nextcloud/public.php

<?php

/**
 * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
 * SPDX-License-Identifier: AGPL-3.0-only
 */
require_once __DIR__ . '/lib/versioncheck.php';

use Psr\Log\LoggerInterface;

/**
 * @param $service
 * @return string
 */
function resolveService(string $service): string {
	$services = [
		'webdav' => 'dav/appinfo/v1/publicwebdav.php',
		'dav' => 'dav/appinfo/v2/publicremote.php',
	];
	if (isset($services[$service])) {
		return $services[$service];
	}

	return \OC::$server->getConfig()->getAppValue('core', 'remote_' . $service);
}

try {
	require_once __DIR__ . '/lib/base.php';

	// All resources served via the DAV endpoint should have the strictest possible
	// policy. Exempted from this is the SabreDAV browser plugin which overwrites
	// this policy with a softer one if debug mode is enabled.
	header("Content-Security-Policy: default-src 'none';");

	if (\OCP\Util::needUpgrade()) {
		// since the behavior of apps or remotes are unpredictable during
		// an upgrade, return a 503 directly
		throw new RemoteException('Service unavailable', 503);
	}

	$request = \OC::$server->getRequest();
	$pathInfo = $request->getPathInfo();
	if ($pathInfo === false || $pathInfo === '') {
		throw new RemoteException('Path not found', 404);
	}
	if (!$pos = strpos($pathInfo, '/', 1)) {
		$pos = strlen($pathInfo);
	}
	$service = substr($pathInfo, 1, $pos - 1);

	$file = resolveService($service);

	if (!$file) {
		throw new RemoteException('Path not found', 404);
	}

	$file = ltrim($file, '/');

	$parts = explode('/', $file, 2);
	$app = $parts[0];

	// Load all required applications
	\OC::$REQUESTEDAPP = $app;
	OC_App::loadApps(['authentication']);
	OC_App::loadApps(['extended_authentication']);
	OC_App::loadApps(['filesystem', 'logging']);

	if (!\OC::$server->getAppManager()->isInstalled($app)) {
		throw new RemoteException('App not installed: ' . $app);
	}
	OC_App::loadApp($app);
	OC_User::setIncognitoMode(true);

	$baseuri = OC::$WEBROOT . '/public.php/'.$service.'/';
	require_once $file;
} catch (Exception $ex) {
	$status = 500;
	if ($ex instanceof \OC\ServiceUnavailableException) {
		$status = 503;
	}
	//show the user a detailed error page
	\OCP\Server::get(LoggerInterface::class)->error($ex->getMessage(), ['app' => 'public', 'exception' => $ex]);
	OC_Template::printExceptionErrorPage($ex, $status);
} catch (Error $ex) {
	//show the user a detailed error page
	\OCP\Server::get(LoggerInterface::class)->error($ex->getMessage(), ['app' => 'public', 'exception' => $ex]);
	OC_Template::printExceptionErrorPage($ex, 500);
}
improve remote.php and create public.php 2012-05-07 09:39:17 -04:00			`<?php`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-24 13:43:47 -04:00
Update license headers 2015-03-26 06:44:34 -04:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-24 13:43:47 -04:00			`* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-FileCopyrightText: 2016 ownCloud, Inc.`
			`* SPDX-License-Identifier: AGPL-3.0-only`
Update license headers 2015-03-26 06:44:34 -04:00			`*/`
Nextcloud 13 is not compatible with newer than php 7.2 Just to avoid users from trying this with a to new (untested) php version * Moved the check logic to 1 place * All directly callable scripts just require this on top * exit hard (-1) so we know scripts won't continue * Return status 500 so no sync clients will try fancy stuff Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2017-10-13 15:30:29 -04:00			`require_once __DIR__ . '/lib/versioncheck.php';`

chore: Migrate away from OC::$server->getLogger Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2024-02-08 09:47:39 -05:00			`use Psr\Log\LoggerInterface;`

feat: public dav endpoint v2 Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2022-05-15 04:38:55 -04:00			`/**`
			`* @param $service`
			`* @return string`
			`*/`
fix(psalm): update baseline and suppress unnecessary issues Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2023-12-29 04:16:08 -05:00			`function resolveService(string $service): string {`
feat: public dav endpoint v2 Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2022-05-15 04:38:55 -04:00			`$services = [`
			`'webdav' => 'dav/appinfo/v1/publicwebdav.php',`
			`'dav' => 'dav/appinfo/v2/publicremote.php',`
			`];`
			`if (isset($services[$service])) {`
			`return $services[$service];`
			`}`

			`return \OC::$server->getConfig()->getAppValue('core', 'remote_' . $service);`
			`}`

clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 07:45:19 -04:00			`try {`
Allow to call the files even when you are in another instance atm Signed-off-by: Joas Schilling <coding@schilljs.com> 2016-10-06 06:13:02 -04:00			`require_once __DIR__ . '/lib/base.php';`
feat: public dav endpoint v2 Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2022-05-15 04:38:55 -04:00
			`// All resources served via the DAV endpoint should have the strictest possible`
			`// policy. Exempted from this is the SabreDAV browser plugin which overwrites`
			`// this policy with a softer one if debug mode is enabled.`
			`header("Content-Security-Policy: default-src 'none';");`

Return 503 in public.php and OCS API when upgrade is due To prevent unexpected behavior, public.php and the OCS API calls will return 503 Service Unavailable when an upgrade is due. 2014-06-30 08:48:03 -04:00			`if (\OCP\Util::needUpgrade()) {`
			`// since the behavior of apps or remotes are unpredictable during`
			`// an upgrade, return a 503 directly`
feat: public dav endpoint v2 Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2022-05-15 04:38:55 -04:00			`throw new RemoteException('Service unavailable', 503);`
Return 503 in public.php and OCS API when upgrade is due To prevent unexpected behavior, public.php and the OCS API calls will return 503 Service Unavailable when an upgrade is due. 2014-06-30 08:48:03 -04:00			`}`

Revert "occ web executor (#24957)" This reverts commit 854352d9a064a1e469ede207493bce44fd41d96c. 2016-07-07 06:14:45 -04:00			`$request = \OC::$server->getRequest();`
Refactor OC_Request into TrustedDomainHelper and IRequest This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed. This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions. Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though. Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969 2015-02-10 07:02:48 -05:00			`$pathInfo = $request->getPathInfo();`
feat: public dav endpoint v2 Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2022-05-15 04:38:55 -04:00			`if ($pathInfo === false \|\| $pathInfo === '') {`
			`throw new RemoteException('Path not found', 404);`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 07:45:19 -04:00			`}`
feat: public dav endpoint v2 Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2022-05-15 04:38:55 -04:00			`if (!$pos = strpos($pathInfo, '/', 1)) {`
			`$pos = strlen($pathInfo);`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 07:45:19 -04:00			`}`
feat: public dav endpoint v2 Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2022-05-15 04:38:55 -04:00			`$service = substr($pathInfo, 1, $pos - 1);`

			`$file = resolveService($service);`

fix(psalm): update baseline and suppress unnecessary issues Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2023-12-29 04:16:08 -05:00			`if (!$file) {`
feat: public dav endpoint v2 Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2022-05-15 04:38:55 -04:00			`throw new RemoteException('Path not found', 404);`
			`}`

			`$file = ltrim($file, '/');`
selective app loading for remote/public 2012-05-13 18:28:22 -04:00
Allow using pathinfo based public.php paths 2014-03-06 10:01:13 -05:00			`$parts = explode('/', $file, 2);`
			`$app = $parts[0];`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 07:45:19 -04:00
Remove legacy routing code The getfile routing code was absolutely legacy and not needed anymore. Additionally \OC::$REQUESTEDAPP was never set to the actually accessed application. This commit removes the legacy routing code and ensures that $REQUESTEDAPP is always set so that other applications (e.g. the firewall or a two-factor authentication) can intercept the currently accessed app. Testplan: [x] Installation works [x] Login with DB works [x] Logout works [x] Login with alternate backend works (tested with user_webdavauth) [x] Other apps are accessible [x] Redirect on login works (e.g. index.php?redirect_url=%2Fcore%2Findex.php%2Fsettings%2Fapps%3Finstalled) [x] Personal settings are accessible [x] Admin settings are accessible [x] Sharing files works [x] DAV works [x] OC::$REQUESTEDAPP contains the requested application and can be intercepted by other applications 2014-05-10 08:00:22 -04:00			`// Load all required applications`
			`\OC::$REQUESTEDAPP = $app;`
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-03-26 04:30:18 -04:00			`OC_App::loadApps(['authentication']);`
app type extended_authentication Signed-off-by: Maxence Lange <maxence@artificial-owl.com> 2023-04-12 06:34:38 -04:00			`OC_App::loadApps(['extended_authentication']);`
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-03-26 04:30:18 -04:00			`OC_App::loadApps(['filesystem', 'logging']);`
Remove legacy routing code The getfile routing code was absolutely legacy and not needed anymore. Additionally \OC::$REQUESTEDAPP was never set to the actually accessed application. This commit removes the legacy routing code and ensures that $REQUESTEDAPP is always set so that other applications (e.g. the firewall or a two-factor authentication) can intercept the currently accessed app. Testplan: [x] Installation works [x] Login with DB works [x] Logout works [x] Login with alternate backend works (tested with user_webdavauth) [x] Other apps are accessible [x] Redirect on login works (e.g. index.php?redirect_url=%2Fcore%2Findex.php%2Fsettings%2Fapps%3Finstalled) [x] Personal settings are accessible [x] Admin settings are accessible [x] Sharing files works [x] DAV works [x] OC::$REQUESTEDAPP contains the requested application and can be intercepted by other applications 2014-05-10 08:00:22 -04:00
Add sabredav plugin to check if a user has access to an app 2014-09-04 09:23:55 -04:00			`if (!\OC::$server->getAppManager()->isInstalled($app)) {`
feat: public dav endpoint v2 Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2022-05-15 04:38:55 -04:00			`throw new RemoteException('App not installed: ' . $app);`
Add sabredav plugin to check if a user has access to an app 2014-09-04 09:23:55 -04:00			`}`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 07:45:19 -04:00			`OC_App::loadApp($app);`
set incognito mode for public.php calls. Because in this case ownCloud should always work the same way as if no user is logged in 2013-11-22 08:00:08 -05:00			`OC_User::setIncognitoMode(true);`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 07:45:19 -04:00
feat: public dav endpoint v2 Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com> 2022-05-15 04:38:55 -04:00			`$baseuri = OC::$WEBROOT . '/public.php/'.$service.'/';`
			`require_once $file;`
Catch class Error on all root entrypoints 2016-04-20 12:01:47 -04:00			`} catch (Exception $ex) {`
Do not use HTTP code OC_Response constants anymore Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-06-26 06:15:09 -04:00			`$status = 500;`
Catch class Error on all root entrypoints 2016-04-20 12:01:47 -04:00			`if ($ex instanceof \OC\ServiceUnavailableException) {`
Do not use HTTP code OC_Response constants anymore Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-06-26 06:15:09 -04:00			`$status = 503;`
Catch class Error on all root entrypoints 2016-04-20 12:01:47 -04:00			`}`
handle service not available exceptions in index, remote and public.php 2014-07-24 11:18:10 -04:00			`//show the user a detailed error page`
chore: Migrate away from OC::$server->getLogger Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2024-02-08 09:47:39 -05:00			`\OCP\Server::get(LoggerInterface::class)->error($ex->getMessage(), ['app' => 'public', 'exception' => $ex]);`
Server exception error pages by default with a 500 status code Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-06-26 04:27:43 -04:00			`OC_Template::printExceptionErrorPage($ex, $status);`
Catch class Error on all root entrypoints 2016-04-20 12:01:47 -04:00			`} catch (Error $ex) {`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 07:45:19 -04:00			`//show the user a detailed error page`
chore: Migrate away from OC::$server->getLogger Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2024-02-08 09:47:39 -05:00			`\OCP\Server::get(LoggerInterface::class)->error($ex->getMessage(), ['app' => 'public', 'exception' => $ex]);`
Do not use HTTP code OC_Response constants anymore Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-06-26 06:15:09 -04:00			`OC_Template::printExceptionErrorPage($ex, 500);`
Add _many_ newlines at the end of files 2013-08-18 05:02:08 -04:00			`}`