Moved the last used method in base.php where it’s called. Ideally we
would remove it but it’s not clear whether that would be possible any
time soon or even at all.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
This skips less calls for status.php so that ini vars are correctly set
and the code to set samesite cookies has the correct information when
Nextcloud is installed in a subpath.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
The Theming app injects the stylesheets for the different themes in the
"<header>" element of the page, and those stylesheets are then loaded by
the browser from a "Controller" (a plain "Controller", not an
"OCSController"). The stylesheets, in turn, may also get some images
(like the background) also from the "Controller".
When handling a request to "index.php" it is checked whether the user is
logged in and, if not, a login is tried. A disabled user is explicitly
seen as not logged in, so a login is always tried in that case, but
disabled users are also explicitly prevented to log in, so the login
also fails. Due to that trying to get any of the themed stylesheets or
images with a disabled account (to be able to show the "Account
disabled" error page) fails with an HTTP status 401.
To solve that, and to avoid touching this basic logic as much as
possible, the login exception is now ignored (if the user is disabled)
for some specific requests to the Theming app.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
This currently prevent directly accessing a ressource when clicking on a link on a third party site. Example, clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment.
Skipping the check is an issue with password protected shares, as it allows third party sites to request the ressource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add the it again in the `PublicAuth` plugin.
We also add a redirect to be helpful to the user.
**Warning**: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view.
Fix#52482
Signed-off-by: Louis Chemineau <louis@chmn.me>
A recent change had broken authentication with an older
FastCGI Apache2 module, because the IRequest object got
initialised before the fix from self::handleAuthHeaders()
copied the authentication headers into the correct $_SERVER
variables.
Since this part is completely independent from any Nextcloud
code it is now done as a first thing within the init() call.
Additionally similar issues could happen when another class
would boot too early and read other global PHP settings like
ini values and default timezone, so those are now also moved
to the beginning.
Signed-off-by: Joas Schilling <coding@schilljs.com>
Due to commit 33d7019 session.cookie_secure=true is not set when accessing /status.php.
This results in a degration from A+ to A rating due to missing __Host prefix for nc_sameSiteCookielax and nc_sameSiteCookiestrict cookies.
We basically mock the way `URLGenerator::getAbsoluteURL` works,
so we must make sure that the URL might already contain the webroot.
Because `baseURL` and `cliURL` also contain the webroot we need to remove
the webroot from the URL first.
Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
Co-authored-by: Daniel <mail@danielkesselberg.de>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Côme Chilliet
Ferdinand Thiessen
Andy Scherzinger
Joas Schilling
provokateurin
Robin Appelman
John Molakvoæ
Daniel Calviño Sánchez
Josh
Samuel Bizien Filippi
Louis
Côme Chilliet
Julius Knorr
Joas Schilling
Stephan Orbaugh
DaleBCooper
Git'Fellow
Maxence Lange
Daniel Kesselberg