The documentation says apps should use PSR-4 to get their classes
loaded. The legacy PSR-0 is still in place and has a negative impact on
performance.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
In NC 25 login page was changed, and alternative login css class get from `class` prop but not `style`.
It is correct change in my opinion, so just add backend fix.
Signed-off-by: zorn-v <zorn7@yandex.ru>
Both deprecated since NC 23
IAppManager is the replacement for OCP\App unfortunately it can't be
dependency injected in classes used by the installed otherwise the
database connection is initialised too early
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
- requireAppFile() only appends /appinfo/app.php
- without the absolute path, require_once looks into include_path
- the first match in inlcude_path however migth be different from appPath
- fixed by providing the tested(!), full path to the app
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Previously there was no (platform) dependency check for an app that was
installed before. So Nextcloud happily upgraded an app that now requires
a php version newer than the current one. Which means in the lucky case
you see a failing upgrade due to the language incompatibility, or in the
unlucky case you see unexpected errors later in production.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* It was documented as deprecated.
* The app code checker warned about it
* It's been three years
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
This adds the Psalm Security Analysis, as described at
https://psalm.dev/docs/security_analysis/
It also adds a plugin for adding input into AppFramework.
The results can be viewed in the GitHub Security tab at
https://github.com/nextcloud/server/security/code-scanning
**Q&A:**
Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released
versions is not gonna get us the results we want.
Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/
Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/
Q: We should run this on apps!
A: Yes.
Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate
the taint. This leads to results where the taint flow is lost. That's
something that I am currently working on.
Q: Why is the plugin MIT licensed?
A: Because its the first of its kind (based on GitHub Code Search) and
I want other people to copy it if they want to. Security is for all :)
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
The getAppPath will always return the same data for the same appId. It
is actually already cached. However we do some cleanup of the appId
(again). Same for the autoloading it is actually already checked.
This just removes the unneeded calls. Which can add up if you have a lot
of incomming shares.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Otherwise you might end up calling a lot of functions unneeded.
And while the individual calls are cheap if you multiply them by 20k
they still get somewhat expensive.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Some apps require the composer autoloader from app.php. If we run boot
before including that file, classes and functions from dependencies
won't be found.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
As an admin, it's always a surprise to see that an app got disabled. On
a busy server with many log entries, it's hard to locate the entry that
explains why Nextcloud disabled an app. Adding a message will make it
more obvious, allowing admins and developers to grep for the string.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
