sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
62,717 Commits
618 Branches
1167 Tags
9.0 GiB
Commit Graph

170 Commits (0b184f613586eb32cd5f30d255cd4f730aa33bbe)

Author SHA1 Message Date
Vincent Petry 01dbd22c9c
Validate requested length is random string generator 
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
 2022-05-12 13:58:18 +07:00
Vincent Petry 7718c9776c
Merge pull request #32113 from nextcloud/bugfix/noid/fix-csp-merging-bools 
Add CSP policy merge priority for booleans
 2022-05-05 17:26:48 +07:00
Carl Schwan 69b36fc2c5 Don't inject Bruteforce capability info in the webui 
This capability do DB access and as far I know is not used by the webui.
This remove one DB query for each page load.

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-04-07 17:33:29 +07:00
Vincent Petry 18c013d8fc
Add CSP policy merge priority for booleans 
When two booleans conflict when merging CSP policies, true will win.

Signed-off-by: Vincent Petry <vincent@nextcloud.com>
 2022-04-01 13:56:34 +07:00
Côme Chilliet 6be7aa112f
Migrate from ILogger to LoggerInterface in lib/private 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2022-03-24 16:21:25 +07:00
Robin Appelman 4f594dbf53
cache the path of the certificate bundle 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2022-03-17 14:58:56 +07:00
Robin Appelman a887553ddb
return default bundle when there is an error getting the bundle 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2022-03-14 18:34:09 +07:00
Julius Härtl bd03dd37be
Allow to set a strict-dynamic CSP through the API 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2022-03-09 15:10:27 +07:00
Joas Schilling b8e0a3dbdd
Use the new option to signaling insensitivity 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-02-07 13:54:54 +07:00
Joas Schilling b59df35426
Make the DB query simpler (as we just deleted all other entries) 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-01-28 16:55:17 +07:00
Joas Schilling c6d000f87f
Log bruteforce throttle and blocking 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2022-01-18 10:10:19 +07:00
Carl Schwan 6312c0df69
Check style update 
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-01-13 00:19:07 +07:00
Joas Schilling 1d550ab95e
Don't query the bruteforce attempts when we just deleted them 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2021-12-01 18:01:22 +07:00
Vincent Petry 19f41a60a0
Type hint in IpAddress 
Signed-off-by: Vincent Petry <vincent@nextcloud.com>

Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
 2021-11-22 17:36:26 +07:00
Vincent Petry f01ad7b8d8
Improve normalizer detecting IPv4 inside of IPv6 
The subnet for an IPv4 address inside of IPv6 is now returned in its
IPv4 form.

Signed-off-by: Vincent Petry <vincent@nextcloud.com>
 2021-11-22 16:46:25 +07:00
Vincent Petry 7e08a4ab15
Fix getting subnet of ipv4 mapped ipv6 addresses 
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
 2021-11-22 14:10:11 +07:00
Joas Schilling c42f5bc5f6
Add an OCP for trusted domain helper 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2021-10-28 10:24:16 +07:00
Daniel Kesselberg 240eb02585
Set associative = true for cleanup job 
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
 2021-10-07 20:20:09 +07:00
Lukas Reschke 0dcc5c0e9f
Merge pull request #28728 from nextcloud/add-database-backend-limiter 
Add database ratelimiting backend
 2021-09-13 13:07:37 +07:00
Lukas Reschke 474a5b55d3 Implement review feedback 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2021-09-13 11:01:35 +07:00
Lukas Reschke 358eaba7dd
Apply suggestions from code review 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>

Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com>
 2021-09-13 10:43:01 +07:00
Arthur Schiwon 0dee717c94
Confirm mails only per POST 
- this is to avoid automatic confirmation by certain softwares that open
  links

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
 2021-09-09 19:23:04 +07:00
Arthur Schiwon a20de15b43
add a job to clean up expired verification tokens 
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
 2021-09-09 14:03:35 +07:00
Arthur Schiwon 19cc757531
move verification token logic out of lost password controller 
- to make it reusable
- needed for local email verification

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
 2021-09-09 14:03:29 +07:00
Lukas Reschke 471167019c Implement PR review feedback 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2021-09-07 18:03:34 +07:00
Lukas Reschke a915372c56 phpcs 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2021-09-06 17:50:23 +07:00
Lukas Reschke 378cc922c4 Adjust logic to store period instead of current timestamp 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2021-09-06 17:31:36 +07:00
Lukas Reschke d4f97affc1 Add database ratelimiting backend 
In case no distributed memory cache is specified this adds
a database backend for ratelimit purposes.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2021-09-06 16:31:01 +07:00
Daniel Kesselberg 0a15043f69
Throw exception if encrypting the data failed. 
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
 2021-07-05 10:23:16 +07:00
John Molakvoæ (skjnldsv) 215aef3cbd
Update php licenses 
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
 2021-06-04 22:02:41 +07:00
Roeland Jago Douma ee3dc57cbd
Merge pull request #26626 from J0WI/strict-security 
Make Security module strict
 2021-05-18 08:43:13 +07:00
Morris Jobke 393309b98f
Merge pull request #25714 from nextcloud/fix/23197/explicitly_check_hex2bin_input 
Explicitly check hex2bin input
 2021-04-22 13:23:39 +07:00
J0WI ca7b37ce5a Make Security module strict 
Signed-off-by: J0WI <J0WI@users.noreply.github.com>
 2021-04-19 17:31:12 +07:00
Lukas Reschke e5a4236e68 Increase subnet matcher 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
 2021-04-07 12:28:59 +07:00
Roeland Jago Douma 16652ac6c6 Explicitly check hex2bin input 
For #23197

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2021-02-18 20:12:20 +07:00
dependabot-preview[bot] eb502c02ff
Bump nextcloud/coding-standard from 0.3.0 to 0.5.0 
Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 0.3.0 to 0.5.0.
- [Release notes](https://github.com/nextcloud/coding-standard/releases)
- [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nextcloud/coding-standard/compare/v0.3.0...v0.5.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2021-02-18 13:31:24 +07:00
Morris Jobke 24d436cb60
Remove unneeded casts that were found by Psalm 
In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521)

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2021-01-11 13:14:41 +07:00
Christoph Wurst d89a75be0b
Update all license headers for Nextcloud 21 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-12-16 18:48:22 +07:00
Julius Härtl f5501ca276
Avoid checking for brute force protection capabilities when upgrading 
This might happen a releases that doesn't have this table yet

Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2020-12-09 12:13:33 +07:00
Joas Schilling 5b5aebbf66
Replace the credentials table with one that can have empty user 
Primary key columns on Oracle can not have empty strings

Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-11-10 15:36:27 +07:00
Joas Schilling 1aa9c9164d
Fix comparing the empty string for global credentials 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-11-10 15:36:26 +07:00
Joas Schilling 8027dcbc6f
Don't leave cursors open when tests fail 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-11-09 12:28:17 +07:00
Roeland Jago Douma 54b9f639a6
Always return the default path if we can 
Just check in the certifcate manager. So every part of the system that
request the certificatebundle gets the defaullt one (the 99% case) if we
can.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-11-03 00:13:01 +07:00
Morris Jobke dc479aae2d
Improve CertificateManager to not be user context dependent 
* removes the ability for users to import their own certificates (for external storage)
* reliably returns the same certificate bundles system wide (and not depending on the user context and available sessions)

The user specific certificates were broken in some cases anyways, as they are only loaded if the specific user is logged in and thus causing unexpected behavior for background jobs and other non-user triggered code paths.

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2020-11-03 00:13:01 +07:00
lynn-stephenson 648b60fa0e
Derive encryption key & MAC key from a single key. 
Signed-off-by: lynn-stephenson <lynn.stephenson@protonmail.com>
 2020-10-15 21:23:24 +07:00
Roeland Jago Douma 8fae2beece
Limit throttler to 48 hours 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-10-08 19:51:13 +07:00
Roeland Jago Douma 6c1b542def
Add cleanup job for old brutefoce attempts 
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2020-10-08 19:51:13 +07:00
Christoph Wurst d9015a8c94
Format code to a single space around binary operators 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-10-05 20:25:24 +07:00
Morris Jobke 99c9423766
Remove @suppress SqlInjectionChecker 
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
 2020-09-16 15:53:56 +07:00
Joas Schilling c25063dc07
Don't break when the IP is empty 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-09-10 14:20:27 +07:00