The threads option for the password_hash function does not define the maximum allowed number of CPU threads to be used by the hashing algorithm but the exact number of threads that is used.
Similarly the memory_cost option for the password_hash function does not define the maximum allowed memory to be used by the hashing algorithm, but the exact amount of memory that is used by the hashing table. The minimum value is 8 KiB per thread.
The time_cost option for the password_hash function does not define the allowed time in seconds, but the number of iterations for the hash function.
If the minimum values are understood, the minimum values are used instead.
Signed-off-by: MichaIng <micha@dietpi.com>
On some systems with a lot of users this creates a lot of extra DB
writes.
Being able to increase this interval helps there.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
The custom config allows to setup a proxy URI that is passed to
GuzzleHTTP client as request options. Guzzle has the option to receive
an array of proxies for each URI scheme as well as 'no' key value pair
to provide a list of host names that should not be proxied to.
Guzzle would automatically populate these options with HTTPS_PROXY
and NO_PROXY environment variables. However, when providing a 'proxy'
request option, default values will be overriden and it is required to
explicitly provide the 'no' value if needed.
More info:
http://docs.guzzlephp.org/en/stable/request-options.html#proxy
This commit will add support for a new config 'proxyexclude', which
takes a list of host names to be excluded.
It will also provide 'proxy' request option as an array instead of a
string to Guzzle, and populate 'http' and 'https' URI schemes with
proxy URI, and 'no' with 'proxyexclude' list.
Also, if no 'proxy' is configured, it will leave out 'proxy' request
option, so it won't override Guzzle default values.
Sample config file includes a hint on how to explicitly sync
'proxyexclude' with NO_PROXY, and a note about default values.
Signed-off-by: Mohammed Abdellatif <m.latief@gmail.com>
If the remember_login_cookie_lifetime is set to 0 this means we do not
want to use remember me at all. In that case we should also not creatae
a remember me cookie and should create a proper temp token.
Further this specifies that is not 0 the remember me time should always
be larger than the session timeout. Because else the behavior is not
really defined.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
The file logger currently resets the mode of the logfile to 0640.
When the webserver is running as a different user than the cron job
(but both are in the same group) the files mode has to be 0660. The
current implementation breaks logging for the user that is not the
owner of the logfile.
This patch introduces a new config option 'logfilemode' that expects
an octal value (defaults to 0640). Unless the value is lower or equal
than 0 the logfiles mode will be resetted to this value.
Signed-off-by: Roland Tapken <roland@bitarbeiter.net>
@MorrisJobke asked me to open this pull request in the server repo instead of the documentation repo:
https://github.com/nextcloud/documentation/pull/690
Text from the documentation pull request:
On a fresh Nextcloud 13 Installation the default value for dbtype in config.php is 'sqlite3' (and not 'sqlite'). I also noticed that on previous versions.
Despite the fact that Nextcloud 13 also works though, if that value is manually changed to 'sqlite', I would suggest to change that in the documentation to the actually used value created when installing Nextcloud - and that is 'sqlite3'.
With HiDPI screens. And even normal HD screens you want more detail from
your pictures. Or the ability to somewhat zoom on you previews. For this
we need somewhat larger previews.
Moving the default to 4096x4096 is a step up. Users that want the old
behavior can still set the values in config.php
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
There was a setting to disable the last execution of cron. There is no known
problem with this write access and it was also questioned when this feature
was build in https://github.com/owncloud/core/pull/7689#issuecomment-38264707
Recently there was also a bug report about a non-visible last cron execution
(#6088) - let's better remove this.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
Single user mode basically disables WebDAV, OCS and cron execution. Since
we heavily rely on WebDAV and OCS also in the web UI it's basically useless.
An admin only sees a broken interface and can't even change any settings nor
sees any files. Also sharing is not possible.
As this is at least the case since Nextcloud 9 and we haven't received any
reports for this it seems that this feature is not used at all so I removed it.
The encryption commands now rely on the well tested maintenance mode.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* we introduced this setting in the begining because our
avatar support caused some performance issues, but we
fixed them and should only provide one way how Nextcloud
looks
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
based on a source code analysis (looking for getSystemValue() function) I added the default values of the prameters
Update config.sample.php
replaced three backticks by two.
applied various fixes
- removed default value for 'objectstore' because it has not default value.
- removed default value for 'tempdirectory' because it is unset.
- changed default value for 'theme' to "Defaults to the theming app which is shipped since Nextcloud 9"
- fixed typo in default value of 'minimum.supported.desktop.version', after double-checking the version
number in /apps/dav/lib/Connector/Sabre/BlockLegacyClientPlugin.php:71.
Signed-off-by: Juergen Edner <juergen@eisfair.org>
Added the system config which sets all conditions to true that query the
FrontControllerActive mod_env variable.
Signed-off-by: Felix A. Epp <work@felixepp.de>
- Updated the config sample to point to log_type='file'
- Renamed the Class for logfile logging to File in namespace 'OC\Log\'.
Changed the occurrences of 'OC\Log\Owncloud' to 'OC\Log\File'.
- Renamed the Class for log:file command to File in namespace 'OC\Core\Command\Log\File'.
Changed registration of the command to use 'OC\Core\Command\Log\File'.
- Changed default Syslog tag to Nextcloud
- Retained backwards compatibility for configs with 'logtype' => 'owncloud'
- Adjusted tests for the new file log.
Closes#490.
Class Throttler implements the bruteforce protection for security actions in
Nextcloud.
It is working by logging invalid login attempts to the database and slowing
down all login attempts from the same subnet. The max delay is 30 seconds and
the starting delay are 200 milliseconds. (after the first failed login)
Fixes#215
The asset pipeline has shown to do more harm than good. Some apps fail
hard with it. Also it makes sure that you download a huge file on each
unvisited page.
The current logic for mod_rewrite relies on the fact that people have properly configured ownCloud, basically it reads from the `overwrite.cli.ur
l` entry and then derives the `RewriteBase` from it.
This usually works. However, since the ownCloud packages seem to install themselves at `/owncloud` (because subfolders are cool or so…) _a lot_ of people have just created a new Virtual Host for it or have simply symlinked the path etc.
This means that `overwrite.cli.url` is wrong, which fails hard if it is used as RewriteBase since Apache does not know where it should serve files from. In the end the ownCloud instance will not be accessible anymore and users will be frustrated. Also some shared hosters like 1&1 (because using shared hosters is so awesome… ;-)) have somewhat dubious Apache configurations or use versions of mod_rewrite from the mediveal age. (because updating is money or so…)
Anyhow. This makes this explicitly an opt-in configuration flag. If `htaccess.RewriteBase` is set then it will configure index.php-less URLs, if
admins set that after installation and don't want to wait until the next ownCloud version they can run `occ maintenance:update:htaccess`.
For ownCloud 9.0 we also have to add a repair step to make sure that instances that already have a RewriteBase configured continue to use it by copying it into the config file. That way all existing URLs stay valid. That one is not in this PR since this is unneccessary in master.
Effectively this reduces another risk of breakage when updating from ownCloud 8 to ownCloud 9.
Fixes https://github.com/owncloud/core/issues/24525, https://github.com/owncloud/core/issues/24426 and probably some more.
* allow configuration of memcache options
Use production values for memcached as explained in http://apprize.info/php/scaling/15.html
The current implementiation uses ascii based serialization. This PR should reduce traffic to the memcached server.
cc @MorrisJobke @FelixBoehm
* add config sample
* merge config options, throw hint on config error
* fix typo
* fix config sample
Currently testing the updates is a big problem and not really super easy possible. Since we now have a new updater server we should also make this configurable so that people can properly test updates.
* if you install owncloud via package it is not
possible to skip migration tests
* this also allows to disable migration tests for
an instance by default
Added config.php option to replace the default implementation of system
tag manager and system tag object mapper.
Also adjusted the comments manager factory to inject the server container
register CommentsManager service, allow override, document in config.sample.php
don't insert autoincrement ids in tests, because of dislikes from oracle and pgsql
specify timezone in null date
only accepts strings for ID parameter that can be converted to int
replace forgotten hardcoded IDs in tests
react on deleted users
react on file deletion
Postgresql compatibility
lastInsertId needs *PREFIX* with the table name
do not listen for file deletion, because it is not reliable (trashbin, external storages)
add runtime cache for comments
This changeset allows ownCloud to run with pretty URLs, they will be used if mod_rewrite and mod_env are available. This means basically that the `index.php` in the URL is not shown to the user anymore.
Also the not deprecated functions to generate URLs have been modified to support this behaviour, old functions such as `filePath` will still behave as before for compatibility reasons.
Examples:
http://localhost/owncloud/index.php/s/AIDyKbxiRZWAAjP => http://localhost/owncloud/s/AIDyKbxiRZWAAjPhttp://localhost/owncloud/index.php/apps/files/ => http://localhost/owncloud/apps/files/
Due to the way our CSS and JS is structured the .htaccess uses some hacks for the final result but could be worse... And I was just annoyed by all that users crying for the removal of `index.php` ;-)
* if you install owncloud via package it is not
possible to skip migration tests
* this also allows to disable migration tests for
an instance by default
This will prevent detecting remote changes done in the data folder /
root storage by default. In the rare cases where the data folder is
shared with other apps/users outside ownCloud and change detection is
needed, the admin will have to set the option explicitly from now on.
Note that this doesn't affect external storages which have their own
setting in the mount options.
* Log condition for log level increase based on conditions. Once one of these
conditions is met, the required log level is set to debug. This allows to
debug specific requests, users or apps
* Supported conditions (setting `log_condition` in `config.php`):
- `shared_secret`: if a request parameter with the name `log_secret` is set to
this value the condition is met
- `users`: if the current request is done by one of the specified users,
this condition is met
- `apps`: if the log message is invoked by one of the specified apps,
this condition is met
* fix unit test and add app log condition test
This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance.
This has multiple reasons:
1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse
2. Old ownCloud client versions tend to be horrible buggy
In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
The first time we're asked to generate a preview we'll generate one of the maximum dimension indicated in the configuration and all future resizing requests will be done on that preview in order to not waste time converting the same file over and over.
One of the fixes required for #12465
Caches divided up into two groups: distributed and local. 'Low latency' is an
alias for local caches, while the standard `create()` call tries to get
distributed caches first, then local caches.
Memcache backend is set in `config.php`, with the keys `memcache.local` and
`memcache.distributed`. If not set, `memcache.distributed` defaults to the value
of `memcache.local`.
Doing this in the PHP code is not the right approach for multiple reasons:
1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.
This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components.
Legacy ownCloud components will still use the previous policy. Application developers can use this as following in their controllers:
```php
$response = new TemplateResponse('activity', 'list', []);
$cspHelper = new ContentSecurityPolicyHelper();
$cspHelper->addAllowedScriptDomain('www.owncloud.org');
$response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
return $response;
```
Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925
This allows the directory where CSS/JS asset collections are
written to be changed, in case SERVERROOT is not writeable. Note
it does *not* allow the expected URL to be changed: whatever
directory is used, the server must be configured to serve it
at WEBROOT/assets. It may be possible to add another config
parameter to allow the admin to specify a custom asset URL,
but I thought I'd keep the first implementation simple.
