Merge pull request #60148 from nextcloud/fix/unsupported-browser-redirect-buffer

fix(core): use btoa() instead of window.Buffer.from() for base64 encoding

core/src/tests/utils/RedirectUnsupportedBrowsers.spec.ts

@@ -0,0 +1,114 @@
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { testSupportedBrowser } from '../../utils/RedirectUnsupportedBrowsers.js'
+
+// Mock the router so generateUrl returns a predictable path
+vi.mock('@nextcloud/router', () => ({
+	generateUrl: (path: string) => `/index.php${path}`,
+}))
+
+// Mock the logger to suppress output
+vi.mock('../../logger.js', () => ({
+	default: { debug: vi.fn() },
+}))
+
+const browserStorage = vi.hoisted(() => ({ getItem: vi.fn(() => null) }))
+vi.mock('../../services/BrowserStorageService.js', () => ({ default: browserStorage }))
+
+const supportedUA = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36'
+const unsupportedUA = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
+
+describe('testSupportedBrowser', () => {
+	let originalLocation: Location
+
+	beforeEach(() => {
+		originalLocation = window.location
+
+		// Reset the override flag
+		browserStorage.getItem.mockReturnValue(null)
+
+		// Default to a path that isn't the unsupported-browser page
+		Object.defineProperty(window, 'location', {
+			configurable: true,
+			writable: true,
+			value: {
+				href: 'http://localhost/apps/files',
+				origin: 'http://localhost',
+				pathname: '/apps/files',
+				reload: vi.fn(),
+			},
+		})
+
+		vi.spyOn(window.history, 'pushState').mockImplementation(() => {})
+	})
+
+	afterEach(() => {
+		Object.defineProperty(window, 'location', {
+			configurable: true,
+			writable: true,
+			value: originalLocation,
+		})
+		vi.restoreAllMocks()
+	})
+
+	it('does nothing for a supported browser', () => {
+		Object.defineProperty(window.navigator, 'userAgent', { configurable: true, value: supportedUA })
+
+		testSupportedBrowser()
+
+		expect(window.history.pushState).not.toHaveBeenCalled()
+		expect(window.location.reload).not.toHaveBeenCalled()
+	})
+
+	it('redirects an unsupported browser to the warning page', () => {
+		Object.defineProperty(window.navigator, 'userAgent', { configurable: true, value: unsupportedUA })
+
+		testSupportedBrowser()
+
+		expect(window.history.pushState).toHaveBeenCalledOnce()
+		const [, , url] = (window.history.pushState as ReturnType<typeof vi.fn>).mock.calls[0]
+		expect(url).toMatch(/^\/index\.php\/unsupported\?redirect_url=/)
+		expect(window.location.reload).toHaveBeenCalledOnce()
+	})
+
+	it('encodes the redirect URL with btoa, not window.Buffer', () => {
+		Object.defineProperty(window.navigator, 'userAgent', { configurable: true, value: unsupportedUA })
+
+		testSupportedBrowser()
+
+		const [, , url] = (window.history.pushState as ReturnType<typeof vi.fn>).mock.calls[0]
+		const encoded = new URL(`http://localhost${url}`).searchParams.get('redirect_url')
+		expect(encoded).toBe(btoa('/apps/files'))
+	})
+
+	it('does not throw regardless of override flag state', () => {
+		// isBrowserOverridden is read at module-load time so the mock won't flip it
+		// retroactively — but we can at least assert the function never throws,
+		// which is the regression guard for the window.Buffer removal.
+		Object.defineProperty(window.navigator, 'userAgent', { configurable: true, value: unsupportedUA })
+		expect(() => testSupportedBrowser()).not.toThrow()
+	})
+
+	it('does not redirect when already on the unsupported-browser page', () => {
+		Object.defineProperty(window.navigator, 'userAgent', { configurable: true, value: unsupportedUA })
+		Object.defineProperty(window, 'location', {
+			configurable: true,
+			writable: true,
+			value: {
+				href: 'http://localhost/index.php/unsupported',
+				origin: 'http://localhost',
+				pathname: '/index.php/unsupported',
+				reload: vi.fn(),
+			},
+		})
+
+		testSupportedBrowser()
+
+		expect(window.history.pushState).not.toHaveBeenCalled()
+		expect(window.location.reload).not.toHaveBeenCalled()
+	})
+})

core/src/utils/RedirectUnsupportedBrowsers.js

@@ -33,7 +33,7 @@ export function testSupportedBrowser() {
 	// redirect to the unsupported warning page
 	if (window.location.pathname.indexOf(redirectPath) === -1) {
 		const redirectUrl = window.location.href.replace(window.location.origin, '')
-		const base64Param = window.Buffer.from(redirectUrl).toString('base64')
+		const base64Param = btoa(redirectUrl)
 		history.pushState(null, null, `${redirectPath}?redirect_url=${base64Param}`)
 		window.location.reload()
 	}

dist/core-unsupported-browser-redirect.js

@@ -1,2 +1,2 @@
-(()=>{"use strict";var e,r,t,o={47210(e,r,t){var o=t(21777);t.nc=(0,o.aV)(),window.TESTING||OC?.config?.no_unsupported_browser_warning||window.addEventListener("DOMContentLoaded",async function(){const{testSupportedBrowser:e}=await Promise.all([t.e(4208),t.e(7883)]).then(t.bind(t,77883));e()})}},a={};function n(e){var r=a[e];if(void 0!==r)return r.exports;var t=a[e]={id:e,loaded:!1,exports:{}};return o[e].call(t.exports,t,t.exports,n),t.loaded=!0,t.exports}n.m=o,e=[],n.O=(r,t,o,a)=>{if(!t){var i=1/0;for(s=0;s<e.length;s++){for(var[t,o,a]=e[s],l=!0,d=0;d<t.length;d++)(!1&a||i>=a)&&Object.keys(n.O).every(e=>n.O[e](t[d]))?t.splice(d--,1):(l=!1,a<i&&(i=a));if(l){e.splice(s--,1);var c=o();void 0!==c&&(r=c)}}return r}a=a||0;for(var s=e.length;s>0&&e[s-1][2]>a;s--)e[s]=e[s-1];e[s]=[t,o,a]},n.n=e=>{var r=e&&e.__esModule?()=>e.default:()=>e;return n.d(r,{a:r}),r},n.d=(e,r)=>{for(var t in r)n.o(r,t)&&!n.o(e,t)&&Object.defineProperty(e,t,{enumerable:!0,get:r[t]})},n.f={},n.e=e=>Promise.all(Object.keys(n.f).reduce((r,t)=>(n.f[t](e,r),r),[])),n.u=e=>e+"-"+e+".js?v=ed54b8b4a6ed69e7c57e",n.o=(e,r)=>Object.prototype.hasOwnProperty.call(e,r),r={},t="nextcloud-ui-legacy:",n.l=(e,o,a,i)=>{if(r[e])r[e].push(o);else{var l,d;if(void 0!==a)for(var c=document.getElementsByTagName("script"),s=0;s<c.length;s++){var u=c[s];if(u.getAttribute("src")==e||u.getAttribute("data-webpack")==t+a){l=u;break}}l||(d=!0,(l=document.createElement("script")).charset="utf-8",n.nc&&l.setAttribute("nonce",n.nc),l.setAttribute("data-webpack",t+a),l.src=e),r[e]=[o];var p=(t,o)=>{l.onerror=l.onload=null,clearTimeout(f);var a=r[e];if(delete r[e],l.parentNode&&l.parentNode.removeChild(l),a&&a.forEach(e=>e(o)),t)return t(o)},f=setTimeout(p.bind(null,void 0,{type:"timeout",target:l}),12e4);l.onerror=p.bind(null,l.onerror),l.onload=p.bind(null,l.onload),d&&document.head.appendChild(l)}},n.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.nmd=e=>(e.paths=[],e.children||(e.children=[]),e),n.j=3604,(()=>{var e;globalThis.importScripts&&(e=globalThis.location+"");var r=globalThis.document;if(!e&&r&&(r.currentScript&&"SCRIPT"===r.currentScript.tagName.toUpperCase()&&(e=r.currentScript.src),!e)){var t=r.getElementsByTagName("script");if(t.length)for(var o=t.length-1;o>-1&&(!e||!/^http(s?):/.test(e));)e=t[o--].src}if(!e)throw new Error("Automatic publicPath is not supported in this browser");e=e.replace(/^blob:/,"").replace(/#.*$/,"").replace(/\?.*$/,"").replace(/\/[^\/]+$/,"/"),n.p=e})(),(()=>{n.b="undefined"!=typeof document&&document.baseURI||self.location.href;var e={3604:0};n.f.j=(r,t)=>{var o=n.o(e,r)?e[r]:void 0;if(0!==o)if(o)t.push(o[2]);else{var a=new Promise((t,a)=>o=e[r]=[t,a]);t.push(o[2]=a);var i=n.p+n.u(r),l=new Error;n.l(i,t=>{if(n.o(e,r)&&(0!==(o=e[r])&&(e[r]=void 0),o)){var a=t&&("load"===t.type?"missing":t.type),i=t&&t.target&&t.target.src;l.message="Loading chunk "+r+" failed.\n("+a+": "+i+")",l.name="ChunkLoadError",l.type=a,l.request=i,o[1](l)}},"chunk-"+r,r)}},n.O.j=r=>0===e[r];var r=(r,t)=>{var o,a,[i,l,d]=t,c=0;if(i.some(r=>0!==e[r])){for(o in l)n.o(l,o)&&(n.m[o]=l[o]);if(d)var s=d(n)}for(r&&r(t);c<i.length;c++)a=i[c],n.o(e,a)&&e[a]&&e[a][0](),e[a]=0;return n.O(s)},t=globalThis.webpackChunknextcloud_ui_legacy=globalThis.webpackChunknextcloud_ui_legacy||[];t.forEach(r.bind(null,0)),t.push=r.bind(null,t.push.bind(t))})(),n.nc=void 0;var i=n.O(void 0,[4208],()=>n(47210));i=n.O(i)})();
-//# sourceMappingURL=core-unsupported-browser-redirect.js.map?v=57a01ff7cfae5840416a
+(()=>{"use strict";var e,r,t,o={47210(e,r,t){var o=t(21777);t.nc=(0,o.aV)(),window.TESTING||OC?.config?.no_unsupported_browser_warning||window.addEventListener("DOMContentLoaded",async function(){const{testSupportedBrowser:e}=await Promise.all([t.e(4208),t.e(7883)]).then(t.bind(t,77883));e()})}},n={};function a(e){var r=n[e];if(void 0!==r)return r.exports;var t=n[e]={id:e,loaded:!1,exports:{}};return o[e].call(t.exports,t,t.exports,a),t.loaded=!0,t.exports}a.m=o,e=[],a.O=(r,t,o,n)=>{if(!t){var i=1/0;for(s=0;s<e.length;s++){for(var[t,o,n]=e[s],l=!0,c=0;c<t.length;c++)(!1&n||i>=n)&&Object.keys(a.O).every(e=>a.O[e](t[c]))?t.splice(c--,1):(l=!1,n<i&&(i=n));if(l){e.splice(s--,1);var d=o();void 0!==d&&(r=d)}}return r}n=n||0;for(var s=e.length;s>0&&e[s-1][2]>n;s--)e[s]=e[s-1];e[s]=[t,o,n]},a.n=e=>{var r=e&&e.__esModule?()=>e.default:()=>e;return a.d(r,{a:r}),r},a.d=(e,r)=>{for(var t in r)a.o(r,t)&&!a.o(e,t)&&Object.defineProperty(e,t,{enumerable:!0,get:r[t]})},a.f={},a.e=e=>Promise.all(Object.keys(a.f).reduce((r,t)=>(a.f[t](e,r),r),[])),a.u=e=>e+"-"+e+".js?v=cf3316b206102f5d8754",a.o=(e,r)=>Object.prototype.hasOwnProperty.call(e,r),r={},t="nextcloud-ui-legacy:",a.l=(e,o,n,i)=>{if(r[e])r[e].push(o);else{var l,c;if(void 0!==n)for(var d=document.getElementsByTagName("script"),s=0;s<d.length;s++){var u=d[s];if(u.getAttribute("src")==e||u.getAttribute("data-webpack")==t+n){l=u;break}}l||(c=!0,(l=document.createElement("script")).charset="utf-8",a.nc&&l.setAttribute("nonce",a.nc),l.setAttribute("data-webpack",t+n),l.src=e),r[e]=[o];var p=(t,o)=>{l.onerror=l.onload=null,clearTimeout(f);var n=r[e];if(delete r[e],l.parentNode&&l.parentNode.removeChild(l),n&&n.forEach(e=>e(o)),t)return t(o)},f=setTimeout(p.bind(null,void 0,{type:"timeout",target:l}),12e4);l.onerror=p.bind(null,l.onerror),l.onload=p.bind(null,l.onload),c&&document.head.appendChild(l)}},a.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},a.nmd=e=>(e.paths=[],e.children||(e.children=[]),e),a.j=3604,(()=>{var e;globalThis.importScripts&&(e=globalThis.location+"");var r=globalThis.document;if(!e&&r&&(r.currentScript&&"SCRIPT"===r.currentScript.tagName.toUpperCase()&&(e=r.currentScript.src),!e)){var t=r.getElementsByTagName("script");if(t.length)for(var o=t.length-1;o>-1&&(!e||!/^http(s?):/.test(e));)e=t[o--].src}if(!e)throw new Error("Automatic publicPath is not supported in this browser");e=e.replace(/^blob:/,"").replace(/#.*$/,"").replace(/\?.*$/,"").replace(/\/[^\/]+$/,"/"),a.p=e})(),(()=>{a.b="undefined"!=typeof document&&document.baseURI||self.location.href;var e={3604:0};a.f.j=(r,t)=>{var o=a.o(e,r)?e[r]:void 0;if(0!==o)if(o)t.push(o[2]);else{var n=new Promise((t,n)=>o=e[r]=[t,n]);t.push(o[2]=n);var i=a.p+a.u(r),l=new Error;a.l(i,t=>{if(a.o(e,r)&&(0!==(o=e[r])&&(e[r]=void 0),o)){var n=t&&("load"===t.type?"missing":t.type),i=t&&t.target&&t.target.src;l.message="Loading chunk "+r+" failed.\n("+n+": "+i+")",l.name="ChunkLoadError",l.type=n,l.request=i,o[1](l)}},"chunk-"+r,r)}},a.O.j=r=>0===e[r];var r=(r,t)=>{var o,n,[i,l,c]=t,d=0;if(i.some(r=>0!==e[r])){for(o in l)a.o(l,o)&&(a.m[o]=l[o]);if(c)var s=c(a)}for(r&&r(t);d<i.length;d++)n=i[d],a.o(e,n)&&e[n]&&e[n][0](),e[n]=0;return a.O(s)},t=globalThis.webpackChunknextcloud_ui_legacy=globalThis.webpackChunknextcloud_ui_legacy||[];t.forEach(r.bind(null,0)),t.push=r.bind(null,t.push.bind(t))})(),a.nc=void 0;var i=a.O(void 0,[4208],()=>a(47210));i=a.O(i)})();
+//# sourceMappingURL=core-unsupported-browser-redirect.js.map?v=2d73a1a0d7ca54aac767