$nameSearchPattern was passed in and directly appended to the SQL query. Luckily the code path isn't reached anywhere in Nextcloud or the included apps.
In a SAML scenario we don't get any strict or lax cookie send for
the ACS endpoint. Since we have some legacy code in Nextcloud
(direct PHP files) the enforcement of lax cookies is performed here
instead of the middleware.
This means we cannot exclude some routes from the cookie validation,
which normally is not a problem but is a little bit cumbersome for
this use-case.
Once the old legacy PHP endpoints have been removed we can move
the verification into a middleware and also adds some exemptions.
Not super awesome code to have but the best that I could come up
with that doesn't add another ton of technical debt.
The Nextcloud and ownCloud updaters allow someone to configure a custom release channel, this can then be used to publish different versions. (e.g. one channel stays on 9.x while another one already gets 10.x)
There is however one big problem with it: The value is effectively stored in the app config, which is stored in the database. So to be able to read the update channel a connection to the database is necessary. This is quite error prone and also causes some of the issues in the original ownCloud updater.
This moves the channel registration to the config.php and also includes a repair step.
When no cookies are sent it is not required to perform any check for the strict or lax cookie, it does not provide any significant security advantage.
It does however interfer with the Android client which requests thumbnails from the unofficial API at `/index.php/apps/files/api/v1/thumbnail/256/256/{filename}`. This endpoint expects the strict cookie to be existent to not leak the existence of files. The Android client authenticates against this endpoint using Basic Auth and without cookies in some cases at least. This will make these endpoints work again with such cases.
To test this issue the following cURL command once without the patch and once with:
> curl http://localhost/index.php/apps/files/api/v1/thumbnail/256/256/welcome.txt -u admin -v
Without the patch the request is redirected (which the client does not obey) and with the patch the preview is returned.
As the apps from the appstore are at the moment signed by the ownCloud Root CA we have to add it as fallback as well. We can remove that once Nextcloud 10 with new appstore has been released.
At the moment we want to hide the help link from the personal sidebar as it contains the original ownCloud documentation.
Once we have our own documentation with our proper branding and so on we can reenable this.
