Commit graph

23 commits

Author SHA1 Message Date
Lukas Reschke
8133d46620 Remove dependency on ICrypto + use XOR 2015-10-21 17:33:41 +02:00
Lukas Reschke
e735a9915c Add blob: scheme to default CSP policy
Fixes https://github.com/owncloud/core/issues/19438
2015-09-29 14:27:35 +02:00
Lukas Reschke
8313a3fcb3 Add mitigation against BREACH
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
2015-08-14 01:31:32 +02:00
sualko
5590d64612 add more unit tests for data: as allowed image domain 2015-08-10 12:42:42 +02:00
Clark Tomlinson
8d09cc3b91 Merge pull request #13989 from owncloud/enhancment/security/11857
Allow AppFramework applications to specify a custom CSP header
2015-02-18 10:27:29 -05:00
Lukas Reschke
886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Lukas Reschke
b20174bdad Allow AppFramework applications to specify a custom CSP header
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.

Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```

Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925
2015-02-16 11:00:41 +01:00
Lukas Reschke
770fa761b8 Respect mod_unique_id and refactor OC_Request::getRequestId
When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs.

Testplan:

- [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`.
- [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string
- [ ] The generated Id is stable over the lifespan of one request

Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI.

Fixes https://github.com/owncloud/core/issues/13366
2015-02-09 11:53:11 +01:00
Lukas Reschke
d2e8358da2 Fix unit test 2014-12-04 15:54:32 +01:00
Joas Schilling
6202ca33ba Make remaining files extend the test base 2014-11-19 14:53:59 +01:00
Bernhard Posselt
0696099bad add dataresponse
fix docstrings

adjust copyright date

another copyright date update

another header update

implement third headers argument, fix indention, fix docstrings

fix docstrings
2014-10-29 09:43:47 +01:00
Bernhard Posselt
93169eca1e also handle lowercase headers 2014-06-11 01:20:09 +02:00
Bernhard Posselt
1002281dae handle http accept headers more gracefully 2014-06-11 00:54:25 +02:00
Bernhard Posselt
587a8df566 remove controller serializers 2014-06-05 18:00:36 +02:00
Bernhard Posselt
1d45239c65 adjust license headers to new mail address 2014-05-11 17:54:08 +02:00
Bernhard Posselt
cb666c18d6 rename formatter to responder, formatResponse to buildResponse 2014-05-11 17:54:08 +02:00
Bernhard Posselt
80648da431 implement most of the basic stuff that was suggested in #8290 2014-05-11 17:54:08 +02:00
Bernhard Posselt
9a4d204b55 add cors middleware
remove methodannotationreader namespace

fix namespace for server container

fix tests

fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request

remove uneeded  local in cors middleware registratio

dont uppercase cors to easily use it from routes

fix indention

comment fixes

explicitely set allow credentials header to false

dont depend on better controllers PR, fix that stuff later

split cors methods to be in a seperate controller for exposing apis

remove protected definitions from apicontroller since controller has it
2014-05-09 23:34:41 +02:00
Thomas Tanghus
d75d80ba13 OCP\AppFramework\Controller\Controller => OCP\AppFramework\Controller 2013-10-11 10:07:57 +02:00
Thomas Müller
1e5012fc1d fixing all appframework unit tests 2013-10-07 11:25:50 +02:00
Thomas Tanghus
8b4f4a79e2 Still some session leftovers. 2013-09-17 19:46:08 +02:00
Thomas Müller
33db8a3089 kill superfluent classloader from tests - this approach might be of interest within the apps 2013-08-21 00:41:20 +02:00
Thomas Müller
fde9cabe97 initial import of appframework 2013-08-17 11:16:48 +02:00