Commit graph

13 commits

Author SHA1 Message Date
Roeland Jago Douma
8eefc5c4e1 Move remaining setupchecks to new fomat 2015-08-18 14:42:57 +02:00
Jan-Christoph Borchardt
12eec397e3 Merge pull request #17975 from owncloud/settings_admin_warning_levels
Settings admin warning levels
2015-08-18 13:38:08 +02:00
Robin McCorkell
2579999373 Add setup check for reverse proxy header configuration 2015-08-10 23:28:16 +01:00
Roeland Jago Douma
8bde72c4bd All setup messages are now properly types 2015-07-30 09:57:08 +02:00
Roeland Jago Douma
5d15051da4 Allow setupchecks to specify a warning level 2015-07-30 09:57:08 +02:00
Roeland Jago Douma
72ba67815e Display warning in security & setup warnings if php version is EOL 2015-07-29 10:07:01 +02:00
Lukas Reschke
eec8d776b7 Align recommended settings
This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well.

Fixes https://github.com/owncloud/core/issues/16673
2015-06-15 10:39:25 +02:00
Lukas Reschke
bc6d17ed74 Add check for availability of /dev/urandom
Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system:

1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop
2. MTRand: chr((mt_rand() ^ mt_rand()) % 256)
3. Rand: chr((rand() ^ rand()) % 256)
4. UniqId: Plain uniqid()

An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour.

One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface.

Thanks to David Black from d1b.org for bringing this again to our attention.
2015-05-26 14:16:07 +02:00
Joas Schilling
81ec1c8a1a Remove hardcoded link to performance docs 2015-04-07 12:25:30 +02:00
Lukas Reschke
65202d2a18 Add check for activated local memcache
Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it.

Fixes https://github.com/owncloud/core/issues/14956
2015-03-28 13:59:22 +01:00
Lukas Reschke
9d1ce53cb1 Add some generic default headers as well via PHP 2015-03-26 22:32:57 +01:00
Vincent Petry
b4cfc79b5a Added missing done() calls for async tests 2015-03-03 13:59:03 +01:00
Lukas Reschke
bbd5f28415 Let users configure security headers in their Webserver
Doing this in the PHP code is not the right approach for multiple reasons:

1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.

This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
2015-03-02 19:07:46 +01:00