Commit graph

140 commits

Author SHA1 Message Date
Thomas Müller
020bb33150 Merge pull request #19034 from owncloud/http-request-warning
Prevent warning decoding content
2015-10-08 21:51:47 +02:00
Lukas Reschke
80a232da6a Add \OCP\IRequest::getHttpProtocol
Only allow valid HTTP protocols.

Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119
2015-10-06 14:18:46 +02:00
Thomas Müller
ff75652cb7 Merge pull request #19299 from owncloud/fixgetRawPathInfo
Fix get raw path info, always return a string
2015-09-30 22:17:02 +02:00
Lukas Reschke
e735a9915c Add blob: scheme to default CSP policy
Fixes https://github.com/owncloud/core/issues/19438
2015-09-29 14:27:35 +02:00
Robin McCorkell
ebe9bea709 Unit test for preventing warning decoding content 2015-09-23 14:16:41 +01:00
Jörn Friedrich Dreyer
ca8d589f27 use assertSame, add failing case 2015-09-23 12:31:45 +02:00
Lukas Reschke
0943781ccf Rename data provider to avoid risky test warning
```
06:49:56 There was 1 risky test:
06:49:56
06:49:56 1) OC\AppFramework\Http\JSONResponseTest::testRenderProvider
06:49:56 This test did not perform any assertions
```
2015-09-09 12:52:54 +02:00
Lukas Reschke
f9e90e92d4 Encode HTML tags in JSON
While not encoding the HTML tags in the JSON response is perfectly fine since we set the proper mimetype as well as disable content sniffing a lot of automated code scanner do report this as security bug. Encoding them leads to less discussions and a lot of saved time.
2015-09-03 00:44:46 +02:00
Roeland Jago Douma
f12caf930e Properly return 304
The ETag set in the IF_NONE_MODIFIED header is wraped in quotes (").
However the ETag that is set in response is not (yet). Also we need to
cast the ETag to a string.

* Added unit test
2015-09-01 11:04:41 +02:00
Lukas Reschke
8313a3fcb3 Add mitigation against BREACH
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
2015-08-14 01:31:32 +02:00
Thomas Müller
abd3d5c6a5 Merge pull request #17982 from owncloud/appframework-sanitize-name
Sanitize class names before registerService/query
2015-08-12 12:19:24 +02:00
Robin McCorkell
cd0a2874de Merge pull request #17852 from owncloud/register-alias-factory
Add test for factories
2015-08-11 13:30:56 +01:00
Morris Jobke
d56e03bb94 Merge pull request #18096 from sualko/patch-1
add data: to allowed image domains
2015-08-10 23:05:07 +02:00
sualko
5590d64612 add more unit tests for data: as allowed image domain 2015-08-10 12:42:42 +02:00
sualko
930841b67a add unit test for data: as allowed image domain 2015-08-07 12:14:30 +02:00
Bernhard Posselt
7cb0934fa2 Merge pull request #18035 from owncloud/ocs-2.0
Adding ocs/v2.php with status code mapper
2015-08-05 17:28:08 +02:00
Lukas Reschke
4efa7c09b1 Use StringUtils::equals on CSRF token and add unit tests 2015-08-04 18:34:33 +02:00
Thomas Müller
3ecf7fce79 Fix unit test within OCSController 2015-08-03 22:19:04 +02:00
Thomas Müller
649cc2fa89 Remove duplicate and unused code 2015-08-03 21:03:11 +02:00
Robin McCorkell
182bc17aeb Sanitize class names before registerService/query
Leading backslashes are removed, so a `registerService('\\OC\\Foo')`
can still be resolved with `query('OC\\Foo')`.
2015-07-30 21:02:16 +01:00
Robin McCorkell
0223221a64 Fix incorrect test naming
`tesOverrideService()` was incorrect and wasn't getting called by
PHPUnit. Also, the unit test itself was wrong, but went unnoticed
because of point 1.
2015-07-30 16:06:26 +01:00
Bernhard Posselt
d8673dabe3 add test for factories
use ref for factory test

use a factory for registerAlias

Ensure we construct SimpleContainer

Use single instance of DIContainer in routing tests
2015-07-25 01:59:30 +02:00
Thomas Müller
1f8ee61006 Merge pull request #17755 from owncloud/alias-container-alive
Add registerAlias method to shortcut interface registration #17714
2015-07-24 13:11:32 +02:00
Lukas Reschke
7dda86f371 Return proper status code in case of a CORS exception
When returning a 500 statuscode external applications may interpret this as an error instead of handling this more gracefully. This will now make return a 401 thus.

Fixes https://github.com/owncloud/core/issues/17742
2015-07-20 12:54:22 +02:00
Bernhard Posselt
a4e3939204 add registerAlias method to shorcut interface registration
remove unused import

add since tag

fix typo
2015-07-18 13:43:54 +02:00
Thomas Müller
bd71540c8a Fixing 'Undefined index: REMOTE_ADDR' - fixes #17460 2015-07-16 16:40:57 +02:00
Lukas Reschke
62e3de1bdb Check if response could get generated
`json_encode` fails hard on PHP >= 5.5 if a non UTF-8 value is specified by returning false. Older PHP versions just nullify the value which makes it at least somewhat usable.

This leads to very confusing errors which are very hard to debug since developers are usually not aware of this. In this case I'd consider throwing a fatal exception – since it arguably is an error situation – is a fair solution since this makes developers and administrators aware of any occurence of the problem so that these bugs can get fixed.

Fixes https://github.com/owncloud/core/issues/17265
2015-07-02 11:42:51 +02:00
Morris Jobke
da45fad3eb Merge pull request #17078 from owncloud/fix-initial-server-host
Fix undefined offset
2015-07-01 08:55:12 +02:00
Lukas Reschke
4d23e06097 Fix undefined offset
There are cases where no trusted host is specified such as when installing the instance, this lead to an undefined offset warning in the log right after installing. (when another domain than localhost or 127.0.0.1 was used)
2015-06-22 12:28:07 +02:00
Robin McCorkell
f1e3e25158 AppFramework annotation whitespace unit test 2015-06-21 20:26:57 +01:00
Lukas Reschke
34f5541088 Add no-store to AppFramework 2015-06-15 18:35:41 +02:00
Lukas Reschke
3a233b8698 Merge pull request #16714 from owncloud/fix-cors-test
Fix #16713
2015-06-03 13:52:14 +02:00
Bernhard Posselt
21ce5d034b fix #16713 2015-06-03 12:56:50 +02:00
Joas Schilling
d3e3a84cae Move the helpful method to the TestCase class 2015-06-03 12:33:29 +02:00
Bernhard Posselt
c8e3599cad disallow cookie auth for cors requests
testing ...

fixes

fix test

add php doc

fix small mistake

add another phpdoc

remove not working cors annotations from files app
2015-05-22 14:06:26 +02:00
Lukas Reschke
a62190a72d Add support for disallowing domains to the ContentSecurityPolicy
For enhanced security it is important that there is also a way to disallow domains, including the default ones.

With this commit every method gets added a new "disallow" function.
2015-05-20 11:44:37 +02:00
Bernhard Posselt
df24a014b8 If the execute method on the mapper receives an assoc array, it binds by value instead of index 2015-03-19 17:08:46 +01:00
Lukas Reschke
b29940d956 Add support for 'child-src' directive
This is required when working with stuff such as PDF.js in the files_pdfviewer application. Opt-in only.

Master change only because the stable CSP policies has a failback that allows nearly anything 🙈
2015-02-28 12:27:46 +01:00
Bernhard Posselt
95239ad21e AppFramework StreamResponse
First stab at the StreamResponse, see #12988

The idea is to use an interface ICallbackResponse (I'm not 100% happy with the name yet, suggestions?) that allow the response to output things in its own way, for instance stream the file using readfile

Unittests are atm lacking, plan is to

check if a mock of ICallbackResponse will be used by calling its callback (also unhappy with this name) method
Usage is:

$response = new StreamResponse('path/to/file');

rename io to output, add additional methods and handle error and not modified cases when using StreamResponse

fix indention and uppercasing, also handle forbidden cases

fix indention

fix indention

no forbidden, figuring out if a file is really readable is too complicated to get to work across OSes and streams

remove useless import

remove useless import

fix intendation
2015-02-27 15:42:33 +01:00
Bernhard Posselt
f993ed823e fix tabs and spaces 2015-02-25 22:21:24 +01:00
Bernhard Posselt
aaf753bc9a fix mappertestutility 2015-02-25 22:21:24 +01:00
Bernhard Posselt
7b2fdbfb0b use IDBConnection and close cursors after insert/update/delete 2015-02-25 22:21:24 +01:00
Lukas Reschke
1c6eae9017 Get the real protocol behind several proxies
X-Forwarded-Proto contains a list of protocols if ownCloud is behind multiple reverse proxies.

This is a revival of https://github.com/owncloud/core/pull/11157 using the new IRequest public API.
2015-02-24 12:24:55 +01:00
Lukas Reschke
fcc5f5a4f4 Merge pull request #13777 from owncloud/close-cursor
Close cursor for appframework and manipulation queries if applicable
2015-02-20 20:15:22 +01:00
Clark Tomlinson
8d09cc3b91 Merge pull request #13989 from owncloud/enhancment/security/11857
Allow AppFramework applications to specify a custom CSP header
2015-02-18 10:27:29 -05:00
Lukas Reschke
886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Lukas Reschke
a9d1a01440 Rename to allowEval 2015-02-16 12:30:21 +01:00
Lukas Reschke
b20174bdad Allow AppFramework applications to specify a custom CSP header
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.

Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```

Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925
2015-02-16 11:00:41 +01:00
Lukas Reschke
bd5440a8a3 Merge pull request #13780 from owncloud/cmreflector-inheritance
Additional controllermethodreflector inheritance tests
2015-02-12 18:34:07 +01:00
Thomas Müller
c60dabd11b Request requires a second parameter 2015-02-09 23:06:55 +01:00