nextcloud

mirror of https://github.com/nextcloud/server.git synced 2026-02-03 20:41:22 -05:00

Author	SHA1	Message	Date
Ferdinand Thiessen	4d2556d4cf	refactor(IMenuAction): Make public menu actions use the new Vue UI This removes custom rendering code an replaces it with the declarative menu actions. Also adjust the template to allow the Vue UI to mount. Custom entries still are possible. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2024-09-03 16:07:49 +02:00
Ferdinand Thiessen	92f3f7e2d2	chore: Remove unused `CsrfTokenManager` from `CSPMiddleware` Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2024-08-31 00:34:41 +02:00
Daniel Kesselberg	af6de04e9e	style: update codestyle for coding-standard 1.2.3 Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2024-08-25 19:34:58 +02:00
Robin Appelman	8b60df1600	perf: delay getting (sub)admin status for user in the security middleware untill we need it Signed-off-by: Robin Appelman <robin@icewind.nl>	2024-08-23 15:26:40 +02:00
Ferdinand Thiessen	2916e5df7e	feat: Provide CSP nonce as `<meta>` element This way we use the CSP nonce for dynamically loaded scripts. Important to notice: The CSP nonce must NOT be injected in `content` as this can lead to value exfiltration using e.g. side-channel attacts (CSS selectors). Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2024-08-13 10:32:44 +02:00
Ferdinand Thiessen	009761be58	test: Adjust tests for CSP nonce Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2024-08-13 10:06:32 +02:00
skjnldsv	db28aa8cd1	fix(files_sharing): show proper share not found error message Signed-off-by: skjnldsv <skjnldsv@protonmail.com>	2024-08-06 16:25:10 +02:00
provokateurin	9d1705259c	fix(AppFramework): Allow requests with OCS-APIRequest header to pass CSRF checks Signed-off-by: provokateurin <kate@provokateurin.de>	2024-07-25 17:31:49 +02:00
Joas Schilling	047479ccf9	feat(security): Add public API to allow validating IP Ranges and checking for "in range" Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2024-07-19 16:28:03 +02:00
Benjamin Gaussorgues	202e5b1e95	feat(security): restrict admin actions to IP ranges Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2024-07-19 16:28:03 +02:00
provokateurin	e5dcdfb9e0	feat(Security): Warn about using annotations instead of attributes Signed-off-by: provokateurin <kate@provokateurin.de>	2024-07-18 11:25:32 +02:00
provokateurin	5aefdc399e	feat(AppFramework): Add ExAppRequired attribute Signed-off-by: provokateurin <kate@provokateurin.de>	2024-07-01 14:41:20 +02:00
Arthur Schiwon	f6d6efef3a	refactor(Token): introduce scope constants Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2024-06-05 19:01:14 +02:00
Arthur Schiwon	340939e688	fix(Session): avoid password confirmation on SSO SSO backends like SAML and OIDC tried a trick to suppress password confirmations as they are not possible by design. At least for SAML it was not reliable when existing user backends where used as user repositories. Now we are setting a special scope with the token, and also make sure that the scope is taken over when tokens are regenerated. Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2024-06-05 19:01:13 +02:00
Andy Scherzinger	1f7e2ba599	chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>	2024-05-13 17:41:36 +02:00
Côme Chilliet	a0be3ffdf2	fix: Fix tests following OC_App migrations to IAppManager Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2024-04-22 12:21:55 +02:00
Florian Klinger	f3a4abd98c	fix: add check for app_api_system session flag to bypass rate limit Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com> Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>	2024-03-18 20:09:15 +02:00
Klaus	747aeded9d	fix xml ocs response for serializable objects Signed-off-by: sualko <klaus@jsxc.org> Signed-off-by: skjnldsv <skjnldsv@protonmail.com>	2024-02-23 14:49:22 +01:00
Joas Schilling	9ed3ab7d87	test(request): Add tests to strip the port when forwarding requests Signed-off-by: Joas Schilling <coding@schilljs.com>	2024-02-13 16:51:13 +01:00
Anna Larch	6434ce96c9	Add timezone getter to ITimeFactory Signed-off-by: Anna Larch <anna@nextcloud.com>	2024-02-13 13:29:06 +01:00
Maxence Lange	31c1bc1c62	better tests Signed-off-by: Maxence Lange <maxence@artificial-owl.com>	2024-02-01 13:40:27 -01:00
Maxence Lange	1956be4118	fix lint Signed-off-by: Maxence Lange <maxence@artificial-owl.com>	2024-01-31 21:13:32 -01:00
Maxence Lange	e1d7328bb2	adding test Signed-off-by: Maxence Lange <maxence@artificial-owl.com>	2024-01-31 21:13:32 -01:00
Arthur Schiwon	216b95f8b1	test(unit): fix RequestTest Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2024-01-27 15:11:26 +01:00
Joas Schilling	f6b6776c93	fix(API): Use a distinct exception so apps can react to it and customize the return Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-11-28 06:11:57 +01:00
Arthur Schiwon	3fa43a529b	enh(dispatcher): enforce psalm ranges in the http dispatcher - allows devs to provide int ranges for API arguments Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2023-11-24 12:46:38 +01:00
Joas Schilling	aa5f037af7	chore: apply changes from Nextcloud coding standards 1.1.1 Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2023-11-23 10:36:13 +01:00
Ferdinand Thiessen	ecf9f0a872	fix(CSP): Only add `strict-dynamic` when using nonces Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2023-11-17 22:01:02 +01:00
Ferdinand Thiessen	e231abd9bf	fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script-src-elem` Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2023-11-17 14:42:36 +01:00
Ferdinand Thiessen	7df9eb3351	feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keep the default rules for `script-src`. The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2023-11-17 11:12:57 +01:00
Joas Schilling	2fa78f6245	Reverse X-Forwarded-For list to read the correct proxy remote address Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-11-16 07:45:19 +01:00
Christoph Wurst	78842348b2	feat(dependencyinjection): Allow optional (nullable) services Allows working with classes that might or might not be available. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-11-03 11:53:43 +01:00
Ferdinand Thiessen	154a9989a7	Merge pull request #39852 from nextcloud/pragmaHeader Stop sending deprecated Pragma header	2023-10-18 03:30:21 +02:00
Joas Schilling	25309bcb45	techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25 Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-08-28 15:50:45 +02:00
Git'Fellow	066f6ef16c	Stop sending deprecated Pragma header Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>	2023-08-28 15:11:22 +02:00
Daniel Calviño Sánchez	41f2d912d2	Allow "wasm-unsafe-eval" in CSP If a page has a Content Security Policy header and the `script-src` (or `default-src`) directive does not contain neither `wasm-unsafe-eval` nor `unsafe-eval` loading and executing WebAssembly is blocked in the page (although it is still possible to load and execute WebAssembly in a worker thread). Although the Nextcloud classes to manage the CSP already supported allowing `unsafe-eval` this affects not only WebAssembly, but also the `eval` operation in JavaScript. To make possible to allow WebAssembly execution without allowing JavaScript `eval` this commit adds support for allowing `wasm-unsafe-eval`. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>	2023-08-10 02:38:41 +02:00
Joas Schilling	1b387bb341	fix!: Remove legacy event dispatching Symfony's GenericEvent from AdditionalScripts Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-07-27 09:57:52 +02:00
Joas Schilling	2c6f32cb28	feat(request): Allow to match the client version with the IRequest::USER_AGENT_* regex Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-07-11 07:35:50 +02:00
jld3103	b0001c6010	Add template types to responses Signed-off-by: jld3103 <jld3103yt@gmail.com>	2023-06-30 09:33:29 +02:00
jld3103	7f4651637a	Allow stdClass in XML responses Signed-off-by: jld3103 <jld3103yt@gmail.com>	2023-06-13 11:44:47 +02:00
Christoph Wurst	08a3f37695	chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-06-12 10:03:59 +02:00
Joas Schilling	3a6bc7aba2	fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-05-15 16:20:19 +02:00
Joas Schilling	ecb8b55c5c	feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-04-25 14:50:32 +02:00
Joas Schilling	89c3c31402	feat(ratelimit): Add Attributes support to rate limit middleware Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-04-24 12:24:48 +02:00
Côme Chilliet	b294edad80	Merge branch 'master' into enh/type-iconfig-getter-calls Signed-off-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>	2023-04-20 16:52:38 +02:00
Christoph Wurst	2c0cfd3772	feat(app-framework): Add native argument types for middleware Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-04-18 17:15:05 +02:00
Côme Chilliet	8d5165e8dc	Adapt tests to config value typing Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-04-05 17:42:14 +02:00
Joas Schilling	2b49861679	Add a debug message when throttling without defining Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-03-08 12:09:22 +01:00
Joas Schilling	e839eb9b5c	feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-03-08 12:09:22 +01:00
Joas Schilling	c297f8ee96	feat(appframework): ⌚ Make ITimeFactory extend \PSR\Clock\ClockInterface Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-03-03 15:37:13 +01:00

1 2 3 4 5 ...

270 commits