Commit graph

4873 commits

Author SHA1 Message Date
Roeland Jago Douma
50d862e5d1 [Avatars] JS should not load same avatar twice
Old code first dit an ajax request to the avatar. Then a new image
object with the same src was created and since we do not cache avatars
yet :(  this resulted in 2 sequential requests to the exact same URL

Now if you set the displayname it will first set the placeholder and
then load the avatar in the background. Only once this time!
2015-12-04 10:42:11 +01:00
Jenkins for ownCloud
a2848af625 [tx-robot] updated from transifex 2015-12-04 01:56:31 -05:00
Thomas Müller
7fefd4f4d9 Merge pull request #20860 from owncloud/use-user-getEMailAddress-all-over-the-place
User IUser::getEMailAddress() all over the place
2015-12-03 09:21:53 +01:00
Jenkins for ownCloud
5c178a2719 [tx-robot] updated from transifex 2015-12-03 01:55:12 -05:00
Thomas Müller
eebe2b9c23 User IUser::getEMailAddress() all over the place 2015-12-02 21:25:05 +01:00
Lukas Reschke
2515cb17be Support pretty URLs
This changeset allows ownCloud to run with pretty URLs, they will be used if mod_rewrite and mod_env are available. This means basically that the `index.php` in the URL is not shown to the user anymore.

Also the not deprecated functions to generate URLs have been modified to support this behaviour, old functions such as `filePath` will still behave as before for compatibility reasons.

Examples:
http://localhost/owncloud/index.php/s/AIDyKbxiRZWAAjP => http://localhost/owncloud/s/AIDyKbxiRZWAAjP
http://localhost/owncloud/index.php/apps/files/ => http://localhost/owncloud/apps/files/

Due to the way our CSS and JS is structured the .htaccess uses some hacks for the final result but could be worse... And I was just annoyed by all that users crying for the removal of `index.php` ;-)
2015-12-01 16:46:07 +01:00
Lukas Reschke
4971015544 Add code integrity check
This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository.

Furthermore, there is a basic implementation to display problems with the code integrity on the update screen.

Code signing basically happens the following way:

- There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release 😉). This certificate is not intended to be used for signing directly and only is used to sign new certificates.
- Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`,  apps need to be signed with a certificate that either has a CN of `core` (shipped apps!)  or the AppID.
- The command generates a signature.json file of the following format:
```json
{
    "hashes": {
        "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
        "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
    },
    "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----",
    "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
```
`hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the  certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`.

Steps to do in other PRs, this is already a quite huge one:
- Add nag screen in case the code check fails to ensure that administrators are aware of this.
- Add code verification also to OCC upgrade and unify display code more.
- Add enforced code verification to apps shipped from the appstore with a level of "official"
- Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release
- Add some developer documentation on how devs can request their own certificate
- Check when installing ownCloud
- Add support for CRLs to allow revoking certificates

**Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature:

```
➜  master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt
Successfully signed "core"
```

Then increase the version and you should see something like the following:

![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png)

As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen.

For packaging stable releases this requires the following additional steps as a last action before zipping:
1. Run `./occ integrity:sign-core` once
2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-12-01 11:55:20 +01:00
Jenkins for ownCloud
8421a43df1 [tx-robot] updated from transifex 2015-12-01 01:55:07 -05:00
Morris Jobke
42272de3a6 update bootstrap from 3.3.5 to 3.3.6 2015-11-30 14:12:57 +01:00
Morris Jobke
d8aa44d458 update backbone.js from 1.2.1 to 1.2.3 2015-11-30 14:12:48 +01:00
Lukas Reschke
f3e9106864 Don't trust update server
In case the update server may deliver malicious content this would allow an adversary to inject arbitrary HTML into the response. So very bad stuff.

While signing the response would be better and something we can also do in the future (considering the code signing work), this is already a good first start.
2015-11-28 12:21:53 +01:00
Jenkins for ownCloud
d305412a35 [tx-robot] updated from transifex 2015-11-28 01:55:16 -05:00
Joas Schilling
67a83d8fd6 Add Workflow app to shipped list 2015-11-27 14:26:39 +01:00
Jenkins for ownCloud
39fb320bae [tx-robot] updated from transifex 2015-11-27 01:55:14 -05:00
Jenkins for ownCloud
dd18ea611b [tx-robot] updated from transifex 2015-11-26 01:55:22 -05:00
Thomas Müller
906aea4252 Merge pull request #19212 from owncloud/search-shortcut
Add Ctrl+F shortcut for the search bar
2015-11-25 20:02:13 +01:00
Jan-Christoph Borchardt
cd88854369 update page: fix heading whitespace and unbold less important sections 2015-11-25 13:16:00 +01:00
Jan-Christoph Borchardt
50780e451b fix error page button text when label too long 2015-11-25 13:08:05 +01:00
Vincent Petry
b1ca431852 Fix for parsing pretty printed Webdav responses
Update davclient.js + adjust IE workaround for this
2015-11-24 15:26:53 +01:00
Hendrik Leppelsack
f1b0bf0696 add search fallback to browser 2015-11-24 15:01:20 +01:00
Jenkins for ownCloud
cb69e6c201 [tx-robot] updated from transifex 2015-11-24 01:56:32 -05:00
Thomas Müller
bf672d7e51 Merge pull request #20222 from owncloud/federated_sharing_auto_complete
federated sharing auto-complete, first step
2015-11-23 10:42:14 +01:00
Thomas Müller
43391f8f47 Merge pull request #20623 from owncloud/app-list-enhancements
Add cmdline key to show shipped/non-shipped apps only
2015-11-23 10:07:52 +01:00
Thomas Müller
79bbda994b Merge pull request #16902 from owncloud/jsocclient
Web UI uses Webdav instead of ajax/* calls
2015-11-23 09:38:01 +01:00
Victor Dubiniuk
8d9353a640 Add cmdline key to show shipped/non-shipped apps only 2015-11-23 09:06:35 +01:00
Jenkins for ownCloud
56e05a90af [tx-robot] updated from transifex 2015-11-23 01:54:53 -05:00
Vincent Petry
a05e40932c Now using IE8 workaround of davclient.js for all IE versions 2015-11-22 16:05:52 +01:00
Vincent Petry
fd40b06639 Patch for davclient.js for Firefox 2015-11-22 16:05:51 +01:00
Vincent Petry
7ec83fc9fb Fix OC.FileInfo to copy all properties
This makes it possible to also store custom properties passed through
the data object like tags or shareOwner.
2015-11-22 16:05:50 +01:00
Vincent Petry
e8661a6b56 Update davclient.js 2015-11-22 16:05:52 +01:00
Vincent Petry
a1d0682ef8 Use oc:fileid property instead of oc:id 2015-11-22 16:05:51 +01:00
Thomas Müller
ab1d786d87 Fix port issue - options.host already has the port attached 2015-11-22 16:05:51 +01:00
Vincent Petry
dc8ce87a26 Query tags/favorite through Webdav in file list 2015-11-22 16:05:50 +01:00
Vincent Petry
fa2be0750c Make files app use Webdav for most operations 2015-11-22 16:05:50 +01:00
Vincent Petry
f120846e29 Added OC.Files.Client Webdav-based files client 2015-11-22 16:05:49 +01:00
Vincent Petry
fb3d5c7856 Add evert's davclient.js + es6-promise + IE8 workaround
- Add davclient.js lib
- Add es6-promise required by that lib
- Wrote IE8 workaround lib/shim for davclient.js
2015-11-22 16:05:49 +01:00
Jenkins for ownCloud
2321cc4854 [tx-robot] updated from transifex 2015-11-22 01:54:53 -05:00
Jenkins for ownCloud
eb42340fa3 [tx-robot] updated from transifex 2015-11-21 01:54:59 -05:00
Björn Schießle
c5e41450f6 add federation to shipped.json 2015-11-19 18:07:03 +01:00
Jenkins for ownCloud
c10be07c1b [tx-robot] updated from transifex 2015-11-19 01:55:13 -05:00
Jenkins for ownCloud
cd4380c322 [tx-robot] updated from transifex 2015-11-18 01:55:08 -05:00
Jenkins for ownCloud
56f44a457c [tx-robot] updated from transifex 2015-11-17 01:55:08 -05:00
Thomas Müller
2784907782 password_policy is a shipped app 2015-11-16 16:36:12 +01:00
Thomas Müller
8169e4fdc8 Merge pull request #20465 from owncloud/forms.css
Move form styles from styles.css to inputs.css
2015-11-16 15:29:02 +01:00
Thomas Müller
9ea81b71f5 Merge pull request #20532 from owncloud/ocs-allow-v2
Allow creating OCS v2 links in JS
2015-11-16 15:15:53 +01:00
Jan-Christoph Borchardt
5b72d9026f standardize sizes for headings 2015-11-16 14:42:10 +01:00
Joas Schilling
78c456b895 Allow creating OCS v2 links in JS 2015-11-16 14:23:43 +01:00
Thomas Müller
a03b1f1ee9 Merge pull request #20522 from owncloud/update-strengthify
Update strengthify to 0.4.2
2015-11-16 13:51:11 +01:00
Morris Jobke
b1abef77e4 Update strengthify to 0.4.2
* includes local changes (ported them to upstream - see #10625)
* tipsy -> tooltip
* re-renders the element on scroll of a parent - fixes #20454
2015-11-16 11:16:38 +01:00
Jenkins for ownCloud
19d0884b56 [tx-robot] updated from transifex 2015-11-15 01:55:08 -05:00