Commit graph

155 commits

Author SHA1 Message Date
Lukas Reschke
bbd5f28415 Let users configure security headers in their Webserver
Doing this in the PHP code is not the right approach for multiple reasons:

1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.

This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
2015-03-02 19:07:46 +01:00
Morris Jobke
06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Robin McCorkell
695f43a1ed Merge pull request #10735 from owncloud/use_remote_addr
Use getRemoteAddress which supports reverse proxies
2015-02-25 13:24:39 +00:00
Lukas Reschke
276824299c Merge pull request #13340 from owncloud/use-http-only
Use "HTTPOnly" for cookies when logging out
2015-02-24 13:50:49 +01:00
Lukas Reschke
165afb004b Use getRemoteAddress which supports reverse proxies
Breaking change for 8.1 wiki (Security > Administrators):

The log format for failed logins has changed and uses now the remote address and is considering reverse proxies for such scenarios when configured correctly.
2015-02-24 11:49:40 +01:00
Jenkins for ownCloud
6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
Robin Appelman
8eda661761 Throw an exception when login is canceled by an app 2015-01-22 14:13:17 +01:00
Lukas Reschke
a2e355a7fe Use "HTTPOnly" for cookies when logging out
This has no other reason than preventing some insane automated scanners from reporting this as security bug (which it obviously isn't as the cookie contains nothing of value)

Thus it generally results in an happier Lukas and hopefully less reports to our support and security mail addresses...
2015-01-14 11:20:53 +01:00
Robin Appelman
857695ec87 Return false if the login is canceled in a hook 2015-01-13 13:25:20 +01:00
Morris Jobke
5d296aa6b1 Merge pull request #12969 from owncloud/clarify-docs
Clarify return values
2014-12-22 10:01:39 +01:00
Lukas Reschke
f671b232cc Merge pull request #12923 from owncloud/ultra-slim-version-of-incognito-mode
Add ultra-slim hack for incognito mode
2014-12-19 14:54:11 +01:00
Lukas Reschke
dbbf568192 Fix typo 2014-12-19 14:36:00 +01:00
Lukas Reschke
a022e65285 Clarify return values
This function returns `null` when no user is logged-in.
2014-12-19 14:17:40 +01:00
Morris Jobke
6da33e1ea7 introduce names for user backends - IUserBackend
* LDAP with multiple servers also proved backendName
2014-12-19 10:17:17 +01:00
Robin McCorkell
619dcae7af Merge pull request #12901 from owncloud/move-ldap-check-to-manager
Move the Null-Byte LDAP check to the user manager
2014-12-18 00:28:00 +00:00
Lukas Reschke
e3230b5bc2 Add ultra-slim hack for incognito mode
As discussed at https://github.com/owncloud/core/pull/12912#issuecomment-67391155
2014-12-17 21:53:43 +01:00
Bernhard Posselt
236632702c add a isLoggedIn method to the usersession and deprecate the isLoggedIn method on the api 2014-12-17 17:40:52 +01:00
Lukas Reschke
f6820406b6 Move the Null-Byte LDAP check to the user manager
The existing method is deprecated and just a wrapper around the manager method. Since in the future other code paths might call this function instead we need to perform that check here.

Related to http://owncloud.org/security/advisory/?id=oc-sa-2014-020
2014-12-17 12:47:00 +01:00
Lukas Reschke
d0716d2c7d Use public interface 2014-12-11 12:29:58 +01:00
Lukas Reschke
5dc6406b70 Add filter for 'backend' to user REST route
This adds a "backend" type filter to the index REST route which is a pre-requisite for https://github.com/owncloud/core/issues/12620

For example when calling `index.php/settings/users/users?offset=0&limit=10&gid=&pattern=&backend=OC_User_Database` only users within the backend `OC_User_Database` would be shown. (requires sending a CSRF token as well)

Depends upon https://github.com/owncloud/core/pull/12711
2014-12-10 12:07:34 +01:00
Lukas Reschke
5398bbdc00 Merge pull request #12711 from owncloud/add-backend-to-rest-index
Expose backend type via REST API
2014-12-10 11:56:45 +01:00
Lukas Reschke
4c13918bd8 Expose backend type via REST API
This change will expose the user backend via the REST API which is a pre-requisite for https://github.com/owncloud/core/issues/12620.

For example:
````json
[{"name":"9707A09E-CA9A-4ABE-A66A-3F632F16C409","displayname":"Document Conversion User Account","groups":[],"subadmin":[],"quota":"default","storageLocation":"\/Users\/lreschke\/Programming\/core\/data\/9707A09E-CA9A-4ABE-A66A-3F632F16C409","lastLogin":0,"backend":"OCA\\user_ldap\\USER_LDAP"},{"name":"ED86733E-745C-4E4D-90CB-278A9737DB3C","displayname":"Hacker","groups":[],"subadmin":[],"quota":"default","storageLocation":"\/Users\/lreschke\/Programming\/core\/data\/ED86733E-745C-4E4D-90CB-278A9737DB3C","lastLogin":0,"backend":"OCA\\user_ldap\\USER_LDAP"},{"name":"71CDF45B-E125-450D-983C-D9192F36EC88","displayname":"admin","groups":[],"subadmin":[],"quota":"default","storageLocation":"\/Users\/lreschke\/Programming\/core\/data\/71CDF45B-E125-450D-983C-D9192F36EC88","lastLogin":0,"backend":"OCA\\user_ldap\\USER_LDAP"},{"name":"admin","displayname":"admin","groups":["admin"],"subadmin":[],"quota":"default","storageLocation":"\/Users\/lreschke\/Programming\/core\/data\/admin","lastLogin":"1418057287","backend":"OC_User_Database"},{"name":"test","displayname":"test","groups":[],"subadmin":[],"quota":"default","storageLocation":"\/Users\/lreschke\/Programming\/core\/data\/test","lastLogin":0,"backend":"OC_User_Database"}]
```
2014-12-09 12:04:19 +01:00
Morris Jobke
0d4f0ab871 reduce OC_Preferences, OC_Config and \OCP\Config usage
* files_encryption
* files_versions
* files_trashbin
* tests
* status.php
* core
* server container
2014-12-08 22:42:37 +01:00
Morris Jobke
a9e411e076 migrate \OC\AllConfig to \OCP\IConfig 2014-12-08 22:29:43 +01:00
Lukas Reschke
fe7d9a7ca0 Add REST route for user & group management
First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future.
2014-12-08 12:11:01 +01:00
Joas Schilling
0ed86c0993 Move OC_USER_BACKEND_* constants to OC_User_Backend class 2014-11-27 13:47:32 +01:00
Thomas Müller
5097d4dc05 remove deprecated \OC:$session 2014-11-26 15:32:47 +01:00
michag86
7e70c4ee95 removal of wrong/double implemented check
Check already implemented in core/settings/ajax/changedisplayname.php
2014-11-13 13:02:02 +01:00
Lukas Reschke
d383c45c13 Merge pull request #12003 from owncloud/password-migration
Use new hashing API for OC_User_Database
2014-11-06 22:43:57 +01:00
Robin Appelman
c21d1da01a Support displaynames for dummy user backend 2014-11-06 18:31:40 +01:00
Lukas Reschke
c4d7483a0a Use new hashing API for OC_User_Database
This will use the new Hashing API for OC_User_Database and migrate old passwords upon initial login of the user.
2014-11-06 15:42:06 +01:00
Robin Appelman
1eefc21329 Remove confusingly names \OC\User\Manager::delete and fix the automatic cache cleanup instead 2014-11-05 15:45:58 +01:00
Lukas Reschke
770c62c5d8 Clear session after logout
Fixes https://github.com/owncloud/core/issues/8420
2014-10-30 12:10:39 +01:00
Bjoern Schiessle
239bff5766 strip whitespace from the beginning and end of the display name to avoid empty display names 2014-10-15 14:54:35 +02:00
Robin Appelman
912fbfab01 Unset the cached active user when using a different session object 2014-10-13 13:11:48 +02:00
Lukas Reschke
3da6b3b533 Merge pull request #11229 from kofemann/for-upstream
user/backed: use pow of two for backed action constants
2014-09-24 15:19:11 +02:00
Tigran Mkrtchyan
276f50a1ba user/backed: use pow of two for backed action constants
the current implementation limits number of possible backed actions
to 8 as it uses pow of 16 for constants. This change introduces pow
of two and allows up-to 32 actions to be defined.

The old values are preserved for backward compatibility.
2014-09-23 15:18:01 +02:00
Lukas Reschke
6eeb905871 Do only follow HTTP and HTTPS redirects
We do not want to follow redirects to other protocols since they might allow an adversary to bypass network restrictions. (i.e. a redirect to ftp:// might be used to access files of a FTP server which might be in a secure zone and not be reachable from the net but from the ownCloud server)

Get final redirect manually using get_headers()

Migrate to HTTPHelper class and add unit tests
2014-09-22 20:02:32 +02:00
Lukas Reschke
63a90a129b Use proper RNG generator
OC_Util::generateRandomBytes() only returns lowercase alphanumeric values.
We should use the new RNG which has a broader characterset.
2014-09-03 17:46:48 +02:00
Robin Appelman
d0266c0bf8 Use public api for getting l10n 2014-08-31 10:08:22 +02:00
Arthur Schiwon
0bb460c9b5 retrieve local users, groups and group members in a sorted way 2014-08-29 15:17:37 +02:00
Jörn Friedrich Dreyer
f551917a3c kill OC::$session
maintain deprecated \OC::$session when getting or setting the session via the server container or UserSession

restore order os OC::$session and OC::$CLI

remove unneded initialization of dummy session

write back session when $useCustomSession is true

log warning when deprecated app is used
2014-08-29 10:22:21 +02:00
Lukas Reschke
a82cd1ff67 Fix unit test 2014-08-15 14:15:27 +02:00
Lukas Reschke
5bb4772858 Move authentication failed logging to checkPassword
Fixes https://github.com/owncloud/core/issues/10366
2014-08-15 12:13:00 +02:00
Thomas Müller
a72dae6842 Merge pull request #10144 from owncloud/issue/9972
Issue/9972 Fix issues with group and username `0`
2014-08-06 09:53:13 +02:00
Joas Schilling
4865c52aa6 Fix isLoggedIn() check for user '0'
Fix #9972
2014-08-04 15:53:55 +02:00
Thomas Müller
a8b6cc6a07 - adding default value for $recoveryPassword
- set password correctly in lost password
2014-07-24 12:50:39 +02:00
Robin Appelman
20c1ce7f47 Add public interfaces for User, UserManager and UserSession 2014-07-14 15:10:51 +02:00
Arthur Schiwon
16275eca84 loop over usernames, not passwords 2014-06-30 20:43:50 +02:00
Arthur Schiwon
f3ecf819ec extend Dummy user and group implementation to pass tests 2014-06-25 13:13:53 +02:00
Arthur Schiwon
01a012980a search term for users and groups may occur anywhere in the name or displayname, not just in the beginning 2014-06-23 12:03:09 +02:00
Arthur Schiwon
4a4ea67a31 drop superflous statement in phpdoc 2014-05-26 13:56:08 +02:00
Arthur Schiwon
748a219243 add preRememberedLogin hook and document this and postRememberedLogin in class descripttion. Also fixes documentation of postLogin hook 2014-05-26 13:53:26 +02:00
Arthur Schiwon
2e85d5a852 increase scrutinizer happyiness by removing minor/informational issues 2014-05-23 11:20:46 +02:00
Arthur Schiwon
2c89962919 clean up tryRememberLogin and save the timestamp of users last login 2014-05-21 18:03:37 +02:00
Morris Jobke
dc36d30953 Remove all occurences of @brief and @returns from PHPDoc
* test case added to avoid adding them later
2014-05-19 17:50:53 +02:00
Morris Jobke
804020bb6d Merge pull request #7363 from owncloud/optimize-startup-queries
Optimize some queries that are always executed when loading base.php
2014-05-19 01:21:37 +02:00
Robin McCorkell
bac8962bbc Fix Scrutinizer errors 2014-05-13 19:08:14 +01:00
Robin McCorkell
8ab01599a9 Use OC_User_Interface instead of OC_User_Backend 2014-05-13 19:08:14 +01:00
Robin McCorkell
87b548ed91 Fix all PHPDoc types and variable names, in /lib 2014-05-13 19:08:14 +01:00
Robin McCorkell
a7ae2e874a Squash 'a | b' into 'a|b', in /lib 2014-05-13 19:08:14 +01:00
Robin McCorkell
b5bc37d2e4 Fix @return array PHPDocs, in /lib 2014-05-13 19:08:14 +01:00
Robin McCorkell
b653ad164b Replace @returns with @return, in /lib 2014-05-13 19:08:14 +01:00
Bart Visscher
f569c721a6 Merge branch 'master' into optimize-startup-queries
Conflicts:
	apps/files_sharing/lib/sharedstorage.php
	tests/lib/group/manager.php

removed hasFilesSharedWith from lib/public/share.php and
sharedstorage.php to fix merge
2014-05-07 17:54:38 +02:00
Lukas Reschke
c4109d9aef Use strict type comparison
We certainly don't want to have type juggling on that.
2014-05-07 15:11:42 +02:00
Arthur Schiwon
45e42c25de Group Database backend must not gather user details itself but ask user
backends. This is a port to master from PR #7745

remove OC_GROUP_BACKEND_GET_DISPLAYNAME option for group backends

Conflicts:
	lib/private/group/backend.php

LDAP: getDisplayNamesInGroup is not an option for group backends anymore

Conflicts:
	apps/user_ldap/group_ldap.php
	apps/user_ldap/group_proxy.php

clean up group backends

Conflicts:
	lib/private/group/database.php

remove now unnecessary test

implement getDisplayNames in group manager

adjust user manager tests

test for group manager's displayNamesInGroup

trim must not be used in empty in PHP < 5.5

keep the constant to not provoke PHP warnings

Conflicts:
	lib/private/group/backend.php
2014-04-28 13:49:56 +02:00
Thomas Müller
535e6ff71f Merge pull request #7617 from nishiki/cache_user
Cache user
2014-04-23 12:32:30 +02:00
Morris Jobke
707658c00a Merge pull request #8205 from owncloud/fix-8202
Add one more LOWER.
2014-04-17 16:10:33 +02:00
Arthur Schiwon
64679b2e62 Remove limit and offset manipulation when getting users or groups, because it does not work when more than one user or group backend. Fixing it would be too costly performancewise, so we switch back to the model used in OC 5: limit and offset are effective per backend, and not a general constraint 2014-04-15 17:46:48 +02:00
Victor Dubiniuk
91d40f5033 remove unneeded LOWER. Fixes #8202 2014-04-14 22:19:21 +03:00
Volkan Gezer
a4f42676ea Make hardcoded exception messages translatable 2014-04-08 20:07:25 +02:00
adrien
0da61a26ee remove cache all user 2014-03-21 15:50:25 +01:00
adrien
ea6f8ba352 fix remove cache when delete 2014-03-11 16:58:10 +01:00
adrien
f827761e71 remove static variable, add limit and offset 2014-03-11 11:56:46 +01:00
adrien
415b1d03bc fix cache when remove an user 2014-03-10 17:27:51 +01:00
nishiki
ba9d8f7c1a fix undifined uid 2014-03-09 12:47:19 +01:00
nishiki
75011c2e09 add query result (boolean) for update or delete 2014-03-09 12:22:47 +01:00
nishiki
d8843f6cd3 minor clean code 2014-03-09 12:01:35 +01:00
adrien
fbde24c89a fix undefined in loadUsers 2014-03-07 08:46:34 +01:00
adrien
5cdfc56867 update the cache when add user 2014-03-06 22:34:43 +01:00
adrien
dde4f2f917 upgrade the cache user 2014-03-06 22:23:17 +01:00
adrien
08a46e3080 add cache for single users 2014-03-06 17:57:09 +01:00
Bart Visscher
f4f72e77d8 Delay fetching the display name until it is requested 2014-02-21 23:07:35 +01:00
Lukas Reschke
f7fa8662e2 Remove session_id_regenerate from here
Jenkins somewhat complains that there are already sent headers.
2014-02-21 08:12:45 +01:00
Lukas Reschke
0241ddc759 Merge pull request #6519 from nhirokinet/master
Security Update: session fixation
2014-02-20 14:28:26 +01:00
Scrutinizer Auto-Fixer
adaee6a5a1 Scrutinizer Auto-Fixes
This patch was automatically generated as part of the following inspection:
https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720

Enabled analysis tools:
 - PHP Analyzer
 - JSHint
 - PHP Copy/Paste Detector
 - PHP PDepend
2014-02-19 09:31:54 +01:00
Jörn Friedrich Dreyer
2a6a9a8cef polish documentation based on scrutinizer patches 2014-02-06 17:02:21 +01:00
Thomas Müller
9b7c3a5c66 fixing PHPDoc and use cameCase names 2014-01-09 10:27:47 +01:00
Arthur Schiwon
4585b4ea3f Infowarning about 32bit 2014-01-08 19:41:10 +01:00
Arthur Schiwon
d7cb5ab080 add tests for user counting 2014-01-08 13:26:48 +01:00
Arthur Schiwon
cb6a3e2617 if backends have the same class name, sum their users up instead of overwriting 2014-01-08 13:24:28 +01:00
Arthur Schiwon
1e1ced7772 Introduce user count action to user management 2014-01-07 23:05:37 +01:00
NARUKAWA Hiroki
068688063e Security Update: session fixation
Previous version is vulnerable to session fixation attack in some situations, guessing non-apache-module-php5 environment. Regeneration of session id should be done here.
2013-12-20 03:38:51 +09:00
Robin Appelman
e7a5c90cab Replace static usage of OC_Config and OC_Preferences with the injected \OC\ConfigAll 2013-12-18 13:03:19 +01:00
Robin Appelman
a6c1b3ece3 fix the config option to remove the ability for users to set their displayname 2013-12-18 13:03:19 +01:00
Arthur Schiwon
91d6a6dd7c On webdav sesssions, loginname was compared to username which does not need to match necessarily 2013-12-13 16:58:03 +01:00
Robin Appelman
f23b7a262f fix fallback overwriting result of getHome 2013-12-12 12:57:25 +01:00
Robin Appelman
366d75e947 cache the home folder of a User 2013-12-11 16:22:26 +01:00
Arthur Schiwon
8ccac86c98 Enable user backends to provide avatar images 2013-11-22 13:25:20 +01:00
Vincent Petry
013444813e Now removing stray old cookies from 5.0.12
Cookies from 5.0.12 seemed to have an extra slash in the path.
Firefox doesn't allow to remove them if the trailing slash isn't
there,
thus making it impossible to logout correctly.

This fix adds extra code to delete such stray cookies.

Ported from stable5 branch 99e5c6f7eb
2013-11-07 18:49:50 +01:00