Commit graph

24549 commits

Author SHA1 Message Date
Joas Schilling
8f61fbb81f Fix new tests 2015-04-27 11:10:31 +02:00
Joas Schilling
a4c314622a Use interface 2015-04-27 11:03:51 +02:00
Joas Schilling
e4977841b4 Add unit tests for the commands 2015-04-27 11:03:51 +02:00
Joas Schilling
5855d23ff9 Make methods explicit public 2015-04-27 11:03:51 +02:00
Joas Schilling
d600955a51 Make getDefaultModuleId public and get module protected 2015-04-27 11:03:51 +02:00
Joas Schilling
4e97228cde Deduplicate module mock 2015-04-27 11:03:51 +02:00
Joas Schilling
4b7ae395f2 Add test for setDefaultEncryptionModule 2015-04-27 11:03:51 +02:00
Joas Schilling
b35379515c Add a test that the default module is returned before we fall back 2015-04-27 11:03:50 +02:00
Joas Schilling
f6d4bdb1fd Add occ commands to manage the encryption modules 2015-04-27 11:03:50 +02:00
Joas Schilling
a09df6d453 Verify that the encryption module exists before setting it 2015-04-27 11:03:50 +02:00
Jenkins for ownCloud
e58029f8ad [tx-robot] updated from transifex 2015-04-27 01:54:46 -04:00
Jenkins for ownCloud
37adf6df01 [tx-robot] updated from transifex 2015-04-26 01:54:49 -04:00
Lukas Reschke
4dfdaf741c Merge pull request #15834 from owncloud/make-temporary-file-really-unique
Fix collision on temporary files + adjust permissions
2015-04-25 23:18:26 +02:00
Jenkins for ownCloud
7855174879 [tx-robot] updated from transifex 2015-04-25 01:55:13 -04:00
Lukas Reschke
b9df932e3c Merge pull request #15683 from owncloud/block-legacy-clients
Block old legacy clients
2015-04-24 18:21:10 +02:00
Vincent Petry
f63a0c99a4 Merge pull request #15774 from owncloud/jknockaert-patch-1
fix encryption header error
2015-04-24 17:24:32 +02:00
Bjoern Schiessle
9a5783b284 fix unit tests 2015-04-24 16:47:27 +02:00
jknockaert
4554df2512 enable testWriteWriteRead 2015-04-24 16:44:00 +02:00
jknockaert
18a1225b0c enable testRewind 2015-04-24 16:44:00 +02:00
jknockaert
49df8ef525 Update encryption.php 2015-04-24 16:44:00 +02:00
jknockaert
27ea23ea6b Update encryption.php 2015-04-24 16:44:00 +02:00
jknockaert
d6841aa706 disable r+ test 2015-04-24 16:44:00 +02:00
jknockaert
238302ee7d fixed name 2015-04-24 16:44:00 +02:00
jknockaert
7a34f75da6 add two tests
testRewind tests reading and writing after rewind on an encrypted stream; testWriteWriteRead tests r+ mode
2015-04-24 16:44:00 +02:00
jknockaert
1756562501 Update encryption.php 2015-04-24 16:44:00 +02:00
jknockaert
735f6cc037 fix encryption header error
When moving back the pointer to position 0 (using stream_seek), the pointer on the encrypted stream will be moved to the position immediately after the header. Reading the header again (invoked by stream_read) will cause an error, writing the header again (invoked by stream_write) will corrupt the file. Reading/writing the header should therefore happen when opening the file rather than upon read or write. Note that a side-effect of this PR is that empty files will still get an encryption header; I think that is OK, but it is different from how it was originally implemented.
2015-04-24 16:43:16 +02:00
Joas Schilling
4334e77035 Merge pull request #15839 from owncloud/enc_fix_moving_shared_files
[encryption] fix moving files to a shared folder
2015-04-24 15:07:36 +02:00
Joas Schilling
8cefc657a1 Merge pull request #15838 from owncloud/code-checker-to-ignore-tests
Ignore test folders when checking the code for compliance
2015-04-24 14:52:40 +02:00
Joas Schilling
411f7893bf Add test "operation on keys failed" 2015-04-24 14:27:23 +02:00
Lukas Reschke
a2f9a2dc6d Merge pull request #15855 from owncloud/teardownaftercommand
Tear down FS after running trash expire
2015-04-24 13:52:55 +02:00
Joas Schilling
781cfff221 Deduplicate data provider and fix method visibility 2015-04-24 13:12:45 +02:00
Joas Schilling
1592be117a Use public interfaces for type hinting 2015-04-24 13:06:03 +02:00
Vincent Petry
18506387c0 Tear down FS after running trash expire 2015-04-24 12:09:09 +02:00
Jan-Christoph Borchardt
5b998e13d7 Merge pull request #15835 from owncloud/delete-permission-icon
Show hint if there is no delete permission
2015-04-24 11:57:47 +02:00
Bjoern Schiessle
24128d1384 only update share keys if the file was encrypted 2015-04-24 10:19:09 +02:00
Jenkins for ownCloud
33d197db29 [tx-robot] updated from transifex 2015-04-24 01:55:15 -04:00
Lukas Reschke
6fed28271b Merge pull request #15846 from owncloud/fix-missing-loading-indicator
Add missing loading indicator for enabled apps
2015-04-23 23:30:09 +02:00
blizzz
61c6d64125 Merge pull request #15826 from owncloud/issue-15804-occ-user-delete-exception
Issue 15804 occ user delete exception
2015-04-23 22:58:24 +02:00
Morris Jobke
f4bc852db3 Show hint if there is no delete permission
* add class .no-permission which shows the default delete icon
* fixes #15172
* add unit test for no permission and for delete permission
2015-04-23 21:49:59 +02:00
Morris Jobke
62bac7de91 Add missing loading indicator for enabled apps
* happened when an app gets activated, because the
  new appended HTML doesn't contain the loading
  image
* fixes #15806
2015-04-23 21:40:51 +02:00
Bjoern Schiessle
2646bccb83 update share keys if file gets copied 2015-04-23 17:18:48 +02:00
Bjoern Schiessle
2990b0e07e update share keys if a file is moved to a shared folder 2015-04-23 17:18:48 +02:00
Thomas Müller
b1bb6a3d36 Ignore test folders when checking the code for compliance 2015-04-23 16:59:26 +02:00
Lukas Reschke
ab9ea97d3a Catch not existing User-Agent header
In case of an not sent UA header consider the client as valid
2015-04-23 16:33:51 +02:00
Vincent Petry
a672e9d556 Merge pull request #15814 from owncloud/public-reshare-webdav
Fix webdav access for public reshare
2015-04-23 15:28:10 +02:00
Lukas Reschke
155ae44bc6 Fix collision on temporary files + adjust permissions
This changeset hardens the temporary file and directory creation to address multiple problems that may lead to exposure of files to other users, data loss or other unexpected behaviour that is impossible to debug.

**[CWE-668: Exposure of Resource to Wrong Sphere](https://cwe.mitre.org/data/definitions/668.html)**
The temporary file and folder handling as implemented in ownCloud is performed using a MD5 hash over `time()` concatenated with `rand()`. This is insufficiently and leads to the following security problems:
The generated filename could already be used by another user. It is not verified whether the file is already used and thus temporary files might be used for another user as well resulting in all possible stuff such as "user has file of other user".

Effectively this leaves us with:

1. A timestamp based on seconds (no entropy at all)
2. `rand()` which returns usually a number between 0 and 2,147,483,647

Considering the birthday paradox and that we use this method quite often (especially when handling external storage) this is quite error prone and needs to get addressed.

This behaviour has been fixed by using `tempnam` instead for single temporary files. For creating temporary directories an additional postfix will be appended, the solution is for directories still not absolutely bulletproof but the best I can think about at the moment. Improvement suggestions are welcome.

**[CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)**

Files were created using `touch()` which defaults to a permission of 0644. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is no a high severe issue. Permissions have been adjusted to 0600.

**[CWE-379: Creation of Temporary File in Directory with Incorrect Permissions](https://cwe.mitre.org/data/definitions/379.html)**

Files were created using `mkdir()` which defaults to a permission of 0777. Thus other users on the machine may read potentially sensitive information as `/tmp/` is world-readable. However, ownCloud always encourages users to use a dedicated machine to run the ownCloud instance and thus this is no a high severe issue. Permissions have been adjusted to 0700.Please enter the commit message for your changes.
2015-04-23 15:07:54 +02:00
Thomas Müller
d1ef96dc9b Merge pull request #15828 from owncloud/smb-1.0.1
update icewind/smb to 1.0.1
2015-04-23 14:48:25 +02:00
Thomas Müller
3b1a3cc27b Merge pull request #15831 from owncloud/enc2-unittestcleanuptmpfile
Delete temp files after testing encryption stream wrapper
2015-04-23 14:43:22 +02:00
Thomas Müller
6d3f120d23 Merge pull request #15617 from mmattel/getenv_system_check_and_warning
Checks if getenv returns proper system environment variable results
2015-04-23 14:42:58 +02:00
Thomas Müller
8997d2f0d1 Merge pull request #15830 from owncloud/enc2-ajaxstatuswhenloggedin
Only get encryption status when logged in
2015-04-23 14:41:06 +02:00