Merge pull request #55387 from nextcloud/fix/remove-legacy-oc-response

fix: Delete legacy OC_Response
2026-03-03 05:51:07 -05:00 · 2025-09-29 10:40:28 +02:00 · 2025-09-29 10:40:28 +02:00 · f4e8116a72
commit f4e8116a72
parent 10e3192c2f eb54143c2d
4 changed files with 36 additions and 86 deletions
--- a/lib/base.php
+++ b/lib/base.php
@ -579,6 +579,41 @@ class OC {
 		}
 	}

+	/**
+	 * This function adds some security related headers to all requests served via base.php
+	 * The implementation of this function has to happen here to ensure that all third-party
+	 * components (e.g. SabreDAV) also benefit from this headers.
+	 */
+	private static function addSecurityHeaders(): void {
+		/**
+		 * FIXME: Content Security Policy for legacy components. This
+		 * can be removed once \OCP\AppFramework\Http\Response from the AppFramework
+		 * is used everywhere.
+		 * @see \OCP\AppFramework\Http\Response::getHeaders
+		 */
+		$policy = 'default-src \'self\'; '
+			. 'script-src \'self\' \'nonce-' . \OC::$server->getContentSecurityPolicyNonceManager()->getNonce() . '\'; '
+			. 'style-src \'self\' \'unsafe-inline\'; '
+			. 'frame-src *; '
+			. 'img-src * data: blob:; '
+			. 'font-src \'self\' data:; '
+			. 'media-src *; '
+			. 'connect-src *; '
+			. 'object-src \'none\'; '
+			. 'base-uri \'self\'; ';
+		header('Content-Security-Policy:' . $policy);
+
+		// Send fallback headers for installations that don't have the possibility to send
+		// custom headers on the webserver side
+		if (getenv('modHeadersAvailable') !== 'true') {
+			header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/
+			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+			header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
+			header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
+			header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
+		}
+	}
+
 	public static function init(): void {
 		// First handle PHP configuration and copy auth headers to the expected
 		// $_SERVER variable before doing anything Server object related
@ -702,7 +737,7 @@ class OC {
 		self::checkConfig();
 		self::checkInstalled($systemConfig);

-		OC_Response::addSecurityHeaders();
+		self::addSecurityHeaders();

 		self::performSameSiteCookieProtection($config);

--- a/lib/composer/composer/autoload_classmap.php
+++ b/lib/composer/composer/autoload_classmap.php
@ -2179,7 +2179,6 @@ return array(
    'OC_Helper' => $baseDir . '/lib/private/legacy/OC_Helper.php',
    'OC_Hook' => $baseDir . '/lib/private/legacy/OC_Hook.php',
    'OC_JSON' => $baseDir . '/lib/private/legacy/OC_JSON.php',
-    'OC_Response' => $baseDir . '/lib/private/legacy/OC_Response.php',
    'OC_Template' => $baseDir . '/lib/private/legacy/OC_Template.php',
    'OC_User' => $baseDir . '/lib/private/legacy/OC_User.php',
    'OC_Util' => $baseDir . '/lib/private/legacy/OC_Util.php',
--- a/lib/composer/composer/autoload_static.php
+++ b/lib/composer/composer/autoload_static.php
@ -2220,7 +2220,6 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
        'OC_Helper' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Helper.php',
        'OC_Hook' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Hook.php',
        'OC_JSON' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_JSON.php',
-        'OC_Response' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Response.php',
        'OC_Template' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Template.php',
        'OC_User' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_User.php',
        'OC_Util' => __DIR__ . '/../../..' . '/lib/private/legacy/OC_Util.php',
--- a/lib/private/legacy/OC_Response.php
+++ b/lib/private/legacy/OC_Response.php
@ -1,83 +0,0 @@
-<?php
-
-/**
- * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-class OC_Response {
-	/**
-	 * Sets the content disposition header (with possible workarounds)
-	 * @param string $filename file name
-	 * @param string $type disposition type, either 'attachment' or 'inline'
-	 */
-	public static function setContentDispositionHeader($filename, $type = 'attachment') {
-		if (\OC::$server->getRequest()->isUserAgent(
-			[
-				\OC\AppFramework\Http\Request::USER_AGENT_IE,
-				\OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,
-				\OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,
-			])) {
-			header('Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode($filename) . '"');
-		} else {
-			header('Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode($filename)
-												 . '; filename="' . rawurlencode($filename) . '"');
-		}
-	}
-
-	/**
-	 * Sets the content length header (with possible workarounds)
-	 * @param string|int|float $length Length to be sent
-	 */
-	public static function setContentLengthHeader($length) {
-		if (PHP_INT_SIZE === 4) {
-			if ($length > PHP_INT_MAX && stripos(PHP_SAPI, 'apache') === 0) {
-				// Apache PHP SAPI casts Content-Length headers to PHP integers.
-				// This enforces a limit of PHP_INT_MAX (2147483647 on 32-bit
-				// platforms). So, if the length is greater than PHP_INT_MAX,
-				// we just do not send a Content-Length header to prevent
-				// bodies from being received incompletely.
-				return;
-			}
-			// Convert signed integer or float to unsigned base-10 string.
-			$lfh = new \OC\LargeFileHelper;
-			$length = $lfh->formatUnsignedInteger($length);
-		}
-		header('Content-Length: ' . $length);
-	}
-
-	/**
-	 * This function adds some security related headers to all requests served via base.php
-	 * The implementation of this function has to happen here to ensure that all third-party
-	 * components (e.g. SabreDAV) also benefit from this headers.
-	 */
-	public static function addSecurityHeaders() {
-		/**
-		 * FIXME: Content Security Policy for legacy ownCloud components. This
-		 * can be removed once \OCP\AppFramework\Http\Response from the AppFramework
-		 * is used everywhere.
-		 * @see \OCP\AppFramework\Http\Response::getHeaders
-		 */
-		$policy = 'default-src \'self\'; '
-			. 'script-src \'self\' \'nonce-' . \OC::$server->getContentSecurityPolicyNonceManager()->getNonce() . '\'; '
-			. 'style-src \'self\' \'unsafe-inline\'; '
-			. 'frame-src *; '
-			. 'img-src * data: blob:; '
-			. 'font-src \'self\' data:; '
-			. 'media-src *; '
-			. 'connect-src *; '
-			. 'object-src \'none\'; '
-			. 'base-uri \'self\'; ';
-		header('Content-Security-Policy:' . $policy);
-
-		// Send fallback headers for installations that don't have the possibility to send
-		// custom headers on the webserver side
-		if (getenv('modHeadersAvailable') !== 'true') {
-			header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/
-			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
-			header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
-			header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
-			header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
-		}
-	}
-}