Commit graph

24608 commits

Author SHA1 Message Date
Vincent Petry
a672e9d556 Merge pull request #15814 from owncloud/public-reshare-webdav
Fix webdav access for public reshare
2015-04-23 15:28:10 +02:00
Lukas Reschke
155ae44bc6 Fix collision on temporary files + adjust permissions
This changeset hardens the temporary file and directory creation to address multiple problems that may lead to exposure of files to other users, data loss or other unexpected behaviour that is impossible to debug.

**[CWE-668: Exposure of Resource to Wrong Sphere](https://cwe.mitre.org/data/definitions/668.html)**
The temporary file and folder handling as implemented in ownCloud is performed using an MD5 hash over `time()` concatenated with `rand()`. This is insufficient and leads to the following security problems:
The generated filename could already be used by another user. It is not verified whether the file is already in use, and thus temporary files might be used for another user as well, resulting in all possible outcomes such as "user has file of other user".

Effectively this leaves us with:

1. A timestamp based on seconds (no entropy at all)
2. `rand()` which returns usually a number between 0 and 2,147,483,647

Considering the birthday paradox and that we use this method quite often (especially when handling external storage) this is quite error prone and needs to get addressed.

This behaviour has been fixed by using `tempnam` instead for single temporary files. For creating temporary directories an additional postfix will be appended, the solution is for directories still not absolutely bulletproof but the best I can think about at the moment. Improvement suggestions are welcome.

**[CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)**

Files were created using `touch()` which defaults to a permission of 0644. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is not a highly severe issue. Permissions have been adjusted to 0600.

**[CWE-379: Creation of Temporary File in Directory with Incorrect Permissions](https://cwe.mitre.org/data/definitions/379.html)**

Files were created using `mkdir()` which defaults to a permission of 0777. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is not a highly severe issue. Permissions have been adjusted to 0700.
2015-04-23 15:07:54 +02:00
Thomas Müller
d1ef96dc9b Merge pull request #15828 from owncloud/smb-1.0.1
update icewind/smb to 1.0.1
2015-04-23 14:48:25 +02:00
Thomas Müller
3b1a3cc27b Merge pull request #15831 from owncloud/enc2-unittestcleanuptmpfile
Delete temp files after testing encryption stream wrapper
2015-04-23 14:43:22 +02:00
Thomas Müller
6d3f120d23 Merge pull request #15617 from mmattel/getenv_system_check_and_warning
Checks if getenv returns proper system environment variable results
2015-04-23 14:42:58 +02:00
Thomas Müller
8997d2f0d1 Merge pull request #15830 from owncloud/enc2-ajaxstatuswhenloggedin
Only get encryption status when logged in
2015-04-23 14:41:06 +02:00
Robin Appelman
7a3a8e4032 fix subfolder reshares over webdav 2015-04-23 13:42:51 +02:00
Vincent Petry
b88d0ba0ac Delete temp files after testing encryption stream wrapper 2015-04-23 13:42:18 +02:00
Vincent Petry
cc3bc6345b Only get encryption status when logged in
This removes useless warnings in the logs.
2015-04-23 13:06:00 +02:00
Joas Schilling
cb641b4c29 Fix file names 2015-04-23 12:53:01 +02:00
Joas Schilling
cfa23e60d3 Add tests for occ user:lastseen 2015-04-23 12:41:06 +02:00
Joas Schilling
eec92a16d6 Unify the output of the user commands and use DI 2015-04-23 12:40:13 +02:00
Joas Schilling
bb5b6e5f63 Add unit tests for occ user:delete 2015-04-23 12:33:12 +02:00
Joas Schilling
07627084e4 Check if the user exists before trying to delete him 2015-04-23 12:32:46 +02:00
root
35dbef55b5 Checks if getenv returns proper system variable results
Updated texts and changed the variable name to match the query

Updated text + info which path for php config is used

removed the term ownCloud and squashed the commits

Updated text
2015-04-23 10:58:13 +02:00
Jenkins for ownCloud
f8f354b351 [tx-robot] updated from transifex 2015-04-23 01:54:51 -04:00
Morris Jobke
37a5b62abb Merge pull request #15639 from rullzer/fix_15368
Reset sharedialog values
2015-04-23 00:18:23 +02:00
Robin Appelman
57f49391dc remove unneeded readonlycache 2015-04-22 20:07:54 +02:00
Robin Appelman
7eabd96e4c update icewind/smb to 1.0.1 2015-04-22 20:05:38 +02:00
Robin Appelman
2adb79c794 resolve reshares in public webdav 2015-04-22 16:19:52 +02:00
Robin Appelman
03b7f1d015 use the permissions mask cache wrapper instead of the read only cache 2015-04-22 15:28:06 +02:00
Morris Jobke
42d9ba0f83 Merge pull request #15787 from owncloud/trash-partfiles
Do not trash part files, delete directly
2015-04-22 14:10:26 +02:00
Morris Jobke
a971fa8a90 Merge pull request #15549 from owncloud/jcf-fix-cache-update
don't update identical values
2015-04-22 13:34:08 +02:00
Martin
676e86b314 Improve error message text for app upgrade try (#15375) 2015-04-22 13:24:11 +02:00
Björn Schießle
570718fb6b Merge pull request #15757 from owncloud/enc-fixfeofforlastblock
Fix encryption feof to not return too early
2015-04-22 11:32:21 +02:00
Jenkins for ownCloud
d7bdf60559 [tx-robot] updated from transifex 2015-04-22 01:55:38 -04:00
Thomas Müller
40fcc7480c Merge pull request #15734 from owncloud/add-deprecate-tags
Add @deprecated to all methods with a proper method in \OCP
2015-04-21 23:57:49 +02:00
Vincent Petry
ffc796edcb Do not trash part files, delete directly 2015-04-21 18:28:15 +02:00
Morris Jobke
9dc12d40d8 Merge pull request #15782 from owncloud/hide-modified-multiselect
hide modified header when multiselect is active, fix #15779
2015-04-21 16:41:41 +02:00
Thomas Müller
438cb27471 Merge pull request #15721 from oparoz/fix-readonly-cache
Fix read-only cache
2015-04-21 16:30:56 +02:00
Björn Schießle
1ee2ee8432 Merge pull request #15690 from owncloud/enc_fix_upload
[encryption] fix upload to sftp
2015-04-21 15:41:45 +02:00
Jan-Christoph Borchardt
723804ffd7 hide modified header when multiselect is active, fix #15779 2015-04-21 15:38:34 +02:00
Jan-Christoph Borchardt
1d1e188a7a Merge pull request #15769 from owncloud/files-emptycontentreadonly
Added empty content message for empty read-only folders
2015-04-21 15:30:57 +02:00
Morris Jobke
503243e191 Merge pull request #15770 from owncloud/fix-15764
bring back border in host input field for consistency
2015-04-21 14:59:46 +02:00
Bjoern Schiessle
19e8c4fcb1 get dirname from sharePath 2015-04-21 14:58:01 +02:00
Olivier Paroz
9695e33e34 Renamed class + split methods 2015-04-21 14:40:11 +02:00
Vincent Petry
53a23364ef Added empty content message for empty read-only folders 2015-04-21 14:31:13 +02:00
Arthur Schiwon
52025e9839 save configs when requesting a config ID. They are empty, but avoid configID collisions when creating many new configs in the wizard without saving anything directly. 2015-04-21 13:20:31 +02:00
Arthur Schiwon
8593415c12 LDAP Wizard: have always-increasing 'nth Server' number per full page load, fixes #15766 2015-04-21 13:14:35 +02:00
Morris Jobke
4b968da9e6 Merge pull request #15713 from owncloud/fix-15707-master
[enc2] Fixing JS errors
2015-04-21 12:47:43 +02:00
Arthur Schiwon
19a2a22de1 bring back border in host input field for consistency 2015-04-21 12:22:40 +02:00
Thomas Müller
490e779424 doc and indent 2015-04-21 12:19:15 +02:00
Thomas Müller
4a2f8f81ca Don't pollute the global namespace 2015-04-21 12:01:56 +02:00
Björn Schießle
b0fcf0fa0e Merge pull request #15636 from owncloud/enc2_performance_improvement
[encryption2] set size and unencrypted size to zero at the beginning of a write operation
2015-04-21 11:01:33 +02:00
Thomas Müller
edbcb834c7 Merge pull request #15753 from owncloud/remove-app-version-from-disabled-list
Remove the app version from disabled app list
2015-04-21 10:26:16 +02:00
Jenkins for ownCloud
c548066d2c [tx-robot] updated from transifex 2015-04-21 01:55:37 -04:00
Lukas Reschke
21ad4400af Reword configuration text 2015-04-20 21:08:45 +02:00
Thomas Müller
55962c5f5a make jshint happy
This reverts commit ae681f0061.
2015-04-20 20:51:15 +02:00
Thomas Müller
3bc5c1c3cf use a simple function - OC.Encryption is already defined - fixes #15707
This reverts commit 0ca6398aa3.
2015-04-20 20:50:08 +02:00
Thomas Müller
b78e76a1cb Merge pull request #15677 from owncloud/enc_reset_private_key_password
[encryption] let user update the private key password
2015-04-20 20:48:12 +02:00