nextcloud

mirror of https://github.com/nextcloud/server.git synced 2026-02-10 14:25:20 -05:00

Author	SHA1	Message	Date
Julius Härtl	3103a85c18	fix: Add edge as supported user agent for CSPv3 nonces Signed-off-by: Julius Härtl <jus@bitgrid.net>	2024-03-11 10:08:56 +01:00
Joas Schilling	704751f868	fix(security): Handle idn_to_utf8 returning false Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-12-04 11:18:51 +00:00
Joas Schilling	aa5f037af7	chore: apply changes from Nextcloud coding standards 1.1.1 Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2023-11-23 10:36:13 +01:00
Ferdinand Thiessen	7df9eb3351	feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keep the default rules for `script-src`. The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2023-11-17 11:12:57 +01:00
Benjamin Gaussorgues	f04035caa0	Simplify IP address normalizer with IP masks Remove dead code Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2023-11-08 11:55:07 +01:00
Faraz Samapoor	f313ca92e7	Refactors lib/private/Security. Mainly using PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <fsa@adlas.at>	2023-09-27 09:03:15 +03:30
Robin Appelman	6b767e060a	Merge pull request #39013 from fsamapoor/refactor_lib_private_security_part3 [3/3] Refactors lib/private/Security	2023-09-22 11:13:44 +02:00
Faraz Samapoor	1c023e6666	Update lib/private/Security/Certificate.php Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com> Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>	2023-09-21 11:20:12 +03:30
Faraz Samapoor	f9596edb00	Updates the typed properties. Based on: https://github.com/nextcloud/server/pull/39013#discussion_r1242340826 Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com> Signed-off-by: Faraz Samapoor <fsa@adlas.at>	2023-09-21 11:20:12 +03:30
Faraz Samapoor	4f46656d39	Refactors lib/private/Security. Mainly using PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <fsa@adlas.at>	2023-09-21 11:20:12 +03:30
Christoph Wurst	e477bb7eaf	feat(appframework): Expose programmatic rate limiter Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-09-20 20:25:27 +02:00
Joas Schilling	124588d4a6	fix: Make bypass function public API Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-08-21 16:40:24 +02:00
Joas Schilling	fd9b2d488e	feat: Expose if the own IP is allowed to bypass bruteforce protection Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-08-21 16:36:04 +02:00
Joas Schilling	abc98d343c	feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-08-21 16:36:03 +02:00
Joas Schilling	a95800c647	feat(security): Add a bruteforce protection backend base on memcache Similar to the ratelimit backend Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-08-21 16:36:03 +02:00
Daniel Calviño Sánchez	41f2d912d2	Allow "wasm-unsafe-eval" in CSP If a page has a Content Security Policy header and the `script-src` (or `default-src`) directive does not contain neither `wasm-unsafe-eval` nor `unsafe-eval` loading and executing WebAssembly is blocked in the page (although it is still possible to load and execute WebAssembly in a worker thread). Although the Nextcloud classes to manage the CSP already supported allowing `unsafe-eval` this affects not only WebAssembly, but also the `eval` operation in JavaScript. To make possible to allow WebAssembly execution without allowing JavaScript `eval` this commit adds support for allowing `wasm-unsafe-eval`. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>	2023-08-10 02:38:41 +02:00
Faraz Samapoor	e73757b4a5	Refactors lib/private/Security. Mainly using PHP8's constructor property promotion. Signed-off-by: Faraz Samapoor <fsa@adlas.at>	2023-06-26 15:03:13 +03:30
Robin Appelman	9f1d497a0b	Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_private Refactors "strpos" calls in lib/private to improve code readability.	2023-06-01 23:10:00 +02:00
Robin Appelman	223612b15a	log failures to read certificates during listing Signed-off-by: Robin Appelman <robin@icewind.nl>	2023-05-31 14:40:45 +02:00
Faraz Samapoor	e7cc7653b8	Refactors "strpos" calls in lib/private to improve code readability. Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>	2023-05-15 15:17:19 +03:30
John Molakvoæ	46459ae93f	Merge pull request #35092 from Messj1/bugfix/type-error-cert-manager-cache-path	2023-05-04 21:53:49 +02:00
Jan Messer	647c65a640	[BUGFIX] throw exception instead of error if unable to create file handler (only exceptions are catch) Signed-off-by: Jan Messer <jan@mtec-studios.ch>	2023-04-06 23:03:49 +02:00
Jan Messer	7a443863fe	[BUGFIX] check return value and improve error handling With S3 primary storage there was a problem with getting the CA bundle from the storage without having the CA bundle for the connection which causes that the CertificateManager was throwing an Error. This commit improves the handling in CertificateManager and log unexpected behaviors. Signed-off-by: Jan Messer <jan@mtec-studios.ch>	2023-04-06 23:03:33 +02:00
Côme Chilliet	426c0341ff	Use typed version of IConfig::getSystemValue as much as possible Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-04-05 12:50:08 +02:00
Côme Chilliet	8f550398c4	Merge pull request #36836 from nextcloud/fix/view-type-cleanup Tidy up typing in OC\Files\View	2023-04-05 10:14:55 +02:00
Côme Chilliet	ea05544213	Fix return type of methods returning false on error Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-04-03 10:52:34 +02:00
Joas Schilling	454281af03	feat(security): Allow to opt-out of ratelimit protection, e.g. for testing on CI Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-04-03 09:06:45 +02:00
Côme Chilliet	f5c361cf44	composer run cs:fix Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-01-20 11:45:08 +01:00
Christoph Wurst	8aea25b5b9	Add remote host validation API Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2022-10-31 16:13:28 +01:00
Côme Chilliet	71ee292650	Add rate limiting on lost password emails Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2022-10-18 14:49:02 +00:00
Carl Schwan	9919116716	Merge pull request #31499 from nextcloud/bugfix/empty-secret Add fallback routines for empty secret cases	2022-10-17 16:02:58 +02:00
Carl Schwan	ef31396727	Mark method as deprecated Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-09-13 13:06:54 +02:00
Carl Schwan	48d9c4d2b0	Port existing server code to new interface Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-08-08 17:03:19 +02:00
Joas Schilling	c0f47af2d0	Add a public interface for the bruteforce throttler and register for injection Signed-off-by: Joas Schilling <coding@schilljs.com>	2022-07-28 10:57:10 +02:00
luz paz	368f83095d	Fix typos in lib/private subdirectory Found via `codespell -q 3 -S l10n -L jus ./lib/private` Signed-off-by: luz paz <luzpaz@github.com>	2022-07-27 08:52:17 -04:00
Joas Schilling	8274c05e19	Only ignore attempts of the same action Signed-off-by: Joas Schilling <coding@schilljs.com>	2022-07-07 09:35:14 +02:00
Carl Schwan	ca3cd5a625	Fix detection of firefox in ContentSecurityPolicyNonceManager Reuse Request::USER_AGENT_FIREFOX, and also update the safari detection since safari < 12 is not supported anymore and we can remove a bit of code duplication Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-06-29 17:05:48 +02:00
Vincent Petry	01dbd22c9c	Validate requested length is random string generator Signed-off-by: Vincent Petry <vincent@nextcloud.com>	2022-05-12 13:58:18 +02:00
Vincent Petry	7718c9776c	Merge pull request #32113 from nextcloud/bugfix/noid/fix-csp-merging-bools Add CSP policy merge priority for booleans	2022-05-05 17:26:48 +02:00
Carl Schwan	69b36fc2c5	Don't inject Bruteforce capability info in the webui This capability do DB access and as far I know is not used by the webui. This remove one DB query for each page load. Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-04-07 17:33:29 +02:00
Vincent Petry	18c013d8fc	Add CSP policy merge priority for booleans When two booleans conflict when merging CSP policies, true will win. Signed-off-by: Vincent Petry <vincent@nextcloud.com>	2022-04-01 13:56:34 +02:00
Côme Chilliet	6be7aa112f	Migrate from ILogger to LoggerInterface in lib/private Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2022-03-24 16:21:25 +01:00
Robin Appelman	4f594dbf53	cache the path of the certificate bundle Signed-off-by: Robin Appelman <robin@icewind.nl>	2022-03-17 14:58:56 +01:00
Robin Appelman	a887553ddb	return default bundle when there is an error getting the bundle Signed-off-by: Robin Appelman <robin@icewind.nl>	2022-03-14 18:34:09 +01:00
Julius Härtl	a6796b4247	Fix decryption fallback after adding a secret Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-03-10 14:01:21 +01:00
Julius Härtl	81f8719cc0	Add fallback routines for empty secret cases Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-03-10 14:01:21 +01:00
Julius Härtl	bd03dd37be	Allow to set a strict-dynamic CSP through the API Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-03-09 15:10:27 +01:00
Joas Schilling	b8e0a3dbdd	Use the new option to signaling insensitivity Signed-off-by: Joas Schilling <coding@schilljs.com>	2022-02-07 13:54:54 +01:00
Joas Schilling	b59df35426	Make the DB query simpler (as we just deleted all other entries) Signed-off-by: Joas Schilling <coding@schilljs.com>	2022-01-28 16:55:17 +01:00
Joas Schilling	c6d000f87f	Log bruteforce throttle and blocking Signed-off-by: Joas Schilling <coding@schilljs.com>	2022-01-18 10:10:19 +01:00

1 2 3 4 5

209 commits