nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Robin Appelman	ccf57e0715	add separate event for rendering login page template Signed-off-by: Robin Appelman <robin@icewind.nl>	2023-08-17 10:57:56 +07:00
Daniel Calviño Sánchez	41f2d912d2	Allow "wasm-unsafe-eval" in CSP If a page has a Content Security Policy header and the `script-src` (or `default-src`) directive does not contain neither `wasm-unsafe-eval` nor `unsafe-eval` loading and executing WebAssembly is blocked in the page (although it is still possible to load and execute WebAssembly in a worker thread). Although the Nextcloud classes to manage the CSP already supported allowing `unsafe-eval` this affects not only WebAssembly, but also the `eval` operation in JavaScript. To make possible to allow WebAssembly execution without allowing JavaScript `eval` this commit adds support for allowing `wasm-unsafe-eval`. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>	2023-08-10 02:38:41 +07:00
Joas Schilling	1b387bb341	fix!: Remove legacy event dispatching Symfony's GenericEvent from AdditionalScripts Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-07-27 09:57:52 +07:00
jld3103	2d6a62ccee	Add IgnoreOpenAPI attribute Signed-off-by: jld3103 <jld3103yt@gmail.com>	2023-07-10 14:25:22 +07:00
Christoph Wurst	14719110b9	chore: Replace \OC::$server->query with \OCP\Server::get in /lib Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-07-06 15:21:22 +07:00
jld3103	b0001c6010	Add template types to responses Signed-off-by: jld3103 <jld3103yt@gmail.com>	2023-06-30 09:33:29 +07:00
Christoph Wurst	08a3f37695	chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-06-12 10:03:59 +07:00
Git'Fellow	5b5895a130	Drop meta robots tag Revert mistake Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>	2023-06-09 18:06:37 +07:00
Joas Schilling	5b2d5767e1	fix(docs): Fix language and copy-paste class name in docs of CSP Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-05-30 13:39:33 +07:00
Joas Schilling	ecb8b55c5c	feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-04-25 14:50:32 +07:00
Joas Schilling	89c3c31402	feat(ratelimit): Add Attributes support to rate limit middleware Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-04-24 12:24:48 +07:00
Joas Schilling	e839eb9b5c	feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-03-08 12:09:22 +07:00
MichaIng	5f90b8eb11	Change X-Robots-Tag header from "none" to "noindex, nofollow" While "none" is indeed equivalent to "noindex, nofollow" for Google, but seems to be not supported by Bing and probably other search engines. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name#other_metadata_names https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag?hl=de#comma-separated-list https://www.bing.com/webmasters/help/which-robots-metatags-does-bing-support-5198d240 Signed-off-by: MichaIng <micha@dietpi.com>	2023-02-15 20:16:51 +07:00
Christoph Wurst	20e00cdf17	feat(app-framework): Add UseSession attribute to replace annotation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-27 09:40:35 +07:00
Côme Chilliet	f5c361cf44	composer run cs:fix Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-01-20 11:45:08 +07:00
Joas Schilling	82b98b4b9b	Fix typo in deprecated Signed-off-by: Joas Schilling <coding@schilljs.com>	2022-10-04 11:42:24 +07:00
Daniel	c55ae98a3f	Add description for public and immutable Co-authored-by: Carl Schwan <carl@carlschwan.eu> Signed-off-by: Daniel <mail@danielkesselberg.de>	2022-09-03 15:58:18 +07:00
Daniel Kesselberg	855ef21883	Update docblock for cacheFor Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2022-09-03 15:28:23 +07:00
blizzz	df89e7fd39	Merge pull request #32485 from nextcloud/debt/noid/psalm-streamer-fh [Psalm] Fix docblock for addFileFromStream	2022-05-31 14:22:05 +07:00
Julius Härtl	3901a93c72	Use JSON_THROW_ON_ERROR instead of custom error handling Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-05-30 19:17:49 +07:00
Daniel Kesselberg	be99ea969e	Fix type for resource Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2022-05-24 22:05:59 +07:00
Joas Schilling	ad908cd87a	Make appName of TemplateResponse accessible in BeforeTemplateRenderedEvent Signed-off-by: Joas Schilling <coding@schilljs.com>	2022-05-20 15:03:40 +07:00
Daniel Kesselberg	7cd356ee7d	Fix psalm warning for zip response due wrong type Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2022-05-13 15:50:26 +07:00
Vincent Petry	18c013d8fc	Add CSP policy merge priority for booleans When two booleans conflict when merging CSP policies, true will win. Signed-off-by: Vincent Petry <vincent@nextcloud.com>	2022-04-01 13:56:34 +07:00
Julius Härtl	bd03dd37be	Allow to set a strict-dynamic CSP through the API Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-03-09 15:10:27 +07:00
Carl Schwan	7dddbd0c35	Improve caching policy * Cache css with version in url. This makes most js and css requests to be cached by the browser * Force caching previews, the etag is in the url so that if the propfind gives a new etag, we will refresh it otherwise it's no use to try to fetch the new etag and do tons of DB queries Tested with firefox and 'debug' => false (important so that the js/css urls are generated with ?v= parameter) Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2022-02-16 11:35:57 +07:00
Robin Appelman	c712987878	send request id in response header Signed-off-by: Robin Appelman <robin@icewind.nl>	2022-02-01 14:24:01 +07:00
Daniel Rudolf	aa455e71d9	Merge branch 'master' into enhancement/noid/IURLGenerator-linkToDefaultPageUrl	2021-08-04 18:52:55 +07:00
Carl Schwan	28970563a2	Remove some mentions of ownCloud from our api documentation Signed-off-by: Carl Schwan <carl@carlschwan.eu>	2021-07-29 15:56:30 +07:00
Daniel Rudolf	a43de10d1e	Add RedirectToDefaultAppResponse::__construct() annotations Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>	2021-07-01 15:35:09 +07:00
Daniel Rudolf	e478db9161	Deprecate RedirectToDefaultAppResponse Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>	2021-07-01 15:13:08 +07:00
Daniel Rudolf	2c7186a15f	Remove \OC::$server->getURLGenerator() usage Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>	2021-07-01 15:12:15 +07:00
Daniel Rudolf	12059eb65b	Add IUrlGenerator::linkToDefaultPageUrl() Replaces the deprecated \OC_Util::getDefaultPageUrl() and makes this API public. Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>	2021-06-30 16:20:57 +07:00
Pytal	9ed379da22	Merge pull request #27635 from nextcloud/fix/datetime-constants Fix usage of DateTime constants	2021-06-23 09:56:28 +07:00
Christoph Wurst	6d5cfe0c66	Move DateTime::RFC2822 to DateTimeInterface::2822 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2021-06-23 15:30:43 +07:00
Lukas Reschke	25ab4059c6	Add security.txt Ref https://securitytxt.org Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-06-23 13:58:47 +07:00
Morris Jobke	2ae60b42ab	Merge pull request #26494 from rigrig/fix-php8-deprecations Fix some php 8 warnings	2021-06-07 23:30:59 +07:00
John Molakvoæ (skjnldsv)	215aef3cbd	Update php licenses Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>	2021-06-04 22:02:41 +07:00
Lukas Reschke	377514aad1	Escape filename in Content-Disposition We should escape all occurences of ' and \ in here. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-06-02 19:22:17 +07:00
Richard de Boer	a0d265b0b1	Fix a usort comparison function returning a boolean instead of an integer PHP 8 shows deprecation warnings about this, see #25806 Signed-off-by: Richard de Boer <git@tubul.net>	2021-05-29 14:14:52 +07:00
Joas Schilling	02c011c4f7	Make debugging easier which header is being set Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-03-24 13:22:44 +07:00
Christoph Wurst	08d4458542	Initialize \OCP\AppFramework\Http\ZipResponse::$resources Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2021-02-17 19:59:27 +07:00
Christoph Wurst	9ce3ea3368	Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-12-30 14:07:05 +07:00
Christoph Wurst	d89a75be0b	Update all license headers for Nextcloud 21 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-12-16 18:48:22 +07:00
Joas Schilling	329ffa257e	Log an error when setting a custom header on "Not Modified" responses Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-12-15 11:24:15 +07:00
Thomas Citharel	71cf92697c	Update comment to reflect current CSP policy JS unsafe-eval was removed a long time ago in https://github.com/nextcloud/server/pull/11028	2020-12-12 21:11:42 +07:00
Roeland Jago Douma	1e111b2ad2	Fix DataResponse typehints We use this already in several places where we just pass strings or numbers. This all works because we just convert it to a json response in the end. So better to have the typehints reflect this. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-11-19 20:34:42 +07:00
Roeland Jago Douma	9163790b7c	Set frame-ancestors to none if none are filled frame-ancestors doesn't fall back to default-src. So when we apply a very restricted CSP we should make sure to set it to 'none' and not leave it empty. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-11-18 10:13:36 +07:00
Roeland Jago Douma	fa6a790859	Remove deprecated OCSResponse Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-11-01 14:12:27 +07:00
Christoph Wurst	d9015a8c94	Format code to a single space around binary operators Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-10-05 20:25:24 +07:00

1 2 3

150 Commits (feat/database/query-result-fetch-associative-fetch-num)