Christoph Wurst
1b46621cd3
Update license headers for 18
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-20 09:23:25 +01:00
Konrad Bucheli
f2d3e34c96
handle IPv6 addresses with an explict incoming interface at the end (e.g fe80::ae2d:d1e7:fe1e:9a8d%enp2s0)
...
Signed-off-by: Konrad Bucheli <konrad.bucheli@gmx.ch>
Signed-off-by: Konrad Bucheli <kb@open.ch>
2019-12-10 22:47:20 +01:00
Julius Härtl
d05f131929
Move overwritehost check to isTrustedDomain
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2019-12-07 09:53:06 +01:00
Christoph Wurst
5bf3d1bb38
Update license headers
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-05 15:38:45 +01:00
Roeland Jago Douma
68748d4f85
Some php-cs fixes
...
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-11-22 20:52:10 +01:00
Johannes Koenig
2df8d646c1
make TrustedDomainHelper case insensitive
...
Signed-off-by: Johannes Koenig <mail@jokoenig.de>
2019-10-06 20:43:55 +02:00
Roeland Jago Douma
2b98eea129
Harden identifyproof openssl code
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-09-14 13:52:10 +02:00
Roeland Jago Douma
7927aebdeb
Fix report of phpstan in Limiter
...
* unneeded arguments to constructor
* added return types
* let automatic DI do its work
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-19 19:38:43 +02:00
Roeland Jago Douma
b8c5008acf
Add feature policy header
...
This adds the events and the classes to modify the feature policy.
It also adds a default restricted feature policy.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-10 14:26:22 +02:00
Roeland Jago Douma
f94ee72507
Add form-action CSP element
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-31 15:16:10 +02:00
Roeland Jago Douma
417fbb5d60
setting unsafe-eval is deprecated
...
This will be removed in a future version of Nextcloud.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-30 16:27:38 +02:00
Sam Bull
ea935f65fd
Add support for CSP_NONCE server variable
...
Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server.
Signed-off-by: Sam Bull <git@sambull.org>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-18 12:16:29 +02:00
Roeland Jago Douma
5ac857bcdc
Add an event to edit the CSP
...
This introduces and event that can be listend to when we actually use
the CSP. This means that apps no longer have to always inject their CSP
but only do so when it is required. Yay for being lazy.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-07-08 20:35:15 +02:00
Morris Jobke
d004164fcc
Merge pull request #13327 from nextcloud/allow-bracket-notation-for-remove-ipv6-address
...
Allow bracket IPv6 address format inside IPAdress Normalizer
2019-03-06 10:34:02 +01:00
Roeland Jago Douma
f1ea56b502
Fix the thorrtler whitelist bitmask
...
Before we actually didn't check each bit of the bitmask. Now we do.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-11 23:22:20 +01:00
Thomas Citharel
c9b588774b
Allow bracket IPv6 address format inside IPAdress Normalizer
...
When run with php's build-in server (for instance on localhost:8080), IP provided through $this->server['REMOTE_ADDR'] is [::1], which is not an acceptable format for \inet_pton. This removes the brackets if there's any.
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2019-01-03 10:03:46 +01:00
Roeland Jago Douma
372f3d2a60
Remove deprecated functions from SecureRandom
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-12-07 19:33:32 +01:00
Roeland Jago Douma
be5c050acc
Throw exception if decryption fails
...
For #11868
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-14 12:47:35 +01:00
Morris Jobke
39338aaa67
Merge pull request #11914 from nextcloud/csp/report-uri
...
Add report-uri to CSP
2018-10-23 16:42:24 +02:00
Roeland Jago Douma
0fdc65a15c
Add nonce for Safari 12+
...
As far as I can tell this should work now.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 20:48:12 +02:00
Roeland Jago Douma
579822b6a5
Add report-uri to CSP
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-10-21 13:38:32 +02:00
Roeland Jago Douma
8354c50911
Deprecate the childSrc functions
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +02:00
Roeland Jago Douma
c8fe4b4fc8
Add workerSrc to CSP
...
Fixes #11035
Since the child-src directive is deprecated (we should kill it at some
point) we need to have the proper worker-src available
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 07:35:44 +02:00
Mark Berezovsky
ad66c6bf08
Fix #9864 : Decrease $maxDelay in Throttler.php
...
Signed-off-by: Mark Berezovsky <xpnf@yandex.ru>
2018-06-15 04:58:08 +03:00
Roeland Jago Douma
84316aec66
Add ARGON2I support to the hasher
...
When on php7.2 we can use the new and improved ARGON2I hashing.
This adds support for that to the hasher. When verifying an old hash
we'll update rehash to move all hashes eventually to the new hash
function.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-04-04 15:43:50 +02:00
Roeland Jago Douma
d8332d43f8
Make \OC\Security\IdentityProof strict
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 19:33:16 +01:00
Roeland Jago Douma
5457373407
Merge pull request #8659 from nextcloud/csrf_token_strict
...
Make \OC\Security\CSRF strict
2018-03-05 19:28:10 +01:00
Roeland Jago Douma
4ed9b74a6b
Make OC\Security\CSP strict
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 15:27:05 +01:00
Roeland Jago Douma
2c8402aa17
Make \OC\Security\CSRF strict
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-03-05 15:01:02 +01:00
Morris Jobke
0a56d2185e
Return value immediately instead of assigning to a one-time variable
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-26 00:02:03 +01:00
Roeland Jago Douma
0e0db37658
Make OCP\Security stricter
...
* Add typehints
* Add return types
* Opcode opts from phpstorm
* Made strict
* Fixed tests: No need to test bogus values anymore strict typing fixes
this
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-16 22:01:19 +01:00
Morris Jobke
c0c4263546
Merge pull request #7850 from nextcloud/strict_ipaddress
...
Make IPAddress typed and strict
2018-01-14 21:16:06 +01:00
Roeland Jago Douma
bb2938a47d
Make IPAddress typed and strict
...
* Added scalar typehints
* Added return statements
* Added strict declaration
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-14 21:15:44 +01:00
Morris Jobke
2ed4bea18f
Merge pull request #7852 from nextcloud/strict_ratelimiting
...
Make OC\Security\RateLimiting strict
2018-01-14 21:08:45 +01:00
Roeland Jago Douma
cf0a339997
Make OC\Security\RateLimiting strict
...
* Add return types
* Add scalar argument types
* Made strict
* Cleaned up phpstorm inspections
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-14 21:08:23 +01:00
Roeland Jago Douma
6e1ee1e7a7
Fix tests
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-14 21:04:52 +01:00
Roeland Jago Douma
de5d7aa331
Strict ISecure random
...
* Declare strict
* Scalar arguments
* Return type
* Use fully qualified name for strlen
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-01-13 21:39:34 +01:00
Morris Jobke
ca28df6fcc
Adds type hinting for scalar types in ICrypto->decrypt
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-13 00:06:03 +01:00
Morris Jobke
d2d73f1ce8
Also replace all other occurences
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-12-18 20:57:11 +01:00
Morris Jobke
5a270c2715
Reset bruteforce attempt table on successful login
...
* only clear the entries that come from the same subnet, same action and same metadata
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-24 14:58:57 +01:00
Morris Jobke
0eebff152a
Update license headers
...
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Thomas Citharel
ecf347bd1a
Add CSP frame-ancestors support
...
Didn't set the @since annotation yet.
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2017-09-15 15:23:10 +02:00
Bjoern Schiessle
bae5be3dc1
add prefix to user and system keys to avoid name collisions
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-08-10 14:27:35 +02:00
Bjoern Schiessle
9524badccc
extend the identity proof manager to allow system wide key pairs
...
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
2017-08-10 14:27:35 +02:00
Lukas Reschke
6fb84ebb71
null is a valid parameter
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 08:20:16 +02:00
Lukas Reschke
dfd8125aeb
Replace wrong PHPDocs
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-08-01 08:20:16 +02:00
Roeland Jago Douma
5f227bd93b
More phpstorm inspection fixes
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-24 11:39:29 +02:00
Lukas Reschke
3d2600b039
Add Phan plugin to check for SQL injections
...
This adds a phan plugin which checks for SQL injections on code using our QueryBuilder, while it isn't perfect it should already catch most potential issues.
As always, static analysis will sometimes have false positives and this is also here the case. So in some cases the analyzer just doesn't know if something is potential user input or not, thus I had to add some `@suppress SqlInjectionChecker` in front of those potential injections.
The Phan plugin hasn't the most awesome code but it works and I also added a file with test cases.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-07-20 22:48:13 +02:00
Roeland Jago Douma
6a1f2ac076
Add bruteforce capabilities
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-13 11:23:08 +02:00
Roeland Jago Douma
04f2090698
Write cert bundle to tmp file first
...
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-07-12 19:24:20 +02:00