Commit graph

21 commits

Author SHA1 Message Date
Lukas Reschke
8133d46620 Remove dependency on ICrypto + use XOR 2015-10-21 17:33:41 +02:00
Lukas Reschke
8313a3fcb3 Add mitigation against BREACH
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
2015-08-14 01:31:32 +02:00
Lukas Reschke
886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Lukas Reschke
770fa761b8 Respect mod_unique_id and refactor OC_Request::getRequestId
When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs.

Testplan:

- [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`.
- [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string
- [ ] The generated Id is stable over the lifespan of one request

Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI.

Fixes https://github.com/owncloud/core/issues/13366
2015-02-09 11:53:11 +01:00
Morris Jobke
bf1b62a34a PHP < 5.4 is not supported anymore - see #12606 2014-12-04 11:05:45 +01:00
Morris Jobke
2c5e4b3d3f Remove last traces of travis integration 2014-12-04 10:09:13 +01:00
Lukas Reschke
048139074d Add functions to modify cookies to response class
Currently there is no AppFramework way to modify cookies, which makes it unusable for quite some use-cases or results in untestable code.

This PR adds some basic functionalities to add and invalidate cookies.

Usage:
```php
$response = new TemplateResponse(...);
$response->addCookie('foo', 'bar');
$response->invalidateCookie('foo');
$response->addCookie('bar', 'foo', new \DateTime('2015-01-01 00:00'));
```

Existing cookies can be accessed with the AppFramework using `$this->request->getCookie($name)`.
2014-11-27 14:19:00 +01:00
Joas Schilling
6202ca33ba Make remaining files extend the test base 2014-11-19 14:53:59 +01:00
Bernhard Posselt
0696099bad add dataresponse
fix docstrings

adjust copyright date

another copyright date update

another header update

implement third headers argument, fix indention, fix docstrings

fix docstrings
2014-10-29 09:43:47 +01:00
Morris Jobke
e717833b07 mark tests as skipped - TODO travis
* swift causes some timeouts and test failures
2014-08-05 18:35:47 +02:00
Bernhard Posselt
a152e320f6 make it possible to omit parameters and use the default parameters from the controller method 2014-05-13 10:40:49 +02:00
Bernhard Posselt
1d45239c65 adjust license headers to new mail address 2014-05-11 17:54:08 +02:00
Bernhard Posselt
cb666c18d6 rename formatter to responder, formatResponse to buildResponse 2014-05-11 17:54:08 +02:00
Bernhard Posselt
d8da79cab0 add test for not failing when adding more comments after type parameters, do not limit x-www-form-urlencoded to POST 2014-05-11 17:54:08 +02:00
Bernhard Posselt
80648da431 implement most of the basic stuff that was suggested in #8290 2014-05-11 17:54:08 +02:00
Scrutinizer Auto-Fixer
adaee6a5a1 Scrutinizer Auto-Fixes
This patch was automatically generated as part of the following inspection:
https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720

Enabled analysis tools:
 - PHP Analyzer
 - JSHint
 - PHP Copy/Paste Detector
 - PHP PDepend
2014-02-19 09:31:54 +01:00
Thomas Tanghus
ad017285e1 Fix namespace for OCP\Appframework\Http
To avoid having to use OCP\Appframework\Http\Http in the public - and stable
- API OCP\Appframework\Http is now both a class and a namespace.
2013-10-23 05:57:34 +02:00
Thomas Tanghus
d75d80ba13 OCP\AppFramework\Controller\Controller => OCP\AppFramework\Controller 2013-10-11 10:07:57 +02:00
Thomas Müller
1e5012fc1d fixing all appframework unit tests 2013-10-07 11:25:50 +02:00
Thomas Müller
33db8a3089 kill superfluent classloader from tests - this approach might be of interest within the apps 2013-08-21 00:41:20 +02:00
Thomas Müller
fde9cabe97 initial import of appframework 2013-08-17 11:16:48 +02:00