Commit graph

23 commits

Author SHA1 Message Date
Lukas Reschke
8133d46620 Remove dependency on ICrypto + use XOR 2015-10-21 17:33:41 +02:00
Thomas Müller
020bb33150 Merge pull request #19034 from owncloud/http-request-warning
Prevent warning decoding content
2015-10-08 21:51:47 +02:00
Lukas Reschke
80a232da6a Add \OCP\IRequest::getHttpProtocol
Only allow valid HTTP protocols.

Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119
2015-10-06 14:18:46 +02:00
Robin McCorkell
ebe9bea709 Unit test for preventing warning decoding content 2015-09-23 14:16:41 +01:00
Jörn Friedrich Dreyer
ca8d589f27 use assertSame, add failing case 2015-09-23 12:31:45 +02:00
Lukas Reschke
8313a3fcb3 Add mitigation against BREACH
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
2015-08-14 01:31:32 +02:00
Lukas Reschke
4efa7c09b1 Use StringUtils::equals on CSRF token and add unit tests 2015-08-04 18:34:33 +02:00
Thomas Müller
bd71540c8a Fixing 'Undefined index: REMOTE_ADDR' - fixes #17460 2015-07-16 16:40:57 +02:00
Lukas Reschke
4d23e06097 Fix undefined offset
There are cases where no trusted host is specified such as when installing the instance, this lead to an undefined offset warning in the log right after installing. (when another domain than localhost or 127.0.0.1 was used)
2015-06-22 12:28:07 +02:00
Joas Schilling
d3e3a84cae Move the helpful method to the TestCase class 2015-06-03 12:33:29 +02:00
Lukas Reschke
1c6eae9017 Get the real protocol behind several proxies
X-Forwarded-Proto contains a list of protocols if ownCloud is behind multiple reverse proxies.

This is a revival of https://github.com/owncloud/core/pull/11157 using the new IRequest public API.
2015-02-24 12:24:55 +01:00
Lukas Reschke
886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Lukas Reschke
770fa761b8 Respect mod_unique_id and refactor OC_Request::getRequestId
When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs.

Testplan:

- [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`.
- [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string
- [ ] The generated Id is stable over the lifespan of one request

Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI.

Fixes https://github.com/owncloud/core/issues/13366
2015-02-09 11:53:11 +01:00
Bernhard Posselt
bb0c88a577 always set url parameters when they are available in the app dispatch
prefer url parameters passed into the main method. If they are not present, use the containers urlParameters

add space
2015-01-15 15:22:52 +01:00
Joas Schilling
6202ca33ba Make remaining files extend the test base 2014-11-19 14:53:59 +01:00
Bernhard Posselt
62cce982bb default to GET request when no method is set to fix unittests, also set parsed json parameters on the post attribute 2014-04-12 16:17:49 +02:00
Thomas Tanghus
aedc427ffd Fix fix of POST :P 2013-10-03 03:56:37 +02:00
Thomas Tanghus
965ce5719f Modified PUT behaviour
Now only non-parable PUT requests return a stream resource.
2013-10-02 22:13:40 +02:00
Thomas Tanghus
7cd8088845 Add assertions for ->params and array access with json 2013-10-01 20:15:03 +02:00
Thomas Tanghus
973bcccd7c Implement PUT an PATCH support 2013-10-01 20:13:13 +02:00
Thomas Tanghus
bdad7697ac Check if accessor matched request method.
It's easier to find errors in the code if an exception is thrown.
2013-10-01 20:13:13 +02:00
Thomas Müller
33db8a3089 kill superfluent classloader from tests - this approach might be of interest within the apps 2013-08-21 00:41:20 +02:00
Thomas Müller
fde9cabe97 initial import of appframework 2013-08-17 11:16:48 +02:00