sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
69,930 Commits
636 Branches
1167 Tags
8.6 GiB
Commit Graph

204 Commits (feat/database/query-result-fetch-associative-fetch-num)

Author SHA1 Message Date
Faraz Samapoor f313ca92e7 Refactors lib/private/Security. 
Mainly using PHP8's constructor property promotion.

Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-09-27 09:03:15 +07:00
Robin Appelman 6b767e060a
Merge pull request #39013 from fsamapoor/refactor_lib_private_security_part3 
[3/3] Refactors lib/private/Security
 2023-09-22 11:13:44 +07:00
Faraz Samapoor 1c023e6666 Update lib/private/Security/Certificate.php 
Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>
 2023-09-21 11:20:12 +07:00
Faraz Samapoor f9596edb00 Updates the typed properties. 
Based on: https://github.com/nextcloud/server/pull/39013#discussion_r1242340826

Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-09-21 11:20:12 +07:00
Faraz Samapoor 4f46656d39 Refactors lib/private/Security. 
Mainly using PHP8's constructor property promotion.

Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-09-21 11:20:12 +07:00
Christoph Wurst e477bb7eaf
feat(appframework): Expose programmatic rate limiter 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-09-20 20:25:27 +07:00
Joas Schilling 124588d4a6
fix: Make bypass function public API 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:40:24 +07:00
Joas Schilling fd9b2d488e
feat: Expose if the own IP is allowed to bypass bruteforce protection 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:04 +07:00
Joas Schilling abc98d343c
feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:03 +07:00
Joas Schilling a95800c647
feat(security): Add a bruteforce protection backend base on memcache 
Similar to the ratelimit backend

Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:03 +07:00
Daniel Calviño Sánchez 41f2d912d2 Allow "wasm-unsafe-eval" in CSP 
If a page has a Content Security Policy header and the `script-src` (or
`default-src`) directive does not contain neither `wasm-unsafe-eval` nor
`unsafe-eval` loading and executing WebAssembly is blocked in the page
(although it is still possible to load and execute WebAssembly in a
worker thread).

Although the Nextcloud classes to manage the CSP already supported
allowing `unsafe-eval` this affects not only WebAssembly, but also the
`eval` operation in JavaScript.

To make possible to allow WebAssembly execution without allowing
JavaScript `eval` this commit adds support for allowing
`wasm-unsafe-eval`.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
 2023-08-10 02:38:41 +07:00
Faraz Samapoor e73757b4a5 Refactors lib/private/Security. 
Mainly using PHP8's constructor property promotion.

Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-06-26 15:03:13 +07:00
Robin Appelman 9f1d497a0b
Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_private 
Refactors "strpos" calls in  lib/private to improve code readability.
 2023-06-01 23:10:00 +07:00
Robin Appelman 223612b15a
log failures to read certificates during listing 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2023-05-31 14:40:45 +07:00
Faraz Samapoor e7cc7653b8 Refactors "strpos" calls in lib/private to improve code readability. 
Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>
 2023-05-15 15:17:19 +07:00
John Molakvoæ 46459ae93f
Merge pull request #35092 from Messj1/bugfix/type-error-cert-manager-cache-path 2023-05-04 21:53:49 +07:00
Jan Messer 647c65a640 [BUGFIX] throw exception instead of error if unable to create file handler (only exceptions are catch) 
Signed-off-by: Jan Messer <jan@mtec-studios.ch>
 2023-04-06 23:03:49 +07:00
Jan Messer 7a443863fe [BUGFIX] check return value and improve error handling 
With S3 primary storage there was a problem with getting the CA bundle from the storage without having the CA bundle for the connection which causes that the CertificateManager was throwing an Error.
This commit improves the handling in CertificateManager and log unexpected behaviors.

Signed-off-by: Jan Messer <jan@mtec-studios.ch>
 2023-04-06 23:03:33 +07:00
Côme Chilliet 426c0341ff
Use typed version of IConfig::getSystemValue as much as possible 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2023-04-05 12:50:08 +07:00
Côme Chilliet 8f550398c4
Merge pull request #36836 from nextcloud/fix/view-type-cleanup 
Tidy up typing in OC\Files\View
 2023-04-05 10:14:55 +07:00
Côme Chilliet ea05544213
Fix return type of methods returning false on error 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2023-04-03 10:52:34 +07:00
Joas Schilling 454281af03
feat(security): Allow to opt-out of ratelimit protection, e.g. for testing on CI 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-04-03 09:06:45 +07:00
Côme Chilliet f5c361cf44
composer run cs:fix 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2023-01-20 11:45:08 +07:00
Christoph Wurst 8aea25b5b9
Add remote host validation API 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2022-10-31 16:13:28 +07:00
Côme Chilliet 71ee292650 Add rate limiting on lost password emails 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2022-10-18 14:49:02 +07:00
Carl Schwan 9919116716
Merge pull request #31499 from nextcloud/bugfix/empty-secret 
Add fallback routines for empty secret cases
 2022-10-17 16:02:58 +07:00
Carl Schwan ef31396727
Mark method as deprecated 
Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com>
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-09-13 13:06:54 +07:00
Carl Schwan 48d9c4d2b0
Port existing server code to new interface 
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-08-08 17:03:19 +07:00
Joas Schilling c0f47af2d0
Add a public interface for the bruteforce throttler and register for injection 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-07-28 10:57:10 +07:00
luz paz 368f83095d Fix typos in lib/private subdirectory 
Found via `codespell -q 3 -S l10n -L jus ./lib/private`

Signed-off-by: luz paz <luzpaz@github.com>
 2022-07-27 08:52:17 +07:00
Joas Schilling 8274c05e19
Only ignore attempts of the same action 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-07-07 09:35:14 +07:00
Carl Schwan ca3cd5a625 Fix detection of firefox in ContentSecurityPolicyNonceManager 
Reuse Request::USER_AGENT_FIREFOX, and also update the safari detection
since safari < 12 is not supported anymore and we can remove a bit of
code duplication

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-06-29 17:05:48 +07:00
Vincent Petry 01dbd22c9c
Validate requested length is random string generator 
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
 2022-05-12 13:58:18 +07:00
Vincent Petry 7718c9776c
Merge pull request #32113 from nextcloud/bugfix/noid/fix-csp-merging-bools 
Add CSP policy merge priority for booleans
 2022-05-05 17:26:48 +07:00
Carl Schwan 69b36fc2c5 Don't inject Bruteforce capability info in the webui 
This capability do DB access and as far I know is not used by the webui.
This remove one DB query for each page load.

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-04-07 17:33:29 +07:00
Vincent Petry 18c013d8fc
Add CSP policy merge priority for booleans 
When two booleans conflict when merging CSP policies, true will win.

Signed-off-by: Vincent Petry <vincent@nextcloud.com>
 2022-04-01 13:56:34 +07:00
Côme Chilliet 6be7aa112f
Migrate from ILogger to LoggerInterface in lib/private 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2022-03-24 16:21:25 +07:00
Robin Appelman 4f594dbf53
cache the path of the certificate bundle 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2022-03-17 14:58:56 +07:00
Robin Appelman a887553ddb
return default bundle when there is an error getting the bundle 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2022-03-14 18:34:09 +07:00
Julius Härtl a6796b4247
Fix decryption fallback after adding a secret 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2022-03-10 14:01:21 +07:00
Julius Härtl 81f8719cc0
Add fallback routines for empty secret cases 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2022-03-10 14:01:21 +07:00
Julius Härtl bd03dd37be
Allow to set a strict-dynamic CSP through the API 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2022-03-09 15:10:27 +07:00
Joas Schilling b8e0a3dbdd
Use the new option to signaling insensitivity 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-02-07 13:54:54 +07:00
Joas Schilling b59df35426
Make the DB query simpler (as we just deleted all other entries) 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-01-28 16:55:17 +07:00
Joas Schilling c6d000f87f
Log bruteforce throttle and blocking 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-01-18 10:10:19 +07:00
Carl Schwan 6312c0df69
Check style update 
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-01-13 00:19:07 +07:00
Joas Schilling 1d550ab95e
Don't query the bruteforce attempts when we just deleted them 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2021-12-01 18:01:22 +07:00
Vincent Petry 19f41a60a0
Type hint in IpAddress 
Signed-off-by: Vincent Petry <vincent@nextcloud.com>

Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
 2021-11-22 17:36:26 +07:00
Vincent Petry f01ad7b8d8
Improve normalizer detecting IPv4 inside of IPv6 
The subnet for an IPv4 address inside of IPv6 is now returned in its
IPv4 form.

Signed-off-by: Vincent Petry <vincent@nextcloud.com>
 2021-11-22 16:46:25 +07:00
Vincent Petry 7e08a4ab15
Fix getting subnet of ipv4 mapped ipv6 addresses 
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
 2021-11-22 14:10:11 +07:00