Thomas Müller
358858c9e3
Fix undefined HTTP_USER_AGENT
2015-11-22 16:05:50 +01:00
Lukas Reschke
daa388ce8d
Move index.php from files to AppFramework
...
1. Allows it to use the more secure CSP rules of the AppFramework.
2. Adds some unit tests.
2015-11-16 21:10:11 +01:00
Robin Appelman
d514200b56
Add escapeLikeParameter to IDBConnection
2015-11-05 16:41:30 +01:00
Lukas Reschke
bafb86fb9f
Use getHttpProtocol instead of $_SERVER
2015-10-30 18:05:30 +01:00
Lukas Reschke
8f09d5b67c
Update license headers
2015-10-26 14:04:01 +01:00
Lukas Reschke
8133d46620
Remove dependency on ICrypto + use XOR
2015-10-21 17:33:41 +02:00
Morris Jobke
a0743f12c6
Provide IAppContainer as dependency injection
2015-10-20 10:33:53 +02:00
Morris Jobke
bf579a153f
fix IE8 user agent detection
2015-10-09 11:19:06 +02:00
Thomas Müller
020bb33150
Merge pull request #19034 from owncloud/http-request-warning
...
Prevent warning decoding content
2015-10-08 21:51:47 +02:00
Thomas Müller
8d2c8cf2a2
Merge pull request #19607 from owncloud/use-url
...
Use `/` if installed in main folder
2015-10-08 13:01:41 +02:00
Lukas Reschke
6a4f22c61f
Use `/` if installed in main folder
...
Otherwise an empty string is used indicating the cookie is only valid for those resources. This can lead to unexpected behaviour.
Fixes https://github.com/owncloud/core/issues/19196
2015-10-06 15:24:19 +02:00
Lukas Reschke
80a232da6a
Add \OCP\IRequest::getHttpProtocol
...
Only allow valid HTTP protocols.
Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119
2015-10-06 14:18:46 +02:00
Morris Jobke
8366ce2767
deduplicate @xenopathic
2015-10-06 09:52:19 +02:00
Morris Jobke
b945d71384
update licence headers via script
2015-10-05 21:15:52 +02:00
Jörn Friedrich Dreyer
d81416c51d
return '' instead of false
2015-09-23 12:32:49 +02:00
Joas Schilling
ee75f9f594
Fix type hint errors in the container and the interface
2015-09-23 10:13:41 +02:00
Robin McCorkell
31a8949adf
Prevent warning decoding content
2015-09-14 22:36:40 +01:00
Bernhard Posselt
fd74522804
make resolve public to avoid boilerplate code
...
add resolve to public interface
2015-09-13 17:44:24 +02:00
Roeland Jago Douma
f12caf930e
Properly return 304
...
The ETag set in the IF_NONE_MODIFIED header is wrapped in quotes (").
However the ETag that is set in response is not (yet). Also we need to
cast the ETag to a string.
* Added unit test
2015-09-01 11:04:41 +02:00
Robin McCorkell
e60c4bada1
Decode request content only on getContent
2015-08-31 01:05:25 +01:00
Thomas Müller
534b2e407a
Merge pull request #17662 from owncloud/locking-db
...
Database backend for locking
2015-08-26 03:56:37 +02:00
Lukas Reschke
8313a3fcb3
Add mitigation against BREACH
...
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:
1. Application must support HTTP compression
2. Response must reflect user-controlled input
3. Response should contain sensitive data
Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.
To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
2015-08-14 01:31:32 +02:00
Thomas Müller
abd3d5c6a5
Merge pull request #17982 from owncloud/appframework-sanitize-name
...
Sanitize class names before registerService/query
2015-08-12 12:19:24 +02:00
Robin McCorkell
cd0a2874de
Merge pull request #17852 from owncloud/register-alias-factory
...
Add test for factories
2015-08-11 13:30:56 +01:00
Robin McCorkell
8944af57cb
Set default forwarded_for_headers to 'HTTP_X_FORWARDED_FOR'
2015-08-10 23:04:52 +02:00
Robin Appelman
58e96e53b0
add method to check if we're inside a transaction
2015-08-10 14:15:44 +02:00
Roeland Jago Douma
f0b617b508
Use DI
...
* Register OCP\Capability\IManager at DIContainer
* Add register capabilities to appframework
* Register capabilities in DI way
* Make unit test pass again
* Remove CapabiltiesManager from OCP
2015-08-10 10:45:16 +02:00
Robin McCorkell
fcc03e588a
Add \OCP\ISession to AppFramework
2015-08-07 12:29:57 +01:00
Lukas Reschke
90a11efecd
Remove "use" statement
...
Ref https://bugs.php.net/bug.php?id=66773
2015-08-05 09:31:21 +02:00
Lukas Reschke
4efa7c09b1
Use StringUtils::equals on CSRF token and add unit tests
2015-08-04 18:34:33 +02:00
Robin McCorkell
182bc17aeb
Sanitize class names before registerService/query
...
Leading backslashes are removed, so a `registerService('\\OC\\Foo')`
can still be resolved with `query('OC\\Foo')`.
2015-07-30 21:02:16 +01:00
Bernhard Posselt
d8673dabe3
add test for factories
...
use ref for factory test
use a factory for registerAlias
Ensure we construct SimpleContainer
Use single instance of DIContainer in routing tests
2015-07-25 01:59:30 +02:00
Thomas Müller
1f8ee61006
Merge pull request #17755 from owncloud/alias-container-alive
...
Add registerAlias method to shortcut interface registration #17714
2015-07-24 13:11:32 +02:00
Joas Schilling
20cd0ae55b
Add a log message when the Doctrine Query Builder is retrieved
2015-07-21 15:53:28 +02:00
Joas Schilling
516f7e8299
Add unit tests and automatic quoting
2015-07-21 15:25:47 +02:00
Joas Schilling
1bfb944d51
Add QueryBuilder, ExpressionBuilder and CompositeExpression wrappers
2015-07-21 15:25:47 +02:00
Lukas Reschke
7dda86f371
Return proper status code in case of a CORS exception
...
When returning a 500 status code, external applications may interpret this as an error instead of handling this more gracefully. This will thus now return a 401.
Fixes https://github.com/owncloud/core/issues/17742
2015-07-20 12:54:22 +02:00
Bernhard Posselt
a4e3939204
add registerAlias method to shortcut interface registration
...
remove unused import
add since tag
fix typo
2015-07-18 13:43:54 +02:00
Thomas Müller
bd71540c8a
Fixing 'Undefined index: REMOTE_ADDR' - fixes #17460
2015-07-16 16:40:57 +02:00
Morris Jobke
da45fad3eb
Merge pull request #17078 from owncloud/fix-initial-server-host
...
Fix undefined offset
2015-07-01 08:55:12 +02:00
Morris Jobke
f63915d0c8
update license headers and authors
2015-06-25 14:13:49 +02:00
Lukas Reschke
4d23e06097
Fix undefined offset
...
There are cases where no trusted host is specified such as when installing the instance, this led to an undefined offset warning in the log right after installing. (when another domain than localhost or 127.0.0.1 was used)
2015-06-22 12:28:07 +02:00
Robin McCorkell
04b6f67f07
Allow multiple whitespace in type hints in AppFramework
...
Type hints such as `@param bool $doSomething` will now correctly get
parsed, allowing for alignment of docblock parameters if the app developer so
wishes.
2015-06-20 23:52:01 +01:00
Bernhard Posselt
c8e3599cad
disallow cookie auth for cors requests
...
testing ...
fixes
fix test
add php doc
fix small mistake
add another phpdoc
remove not working cors annotations from files app
2015-05-22 14:06:26 +02:00
Scrutinizer Auto-Fixer
fdbc21fc6c
Scrutinizer Auto-Fixes
...
This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
2015-05-19 11:23:06 +00:00
Andreas Fischer
e418ced656
Check return value of OC_App::getAppPath() and verify info.xml exists.
2015-05-06 17:15:28 +02:00
Bernhard Posselt
1e58538f0e
add aliases to pascal case constructor parameters to make it possible to auto assemble controllers
2015-04-29 22:29:45 +02:00
Morris Jobke
ce2c8533d9
Merge pull request #15735 from owncloud/fix-visibility
...
Fix visibility of interfaces in \OCP
2015-04-20 14:39:15 +02:00
Joas Schilling
6da9e1a742
Fix visibility of public API methods
2015-04-20 12:52:40 +02:00
Morris Jobke
ccf47f40aa
Remove unused variables
...
* should make scrutinizer a lot more happy
* reduces maybe memory footprint
2015-04-18 16:35:19 +02:00