nextcloud

mirror of https://github.com/nextcloud/server.git synced 2026-04-15 22:11:17 -04:00

Author	SHA1	Message	Date
Julius Härtl	bd03dd37be	Allow to set a strict-dynamic CSP through the API Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-03-09 15:10:27 +01:00
Carl Schwan	7dddbd0c35	Improve caching policy * Cache css with version in url. This makes most js and css requests to be cached by the browser * Force caching previews, the etag is in the url so that if the propfind gives a new etag, we will refresh it otherwise it's no use to try to fetch the new etag and do tons of DB queries Tested with firefox and 'debug' => false (important so that the js/css urls are generated with ?v= parameter) Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-02-16 11:35:57 +01:00
Robin Appelman	c712987878	send request id in response header Signed-off-by: Robin Appelman <robin@icewind.nl>	2022-02-01 14:24:01 +01:00
Daniel Rudolf	aa455e71d9	Merge branch 'master' into enhancement/noid/IURLGenerator-linkToDefaultPageUrl	2021-08-04 18:52:55 +02:00
Carl Schwan	28970563a2	Remove some mentions of ownCloud from our api documentation Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2021-07-29 15:56:30 +02:00
Daniel Rudolf	a43de10d1e	Add RedirectToDefaultAppResponse::__construct() annotations Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>	2021-07-01 15:35:09 +02:00
Daniel Rudolf	e478db9161	Deprecate RedirectToDefaultAppResponse Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>	2021-07-01 15:13:08 +02:00
Daniel Rudolf	2c7186a15f	Remove \OC::$server->getURLGenerator() usage Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>	2021-07-01 15:12:15 +02:00
Daniel Rudolf	12059eb65b	Add IUrlGenerator::linkToDefaultPageUrl() Replaces the deprecated \OC_Util::getDefaultPageUrl() and makes this API public. Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>	2021-06-30 16:20:57 +02:00
Pytal	9ed379da22	Merge pull request #27635 from nextcloud/fix/datetime-constants Fix usage of DateTime constants	2021-06-23 09:56:28 -07:00
Christoph Wurst	6d5cfe0c66	Move DateTime::RFC2822 to DateTimeInterface::2822 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2021-06-23 15:30:43 +02:00
Lukas Reschke	25ab4059c6	Add security.txt Ref https://securitytxt.org Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-06-23 13:58:47 +02:00
Morris Jobke	2ae60b42ab	Merge pull request #26494 from rigrig/fix-php8-deprecations Fix some php 8 warnings	2021-06-07 23:30:59 +02:00
John Molakvoæ (skjnldsv)	215aef3cbd	Update php licenses Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>	2021-06-04 22:02:41 +02:00
Lukas Reschke	377514aad1	Escape filename in Content-Disposition We should escape all occurences of ' and \ in here. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-06-02 19:22:17 +02:00
Richard de Boer	a0d265b0b1	Fix a usort comparison function returning a boolean instead of an integer PHP 8 shows deprecation warnings about this, see #25806 Signed-off-by: Richard de Boer <git@tubul.net>	2021-05-29 14:14:52 +02:00
Joas Schilling	02c011c4f7	Make debugging easier which header is being set Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-03-24 13:22:44 +01:00
Christoph Wurst	08d4458542	Initialize \OCP\AppFramework\Http\ZipResponse::$resources Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2021-02-17 19:59:27 +01:00
Christoph Wurst	9ce3ea3368	Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-12-30 14:07:05 +01:00
Christoph Wurst	d89a75be0b	Update all license headers for Nextcloud 21 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-12-16 18:48:22 +01:00
Joas Schilling	329ffa257e	Log an error when setting a custom header on "Not Modified" responses Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-12-15 11:24:15 +01:00
Thomas Citharel	71cf92697c	Update comment to reflect current CSP policy JS unsafe-eval was removed a long time ago in https://github.com/nextcloud/server/pull/11028	2020-12-12 21:11:42 +01:00
Roeland Jago Douma	1e111b2ad2	Fix DataResponse typehints We use this already in several places where we just pass strings or numbers. This all works because we just convert it to a json response in the end. So better to have the typehints reflect this. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-11-19 20:34:42 +01:00
Roeland Jago Douma	9163790b7c	Set frame-ancestors to none if none are filled frame-ancestors doesn't fall back to default-src. So when we apply a very restricted CSP we should make sure to set it to 'none' and not leave it empty. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-11-18 10:13:36 +01:00
Roeland Jago Douma	fa6a790859	Remove deprecated OCSResponse Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-11-01 14:12:27 +01:00
Christoph Wurst	d9015a8c94	Format code to a single space around binary operators Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-10-05 20:25:24 +02:00
Julius Härtl	8ab2422b6c	Add acutal response to BeforeTemplateRenderedEvent Signed-off-by: Julius Härtl <jus@bitgrid.net>	2020-09-24 20:00:23 +02:00
Roeland Jago Douma	b5e9f7e846	Merge pull request #22432 from nextcloud/enh/phpdoc Add php docs build script	2020-08-26 21:18:11 +02:00
Julius Härtl	45a474071e	Remove @package annotations from public namespace Signed-off-by: Julius Härtl <jus@bitgrid.net>	2020-08-26 16:59:40 +02:00
Christoph Wurst	2a054e6c04	Update the license headers for Nextcloud 20 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-08-24 14:54:25 +02:00
Joas Schilling	35a8519591	Fix CS Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:36 +02:00
Joas Schilling	e66bc4a8a7	Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:35 +02:00
Morris Jobke	0581356169	Merge pull request #22097 from nextcloud/enh/noid/empty-template Add empty renderAs template	2020-08-05 11:42:29 +02:00
Julius Härtl	b51746212e	Add base renderAs template Signed-off-by: Julius Härtl <jus@bitgrid.net>	2020-08-04 09:48:43 +02:00
Julius Härtl	e1b696929f	Move NotFoundResponse to a proper TemplateResponse Signed-off-by: Julius Härtl <jus@bitgrid.net>	2020-07-24 08:58:14 +02:00
Joas Schilling	49970639fa	Add constants for the magic strings of template rendering Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-07-16 15:47:28 +02:00
Morris Jobke	c4b53538af	Better event description for BeforeTemplateRenderedEvent in files and files_sharing Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2020-07-15 20:15:51 +02:00
Roeland Jago Douma	7d7ba61625	Add real events to load additionalscripts Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-07-15 14:07:18 +02:00
Joas Schilling	b7060be18d	Fix robots "noindex, nofollow" signals Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-06-25 08:29:43 +02:00
Roeland Jago Douma	fbf9772a3e	Allow to specify the cookie type for appframework responses In general it is good to set them to Lax. But also to give devs more control over them is not a bad thing. Helps with #21474 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-06-22 08:38:44 +02:00
Roeland Jago Douma	4fbea316a7	Merge pull request #20897 from nextcloud/bugfix/httpcache Proxy server could cache http response when it is not private	2020-05-13 08:27:05 +02:00
Clement Wong	e9be3a9090	Add public argument to Http cacheFor() Signed-off-by: Clement Wong <git@clement.hk>	2020-05-10 20:24:14 +02:00
Clement Wong	401210d259	Proxy server could cache http response when it is not private Signed-off-by: Clement Wong <git@clement.hk>	2020-05-10 11:24:08 +02:00
Christoph Wurst	cb057829f7	Update license headers for 19 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-29 11:57:22 +02:00
Christoph Wurst	28f8eb5dba	Add visibility to all constants Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 16:54:27 +02:00
Christoph Wurst	caff1023ea	Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 14:19:56 +02:00
Christoph Wurst	afbd9c4e6e	Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 13:54:22 +02:00
Christoph Wurst	41b5e5923a	Use exactly one empty line after the namespace declaration For PSR2 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 11:48:10 +02:00
Christoph Wurst	2fbad1ed72	Fix (array) indent style to always use one tab Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 10:16:08 +02:00
Christoph Wurst	1a9330cd69	Update the license headers for Nextcloud 19 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-31 14:52:54 +02:00
Christoph Wurst	463b388589	Merge pull request #20170 from nextcloud/techdebt/remove-unused-imports Remove unused imports	2020-03-27 17:14:08 +01:00
Christoph Wurst	b80ebc9674	Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-26 16:34:56 +01:00
Christoph Wurst	74936c49ea	Remove unused imports Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-25 22:08:08 +01:00
Pavel Krasikov	4c01326913	add docs for useJsNonce Signed-off-by: Pavel Krasikov <klonishe@gmail.com>	2020-03-15 17:02:11 +03:00
Christoph Wurst	6127c288e8	Fix license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-01-13 14:23:49 +01:00
Daniel Calviño Sánchez	883a71ce8e	Split the menu entry for external shares in two The external shares entry showed a "button" that, when pressed, replaced the button with the input to set the remote share address. The "button" was actually a label for the input, so when the label was focused it transferred the focus to the input and thus pressing enter or space did not show the input. Moreover, inputs inside links are not valid HTML, and once shown there was no way to hide the input again. Due to all this, and for consistency with the direct link input, the external share input was moved to a different menu item that is shown and hidden when the button, which nows is also a real button, is clicked. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>	2019-12-30 10:29:36 +01:00
Daniel Calviño Sánchez	33b2f4e295	Format HTML elements Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>	2019-12-30 10:29:36 +01:00
Christoph Wurst	5bf3d1bb38	Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2019-12-05 15:38:45 +01:00
Roeland Jago Douma	68748d4f85	Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-11-22 20:52:10 +01:00
Roeland Jago Douma	a85f2f4165	set default CSP on NotFoundResponse Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-09-09 22:37:12 +02:00
Roeland Jago Douma	35db32f504	Add deprecation warning Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-29 14:52:50 +02:00
Roeland Jago Douma	c40fe8b819	Do not enforce the parent constructor of response to be called If there is no policy set we just take the default empty ones. That way no obscure errors get thrown if the constructor is not called. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-19 14:39:34 +02:00
Roeland Jago Douma	c4cafae884	frame-src doesn't respect the nonce attribute Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-16 21:29:57 +02:00
Roeland Jago Douma	b8c5008acf	Add feature policy header This adds the events and the classes to modify the feature policy. It also adds a default restricted feature policy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-10 14:26:22 +02:00
Roeland Jago Douma	f94ee72507	Add form-action CSP element Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-31 15:16:10 +02:00
Roeland Jago Douma	cd243b0876	No need to have these classes we tighten the default CSP from time to time Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-27 14:59:48 +02:00
Roeland Jago Douma	7276735eb4	Set empty CSP by default For #14179 By default responses should have the strictest (and simplest) CSP possible. Only template responses should require an actual CSP. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-04-16 14:09:39 +02:00
Roeland Jago Douma	4d8e1f6c67	CSP: set nonce for iframes This for now uses the jsNonce. That way we can easily backport it. For 17 I will fix it properly. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-03-16 20:20:03 +01:00
Joas Schilling	3203d3e806	Allow apps to redirect to the default app Signed-off-by: Joas Schilling <coding@schilljs.com>	2019-03-01 09:19:46 +01:00
Roeland Jago Douma	b68567e9ba	Add StandaloneTemplateResponse This can be used by pages that do not have the full Nextcloud UI. So notifications etc do not load there. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-02-06 11:26:18 +01:00
Roeland Jago Douma	d182037bce	Emit to load additionalscripts Fixes #13662 This will fire of an event after a Template Response has been returned. There is an event for the generic loading and one when logged in. So apps can chose to load only on loged in pages. This is a more generic approach than the files app event. As some things we might want to load on other pages as well besides the files app. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-31 12:11:40 +01:00
Roeland Jago Douma	ad676c0102	Set default frame-ancestors to 'self' For #13042 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-08 15:36:40 +01:00
Roeland Jago Douma	64244e1a4f	CSP: Allow fonts to be provided in data Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-01-07 15:07:06 +01:00
Roeland Jago Douma	58345e02d2	Basic CSP no longer deprecated Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-11-08 10:37:48 +01:00
Roeland Jago Douma	579822b6a5	Add report-uri to CSP Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-21 13:38:32 +02:00
Roeland Jago Douma	5b61ef9213	Disallow unsafe-eval by default Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-14 20:45:34 +02:00
Morris Jobke	bcbffdb644	Add PHPDoc Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2018-10-02 22:35:31 +02:00
Roeland Jago Douma	7d9052d4b9	fixup! Add fix response Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-02 08:17:27 +02:00
Roeland Jago Douma	a891f42a5d	fixup! Add fix response Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-02 08:16:28 +02:00
Jakob Sack	a9fa220e68	Add fix response implements #7589	2018-10-02 08:13:39 +02:00
Roeland Jago Douma	8354c50911	Deprecate the childSrc functions Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-09-04 07:35:44 +02:00
Roeland Jago Douma	c8fe4b4fc8	Add workerSrc to CSP Fixes #11035 Since the child-src directive is deprecated (we should kill it at some point) we need to have the proper worker-src available Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-09-04 07:35:44 +02:00
Roeland Jago Douma	c21cee248c	Disallow eval on the StrictEvalCSP Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-07-11 21:12:36 +02:00
Roeland Jago Douma	b38fa573e1	Add stricter CSPs * Deprecate our default CSP * Add strict CSP that is always our strictest setting * Add strict eval CSP (disable unsafe-eval) * Add strict inline CSP (disables inline styles) This is just to move forward and have a incremental improvement of our CSP Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-13 14:47:57 +02:00
Roeland Jago Douma	a34495933e	Move caching logic to response This avoids having to do it at all the places we want cached responses. We can't inject the ITimeFactor without breaking public API. However we can perfectly overwrite the service (resulting in the same testable effect). Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-06-04 08:48:54 +02:00
Julius Härtl	6ded1c46b7	Add since tags Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-04-05 13:18:17 +02:00
Julius Härtl	2e60f91ab1	Move external share saving to template Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-04-05 13:11:55 +02:00
Julius Härtl	30e76f9f14	Add footer to public page template Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-04-05 12:22:01 +02:00
Julius Härtl	eb19899f8e	Move common menu templates to public API Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-04-05 11:09:19 +02:00
Julius Härtl	36563d4a4b	Remove setters Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-02-27 12:25:53 +01:00
Julius Härtl	9cf49873fa	Rework array handling to avoid phan error Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-02-27 12:25:53 +01:00
Julius Härtl	2b6c00fc0f	Add id to list element Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-02-27 12:25:53 +01:00
Julius Härtl	7cd0340366	Sort menu by priority Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-02-27 12:25:53 +01:00
Julius Härtl	038aad73c7	Add missing phpdoc for public API Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-02-27 12:25:53 +01:00
Julius Härtl	4f83462f67	Add phpdoc, typehints and sanitize HTML Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-02-27 12:25:52 +01:00
Julius Härtl	4f78980fad	Add menu item abstraction Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-02-27 12:25:52 +01:00
Julius Härtl	0655df09d6	Pass template parameters to parent template Signed-off-by: Julius Härtl <jus@bitgrid.net>	2018-02-27 12:25:52 +01:00
Roeland Jago Douma	5825c27a12	Make sure that render always returns a string Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-02-21 13:28:40 +01:00
Morris Jobke	31c5c2a592	Change @georgehrke's email Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-11-06 20:38:59 +01:00
Morris Jobke	0eebff152a	Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2017-11-06 16:56:19 +01:00

1 2 3 4

176 commits