upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-02-10 06:15:08 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 57
31507 commits 673 branches 1182 tags 8.2 GiB
Commit graph

24 commits

Author SHA1 Message Date
Stefan Weil
b1a856d7b7 lib: Fix typos (found by codespell) 
Signed-off-by: Stefan Weil <sw@weilnetz.de>
 2016-04-07 19:51:27 +02:00
Lukas Reschke
c353d51810 Remove Scrutinizer Auto Fixer 2016-03-01 17:48:23 +01:00
Lukas Reschke
809ff5ac95 Add public API to give developers the possibility to adjust the global CSP defaults 
Allows to inject something into the default content policy. This is for
example useful when you're injecting Javascript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.

To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`,
$policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.

To test this add something like the following into an `app.php` of any enabled app:
```
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');

$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);

$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```

If you now open the files app the policy should be:

```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
 2016-01-28 18:36:46 +01:00
Thomas Müller
682821c71e Happy new year! 2016-01-12 15:02:18 +01:00
Scrutinizer Auto-Fixer
ffc49a24f0 Scrutinizer Auto-Fixes 
This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
 2015-12-10 16:43:37 +01:00
Lukas Reschke
f4eb15d340 Show error template 
Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
 2015-11-30 11:25:52 +01:00
Lukas Reschke
7dda86f371 Return proper status code in case of a CORS exception 
When returning a 500 statuscode external applications may interpret this as an error instead of handling this more gracefully. This will now make return a 401 thus.

Fixes https://github.com/owncloud/core/issues/17742
 2015-07-20 12:54:22 +02:00
Jenkins for ownCloud
b585d87d9d Update license headers 2015-03-26 11:44:36 +01:00
Morris Jobke
06aef4e8b1 Revert "Updating license headers" 
This reverts commit 6a1a4880f0.
 2015-02-26 11:37:37 +01:00
Jenkins for ownCloud
6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
Lukas Reschke
07f0d76fc6 Move CSRF check 
Because we're closing the session now before controllers are executed there are cases where we cannot write the session.
 2014-11-17 15:10:53 +01:00
Lukas Reschke
cd5925036a Check if app is enabled for user 
Fixes https://github.com/owncloud/core/issues/12188 for AppFramework apps
 2014-11-15 11:13:55 +01:00
Morris Jobke
b6a4cc20f7 Redirect after session expiry to the previous loaded page 
* fixes #6945
 2014-07-01 16:54:52 +02:00
Bernhard Posselt
5e9ea2b365 fix 8757, get rid of service locator antipattern 2014-05-28 02:15:16 +02:00
Bernhard Posselt
1d45239c65 adjust license headers to new mail address 2014-05-11 17:54:08 +02:00
Bernhard Posselt
c590244fa1 add private property for reflector in security middleware 2014-05-11 17:54:08 +02:00
Bernhard Posselt
80648da431 implement most of the basic stuff that was suggested in #8290 2014-05-11 17:54:08 +02:00
Bernhard Posselt
7e447f4f42 make download and redirectresponse public 2014-04-20 16:12:46 +02:00
Scrutinizer Auto-Fixer
adaee6a5a1 Scrutinizer Auto-Fixes 
This patch was automatically generated as part of the following inspection:
https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720

Enabled analysis tools:
 - PHP Analyzer
 - JSHint
 - PHP Copy/Paste Detector
 - PHP PDepend
 2014-02-19 09:31:54 +01:00
Thomas Tanghus
ad017285e1 Fix namespace for OCP\Appframework\Http 
To avoid having to use OCP\Appframework\Http\Http in the public - and stable
- API OCP\Appframework\Http is now both a class and a namespace.
 2013-10-23 05:57:34 +02:00
Thomas Müller
54e77e0e66 fixing typo 2013-10-07 00:40:37 +02:00
Thomas Müller
e071bfc144 fixing SecurityMiddleware to use OC6 API 2013-10-07 00:33:54 +02:00
Thomas Tanghus
c85621a897 Make abstract Middleware class public 
It doesn't make sense for subclasses to have to implement
all methods.
 2013-10-05 16:59:06 +02:00
Thomas Müller
9c9dc276b7 move the private namespace OC into lib/private - OCP will stay in lib/public 
Conflicts:
	lib/private/vcategories.php
 2013-09-30 16:36:59 +02:00
Renamed from lib/appframework/middleware/security/securitymiddleware.php (Browse further)