upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-04-13 21:17:20 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 10
77659 commits 891 branches 1195 tags 7.1 GiB
Commit graph

280 commits

Author SHA1 Message Date
Christoph Wurst
08a3f37695
chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-06-12 10:03:59 +02:00
Joas Schilling
3a6bc7aba2
fix(middleware): Also abort the request when reaching max delay in afterController 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-05-15 16:20:19 +02:00
Joas Schilling
ecb8b55c5c
feat(security): Add PHP \Attribute for remaining security annotations 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-04-25 14:50:32 +02:00
Joas Schilling
89c3c31402
feat(ratelimit): Add Attributes support to rate limit middleware 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-04-24 12:24:48 +02:00
Côme Chilliet
b294edad80
Merge branch 'master' into enh/type-iconfig-getter-calls 
Signed-off-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
 2023-04-20 16:52:38 +02:00
Christoph Wurst
2c0cfd3772
feat(app-framework): Add native argument types for middleware 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-04-18 17:15:05 +02:00
Côme Chilliet
8d5165e8dc
Adapt tests to config value typing 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2023-04-05 17:42:14 +02:00
Joas Schilling
2b49861679
Add a debug message when throttling without defining 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-03-08 12:09:22 +01:00
Joas Schilling
e839eb9b5c
feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-03-08 12:09:22 +01:00
Joas Schilling
c297f8ee96
feat(appframework): Make ITimeFactory extend \PSR\Clock\ClockInterface 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-03-03 15:37:13 +01:00
Julius Härtl
90d2cb09b1
Merge pull request #36396 from nextcloud/fix/cors 2023-02-17 09:42:08 +01:00
Ferdinand Thiessen
f655f83c84 fix(CORS): CORS should only be bypassed on PublicPage if not logged in to prevent CSRF attack vectors 
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
 2023-02-16 22:55:18 +01:00
MichaIng
5f90b8eb11
Change X-Robots-Tag header from "none" to "noindex, nofollow" 
While "none" is indeed equivalent to "noindex, nofollow" for Google, but seems to be not supported by Bing and probably other search engines.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name#other_metadata_names
https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag?hl=de#comma-separated-list
https://www.bing.com/webmasters/help/which-robots-metatags-does-bing-support-5198d240

Signed-off-by: MichaIng <micha@dietpi.com>
 2023-02-15 20:16:51 +01:00
Robin Appelman
b911da3e1e
DI for Router 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2023-02-13 22:51:14 +01:00
Ferdinand Thiessen
ba8a50c059 fix: Throw NotFoundExceptionInterface to fulfill PSR container interface if class not found 
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
 2023-02-06 14:16:35 +01:00
Christoph Wurst
20e00cdf17
feat(app-framework): Add UseSession attribute to replace annotation 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-01-27 09:40:35 +01:00
Christoph Wurst
8d9af3e262
feat(app-framework): Add support for global middlewares 
This allows apps to register middlewares that always register, not just
for the app's own requests

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-01-26 11:54:28 +01:00
Christoph Wurst
907ff68bfc
perf(app-framework): Make the app middleware registration lazy 
Before this patch, app middlewares were registered on the dispatcher for
every app loaded in a Nextcloud process. With the patch, only
middlewares belonging to the same app of a dispatcher instance are
loaded.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-01-25 09:27:24 +01:00
Côme Chilliet
f5c361cf44
composer run cs:fix 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2023-01-20 11:45:08 +01:00
Christoph Wurst
20fcfb5739
feat(app framework)!: Inject services into controller methods 
Usually Nextcloud DI goes through constructor injection. This has the
implication that each instance of a class builds the full DI tree. That
is the injected services, their services, etc. Occasionally there is a
service that is only needed for one controller method. Then the DI tree
is build regardless if used or not.

If services are injected into the method, we only build the DI tree if
that method gets executed.

This is also how Laravel allows injection.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-01-18 14:00:38 +01:00
Stanimir Bozhilov
7dcd6eb561
Merge branch 'master' into add-scim-json-support 
Signed-off-by: Stanimir Bozhilov <stanimir.bozhilov.1998@gmail.com>
 2022-12-19 09:07:38 +01:00
Vincent Petry
ae6fe874ed
Merge pull request #35780 from nextcloud/fix/http-dispatcher-double-parameter-cast 
Fix missing cast of double controller parameters
 2022-12-16 16:18:35 +01:00
Christoph Wurst
b6dd1a1d7b
fix(app framework): Fix missing cast of double controller parameters 
``settype`` allows 'double' as alias of 'float'.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2022-12-15 09:33:52 +01:00
Artur Neumann
81f2857f34
check if params given to API are really an array 
Signed-off-by: Artur Neumann <artur@jankaritech.com>
 2022-12-15 13:45:22 +05:45
Julien Veyssier
4a3f3beb0b
use bruteforce protection on all methods wrapped by PublicShareMiddleware 
if an invalid token is provided or when share password is wrong

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
 2022-12-07 13:24:50 +01:00
Côme Chilliet
68363f6944
Fix some more problems with tests under PHP 8.2 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2022-11-15 16:02:24 +01:00
Roeland Jago Douma
60ee874485
Remove long depreated AppFramework/Db/Mapper 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2022-10-10 08:18:32 +02:00
Stanimir Bozhilov
46c10c77e1 Fix the JSON content type regex to match all MIME types 
Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>
 2022-09-26 11:51:44 +02:00
Stanimir Bozhilov
f7d51a39cf Add unit tests for application/scim+json content type 
Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>
 2022-09-20 16:19:05 +02:00
Julius Härtl
64a7489958
Fix SessionMiddlewareTest and cover new case with reopening 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2022-08-24 10:36:57 +02:00
Simon Leiner
09362eaeaa
Support specifying IPv6 proxies in CIDR notation 
Previously, it was not possible to use CIDR notation for IPv6 proxies
in the trusted_proxies parameter of config.php [1]. This patch adds
support for that.

[1]: https://docs.nextcloud.com/server/24/admin_manual/configuration_server/reverse_proxy_configuration.html#defining-trusted-proxies

Signed-off-by: Simon Leiner <simon@leiner.me>
 2022-08-02 17:36:47 +02:00
Thomas Citharel
1d30fb7852
Fix reading blob data as resource 
PostgreSQL returns data as resource when using IQueryBuilder::PARAM_LOB
(which is used for QBMapper).

Previously we just converted this resource using settype, which produced
things like "Resource id #14" instead of the actual resource data.

Now we read the stream correctly if the returned data is a resource

See context at #22472

Fixes #22439

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
 2022-07-25 09:45:47 +02:00
Côme Chilliet
1bd5222224
Fix PHP 8.2 warnings about undeclared properties 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2022-06-21 16:17:52 +02:00
Côme Chilliet
c7e1c36362
Remove at matcher uses in tests/lib 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2022-06-16 17:43:17 +02:00
Joas Schilling
279e06a80f
Merge pull request #32587 from nextcloud/bugfix/noid/improve-jsconfighelper 
Improve JSConfigHelper code quality a bit
 2022-05-31 10:29:30 +02:00
Julius Härtl
3901a93c72
Use JSON_THROW_ON_ERROR instead of custom error handling 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2022-05-30 19:17:49 +02:00
Joas Schilling
f9efc410fa
Restore old behaviour of sending flase for not found apps 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-05-30 12:41:35 +02:00
Carl Schwan
b70c6a128f Update core to PHP 7.4 standard 
- Typed properties
- Port to LoggerInterface

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-05-20 22:18:06 +02:00
Carl Schwan
7817845538 Add a metadata service to store file metadata 
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-04-13 14:06:29 +02:00
Cyrille Bollu
c6a5c07041 Adds a "Request password" button to the public share authentication page for shares 
of type TYPE_EMAIL, when the "video verification" checkbox isn't checked. Users accessing
non-anonymous public shares (TYPE_EMAIL shares) can now request a temporary password themselves.

- Creates a migration step for the files_sharing app to add the 'password_expiration_time'
  attribute to the oc_shares table.
- Makes share temporary passwords' expiration time configurable via a system value.
- Adds a system config value to allow permanent share passwords

-Fixes a typo in a comment in apps/files_sharing/src/components/SharingEntryLink.vue

See https://github.com/nextcloud/server/issues/31005

Signed-off-by: Cyrille Bollu <cyrpub@bollu.be>
 2022-04-11 21:58:24 +02:00
Carl Schwan
7d272c54d0 Add a built-in profiler inside Nextcloud 
The webui is provided by a seperate application named profiler

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-04-04 10:28:26 +02:00
Côme Chilliet
61f7f13bd8
Migrate from ILogger to LoggerInterface where needed in the tests 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2022-03-24 16:21:26 +01:00
Joas Schilling
0acd4b5f82
Merge pull request #31235 from nextcloud/techdebt/noid/extract-request-id 
Extract request id handling to dedicated class so it can be injected without DB dependency
 2022-03-22 12:08:45 +01:00
Julius Härtl
bd03dd37be
Allow to set a strict-dynamic CSP through the API 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2022-03-09 15:10:27 +01:00
Julius Härtl
2dd96fe8da
Fix tests 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2022-02-28 11:24:41 +01:00
Julius Härtl
eede608c0e
Add event logging to app loading 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2022-02-28 11:24:41 +01:00
Joas Schilling
d078d53683
Fix tests 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-02-23 11:01:58 +01:00
Joas Schilling
cc6653e45c
Adjust and add unit tests 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-02-23 11:01:58 +01:00
Christoph Wurst
cb252c5591
Add Transactional trait for atomic DB operations 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2022-02-17 09:58:41 +01:00
Christopher Ng
e485451eed Add test 
Signed-off-by: Christopher Ng <chrng8@gmail.com>
 2022-02-11 23:34:25 +00:00
Robin Appelman
c712987878
send request id in response header 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2022-02-01 14:24:01 +01:00
Carl Schwan
6312c0df69
Check style update 
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-01-13 00:19:07 +01:00
Côme Chilliet
3a1b3745eb
Fix DateTime constructor calls with null 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2021-11-23 09:28:58 +01:00
Carl Schwan
6958d8005a
Add admin privilege delegation for admin settings 
This makes it possible for selected groups to access some settings
pages.

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2021-09-29 21:43:31 +02:00
Christoph Wurst
6d5cfe0c66
Move DateTime::RFC2822 to DateTimeInterface::2822 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2021-06-23 15:30:43 +02:00
Christoph Wurst
770881d5d6
Move DateTime::ATOM to DateTimeInterface::ATOM 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2021-06-23 15:28:07 +02:00
Joas Schilling
181aab416a
Fix warnings about logException 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2021-06-04 10:57:09 +02:00
Lukas Reschke
377514aad1 Escape filename in Content-Disposition 
We should escape all occurences of ' and \ in here.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2021-06-02 19:22:17 +02:00
Joas Schilling
b6c6527705
Fix unauthorized OCS status in provisioning 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2021-05-12 08:16:07 +02:00
Christoph Wurst
99f0b10421
Merge pull request #26591 from nextcloud/techdebt/noid/less-ilogger 
Less ILogger
 2021-04-27 15:38:12 +02:00
Joas Schilling
df47445c01
Fix unit tests 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2021-04-27 14:34:32 +02:00
Joas Schilling
174f4dd043
Fix ratelimit template 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2021-04-27 13:55:34 +02:00
Roeland Jago Douma
30e096f3f5 Allow overwriting isAuthenticated 
* Some implementations might check for different things
* IT will not change how the current ones work

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2021-03-09 09:17:30 +01:00
Roeland Jago Douma
cc744740b7 Remove deprecated \OCP\API 
Time to remove this forgood now.
Remaining constant moved over
The world is a tiny bit better

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2021-03-03 20:54:32 +01:00
Christoph Wurst
8b64e92b92
Bump doctrine/dbal from 2.12.0 to 3.0.0 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2021-01-08 11:45:19 +01:00
Roeland Jago Douma
48679ae39f
Make sure we just check for the keys 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-12-07 15:44:03 +01:00
Roeland Jago Douma
9163790b7c
Set frame-ancestors to none if none are filled 
frame-ancestors doesn't fall back to default-src. So when we apply a
very restricted CSP we should make sure to set it to 'none' and not
leave it empty.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-11-18 10:13:36 +01:00
Morris Jobke
f03bb4716b
Remove OCSResponse type hint - see #23827 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2020-11-03 10:43:32 +01:00
Roeland Jago Douma
fa6a790859
Remove deprecated OCSResponse 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-11-01 14:12:27 +01:00
Morris Jobke
91d445909a
Fix code style 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2020-10-12 14:54:51 +02:00
Robin Windey
6a1f8fb3be
Fix typo 'shared' 2020-10-12 14:19:41 +02:00
Christoph Wurst
d9015a8c94
Format code to a single space around binary operators 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-10-05 20:25:24 +02:00
Joas Schilling
95a301ea57
Fix tests 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-10-02 10:37:18 +02:00
Joas Schilling
a9f22ac7b1
More test fixing 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 12:40:25 +02:00
Morris Jobke
234b510652
Change PHPDoc type hint from PHPUnit_Framework_MockObject_MockObject to \PHPUnit\Framework\MockObject\MockObject 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2020-08-12 13:55:19 +02:00
Morris Jobke
0123cd0ae3
Use assertStringContainsString instead of assertContains on strings 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2020-07-23 17:11:29 +02:00
Christoph Wurst
91e7f12088
Adjust apps' code to use the ContainerInterface 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-07-21 20:43:18 +02:00
Roeland Jago Douma
7d7ba61625
Add real events to load additionalscripts 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-07-15 14:07:18 +02:00
Julius Härtl
81e5593133
Move to lazy panel registration during registration context 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2020-07-15 09:27:57 +02:00
Christoph Wurst
f03f88b437
Delegate bootstrap registration lazily 
* Keep the registration context
* Expose the context object for other components
* Ensure registration is only run once

Search providers are migrated for demonstration.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-07-14 15:33:32 +02:00
Roeland Jago Douma
3f447b9c8c
Fix supporting defaults for routes 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-07-08 19:52:45 +02:00
Roeland Jago Douma
edc1c77dd9
Do not create a RouteActionHandler object for each route 
This is not required and doesn't allow us to be properly lazy. On top of
it this doesnt allow us to cache the routes (since closures/objects
can't be cached).

This is the first small step into cleaning up the routing we have

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-07-07 12:33:22 +02:00
Holger Hees
e70249e089
Update SecurityMiddleware.php 
OC::$WEBROOT can be empty in case if your nextcloud installation has no url prefix. This will result in an empty Location Header.

in other areas OC::$WEBROOT is always used together with an /
 2020-07-06 21:34:46 +02:00
Christoph Wurst
4a3ea04baa
Callable parameter injection 
This is like what we have to DI and classes, but for callables.

The motivating factor is to get rid of *service locators* in the `boot`
method of apps as a new pattern is about to emerge where we have lots of
`query` calls on the app or server container in order to fetch some
services.

With this little helper it's possible to call another (public) method
and magically have everything injected.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-07-03 14:37:46 +02:00
Joas Schilling
74a9cadc50
Fix IPv6 remote addresses from X_FORWARDED_FOR headers before validating 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-07-02 11:13:13 +02:00
Joas Schilling
b7060be18d
Fix robots "noindex, nofollow" signals 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-06-25 08:29:43 +02:00
Christoph Wurst
4488e846a5
Add unified search API 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-06-24 14:20:25 +02:00
blizzz
859941db32
Merge pull request #21479 from nextcloud/fix/21474/allow_specifying_cookie_type 
Allow to specify the cookie type for appframework responses
 2020-06-22 13:00:12 +02:00
Roeland Jago Douma
fbf9772a3e
Allow to specify the cookie type for appframework responses 
In general it is good to set them to Lax. But also to give devs more
control over them is not a bad thing.

Helps with #21474

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-06-22 08:38:44 +02:00
Roeland Jago Douma
c006b5ff2a
Fix unit test of the ResponseTest 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-06-21 09:44:56 +02:00
Christoph Wurst
2b7b7144d4
Allow crash reporters registration during app bootstrap 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-06-19 10:38:26 +02:00
Christoph Wurst
69571fb536
Add dedicated API for apps' bootstrapping process 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-06-17 09:22:21 +02:00
Roeland Jago Douma
7c15c63b05
Merge pull request #20939 from nextcloud/enh/middleware/not_modified 
Move not modified check to the middleware
 2020-05-13 09:04:56 +02:00
Roeland Jago Douma
4fbea316a7
Merge pull request #20897 from nextcloud/bugfix/httpcache 
Proxy server could cache http response when it is not private
 2020-05-13 08:27:05 +02:00
Roeland Jago Douma
12fa748c49
Move the notmodified check to middleware where it belongs 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-05-13 08:11:24 +02:00
Clement Wong
979dd1b6f5 Fix http cache test 
Signed-off-by: Clement Wong <git@clement.hk>
 2020-05-12 11:50:48 +02:00
Roeland Jago Douma
203d7eb1d3
Add AppFramework GZip middleware to gzip responses 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-05-12 09:09:48 +02:00
Roeland Jago Douma
c870b6ab2e
Fix new routing in settings etc 
Also prefix resources
Unify the prefix handling
Handle urls with and without slash

Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-04-22 13:09:25 +02:00
Joas Schilling
250467e842
Extend tests for root url 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-04-18 11:21:28 +02:00
Christoph Wurst
1584c9ae9c
Add visibility to all methods and position of static keyword 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-04-10 16:51:06 +02:00