nextcloud/lib/private
Christoph Wurst 55c7aa674c
Fix failing csp/nonce check due to timed out session
The CSP nonce is based on the CSRF token. This token does not change,
unless you log in (or out). In case of the session data being lost,
e.g. because php gets rid of old sessions, a new CSRF token is generated.
While this is fine in theory, it actually caused some annoying
problems where the browser restored a tab and Nextcloud js was blocked
due to an outdated nonce.
The main problem here is that, while processing the request, we write
out security headers relatively early. At that point the CSRF token
is known/generated and transformed into a CSP nonce. During this request,
however, we also log the user in because the session information was
lost. At that point we also refresh the CSRF token, which eventually
causes the browser to block any scripts as the nonce in the header
does not match the one which is used to include scripts.
This patch adds a flag to indicate whether the CSRF token should be
refreshed or not. It is assumed that refreshing is only necessary
if we want to re-generate the session id too. To my knowledge, this
case only happens on fresh logins, not when we recover from a deleted
session file.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-09-11 10:08:06 +02:00
Accounts Remove account data on user deletion 2017-05-15 13:31:31 +02:00
Activity Add a flag to allow checking if SVGs are okay 2017-07-07 11:16:37 +02:00
App Add new bundle 2017-07-26 11:47:15 +02:00
AppFramework extend the identity proof manager to allow system wide key pairs 2017-08-30 20:36:10 +02:00
Archive replace close:// streamwrapper with CallBackWrapper 2017-01-06 15:33:32 +01:00
Authentication Fix login with basic auth 2017-09-06 17:07:11 +02:00
BackgroundJob Add duration of last job execution to the table 2017-04-25 17:39:58 +02:00
Cache support pushing to CappedMemoryCache 2017-03-30 11:21:32 +02:00
Command Update with robin 2016-07-21 18:13:58 +02:00
Comments Can not insert auto increment on oracle 2017-08-03 16:40:00 +02:00
Console Remove unused use statements 2017-04-22 19:23:31 -05:00
Contacts/ContactsMenu Do not show an email action for contacts with empty email addresses 2017-05-02 14:12:04 +02:00
DB Add a method to compare empty strings with an expression 2017-08-03 16:41:03 +02:00
Diagnostics Fix missing conflict resolutions 2017-04-26 17:05:59 +02:00
Encryption don't try to encrypt/decrypt the certificate bundle 2017-06-13 10:07:55 +02:00
Federation Fix DI of the cloud id manager into apps 2017-02-14 12:47:46 +01:00
Files Fix copy from jailed storage 2017-08-10 08:07:00 +02:00
GlobalScale add new config switched for the global scale architecture 2017-06-02 11:00:08 +02:00
Group filter missing groups in share provider 2017-06-13 10:54:02 +02:00
Hooks Update with robin 2016-07-21 18:13:58 +02:00
Http/Client Rebrand to "Nextcloud" and add 100% coverage 2017-01-02 14:51:16 +01:00
IntegrityCheck Remove ownCloud Root Authority as per todo 2017-03-22 08:54:40 +01:00
L10N Allow to force a language and set it via the ocs api 2017-06-22 09:54:39 +02:00
legacy Inject \OCP\IURLGenerator to make tests work 2017-08-30 14:42:50 +02:00
Lock Update with robin 2016-07-21 18:13:58 +02:00
Lockdown Remove unused use statements 2017-04-22 19:23:31 -05:00
Log Ensure log message is UTF-8 encoded 2017-08-21 10:21:54 +02:00
Mail Merge setMetaData into constructor 2017-09-05 16:04:09 +02:00
Memcache Do not scan for keys just get all the keys (with prefix) 2017-05-16 09:52:05 +02:00
Migration Adding tests for 4 byte unicode characters 2017-03-21 16:42:12 -06:00
Notification @since 9.2.0 to @since 11.0.0 2016-11-15 18:51:52 +01:00
OCS add tests for discovery service 2017-04-11 15:04:01 +02:00
Preview Empty search no longer works 2017-08-01 13:29:17 +02:00
Repair move repair step to stable12 2017-08-30 20:36:47 +02:00
RichObjectStrings @since 9.2.0 to @since 11.0.0 2016-11-15 18:51:52 +01:00
Route Check whether the $_SERVER['REQUEST_*'] vars exist before using them 2017-05-15 14:33:27 +02:00
Search Fix others 2016-07-21 18:13:57 +02:00
Security add prefix to user and system keys to avoid name collisions 2017-08-30 20:36:10 +02:00
Session Forward port of #5190 to stable12 2017-06-15 11:18:22 +02:00
Settings Rename “Server settings” to “Basic settings” 2017-04-29 17:13:21 +02:00
Setup fix install on mb4 enabled mariadb/mysql 2017-06-01 13:12:30 +02:00
Share Fix last failures with oracle 2017-08-03 16:40:46 +02:00
Share20 Merge pull request #6368 from nextcloud/backport-5436-fix-group-check 2017-09-06 17:19:15 +02:00
SystemTag Remove unused use statements 2017-04-22 19:23:31 -05:00
Tagging Fix others 2016-07-21 18:13:57 +02:00
Template Fix theming app to also use the prefix 2017-07-02 14:03:35 +02:00
Updater Remove unused use statements 2017-04-22 19:23:31 -05:00
User Fix failing csp/nonce check due to timed out session 2017-09-11 10:08:06 +02:00
AllConfig.php Merge pull request #3023 from nextcloud/issue-2915-filter-out-sensitive-appconfigs 2017-01-17 11:01:42 +01:00
AppConfig.php Make sure the spreed TURN server secret stays a secret 2017-01-17 11:29:10 +01:00
AppHelper.php Fix others 2016-07-21 18:13:57 +02:00
Avatar.php Add message to NotSquareException thrown from Avatar 2016-10-24 11:27:27 +02:00
AvatarManager.php avatar to appdata 2016-10-05 11:00:16 +02:00
CapabilitiesManager.php Make the capabilities manager more error proof 2016-08-15 20:37:19 +02:00
Config.php Fix escaped HTML on error pages 2017-05-08 21:16:08 -05:00
ContactsManager.php Fix others 2016-07-21 18:13:57 +02:00
DatabaseException.php Fix others 2016-07-21 18:13:57 +02:00
DatabaseSetupException.php Fix others 2016-07-21 18:13:57 +02:00
DateTimeFormatter.php Fix others 2016-07-21 18:13:57 +02:00
DateTimeZone.php Fix others 2016-07-21 18:13:57 +02:00
ForbiddenException.php Fix others 2016-07-21 18:13:57 +02:00
HintException.php add missing phpdoc to HintException 2016-11-28 11:34:23 +01:00
HTTPHelper.php Fix others 2016-07-21 18:13:57 +02:00
Installer.php Remove OC_App:installApp 2017-05-15 00:03:35 -05:00
LargeFileHelper.php Merge pull request #1890 from nextcloud/downstream-25428 2016-10-25 14:44:27 +02:00
Log.php Don't log LDAP password when server is not available 2017-09-07 09:26:40 +02:00
NaturalSort.php Fix others 2016-07-21 18:13:57 +02:00
NaturalSort_DefaultCollator.php Fix others 2016-07-21 18:13:57 +02:00
NavigationManager.php Inject \OCP\IURLGenerator to make tests work 2017-08-30 14:42:50 +02:00
NeedsUpdateException.php Update with robin 2016-07-21 18:13:58 +02:00
NotSquareException.php Fix others 2016-07-21 18:13:57 +02:00
PreviewManager.php Add PHPDoc 2017-05-02 13:43:47 +02:00
PreviewNotAvailableException.php Opening the trashbin causes errors in log for files without preview 2016-09-09 13:53:06 +02:00
RedisFactory.php no ternary 2017-03-25 21:25:38 -06:00
Repair.php move repair step to stable12 2017-08-30 20:36:47 +02:00
RepairException.php Fix others 2016-07-21 18:13:57 +02:00
Search.php Update with robin 2016-07-21 18:13:58 +02:00
Server.php Improve 2FA 2017-08-31 10:54:10 +02:00
ServerContainer.php Fix missing argument 2 for Settings classes 2017-05-19 22:30:55 +02:00
ServerNotAvailableException.php Fix others 2016-07-21 18:13:57 +02:00
ServiceUnavailableException.php Update with robin 2016-07-21 18:13:58 +02:00
Setup.php Don't redirect requests to /core/img/manifest.json 2017-05-09 00:02:37 +02:00
Streamer.php Add doc block for $time 2016-11-28 14:26:30 +01:00
SubAdmin.php Fix CamelCasing 2017-01-18 11:45:26 +01:00
SystemConfig.php Fix tests 2017-01-12 10:49:22 +01:00
TagManager.php Fix others 2016-07-21 18:13:57 +02:00
Tags.php Update with robin 2016-07-21 18:13:58 +02:00
TemplateLayout.php Responsive app menu 2017-04-25 17:31:24 +02:00
TempManager.php Update with robin 2016-07-21 18:13:58 +02:00
Updater.php Use the existing array of OC versions 2017-07-27 12:30:24 +02:00
URLGenerator.php Add tests and inject IRequest 2017-07-02 14:03:35 +02:00