This currently prevent directly accessing a ressource when clicking on a link on a third party site. Example, clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment.
Skipping the check is an issue with password protected shares, as it allows third party sites to request the ressource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add the it again in the `PublicAuth` plugin.
We also add a redirect to be helpful to the user.
**Warning**: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view.
Fix#52482
Signed-off-by: Louis Chemineau <louis@chmn.me>
A recent change had broken authentication with an older
FastCGI Apache2 module, because the IRequest object got
initialised before the fix from self::handleAuthHeaders()
copied the authentication headers into the correct $_SERVER
variables.
Since this part is completely independent from any Nextcloud
code it is now done as a first thing within the init() call.
Additionally similar issues could happen when another class
would boot too early and read other global PHP settings like
ini values and default timezone, so those are now also moved
to the beginning.
Signed-off-by: Joas Schilling <coding@schilljs.com>
Due to commit 33d7019 session.cookie_secure=true is not set when accessing /status.php.
This results in a degration from A+ to A rating due to missing __Host prefix for nc_sameSiteCookielax and nc_sameSiteCookiestrict cookies.
We basically mock the way `URLGenerator::getAbsoluteURL` works,
so we must make sure that the URL might already contain the webroot.
Because `baseURL` and `cliURL` also contain the webroot we need to remove
the webroot from the URL first.
Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
Co-authored-by: Daniel <mail@danielkesselberg.de>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Fixes#2180
And prevents #31473, #23970, #18610, #15708
Avoids a 500 error and also gives a useful error message on the web interface if this module isn't installed, gets overlooked during a PHP upgrade, etc.
While we check for it later, it's too late for session.
Inspired by #17163
Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
Changing gc_maxlifetime cannot have any effect because this configuration option does not exist. There is a configuration option named session.gc_maxlifetime.
I removed the ini_set call because autoconfiguring is error-prone, and the current code could never have worked as intended.
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
If an incompatible app is enabled manually, it is added to the "app_install_overwrite" array in config.php. Nextcloud upgrades won't disable any app in this array, but they were still shown on the upgrade page and logs as being disabled.
This commit assures that only apps which are really disabled, i.e. which are not in the "app_install_overwrite" array, are shown and logged as disabled during upgrades.
Signed-off-by: MichaIng <micha@dietpi.com>
apcu lead to side effects especially with app management and (soft)
inter-dependencies, and lead also to 500 server errors. While we could
add management to clear apcu cache in many cases (may stil leave edge
cases) the performance benefit is marginally as also class maps are
already cached in opcache. Hence, the simple and effective way to go is
to not use apcu for autoloading.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
- in most cases it would read again in \OC_Util::loadVersion anyway
- remove some unused use statements
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
fixes collissions when more than one instance is running on the same
system
For the memcaches we use a more complex prefix, where version and
instance ID are incorporated. We do not have this data at hand at this
point of time. But we can get the mtime of the version.php file
relatively cheap.
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Temporary disabled the short cut again to solve issues with CalDAV/CardDAV
clients like DAVx5 that use cookies and need a session. See
https://github.com/nextcloud/server/issues/37277#issuecomment-1476366147
and the other comments for further information.
Signed-off-by: Joas Schilling <coding@schilljs.com>
Louis Chemineau
Julius Knorr
Joas Schilling
provokateurin
DaleBCooper
Côme Chilliet
Git'Fellow
Ferdinand Thiessen
Maxence Lange
Daniel Kesselberg
Josh Richards
Christoph Wurst
Andy Scherzinger
MichaIng
John Molakvoæ
Arthur Schiwon
Alexander Piskun
Andrey Borysenko
Simon L
Côme Chilliet
Joas Schilling