nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Joas Schilling	f6b6776c93	fix(API): Use a distinct exception so apps can react to it and customize the return Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-11-28 06:11:57 +07:00
Arthur Schiwon	3fa43a529b	enh(dispatcher): enforce psalm ranges in the http dispatcher - allows devs to provide int ranges for API arguments Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2023-11-24 12:46:38 +07:00
Joas Schilling	aa5f037af7	chore: apply changes from Nextcloud coding standards 1.1.1 Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>	2023-11-23 10:36:13 +07:00
Ferdinand Thiessen	ecf9f0a872	fix(CSP): Only add `strict-dynamic` when using nonces Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2023-11-17 22:01:02 +07:00
Ferdinand Thiessen	e231abd9bf	fix!(ContentSecurityPolicy): Make `strict-dynamic` enabled by default on `script-src-elem` Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2023-11-17 14:42:36 +07:00
Ferdinand Thiessen	7df9eb3351	feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keep the default rules for `script-src`. The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>	2023-11-17 11:12:57 +07:00
Joas Schilling	2fa78f6245	Reverse X-Forwarded-For list to read the correct proxy remote address Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-11-16 07:45:19 +07:00
Christoph Wurst	78842348b2	feat(dependencyinjection): Allow optional (nullable) services Allows working with classes that might or might not be available. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-11-03 11:53:43 +07:00
Ferdinand Thiessen	154a9989a7	Merge pull request #39852 from nextcloud/pragmaHeader Stop sending deprecated Pragma header	2023-10-18 03:30:21 +07:00
Joas Schilling	25309bcb45	techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25 Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-08-28 15:50:45 +07:00
Git'Fellow	066f6ef16c	Stop sending deprecated Pragma header Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>	2023-08-28 15:11:22 +07:00
Daniel Calviño Sánchez	41f2d912d2	Allow "wasm-unsafe-eval" in CSP If a page has a Content Security Policy header and the `script-src` (or `default-src`) directive does not contain neither `wasm-unsafe-eval` nor `unsafe-eval` loading and executing WebAssembly is blocked in the page (although it is still possible to load and execute WebAssembly in a worker thread). Although the Nextcloud classes to manage the CSP already supported allowing `unsafe-eval` this affects not only WebAssembly, but also the `eval` operation in JavaScript. To make possible to allow WebAssembly execution without allowing JavaScript `eval` this commit adds support for allowing `wasm-unsafe-eval`. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>	2023-08-10 02:38:41 +07:00
Joas Schilling	1b387bb341	fix!: Remove legacy event dispatching Symfony's GenericEvent from AdditionalScripts Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-07-27 09:57:52 +07:00
Joas Schilling	2c6f32cb28	feat(request): Allow to match the client version with the IRequest::USER_AGENT_* regex Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-07-11 07:35:50 +07:00
jld3103	b0001c6010	Add template types to responses Signed-off-by: jld3103 <jld3103yt@gmail.com>	2023-06-30 09:33:29 +07:00
jld3103	7f4651637a	Allow stdClass in XML responses Signed-off-by: jld3103 <jld3103yt@gmail.com>	2023-06-13 11:44:47 +07:00
Christoph Wurst	08a3f37695	chore(appframework)!: Drop \OCP\AppFramework\Http\EmptyContentSecurityPolicy::allowInlineScript Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-06-12 10:03:59 +07:00
Joas Schilling	3a6bc7aba2	fix(middleware): Also abort the request when reaching max delay in afterController Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-05-15 16:20:19 +07:00
Joas Schilling	ecb8b55c5c	feat(security): Add PHP \Attribute for remaining security annotations Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-04-25 14:50:32 +07:00
Joas Schilling	89c3c31402	feat(ratelimit): Add Attributes support to rate limit middleware Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-04-24 12:24:48 +07:00
Côme Chilliet	b294edad80	Merge branch 'master' into enh/type-iconfig-getter-calls Signed-off-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>	2023-04-20 16:52:38 +07:00
Christoph Wurst	2c0cfd3772	feat(app-framework): Add native argument types for middleware Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-04-18 17:15:05 +07:00
Côme Chilliet	8d5165e8dc	Adapt tests to config value typing Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-04-05 17:42:14 +07:00
Joas Schilling	2b49861679	Add a debug message when throttling without defining Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-03-08 12:09:22 +07:00
Joas Schilling	e839eb9b5c	feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-03-08 12:09:22 +07:00
Joas Schilling	c297f8ee96	feat(appframework): ⌚ Make ITimeFactory extend \PSR\Clock\ClockInterface Signed-off-by: Joas Schilling <coding@schilljs.com>	2023-03-03 15:37:13 +07:00
Julius Härtl	90d2cb09b1	Merge pull request #36396 from nextcloud/fix/cors	2023-02-17 09:42:08 +07:00
Ferdinand Thiessen	f655f83c84	fix(CORS): CORS should only be bypassed on `PublicPage` if not logged in to prevent CSRF attack vectors Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>	2023-02-16 22:55:18 +07:00
MichaIng	5f90b8eb11	Change X-Robots-Tag header from "none" to "noindex, nofollow" While "none" is indeed equivalent to "noindex, nofollow" for Google, but seems to be not supported by Bing and probably other search engines. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name#other_metadata_names https://developers.google.com/search/docs/crawling-indexing/robots-meta-tag?hl=de#comma-separated-list https://www.bing.com/webmasters/help/which-robots-metatags-does-bing-support-5198d240 Signed-off-by: MichaIng <micha@dietpi.com>	2023-02-15 20:16:51 +07:00
Robin Appelman	b911da3e1e	DI for Router Signed-off-by: Robin Appelman <robin@icewind.nl>	2023-02-13 22:51:14 +07:00
Ferdinand Thiessen	ba8a50c059	fix: Throw `NotFoundExceptionInterface` to fulfill PSR container interface if class not found Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>	2023-02-06 14:16:35 +07:00
Christoph Wurst	20e00cdf17	feat(app-framework): Add UseSession attribute to replace annotation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-27 09:40:35 +07:00
Christoph Wurst	8d9af3e262	feat(app-framework): Add support for global middlewares This allows apps to register middlewares that always register, not just for the app's own requests Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-26 11:54:28 +07:00
Christoph Wurst	907ff68bfc	perf(app-framework): Make the app middleware registration lazy Before this patch, app middlewares were registered on the dispatcher for every app loaded in a Nextcloud process. With the patch, only middlewares belonging to the same app of a dispatcher instance are loaded. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-25 09:27:24 +07:00
Côme Chilliet	f5c361cf44	composer run cs:fix Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2023-01-20 11:45:08 +07:00
Christoph Wurst	20fcfb5739	feat(app framework)!: Inject services into controller methods Usually Nextcloud DI goes through constructor injection. This has the implication that each instance of a class builds the full DI tree. That is the injected services, their services, etc. Occasionally there is a service that is only needed for one controller method. Then the DI tree is build regardless if used or not. If services are injected into the method, we only build the DI tree if that method gets executed. This is also how Laravel allows injection. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2023-01-18 14:00:38 +07:00
Stanimir Bozhilov	7dcd6eb561	Merge branch 'master' into add-scim-json-support Signed-off-by: Stanimir Bozhilov <stanimir.bozhilov.1998@gmail.com>	2022-12-19 09:07:38 +07:00
Vincent Petry	ae6fe874ed	Merge pull request #35780 from nextcloud/fix/http-dispatcher-double-parameter-cast Fix missing cast of double controller parameters	2022-12-16 16:18:35 +07:00
Christoph Wurst	b6dd1a1d7b	fix(app framework): Fix missing cast of double controller parameters ``settype`` allows 'double' as alias of 'float'. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2022-12-15 09:33:52 +07:00
Artur Neumann	81f2857f34	check if params given to API are really an array Signed-off-by: Artur Neumann <artur@jankaritech.com>	2022-12-15 13:45:22 +07:00
Julien Veyssier	4a3f3beb0b	use bruteforce protection on all methods wrapped by PublicShareMiddleware if an invalid token is provided or when share password is wrong Signed-off-by: Julien Veyssier <julien-nc@posteo.net>	2022-12-07 13:24:50 +07:00
Côme Chilliet	68363f6944	Fix some more problems with tests under PHP 8.2 Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2022-11-15 16:02:24 +07:00
Roeland Jago Douma	60ee874485	Remove long depreated AppFramework/Db/Mapper Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2022-10-10 08:18:32 +07:00
Stanimir Bozhilov	46c10c77e1	Fix the JSON content type regex to match all MIME types Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>	2022-09-26 11:51:44 +07:00
Stanimir Bozhilov	f7d51a39cf	Add unit tests for application/scim+json content type Signed-off-by: Stanimir Bozhilov <stanimir@audriga.com>	2022-09-20 16:19:05 +07:00
Julius Härtl	64a7489958	Fix SessionMiddlewareTest and cover new case with reopening Signed-off-by: Julius Härtl <jus@bitgrid.net>	2022-08-24 10:36:57 +07:00
Simon Leiner	09362eaeaa	Support specifying IPv6 proxies in CIDR notation Previously, it was not possible to use CIDR notation for IPv6 proxies in the trusted_proxies parameter of config.php [1]. This patch adds support for that. [1]: https://docs.nextcloud.com/server/24/admin_manual/configuration_server/reverse_proxy_configuration.html#defining-trusted-proxies Signed-off-by: Simon Leiner <simon@leiner.me>	2022-08-02 17:36:47 +07:00
Thomas Citharel	1d30fb7852	Fix reading blob data as resource PostgreSQL returns data as resource when using IQueryBuilder::PARAM_LOB (which is used for QBMapper). Previously we just converted this resource using settype, which produced things like "Resource id #14" instead of the actual resource data. Now we read the stream correctly if the returned data is a resource See context at #22472 Fixes #22439 Signed-off-by: Thomas Citharel <tcit@tcit.fr>	2022-07-25 09:45:47 +07:00
Côme Chilliet	1bd5222224	Fix PHP 8.2 warnings about undeclared properties Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2022-06-21 16:17:52 +07:00
Côme Chilliet	c7e1c36362	Remove at matcher uses in tests/lib Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>	2022-06-16 17:43:17 +07:00

1 2 3 4 5

246 Commits (7620d230df8756a9c439c4acbd756fbeae9345f7)