sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
77,659 Commits
616 Branches
1167 Tags
8.9 GiB
Commit Graph

237 Commits (b0197c5dfcb0dac94de43bfbfa89a2889fc1e30b)

Author SHA1 Message Date
dependabot[bot] bb598c8451
chore(deps): Bump nextcloud/coding-standard in /vendor-bin/cs-fixer 
Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/nextcloud/coding-standard/releases)
- [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nextcloud/coding-standard/compare/v1.3.1...v1.3.2)

---
updated-dependencies:
- dependency-name: nextcloud/coding-standard
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: provokateurin <kate@provokateurin.de>
 2024-10-19 07:57:35 +07:00
Ferdinand Thiessen 2ef74b9860
Merge pull request #47329 from nextcloud/feat/add-datetime-qbmapper-support 
feat(AppFramework): Add full support for date / time / datetime columns
 2024-10-18 19:05:08 +07:00
Git'Fellow a1681b0756 chore(db): Apply query prepared statements 
Fix: psalm

fix: bad file

fix: bug

chore: add batch

chore: add batch

chore: add batch

fix: psalm
 2024-10-17 20:30:47 +07:00
Ferdinand Thiessen db94e10af0
fix: Prevent breaking change in IQueryBuilder 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-10-17 18:31:44 +07:00
Ferdinand Thiessen e314d52118
fix: Adjust parameter type usage and add SQLite support 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-10-17 18:31:44 +07:00
Git'Fellow c254855222 chore(db): Correctly apply query types 
fix: psalm

fix: error

fix: add batch

fix: fatal error

fix: add batch

chore: add batch

chore: add batch

fix: psalm

fix: typo

fix: psalm

fix: return bool

fix: revert Manager
 2024-10-17 09:21:07 +07:00
provokateurin 54ec472d9a
fix(BackgroundJobs): Adjust intervals and time sensitivities 
Signed-off-by: provokateurin <kate@provokateurin.de>
 2024-10-08 11:26:53 +07:00
Richard Steinmetz 19ad13571c
fix: gracefully parse non-standard trusted certificates 
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
 2024-09-24 12:36:09 +07:00
provokateurin 9836e9b164
chore(deps): Update nextcloud/coding-standard to v1.3.1 
Signed-off-by: provokateurin <kate@provokateurin.de>
 2024-09-19 14:21:20 +07:00
Christoph Wurst 1ee833efab
refactor: Replace __CLASS__ with ::class references 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2024-09-15 21:40:55 +07:00
Anna Larch 8af7ecb257 chore: adjust code to adhere to coding standard 
Signed-off-by: Anna Larch <anna@nextcloud.com>
 2024-09-05 21:23:38 +07:00
Daniel Kesselberg af6de04e9e
style: update codestyle for coding-standard 1.2.3 
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
 2024-08-25 19:34:58 +07:00
Ferdinand Thiessen 2916e5df7e
feat: Provide CSP nonce as `<meta>` element 
This way we use the CSP nonce for dynamically loaded scripts.
Important to notice: The CSP nonce must NOT be injected in `content` as
this can lead to value exfiltration using e.g. side-channel attacts (CSS selectors).

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-08-13 10:32:44 +07:00
Ferdinand Thiessen 86f01a3358
fix: Make sure CSP nonce is not double base64 encoded 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-08-13 09:52:33 +07:00
Stephan Orbaugh 9ed2d3e495
Merge pull request #46571 from nextcloud/chore/migrate-to-filenamevalidator 
refactor: Migrate some legacy and core functions to `IFilenameValidator`
 2024-07-22 10:40:50 +07:00
Ferdinand Thiessen 9716b0d735 refactor: Migrate some legacy and core functions to `IFilenameValidator` 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-07-19 19:41:46 +07:00
Benjamin Gaussorgues f1d97a3188
feat(Security): add Factory for IP addresses and ranges 
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2024-07-19 16:28:03 +07:00
Joas Schilling 047479ccf9
feat(security): Add public API to allow validating IP Ranges and checking for "in range" 
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2024-07-19 16:28:03 +07:00
Benjamin Gaussorgues 202e5b1e95
feat(security): restrict admin actions to IP ranges 
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2024-07-19 16:28:03 +07:00
Christopher Ng 415edcac9b chore: More explicit splitHash typing 
Signed-off-by: Christopher Ng <chrng8@gmail.com>
 2024-07-04 17:05:45 +07:00
Christopher Ng d9bf6c432e feat: Add method to validate an IHasher hash 
Signed-off-by: Christopher Ng <chrng8@gmail.com>
 2024-07-04 17:05:45 +07:00
Robin Appelman e140907123 fix: don't use custom certificate bundle if no customer certificates are configured 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2024-06-14 16:27:41 +07:00
John Molakvoæ 258bb03cf5
Merge branch 'master' into refactor/OC-Server-getSecureRandom 
Signed-off-by: John Molakvoæ <skjnldsv@users.noreply.github.com>
 2024-05-30 14:24:22 +07:00
Andy Scherzinger dae7c159f7
chore: Add SPDX header 
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
 2024-05-24 13:11:22 +07:00
Joas Schilling b627e6efe4 fix: Correctly check result of function 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2024-05-15 12:24:25 +07:00
Ferdinand Thiessen 5a513c924f
fix(CSP): Add CSP nonce by default and convert `browserSupportsCspV3` to blocklist 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-03-26 17:08:22 +07:00
Andrew Summers f9ce6bfdff Refactor `OC\Server::getHasher` 
Signed-off-by: Andrew Summers <18727110+summersab@users.noreply.github.com>
 2024-03-15 13:04:27 +07:00
Julius Härtl 02d6d3f5b1
fix: Add edge as supported user agent for CSPv3 nonces 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2024-03-08 12:11:46 +07:00
Joas Schilling 33e1c8b236
fix(security): Handle idn_to_utf8 returning false 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-12-04 10:38:46 +07:00
Joas Schilling aa5f037af7
chore: apply changes from Nextcloud coding standards 1.1.1 
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2023-11-23 10:36:13 +07:00
Ferdinand Thiessen 7df9eb3351 feat(ContentSecurityPolicy): Allow to set `strict-dynamic` on `script-src-elem` only 
This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keep the default rules for `script-src`.
The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2023-11-17 11:12:57 +07:00
Benjamin Gaussorgues f04035caa0
Simplify IP address normalizer with IP masks 
Remove dead code

Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2023-11-08 11:55:07 +07:00
Faraz Samapoor f313ca92e7 Refactors lib/private/Security. 
Mainly using PHP8's constructor property promotion.

Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-09-27 09:03:15 +07:00
Robin Appelman 6b767e060a
Merge pull request #39013 from fsamapoor/refactor_lib_private_security_part3 
[3/3] Refactors lib/private/Security
 2023-09-22 11:13:44 +07:00
Faraz Samapoor 1c023e6666 Update lib/private/Security/Certificate.php 
Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>
 2023-09-21 11:20:12 +07:00
Faraz Samapoor f9596edb00 Updates the typed properties. 
Based on: https://github.com/nextcloud/server/pull/39013#discussion_r1242340826

Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-09-21 11:20:12 +07:00
Faraz Samapoor 4f46656d39 Refactors lib/private/Security. 
Mainly using PHP8's constructor property promotion.

Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-09-21 11:20:12 +07:00
Christoph Wurst e477bb7eaf
feat(appframework): Expose programmatic rate limiter 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-09-20 20:25:27 +07:00
Andrew Summers 1395a53602
Refactor `OC\Server::getSecureRandom` 
Signed-off-by: Andrew Summers <18727110+summersab@users.noreply.github.com>
 2023-08-29 21:32:40 +07:00
Joas Schilling 124588d4a6
fix: Make bypass function public API 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:40:24 +07:00
Joas Schilling fd9b2d488e
feat: Expose if the own IP is allowed to bypass bruteforce protection 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:04 +07:00
Joas Schilling abc98d343c
feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:03 +07:00
Joas Schilling a95800c647
feat(security): Add a bruteforce protection backend base on memcache 
Similar to the ratelimit backend

Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:03 +07:00
Daniel Calviño Sánchez 41f2d912d2 Allow "wasm-unsafe-eval" in CSP 
If a page has a Content Security Policy header and the `script-src` (or
`default-src`) directive does not contain neither `wasm-unsafe-eval` nor
`unsafe-eval` loading and executing WebAssembly is blocked in the page
(although it is still possible to load and execute WebAssembly in a
worker thread).

Although the Nextcloud classes to manage the CSP already supported
allowing `unsafe-eval` this affects not only WebAssembly, but also the
`eval` operation in JavaScript.

To make possible to allow WebAssembly execution without allowing
JavaScript `eval` this commit adds support for allowing
`wasm-unsafe-eval`.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
 2023-08-10 02:38:41 +07:00
Faraz Samapoor e73757b4a5 Refactors lib/private/Security. 
Mainly using PHP8's constructor property promotion.

Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-06-26 15:03:13 +07:00
Robin Appelman 9f1d497a0b
Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_private 
Refactors "strpos" calls in  lib/private to improve code readability.
 2023-06-01 23:10:00 +07:00
Robin Appelman 223612b15a
log failures to read certificates during listing 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2023-05-31 14:40:45 +07:00
Faraz Samapoor e7cc7653b8 Refactors "strpos" calls in lib/private to improve code readability. 
Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>
 2023-05-15 15:17:19 +07:00
John Molakvoæ 46459ae93f
Merge pull request #35092 from Messj1/bugfix/type-error-cert-manager-cache-path 2023-05-04 21:53:49 +07:00
Jan Messer 647c65a640 [BUGFIX] throw exception instead of error if unable to create file handler (only exceptions are catch) 
Signed-off-by: Jan Messer <jan@mtec-studios.ch>
 2023-04-06 23:03:49 +07:00