Côme Chilliet
8f550398c4
Merge pull request #36836 from nextcloud/fix/view-type-cleanup
...
Tidy up typing in OC\Files\View
2023-04-05 10:14:55 +07:00
Côme Chilliet
ea05544213
Fix return type of methods returning false on error
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2023-04-03 10:52:34 +07:00
Joas Schilling
454281af03
feat(security): Allow to opt-out of ratelimit protection, e.g. for testing on CI
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2023-04-03 09:06:45 +07:00
Côme Chilliet
f5c361cf44
composer run cs:fix
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2023-01-20 11:45:08 +07:00
Christoph Wurst
8aea25b5b9
Add remote host validation API
...
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2022-10-31 16:13:28 +07:00
Côme Chilliet
71ee292650
Add rate limiting on lost password emails
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2022-10-18 14:49:02 +07:00
Carl Schwan
9919116716
Merge pull request #31499 from nextcloud/bugfix/empty-secret
...
Add fallback routines for empty secret cases
2022-10-17 16:02:58 +07:00
Carl Schwan
ef31396727
Mark method as deprecated
...
Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com>
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-09-13 13:06:54 +07:00
Carl Schwan
48d9c4d2b0
Port existing server code to new interface
...
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-08-08 17:03:19 +07:00
Joas Schilling
c0f47af2d0
Add a public interface for the bruteforce throttler and register for injection
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-07-28 10:57:10 +07:00
luz paz
368f83095d
Fix typos in lib/private subdirectory
...
Found via `codespell -q 3 -S l10n -L jus ./lib/private`
Signed-off-by: luz paz <luzpaz@github.com>
2022-07-27 08:52:17 +07:00
Joas Schilling
8274c05e19
Only ignore attempts of the same action
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-07-07 09:35:14 +07:00
Carl Schwan
ca3cd5a625
Fix detection of firefox in ContentSecurityPolicyNonceManager
...
Reuse Request::USER_AGENT_FIREFOX, and also update the safari detection
since safari < 12 is not supported anymore and we can remove a bit of
code duplication
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-06-29 17:05:48 +07:00
Vincent Petry
01dbd22c9c
Validate requested length in random string generator
...
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2022-05-12 13:58:18 +07:00
Vincent Petry
7718c9776c
Merge pull request #32113 from nextcloud/bugfix/noid/fix-csp-merging-bools
...
Add CSP policy merge priority for booleans
2022-05-05 17:26:48 +07:00
Carl Schwan
69b36fc2c5
Don't inject Bruteforce capability info in the webui
...
This capability does DB access and as far as I know is not used by the webui.
This removes one DB query for each page load.
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-04-07 17:33:29 +07:00
Vincent Petry
18c013d8fc
Add CSP policy merge priority for booleans
...
When two booleans conflict when merging CSP policies, true will win.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2022-04-01 13:56:34 +07:00
Côme Chilliet
6be7aa112f
Migrate from ILogger to LoggerInterface in lib/private
...
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
2022-03-24 16:21:25 +07:00
Robin Appelman
4f594dbf53
cache the path of the certificate bundle
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2022-03-17 14:58:56 +07:00
Robin Appelman
a887553ddb
return default bundle when there is an error getting the bundle
...
Signed-off-by: Robin Appelman <robin@icewind.nl>
2022-03-14 18:34:09 +07:00
Julius Härtl
a6796b4247
Fix decryption fallback after adding a secret
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2022-03-10 14:01:21 +07:00
Julius Härtl
81f8719cc0
Add fallback routines for empty secret cases
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2022-03-10 14:01:21 +07:00
Julius Härtl
bd03dd37be
Allow to set a strict-dynamic CSP through the API
...
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2022-03-09 15:10:27 +07:00
Joas Schilling
b8e0a3dbdd
Use the new option to signal insensitivity
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-02-07 13:54:54 +07:00
Joas Schilling
b59df35426
Make the DB query simpler (as we just deleted all other entries)
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-01-28 16:55:17 +07:00
Joas Schilling
c6d000f87f
Log bruteforce throttle and blocking
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2022-01-18 10:10:19 +07:00
Carl Schwan
6312c0df69
Check style update
...
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-01-13 00:19:07 +07:00
Joas Schilling
1d550ab95e
Don't query the bruteforce attempts when we just deleted them
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2021-12-01 18:01:22 +07:00
Vincent Petry
19f41a60a0
Type hint in IpAddress
...
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
2021-11-22 17:36:26 +07:00
Vincent Petry
f01ad7b8d8
Improve normalizer detecting IPv4 inside of IPv6
...
The subnet for an IPv4 address inside of IPv6 is now returned in its
IPv4 form.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2021-11-22 16:46:25 +07:00
Vincent Petry
7e08a4ab15
Fix getting subnet of ipv4 mapped ipv6 addresses
...
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
2021-11-22 14:10:11 +07:00
Joas Schilling
c42f5bc5f6
Add an OCP for trusted domain helper
...
Signed-off-by: Joas Schilling <coding@schilljs.com>
2021-10-28 10:24:16 +07:00
Daniel Kesselberg
240eb02585
Set associative = true for cleanup job
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2021-10-07 20:20:09 +07:00
Lukas Reschke
0dcc5c0e9f
Merge pull request #28728 from nextcloud/add-database-backend-limiter
...
Add database ratelimiting backend
2021-09-13 13:07:37 +07:00
Lukas Reschke
474a5b55d3
Implement review feedback
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-09-13 11:01:35 +07:00
Lukas Reschke
358eaba7dd
Apply suggestions from code review
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com>
2021-09-13 10:43:01 +07:00
Arthur Schiwon
0dee717c94
Confirm mails only per POST
...
- this is to avoid automatic confirmation by certain software that opens
links
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-09-09 19:23:04 +07:00
Arthur Schiwon
a20de15b43
add a job to clean up expired verification tokens
...
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-09-09 14:03:35 +07:00
Arthur Schiwon
19cc757531
move verification token logic out of lost password controller
...
- to make it reusable
- needed for local email verification
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-09-09 14:03:29 +07:00
Lukas Reschke
471167019c
Implement PR review feedback
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-09-07 18:03:34 +07:00
Lukas Reschke
a915372c56
phpcs
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-09-06 17:50:23 +07:00
Lukas Reschke
378cc922c4
Adjust logic to store period instead of current timestamp
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-09-06 17:31:36 +07:00
Lukas Reschke
d4f97affc1
Add database ratelimiting backend
...
In case no distributed memory cache is specified this adds
a database backend for ratelimit purposes.
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-09-06 16:31:01 +07:00
Daniel Kesselberg
0a15043f69
Throw exception if encrypting the data failed.
...
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2021-07-05 10:23:16 +07:00
John Molakvoæ (skjnldsv)
215aef3cbd
Update php licenses
...
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2021-06-04 22:02:41 +07:00
Roeland Jago Douma
ee3dc57cbd
Merge pull request #26626 from J0WI/strict-security
...
Make Security module strict
2021-05-18 08:43:13 +07:00
Morris Jobke
393309b98f
Merge pull request #25714 from nextcloud/fix/23197/explicitly_check_hex2bin_input
...
Explicitly check hex2bin input
2021-04-22 13:23:39 +07:00
J0WI
ca7b37ce5a
Make Security module strict
...
Signed-off-by: J0WI <J0WI@users.noreply.github.com>
2021-04-19 17:31:12 +07:00
Lukas Reschke
e5a4236e68
Increase subnet matcher
...
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-04-07 12:28:59 +07:00
Roeland Jago Douma
16652ac6c6
Explicitly check hex2bin input
...
For #23197
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2021-02-18 20:12:20 +07:00