nextcloud-server

Commit Graph

Author	SHA1	Message	Date
Joas Schilling	1d550ab95e	Don't query the bruteforce attempts when we just deleted them Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-12-01 18:01:22 +07:00
Vincent Petry	19f41a60a0	Type hint in IpAddress Signed-off-by: Vincent Petry <vincent@nextcloud.com> Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>	2021-11-22 17:36:26 +07:00
Vincent Petry	f01ad7b8d8	Improve normalizer detecting IPv4 inside of IPv6 The subnet for an IPv4 address inside of IPv6 is now returned in its IPv4 form. Signed-off-by: Vincent Petry <vincent@nextcloud.com>	2021-11-22 16:46:25 +07:00
Vincent Petry	7e08a4ab15	Fix getting subnet of ipv4 mapped ipv6 addresses Signed-off-by: Vincent Petry <vincent@nextcloud.com>	2021-11-22 14:10:11 +07:00
Joas Schilling	c42f5bc5f6	Add an OCP for trusted domain helper Signed-off-by: Joas Schilling <coding@schilljs.com>	2021-10-28 10:24:16 +07:00
Daniel Kesselberg	240eb02585	Set associative = true for cleanup job Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2021-10-07 20:20:09 +07:00
Lukas Reschke	0dcc5c0e9f	Merge pull request #28728 from nextcloud/add-database-backend-limiter Add database ratelimiting backend	2021-09-13 13:07:37 +07:00
Lukas Reschke	474a5b55d3	Implement review feedback Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-09-13 11:01:35 +07:00
Lukas Reschke	358eaba7dd	Apply suggestions from code review Signed-off-by: Lukas Reschke <lukas@statuscode.ch> Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com>	2021-09-13 10:43:01 +07:00
Arthur Schiwon	0dee717c94	Confirm mails only per POST - this is to avoid automatic confirmation by certain softwares that open links Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2021-09-09 19:23:04 +07:00
Arthur Schiwon	a20de15b43	add a job to clean up expired verification tokens Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2021-09-09 14:03:35 +07:00
Arthur Schiwon	19cc757531	move verification token logic out of lost password controller - to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2021-09-09 14:03:29 +07:00
Lukas Reschke	471167019c	Implement PR review feedback Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-09-07 18:03:34 +07:00
Lukas Reschke	a915372c56	phpcs Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-09-06 17:50:23 +07:00
Lukas Reschke	378cc922c4	Adjust logic to store period instead of current timestamp Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-09-06 17:31:36 +07:00
Lukas Reschke	d4f97affc1	Add database ratelimiting backend In case no distributed memory cache is specified this adds a database backend for ratelimit purposes. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-09-06 16:31:01 +07:00
Daniel Kesselberg	0a15043f69	Throw exception if encrypting the data failed. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>	2021-07-05 10:23:16 +07:00
John Molakvoæ (skjnldsv)	215aef3cbd	Update php licenses Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>	2021-06-04 22:02:41 +07:00
Roeland Jago Douma	ee3dc57cbd	Merge pull request #26626 from J0WI/strict-security Make Security module strict	2021-05-18 08:43:13 +07:00
Morris Jobke	393309b98f	Merge pull request #25714 from nextcloud/fix/23197/explicitly_check_hex2bin_input Explicitly check hex2bin input	2021-04-22 13:23:39 +07:00
J0WI	ca7b37ce5a	Make Security module strict Signed-off-by: J0WI <J0WI@users.noreply.github.com>	2021-04-19 17:31:12 +07:00
Lukas Reschke	e5a4236e68	Increase subnet matcher Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2021-04-07 12:28:59 +07:00
Roeland Jago Douma	16652ac6c6	Explicitly check hex2bin input For #23197 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2021-02-18 20:12:20 +07:00
dependabot-preview[bot]	eb502c02ff	Bump nextcloud/coding-standard from 0.3.0 to 0.5.0 Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 0.3.0 to 0.5.0. - [Release notes](https://github.com/nextcloud/coding-standard/releases) - [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md) - [Commits](https://github.com/nextcloud/coding-standard/compare/v0.3.0...v0.5.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2021-02-18 13:31:24 +07:00
Morris Jobke	24d436cb60	Remove unneeded casts that were found by Psalm In preparation of the update of Psalm from 4.2.1 to 4.3.1+ (see https://github.com/nextcloud/server/pull/24521) Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2021-01-11 13:14:41 +07:00
Christoph Wurst	d89a75be0b	Update all license headers for Nextcloud 21 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-12-16 18:48:22 +07:00
Julius Härtl	f5501ca276	Avoid checking for brute force protection capabilities when upgrading This might happen a releases that doesn't have this table yet Signed-off-by: Julius Härtl <jus@bitgrid.net>	2020-12-09 12:13:33 +07:00
Joas Schilling	5b5aebbf66	Replace the credentials table with one that can have empty user Primary key columns on Oracle can not have empty strings Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-11-10 15:36:27 +07:00
Joas Schilling	1aa9c9164d	Fix comparing the empty string for global credentials Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-11-10 15:36:26 +07:00
Joas Schilling	8027dcbc6f	Don't leave cursors open when tests fail Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-11-09 12:28:17 +07:00
Roeland Jago Douma	54b9f639a6	Always return the default path if we can Just check in the certifcate manager. So every part of the system that request the certificatebundle gets the defaullt one (the 99% case) if we can. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-11-03 00:13:01 +07:00
Morris Jobke	dc479aae2d	Improve CertificateManager to not be user context dependent * removes the ability for users to import their own certificates (for external storage) * reliably returns the same certificate bundles system wide (and not depending on the user context and available sessions) The user specific certificates were broken in some cases anyways, as they are only loaded if the specific user is logged in and thus causing unexpected behavior for background jobs and other non-user triggered code paths. Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2020-11-03 00:13:01 +07:00
lynn-stephenson	648b60fa0e	Derive encryption key & MAC key from a single key. Signed-off-by: lynn-stephenson <lynn.stephenson@protonmail.com>	2020-10-15 21:23:24 +07:00
Roeland Jago Douma	8fae2beece	Limit throttler to 48 hours Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-10-08 19:51:13 +07:00
Roeland Jago Douma	6c1b542def	Add cleanup job for old brutefoce attempts Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-10-08 19:51:13 +07:00
Christoph Wurst	d9015a8c94	Format code to a single space around binary operators Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-10-05 20:25:24 +07:00
Morris Jobke	99c9423766	Remove @suppress SqlInjectionChecker Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2020-09-16 15:53:56 +07:00
Joas Schilling	c25063dc07	Don't break when the IP is empty Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-09-10 14:20:27 +07:00
Christoph Wurst	2a054e6c04	Update the license headers for Nextcloud 20 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-08-24 14:54:25 +07:00
Joas Schilling	35a8519591	Fix CS Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:36 +07:00
Joas Schilling	770381c0c6	Correctly return ms delay when at max Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:36 +07:00
Joas Schilling	931aca2fee	Add missing default Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:36 +07:00
Joas Schilling	d9c4c9eb99	Simplify array filter Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:36 +07:00
Joas Schilling	dfeee3b850	Fix wrong doc + type hint Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:36 +07:00
Joas Schilling	8376c4891f	Only throw when also the last 30 mins were attacking Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:36 +07:00
Joas Schilling	6f751d01db	Make the throttling O(2^n) instead of O(n^n) Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:36 +07:00
Joas Schilling	64539a6ee1	Make Throttler strict Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:36 +07:00
Joas Schilling	c8fea66d65	Split delay calculation from getting the attempts Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:35 +07:00
Joas Schilling	cdb36c8ead	Let the database count the entries Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:35 +07:00
Joas Schilling	e66bc4a8a7	Send "429 Too Many Requests" in case of brute force protection Signed-off-by: Joas Schilling <coding@schilljs.com>	2020-08-19 11:20:35 +07:00
Morris Jobke	c0be7e329f	Prefer typed event over string based ones Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2020-08-10 15:22:55 +07:00
Morris Jobke	e57bca31ad	Merge pull request #20005 from joeried/occ-remove-bruteforce-attempts-by-ip Implement occ command to reset bruteforce attemps from a given IP address	2020-05-25 14:04:18 +07:00
Morris Jobke	bd997a105c	Fix code style Signed-off-by: Morris Jobke <hey@morrisjobke.de>	2020-05-25 14:03:21 +07:00
Roeland Jago Douma	35ff4aa1c6	Use random_bytes Since we don't care if it is human readbale. The code is backwards compatible with the old format. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-05-11 12:46:59 +07:00
MichaIng	229570badf	Apply Argon2 options for Argon2id hashing as well Signed-off-by: MichaIng <micha@dietpi.com>	2020-05-01 11:42:13 +07:00
MichaIng	ad60619655	Fix Argon2 options checks The minimum for memory cost is 8 KiB per thread. Threads must be checked and set first to allow checking against the correct memory cost mimimum. Options are now applied the following way: - If config.php contains the setting with an integer higher or equal to the minimum, it is applied. - If config.php contains the setting with an integer lower than the minimum, the minimum is applied. - If config.php does not contain the setting or with no integer value, the PHP default is applied. Signed-off-by: MichaIng <micha@dietpi.com> Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-04-30 10:18:46 +07:00
Christoph Wurst	cb057829f7	Update license headers for 19 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-29 11:57:22 +07:00
Arthur Schiwon	5437844b7e	fix credentialsManager documentation and ensure userId to be used as string Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2020-04-15 19:34:23 +07:00
Christoph Wurst	28f8eb5dba	Add visibility to all constants Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 16:54:27 +07:00
Christoph Wurst	caff1023ea	Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 14:19:56 +07:00
Christoph Wurst	14c996d982	Use elseif instead of else if Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-10 10:35:09 +07:00
Christoph Wurst	afbd9c4e6e	Unify function spacing to PSR2 recommendation Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 13:54:22 +07:00
Christoph Wurst	41b5e5923a	Use exactly one empty line after the namespace declaration For PSR2 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 11:48:10 +07:00
Christoph Wurst	2fbad1ed72	Fix (array) indent style to always use one tab Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-04-09 10:16:08 +07:00
Christoph Wurst	1a9330cd69	Update the license headers for Nextcloud 19 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-31 14:52:54 +07:00
Christoph Wurst	b80ebc9674	Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-26 16:34:56 +07:00
Johannes Riedel	0c38569c83	Implement occ command security:bruteforceattemps:reset-for-ip Signed-off-by: Johannes Riedel <joeried@users.noreply.github.com>	2020-03-19 16:20:22 +07:00
Pavel Krasikov	f11dee9bc4	fix safari useragent for versions with 3 digits Signed-off-by: Pavel Krasikov <klonishe@gmail.com>	2020-03-14 16:47:28 +07:00
Roeland Jago Douma	12e1c469cf	Add Argon2id support When available we should use argon2id for hashing. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-02-07 07:52:33 +07:00
Roeland Jago Douma	0d651f106c	Allow selecting the hashing algorithm Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2020-02-03 21:41:17 +07:00
Arthur Schiwon	f92ba2cebe	ignore values that undershoot the minimum, go with default Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2020-01-22 16:04:57 +07:00
blizzz	56c3ba6ac7	use getSystemValueInt Co-Authored-By: kesselb <mail@danielkesselberg.de> Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2020-01-21 09:04:53 +07:00
Arthur Schiwon	171bb98229	expose Argon2 options (as we did for bcrypt) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>	2020-01-20 18:21:50 +07:00
Christoph Wurst	1b46621cd3	Update license headers for 18 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2019-12-20 09:23:25 +07:00
Konrad Bucheli	f2d3e34c96	handle IPv6 addresses with an explict incoming interface at the end (e.g fe80::ae2d:d1e7:fe1e:9a8d%enp2s0) Signed-off-by: Konrad Bucheli <konrad.bucheli@gmx.ch> Signed-off-by: Konrad Bucheli <kb@open.ch>	2019-12-10 22:47:20 +07:00
Julius Härtl	d05f131929	Move overwritehost check to isTrustedDomain Signed-off-by: Julius Härtl <jus@bitgrid.net>	2019-12-07 09:53:06 +07:00
Christoph Wurst	5bf3d1bb38	Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2019-12-05 15:38:45 +07:00
Roeland Jago Douma	68748d4f85	Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-11-22 20:52:10 +07:00
Johannes Koenig	2df8d646c1	make TrustedDomainHelper case insensitive Signed-off-by: Johannes Koenig <mail@jokoenig.de>	2019-10-06 20:43:55 +07:00
Roeland Jago Douma	2b98eea129	Harden identifyproof openssl code Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-09-14 13:52:10 +07:00
Roeland Jago Douma	7927aebdeb	Fix report of phpstan in Limiter * unneeded arguments to constructor * added return types * let automatic DI do its work Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-19 19:38:43 +07:00
Roeland Jago Douma	b8c5008acf	Add feature policy header This adds the events and the classes to modify the feature policy. It also adds a default restricted feature policy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-08-10 14:26:22 +07:00
Roeland Jago Douma	f94ee72507	Add form-action CSP element Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-31 15:16:10 +07:00
Roeland Jago Douma	417fbb5d60	setting unsafe-eval is deprecated This will be removed in a future version of Nextcloud. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-30 16:27:38 +07:00
Sam Bull	ea935f65fd	Add support for CSP_NONCE server variable Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server. Signed-off-by: Sam Bull <git@sambull.org> Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-18 12:16:29 +07:00
Roeland Jago Douma	5ac857bcdc	Add an event to edit the CSP This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-07-08 20:35:15 +07:00
Morris Jobke	d004164fcc	Merge pull request #13327 from nextcloud/allow-bracket-notation-for-remove-ipv6-address Allow bracket IPv6 address format inside IPAdress Normalizer	2019-03-06 10:34:02 +07:00
Roeland Jago Douma	f1ea56b502	Fix the thorrtler whitelist bitmask Before we actually didn't check each bit of the bitmask. Now we do. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2019-02-11 23:22:20 +07:00
Thomas Citharel	c9b588774b	Allow bracket IPv6 address format inside IPAdress Normalizer When run with php's build-in server (for instance on localhost:8080), IP provided through $this->server['REMOTE_ADDR'] is [::1], which is not an acceptable format for \inet_pton. This removes the brackets if there's any. Signed-off-by: Thomas Citharel <tcit@tcit.fr>	2019-01-03 10:03:46 +07:00
Roeland Jago Douma	372f3d2a60	Remove deprecated functions from SecureRandom Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-12-07 19:33:32 +07:00
Roeland Jago Douma	be5c050acc	Throw exception if decryption fails For #11868 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-11-14 12:47:35 +07:00
Morris Jobke	39338aaa67	Merge pull request #11914 from nextcloud/csp/report-uri Add report-uri to CSP	2018-10-23 16:42:24 +07:00
Roeland Jago Douma	0fdc65a15c	Add nonce for Safari 12+ As far as I can tell this should work now. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-21 20:48:12 +07:00
Roeland Jago Douma	579822b6a5	Add report-uri to CSP Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-10-21 13:38:32 +07:00
Roeland Jago Douma	8354c50911	Deprecate the childSrc functions Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-09-04 07:35:44 +07:00
Roeland Jago Douma	c8fe4b4fc8	Add workerSrc to CSP Fixes #11035 Since the child-src directive is deprecated (we should kill it at some point) we need to have the proper worker-src available Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-09-04 07:35:44 +07:00
Mark Berezovsky	ad66c6bf08	Fix #9864 : Decrease $maxDelay in Throttler.php Signed-off-by: Mark Berezovsky <xpnf@yandex.ru>	2018-06-15 04:58:08 +07:00
Roeland Jago Douma	84316aec66	Add ARGON2I support to the hasher When on php7.2 we can use the new and improved ARGON2I hashing. This adds support for that to the hasher. When verifying an old hash we'll update rehash to move all hashes eventually to the new hash function. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-04-04 15:43:50 +07:00
Roeland Jago Douma	d8332d43f8	Make \OC\Security\IdentityProof strict Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>	2018-03-05 19:33:16 +07:00
Roeland Jago Douma	5457373407	Merge pull request #8659 from nextcloud/csrf_token_strict Make \OC\Security\CSRF strict	2018-03-05 19:28:10 +07:00

1 2 3 4 5

208 Commits (8904bf645b30fbdfdcb00a2ea607d752ee69d865)