Commit graph

24852 commits

Author SHA1 Message Date
Lukas Reschke
4dfdaf741c Merge pull request #15834 from owncloud/make-temporary-file-really-unique
Fix collision on temporary files + adjust permissions
2015-04-25 23:18:26 +02:00
Jenkins for ownCloud
7855174879 [tx-robot] updated from transifex 2015-04-25 01:55:13 -04:00
Lukas Reschke
b9df932e3c Merge pull request #15683 from owncloud/block-legacy-clients
Block old legacy clients
2015-04-24 18:21:10 +02:00
Vincent Petry
f63a0c99a4 Merge pull request #15774 from owncloud/jknockaert-patch-1
fix encryption header error
2015-04-24 17:24:32 +02:00
Bjoern Schiessle
9a5783b284 fix unit tests 2015-04-24 16:47:27 +02:00
jknockaert
4554df2512 enable testWriteWriteRead 2015-04-24 16:44:00 +02:00
jknockaert
18a1225b0c enable testRewind 2015-04-24 16:44:00 +02:00
jknockaert
49df8ef525 Update encryption.php 2015-04-24 16:44:00 +02:00
jknockaert
27ea23ea6b Update encryption.php 2015-04-24 16:44:00 +02:00
jknockaert
d6841aa706 disable r+ test 2015-04-24 16:44:00 +02:00
jknockaert
238302ee7d fixed name 2015-04-24 16:44:00 +02:00
jknockaert
7a34f75da6 add two tests
testRewind tests reading and writing after rewind on an encrypted stream; testWriteWriteRead tests r+ mode
2015-04-24 16:44:00 +02:00
jknockaert
1756562501 Update encryption.php 2015-04-24 16:44:00 +02:00
jknockaert
735f6cc037 fix encryption header error
When moving back the pointer to position 0 (using stream_seek), the pointer on the encrypted stream will be moved to the position immediately after the header. Reading the header again (invoked by stream_read) will cause an error, writing the header again (invoked by stream_write) will corrupt the file. Reading/writing the header should therefore happen when opening the file rather than upon read or write. Note that a side-effect of this PR is that empty files will still get an encryption header; I think that is OK, but it is different from how it was originally implemented.
2015-04-24 16:43:16 +02:00
Clark Tomlinson
8c0856779b change error codes to 400 2015-04-24 09:42:02 -04:00
Joas Schilling
4334e77035 Merge pull request #15839 from owncloud/enc_fix_moving_shared_files
[encryption] fix moving files to a shared folder
2015-04-24 15:07:36 +02:00
Joas Schilling
8cefc657a1 Merge pull request #15838 from owncloud/code-checker-to-ignore-tests
Ignore test folders when checking the code for compliance
2015-04-24 14:52:40 +02:00
Joas Schilling
411f7893bf Add test "operation on keys failed" 2015-04-24 14:27:23 +02:00
Lukas Reschke
a2f9a2dc6d Merge pull request #15855 from owncloud/teardownaftercommand
Tear down FS after running trash expire
2015-04-24 13:52:55 +02:00
Joas Schilling
781cfff221 Deduplicate data provider and fix method visibility 2015-04-24 13:12:45 +02:00
Joas Schilling
1592be117a Use public interfaces for type hinting 2015-04-24 13:06:03 +02:00
Vincent Petry
18506387c0 Tear down FS after running trash expire 2015-04-24 12:09:09 +02:00
Jan-Christoph Borchardt
5b998e13d7 Merge pull request #15835 from owncloud/delete-permission-icon
Show hint if there is no delete permission
2015-04-24 11:57:47 +02:00
Bjoern Schiessle
24128d1384 only update share keys if the file was encrypted 2015-04-24 10:19:09 +02:00
Jenkins for ownCloud
33d197db29 [tx-robot] updated from transifex 2015-04-24 01:55:15 -04:00
Lukas Reschke
6fed28271b Merge pull request #15846 from owncloud/fix-missing-loading-indicator
Add missing loading indicator for enabled apps
2015-04-23 23:30:09 +02:00
blizzz
61c6d64125 Merge pull request #15826 from owncloud/issue-15804-occ-user-delete-exception
Issue 15804 occ user delete exception
2015-04-23 22:58:24 +02:00
Morris Jobke
f4bc852db3 Show hint if there is no delete permission
* add class .no-permission which shows the default delete icon
* fixes #15172
* add unit test for no permission and for delete permission
2015-04-23 21:49:59 +02:00
Morris Jobke
62bac7de91 Add missing loading indicator for enabled apps
* happened when an app gets activated, because the
  new appended HTML doesn't contain the loading
  image
* fixes #15806
2015-04-23 21:40:51 +02:00
Olivier Paroz
0729fc2fbc Remove overflow+watermark 2015-04-23 18:19:34 +02:00
Olivier Paroz
58a87d0bab Use authorization headers for better compatibility
+ add ellipsis
+ fix OC.generateUrl calls
2015-04-23 18:19:29 +02:00
Olivier Paroz
a968877a8b An idea to suggest that this is just a sample of the full text 2015-04-23 18:19:21 +02:00
Olivier Paroz
530c290555 Use webDAV to have access to HTTP byte ranges 2015-04-23 18:19:17 +02:00
Olivier Paroz
e113d67430 Cache the token value 2015-04-23 18:19:12 +02:00
Olivier Paroz
8d3f88cf16 Show a text preview instead of a bitmap preview of text
+ fix the preview height
2015-04-23 18:19:07 +02:00
Bjoern Schiessle
2646bccb83 update share keys if file gets copied 2015-04-23 17:18:48 +02:00
Bjoern Schiessle
2990b0e07e update share keys if a file is moved to a shared folder 2015-04-23 17:18:48 +02:00
Thomas Müller
b1bb6a3d36 Ignore test folders when checking the code for compliance 2015-04-23 16:59:26 +02:00
Lukas Reschke
ab9ea97d3a Catch not existing User-Agent header
In case of a not sent UA header, consider the client as valid
2015-04-23 16:33:51 +02:00
Vincent Petry
a672e9d556 Merge pull request #15814 from owncloud/public-reshare-webdav
Fix webdav access for public reshare
2015-04-23 15:28:10 +02:00
Lukas Reschke
155ae44bc6 Fix collision on temporary files + adjust permissions
This changeset hardens the temporary file and directory creation to address multiple problems that may lead to exposure of files to other users, data loss or other unexpected behaviour that is impossible to debug.

**[CWE-668: Exposure of Resource to Wrong Sphere](https://cwe.mitre.org/data/definitions/668.html)**
The temporary file and folder handling as implemented in ownCloud is performed using an MD5 hash over `time()` concatenated with `rand()`. This is insufficient and leads to the following security problems:
The generated filename could already be used by another user. It is not verified whether the file is already used and thus temporary files might be used for another user as well resulting in all possible stuff such as "user has file of other user".

Effectively this leaves us with:

1. A timestamp based on seconds (no entropy at all)
2. `rand()` which usually returns a number between 0 and 2,147,483,647

Considering the birthday paradox and that we use this method quite often (especially when handling external storage) this is quite error prone and needs to get addressed.

This behaviour has been fixed by using `tempnam` instead for single temporary files. For creating temporary directories an additional postfix will be appended, the solution is for directories still not absolutely bulletproof but the best I can think about at the moment. Improvement suggestions are welcome.

**[CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)**

Files were created using `touch()` which defaults to a permission of 0644. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is not a high-severity issue. Permissions have been adjusted to 0600.

**[CWE-379: Creation of Temporary File in Directory with Incorrect Permissions](https://cwe.mitre.org/data/definitions/379.html)**

Files were created using `mkdir()` which defaults to a permission of 0777. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is not a high-severity issue. Permissions have been adjusted to 0700.
2015-04-23 15:07:54 +02:00
Thomas Müller
d1ef96dc9b Merge pull request #15828 from owncloud/smb-1.0.1
update icewind/smb to 1.0.1
2015-04-23 14:48:25 +02:00
Thomas Müller
3b1a3cc27b Merge pull request #15831 from owncloud/enc2-unittestcleanuptmpfile
Delete temp files after testing encryption stream wrapper
2015-04-23 14:43:22 +02:00
Thomas Müller
6d3f120d23 Merge pull request #15617 from mmattel/getenv_system_check_and_warning
Checks if getenv returns proper system environment variable results
2015-04-23 14:42:58 +02:00
Thomas Müller
8997d2f0d1 Merge pull request #15830 from owncloud/enc2-ajaxstatuswhenloggedin
Only get encryption status when logged in
2015-04-23 14:41:06 +02:00
Robin Appelman
7a3a8e4032 fix subfolder reshares over webdav 2015-04-23 13:42:51 +02:00
Vincent Petry
b88d0ba0ac Delete temp files after testing encryption stream wrapper 2015-04-23 13:42:18 +02:00
Vincent Petry
cc3bc6345b Only get encryption status when logged in
This removes useless warnings in the logs.
2015-04-23 13:06:00 +02:00
Joas Schilling
cb641b4c29 Fix file names 2015-04-23 12:53:01 +02:00
Joas Schilling
cfa23e60d3 Add tests for occ user:lastseen 2015-04-23 12:41:06 +02:00