke
a05b8b7953
Harden cookies more appropriate
This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening.

See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications.

Fixes https://github.com/nextcloud/server/issues/1412

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-23 12:53:44 +01:00
Robin Appelman
e4d1cf0f6d
add tests for http/output
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:30:37 +01:00
Joas Schilling
c20ab0049f
Identify Chromium as Chrome
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-26 12:07:10 +02:00
Lukas Reschke
9e6634814e
Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)

IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Roeland Jago Douma
777c3ee325
Add FileDisplayResponse
A lazy implementation of the DisplayResponse that only hits the
filesystem if the etag and mtime do not match.
2016-09-05 15:09:54 +02:00
Joas Schilling
f9cea0b582 Merge pull request #797 from nextcloud/only-match-for-auth-cookie
Match only for actual session cookie
2016-08-31 15:59:16 +02:00
Lukas Reschke
d50e7ee36c
Remove reading PATH_INFO from server variable
Having two code paths for this is unreliable and can lead to bugs. Also, in some cases Apache isn't setting the PATH_INFO variable when mod_rewrite is used.

Fixes https://github.com/nextcloud/server/issues/983
2016-08-19 14:48:13 +02:00
Lukas Reschke
b53ea18ea5
Match only for actual session cookie
OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.
2016-08-09 19:23:08 +02:00
Lukas Reschke
a299fa38a9
[master] Port Same-Site Cookies to master
Fixes https://github.com/nextcloud/server/issues/50
2016-07-20 18:37:57 +02:00
Roeland Jago Douma
2fa9e67294
Fix phpunit-5.4 wargning
* getMock is deprecated.
* \PDOStatement mocking fails hard on phpunit 4.8
2016-07-11 08:50:07 +02:00
Joas Schilling
94ad54ec9b Move tests/ to PSR-4 (#24731)
* Move a-b to PSR-4

* Move c-d to PSR-4

* Move e+g to PSR-4

* Move h-l to PSR-4

* Move m-r to PSR-4

* Move s-u to PSR-4

* Move files/ to PSR-4

* Move remaining tests to PSR-4

* Remove Test\ from old autoloader
2016-05-20 15:38:20 +02:00