Commit graph

38 commits

Author SHA1 Message Date
provokateurin
5fa4c3d8fd
fix(publicremote): Always grant read and delete permission for chunked uploads to a share
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-10-15 23:37:58 +02:00
Louis Chemineau
009d0c550c
fix: Move CSRF check from base to PublicAuth for public.php
This currently prevents directly accessing a resource when clicking on a link on a third party site. Example, clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment.

Skipping the check is an issue with password protected shares, as it allows third party sites to request the resource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add it again in the `PublicAuth` plugin.

We also add a redirect to be helpful to the user.

**Warning**: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view.

Fix #52482

Signed-off-by: Louis Chemineau <louis@chmn.me>
2025-05-21 16:01:36 +02:00
Ferdinand Thiessen
3d113ab6cc
refactor(dav): use Node API instead of private files view for filedrop plugin
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2025-05-16 14:37:30 +02:00
provokateurin
46f5b07322
feat(dav): Enable chunked upload for public shares
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-05-05 13:23:11 +02:00
provokateurin
7f0953d520
refactor(dav): Replace baseuri manipulation with RootCollection for public shares
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-05-05 13:23:11 +02:00
Git'Fellow
5dcec08e98
fix(shares): Allow underscores on custom links
Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
2025-03-26 08:14:52 +01:00
provokateurin
81acb210ce
fix(dav): Fix share token pattern for base uri extraction
Signed-off-by: provokateurin <kate@provokateurin.de>
2025-03-10 10:10:46 +01:00
Côme Chilliet
64863c9d46
chore: Apply new rector configuration to apps folder
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2025-02-13 11:46:42 +01:00
Côme Chilliet
1580c8612b
chore(apps): Apply new rector configuration to autouse classes
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2024-10-15 10:40:25 +02:00
John Molakvoæ (skjnldsv)
abd0cddd38
feat: make systemtags public visible
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2024-10-11 16:06:44 +02:00
Ferdinand Thiessen
bbc5d32c8e
fix(dav): Public WebDAV endpoint should allow GET requests
`GET` should be allowed even without Ajax header to allow downloading files,
or show files in the viewer. All other requests could be guarded, but this should not.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-10-09 17:10:52 +02:00
Ferdinand Thiessen
cb1b366baf
fix(dav): Ensure share properties are also set on public remote endpoint
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
2024-08-12 11:28:03 +02:00
skjnldsv
f28d933acc
feat(files_sharing): add public name prompt for files requests
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2024-07-18 20:15:39 +02:00
Robin Appelman
7a9efcf4cc
perf: remove full filesystem setup for accessing public link share dav endpoints
Signed-off-by: Robin Appelman <robin@icewind.nl>
2024-06-20 12:15:43 +02:00
Andy Scherzinger
9d4b944098
chore: Add SPDX header
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
2024-05-27 20:11:22 +02:00
Côme Chilliet
ec5133b739
fix: Apply new coding standard to all files
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2024-04-02 14:16:21 +02:00
John Molakvoæ
20a0b9cbaf
fix(dav): ajax request check on public remote endpoints
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2024-01-17 09:05:11 +01:00
John Molakvoæ
9e4c9b97dd
fix(psalm): update baseline and suppress unnecessary issues
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2024-01-09 11:08:46 +01:00
John Molakvoæ
18399fc1cf
fix: improve typing and use \OCP\Server::get
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2024-01-09 10:56:34 +01:00
John Molakvoæ
82b5a19a35
fix: public dav and files_sharing testing fixes
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2024-01-09 10:56:14 +01:00
John Molakvoæ
7b6a650b6e
feat: public dav endpoint v2
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2024-01-09 10:56:06 +01:00
Faraz Samapoor
0bae21b1d1
Refactors "strpos" calls in /apps/dav to improve code readability.
Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>
2023-06-12 09:46:07 +02:00
John Molakvoæ (skjnldsv)
215aef3cbd
Update php licenses
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2021-06-04 22:02:41 +02:00
Robin Appelman
f824f273b6
add event for when a direct download is triggered
Signed-off-by: Robin Appelman <robin@icewind.nl>
2021-02-12 17:33:12 +01:00
Christoph Wurst
d89a75be0b
Update all license headers for Nextcloud 21
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-12-16 18:48:22 +01:00
Christoph Wurst
2a054e6c04
Update the license headers for Nextcloud 20
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-08-24 14:54:25 +02:00
Morris Jobke
ecbc009e2f
Translate the maintenance mode message in webdav
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-05-06 18:11:54 +02:00
Christoph Wurst
5bf3d1bb38
Update license headers
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2019-12-05 15:38:45 +01:00
Roeland Jago Douma
392337fa13
Throttle requests to unknown tokens
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-04-26 10:35:37 +02:00
Roeland Jago Douma
b3e7865d9b
Dav endpoint returns proper data
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-04-26 10:35:37 +02:00
Roeland Jago Douma
f984664bee
First step of DAV endpoint
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-04-26 10:35:37 +02:00
Morris Jobke
0eebff152a
Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Vincent Petry
a829ac787a
Let apps register Sabre plugins or collections
upstream #26761

Signed-off-by: Julius Härtl <jus@bitgrid.net>
2017-10-14 20:50:53 +02:00
Ko-
0024b67aaf
Check that set_time_limit is not disabled before calling it
Signed-off-by: Ko- <k.stoffelen@cs.ru.nl>
2017-03-11 17:04:21 +01:00
Vincent Petry
0aaf209c66
Prevent PHP request to get killed when using fclose callback (#26775)
* Prevent PHP request to get killed when using fclose callback

* Add ignore_user_abort everywhere where the time limit is set to 0

Signed-off-by: Robin Appelman <robin@icewind.nl>
2017-01-23 12:33:20 +01:00
Joas Schilling
813f0a0f40
Fix apps/
2016-07-21 18:13:57 +02:00
Thomas Müller
682821c71e
Happy new year!
2016-01-12 15:02:18 +01:00
Thomas Müller
c79496b5a3
Introduced the new webdav endpoint remote.php/dav holding the principals and the files collection
2015-10-26 13:00:00 +01:00