server/lib/private
Christoph Wurst 87aeae21e3
Fix failing csp/nonce check due to timed out session
The CSP nonce is based on the CSRF token. This token does not change,
unless you log in (or out). In case of the session data being lost,
e.g. because php gets rid of old sessions, a new CSRF token is
generated. While this is fine in theory, it actually caused some annoying
problems where the browser restored a tab and Nextcloud js was blocked
due to an outdated nonce.
The main problem here is that, while processing the request, we write
out security headers relatively early. At that point the CSRF token
is known/generated and transformed into a CSP nonce. During this request,
however, we also log the user in because the session information was
lost. At that point we also refresh the CSRF token, which eventually
causes the browser to block any scripts as the nonce in the header
does not match the one which is used to include scripts.
This patch adds a flag to indicate whether the CSRF token should be
refreshed or not. It is assumed that refreshing is only necessary
if we want to re-generate the session id too. To my knowledge, this
case only happens on fresh logins, not when we recover from a deleted
session file.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-09-04 17:29:26 +02:00
Accounts
Activity More phpstorm inspection fixes 2017-07-24 11:39:29 +02:00
App Fix L10N::t 2017-08-01 08:20:17 +02:00
AppFramework extend the identity proof manager to allow system wide key pairs 2017-08-10 14:27:35 +02:00
Archive More phpstorm inspection fixes 2017-07-24 11:39:29 +02:00
Authentication Improve 2FA 2017-08-29 20:27:36 +02:00
BackgroundJob Add |null to PHPDoc 2017-08-01 08:20:15 +02:00
Cache
Command More phpstorm inspection fixes 2017-07-24 11:39:29 +02:00
Comments Can not insert auto increment on oracle 2017-08-02 09:48:16 +02:00
Console
Contacts/ContactsMenu
DB Add a method to compare empty strings with an expression 2017-08-02 09:50:41 +02:00
Diagnostics Run phan over code base 2017-07-19 10:28:11 +02:00
Encryption only collect detailed access list if it is really needed 2017-07-06 11:33:08 +02:00
Federation
Files Merge pull request #6064 from nextcloud/fix-5219-absolute-path-must-be-relative-to-files-on-theming-update 2017-09-04 14:05:34 +02:00
GlobalScale add new config switched for the global scale architecture 2017-05-29 18:19:28 +02:00
Group Take IUser instead of User 2017-08-01 08:20:15 +02:00
Hooks Add workaround for https://github.com/etsy/phan/issues/1033 2017-07-19 11:08:43 +02:00
Http/Client
IntegrityCheck
L10N Use symfony/translation for L10N plurals 2017-08-07 19:53:36 +02:00
legacy Inject \OCP\IURLGenerator to make tests work 2017-08-18 15:32:40 +02:00
Lock Add Phan plugin to check for SQL injections 2017-07-20 22:48:13 +02:00
Lockdown Make declaration compatible 2017-08-09 15:12:01 +02:00
Log Ensure log message is UTF-8 encoded 2017-08-17 15:01:50 +02:00
Mail Add meta information to emails for better customisation 2017-08-24 17:54:22 +02:00
Memcache More phpstorm inspection fixes 2017-07-24 11:39:29 +02:00
Migration Add |null to PHPDoc 2017-08-01 08:20:15 +02:00
Notification More phpstorm inspection fixes 2017-07-24 11:39:29 +02:00
OCS Fix OCS Exception 2017-08-01 08:20:17 +02:00
Preview Use IConfig instead of static OCP\Config 2017-07-27 13:43:18 +02:00
Repair Merge pull request #6331 from nextcloud/update-repair-step 2017-09-04 11:59:34 +02:00
RichObjectStrings
Route Fix require once for actionInclude 2017-08-09 23:51:49 +02:00
Search Properly name variable 2017-08-01 08:20:16 +02:00
Security add prefix to user and system keys to avoid name collisions 2017-08-10 14:27:35 +02:00
Session Fix MigrationSchemaChecker and CryptoWrapper 2017-08-01 08:20:16 +02:00
Settings Always log cron execution 2017-08-17 09:45:11 +02:00
Setup Install from migrations 2017-07-25 12:47:37 +02:00
Share Merge pull request #6123 from nextcloud/cleanup-shareItem 2017-08-15 13:57:00 +02:00
Share20 Add shareWith to email template metadata 2017-08-29 16:09:25 +02:00
SystemTag More phpstorm inspection fixes 2017-07-24 11:39:29 +02:00
Tagging
Template Rebuild SCSS files if frontend controller value changes 2017-09-03 17:32:41 +02:00
Updater
User Fix failing csp/nonce check due to timed out session 2017-09-04 17:29:26 +02:00
AllConfig.php More phpstorm inspection fixes 2017-07-24 11:39:29 +02:00
AppConfig.php
AppHelper.php
Avatar.php Pass new value to triggerChange 2017-08-31 21:59:27 +02:00
AvatarManager.php
CapabilitiesManager.php Simplify if condition for public capabilities 2017-06-30 14:18:16 +02:00
Config.php
ContactsManager.php
DatabaseException.php Remove unneeded parameter in DatabaseException 2017-07-24 13:44:12 +02:00
DatabaseSetupException.php
DateTimeFormatter.php
DateTimeZone.php
ForbiddenException.php
HintException.php
HTTPHelper.php
Installer.php Register autoloading before running migrations 2017-07-07 12:01:11 +02:00
LargeFileHelper.php
Log.php Don't log passwords on dav exceptions 2017-06-29 17:20:10 +02:00
NaturalSort.php
NaturalSort_DefaultCollator.php
NavigationManager.php Inject \OCP\IURLGenerator to make tests work 2017-08-18 15:32:40 +02:00
NeedsUpdateException.php
NotSquareException.php
PreviewManager.php
PreviewNotAvailableException.php
RedisFactory.php
Repair.php move repair step to stable12 2017-09-01 11:05:11 +02:00
RepairException.php
Search.php
Server.php Improve 2FA 2017-08-29 20:27:36 +02:00
ServerContainer.php
ServerNotAvailableException.php
ServiceUnavailableException.php
Setup.php Fix L10N::t 2017-08-01 08:20:17 +02:00
Streamer.php Revert "Always enable Zip64 extension for zipstreamer" 2017-06-09 10:21:26 +02:00
SubAdmin.php
SystemConfig.php Don't show mail domain and from in config report 2017-07-07 09:53:55 +02:00
TagManager.php
Tags.php Fix L10N::t 2017-08-01 08:20:17 +02:00
TemplateLayout.php Properly handle if the deps file if for some reason empty 2017-07-19 00:10:46 +02:00
TempManager.php More phpstorm inspection fixes 2017-07-24 11:39:29 +02:00
Updater.php Use the existing array of OC versions 2017-08-07 12:09:05 +02:00
URLGenerator.php Prefer custom theme over theming app 2017-07-12 11:42:15 +02:00