Commit graph

34 commits

Author SHA1 Message Date
Thomas Müller
b1ee51f255 Merge pull request #21630 from owncloud/add-some-security-headers-as-hardening
Add X-Download-Options and X-Permitted-Cross-Domain-Policies
2016-01-13 10:33:58 +01:00
Thomas Müller
682821c71e Happy new year! 2016-01-12 15:02:18 +01:00
Lukas Reschke
4d0dcd3c53 Add X-Download-Options and X-Permitted-Cross-Domain-Policies
Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
2016-01-12 10:37:16 +01:00
Lukas Reschke
bafb86fb9f Use getHttpProtocol instead of $_SERVER 2015-10-30 18:05:30 +01:00
Lukas Reschke
e735a9915c Add blob: scheme to default CSP policy
Fixes https://github.com/owncloud/core/issues/19438
2015-09-29 14:27:35 +02:00
Olivier Paroz
c4bac1655d Fix CSP for images for legacy apps
Fixes #19425
2015-09-28 23:21:26 +02:00
Morris Jobke
f63915d0c8 update license headers and authors 2015-06-25 14:13:49 +02:00
Lukas Reschke
a98b819366 Add version to deprecation notice
As requested by @MorrisJobke
2015-04-20 10:30:16 +02:00
Lukas Reschke
f672e120fc Deprecate unused \OCP\Response::sendFile
This function is unused in our own code and can be better achieved using the AppFramework. Also very easy to do grave mistaked using this function.
2015-04-20 10:02:34 +02:00
Thomas Müller
3bf269e565 Merge pull request #15229 from owncloud/response-setContentLengthHeader
Add OC_Response::setContentLengthHeader() for Apache PHP SAPI workaround...
2015-04-03 22:51:36 +02:00
Lukas Reschke
9d1ce53cb1 Add some generic default headers as well via PHP 2015-03-26 22:32:57 +01:00
Andreas Fischer
0f58315543 Add OC_Response::setContentLengthHeader() for Apache PHP SAPI workaround.
Do not send Content-Length headers with a value larger than PHP_INT_MAX
(2147483647) on Apache PHP SAPI 32-bit. PHP will eat them and send 2147483647
instead.

When X-Sendfile is enabled, Apache will send a correct Content-Length header,
even for files larger than 2147483647 bytes. When X-Sendfile is not enabled,
ownCloud will not send a Content-Length header. This prevents progress bars
from working, but allows the actual transfer to work properly.
2015-03-26 16:37:38 +01:00
Jenkins for ownCloud
b585d87d9d Update license headers 2015-03-26 11:44:36 +01:00
Lukas Reschke
bbd5f28415 Let users configure security headers in their Webserver
Doing this in the PHP code is not the right approach for multiple reasons:

1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.

This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
2015-03-02 19:07:46 +01:00
Morris Jobke
06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Jenkins for ownCloud
6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
Clark Tomlinson
8d09cc3b91 Merge pull request #13989 from owncloud/enhancment/security/11857
Allow AppFramework applications to specify a custom CSP header
2015-02-18 10:27:29 -05:00
Lukas Reschke
886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Lukas Reschke
b20174bdad Allow AppFramework applications to specify a custom CSP header
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.

Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```

Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925
2015-02-16 11:00:41 +01:00
Lukas Reschke
b3f881748d Allow any outgoing XHR connections
Quickfix for https://github.com/owncloud/core/issues/11064
2014-10-30 00:00:40 +01:00
Thomas Müller
51a6764f31 Merge branch 'master' into cleanup-list-code
Conflicts:
	apps/files_sharing/ajax/list.php
2014-05-19 20:52:25 +02:00
Morris Jobke
dc36d30953 Remove all occurences of @brief and @returns from PHPDoc
* test case added to avoid adding them later
2014-05-19 17:50:53 +02:00
Robin McCorkell
87b548ed91 Fix all PHPDoc types and variable names, in /lib 2014-05-13 19:08:14 +01:00
Thomas Müller
3cd32dcb7c adding X-Robots-Tag to all responses of ownCloud + move addSecurityHeaders() to OC_Response, which seems to be a more reasonable place 2014-05-12 15:14:01 +02:00
Lukas Reschke
0b7d9e2668 Cleanup code a little bit
- Use OCP\Response constants instead of the HTTP error code
- Use checkAppEnabled() instead of OC_App::isEnabled with an if statement
- Remove uneeded variable $baseURL
- Rename $isvalid to $isValid
2014-05-04 15:51:08 +02:00
Lukas Reschke
e88731a477 Some more PHPDoc fixes 2014-04-21 15:44:54 +02:00
Vincent Petry
b619ff6076 Return 503 when a config/data dir error exists 2014-03-14 21:05:15 +01:00
Thomas Müller
9fac95c2ab Merge branch 'master' into scrutinizer_documentation_patches
Conflicts:
	lib/private/appconfig.php
2014-02-14 23:03:27 +01:00
Jörn Friedrich Dreyer
2a6a9a8cef polish documentation based on scrutinizer patches 2014-02-06 17:02:21 +01:00
Martial Saunois
c2ed8d5aa1 New user agent added for the Freebox.
The Freebox is the multimedia device of a french Internet provider: Free. This device provides a seedbox which uses the user agent "Mozilla/5.0". In the "Content-Disposition" header, if the "filename" key is used with the "filename*=UTF-8''" value, the seedbox does not take care about the header and saves the file name with the origin URL. This patch brings the support for the Freebox users.
2014-01-26 18:46:09 +01:00
Vincent Petry
09bd5bd517 Added isUserAgent() method to request
- added isUserAgent() method to OC_Request which makes it possible to
  test it
- OC_Response::setContentDisposition now uses OC_Request::isUserAgent()
2013-12-19 18:40:22 +01:00
Vincent Petry
82bf1f9c8c Added workaround for Android content disposition
Fixes #5807
2013-12-10 12:42:41 +01:00
Vincent Petry
409b510889 Moved content disposition code+workarounds to OCP\Response
Added new OC\Response API called setContentDispositionHeader() that
contains the needed workarounds for UTF8 and IE.

Refactored download code to use the new API.

Removed unused trashbin download file.
2013-12-10 12:42:26 +01:00
Thomas Müller
9c9dc276b7 move the private namespace OC into lib/private - OCP will stay in lib/public
Conflicts:
	lib/private/vcategories.php
2013-09-30 16:36:59 +02:00
Renamed from lib/response.php (Browse further)