This currently prevent directly accessing a ressource when clicking on a link on a third party site. Example, clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment.
Skipping the check is an issue with password protected shares, as it allows third party sites to request the ressource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add the it again in the `PublicAuth` plugin.
We also add a redirect to be helpful to the user.
**Warning**: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view.
Fix#52482
Signed-off-by: Louis Chemineau <louis@chmn.me>
A recent change had broken authentication with an older
FastCGI Apache2 module, because the IRequest object got
initialised before the fix from self::handleAuthHeaders()
copied the authentication headers into the correct $_SERVER
variables.
Since this part is completely independent from any Nextcloud
code it is now done as a first thing within the init() call.
Additionally similar issues could happen when another class
would boot too early and read other global PHP settings like
ini values and default timezone, so those are now also moved
to the beginning.
Signed-off-by: Joas Schilling <coding@schilljs.com>
Due to commit 33d7019 session.cookie_secure=true is not set when accessing /status.php.
This results in a degration from A+ to A rating due to missing __Host prefix for nc_sameSiteCookielax and nc_sameSiteCookiestrict cookies.
We basically mock the way `URLGenerator::getAbsoluteURL` works,
so we must make sure that the URL might already contain the webroot.
Because `baseURL` and `cliURL` also contain the webroot we need to remove
the webroot from the URL first.
Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
Co-authored-by: Daniel <mail@danielkesselberg.de>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Fixes#2180
And prevents #31473, #23970, #18610, #15708
Avoids a 500 error and also gives a useful error message on the web interface if this module isn't installed, gets overlooked during a PHP upgrade, etc.
While we check for it later, it's too late for session.
Inspired by #17163
Signed-off-by: Josh Richards <josh.t.richards@gmail.com>
Changing gc_maxlifetime cannot have any effect because this configuration option does not exist. There is a configuration option named session.gc_maxlifetime.
I removed the ini_set call because autoconfiguring is error-prone, and the current code could never have worked as intended.
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
If an incompatible app is enabled manually, it is added to the "app_install_overwrite" array in config.php. Nextcloud upgrades won't disable any app in this array, but they were still shown on the upgrade page and logs as being disabled.
This commit assures that only apps which are really disabled, i.e. which are not in the "app_install_overwrite" array, are shown and logged as disabled during upgrades.
Signed-off-by: MichaIng <micha@dietpi.com>
Côme Chilliet
Samuel Bizien Filippi
Ferdinand Thiessen
Louis
Côme Chilliet
Julius Knorr
Joas Schilling
Stephan Orbaugh
provokateurin
DaleBCooper
Git'Fellow
Maxence Lange
Daniel Kesselberg
Josh Richards
Christoph Wurst
Andy Scherzinger
MichaIng
John Molakvoæ