averello/nextcloud-server-mirror
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-03-08 18:28:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
72,532 Commits 732 Branches 1,186 Tags
2cf4f08353dfb6a162aaf3a0bfa39a35f94de4c6
Commit Graph

98 Commits

Author SHA1 Message Date
Florian Klinger
ca655ba100 fix: add check for app_api_system session flag to bypass rate limit 
Signed-off-by: Florian Klinger <florian.klinger@nextcloud.com>
Signed-off-by: Andrey Borysenko <andrey18106x@gmail.com>
 2024-04-17 11:22:05 +02:00
Joas Schilling
aa5f037af7 chore: apply changes from Nextcloud coding standards 1.1.1 
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2023-11-23 10:36:13 +01:00
Alexander Piskun
0b8a3b578d fixed Drone test 
Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
 2023-10-06 13:46:37 +03:00
Alexander Piskun
f16c9f42c6 added CORS skip if session was created by AppAPI 
Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
 2023-10-02 11:08:21 +03:00
Christoph Wurst
e477bb7eaf feat(appframework): Expose programmatic rate limiter 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-09-20 20:25:27 +02:00
Joas Schilling
25309bcb45 techdebt(DI): Use public IThrottler interface which exists since Nextcloud 25 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-28 15:50:45 +02:00
Joas Schilling
381c35080d fix(middleware): Fix header injection for bruteforce middleware 
Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons
So shifting back to old standard practise for now

Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-22 16:00:39 +02:00
Joas Schilling
2f06f2355d feat: Add a header which signals that the request was throttled 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:04 +02:00
jld3103
12f8543815 Rewrite OCS CSRF check to be readable 
Signed-off-by: jld3103 <jld3103yt@gmail.com>
 2023-08-16 15:52:36 +02:00
Robin Appelman
9f1d497a0b Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_private 
Refactors "strpos" calls in  lib/private to improve code readability.
 2023-06-01 23:10:00 +02:00
Joas Schilling
3a6bc7aba2 fix(middleware): Also abort the request when reaching max delay in afterController 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-05-15 16:20:19 +02:00
Faraz Samapoor
e7cc7653b8 Refactors "strpos" calls in lib/private to improve code readability. 
Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>
 2023-05-15 15:17:19 +03:30
Joas Schilling
ecb8b55c5c feat(security): Add PHP \Attribute for remaining security annotations 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-04-25 14:50:32 +02:00
Joas Schilling
89c3c31402 feat(ratelimit): Add Attributes support to rate limit middleware 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-04-24 12:24:48 +02:00
Christoph Wurst
a06898a2d0 fix(security)!: Use consistent HTTP status for strict cookie checks 
Before: 503/412
Now: 412 + json body explaining the error

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-04-17 16:06:37 +00:00
Joas Schilling
2b49861679 Add a debug message when throttling without defining 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-03-08 12:09:22 +01:00
Joas Schilling
e839eb9b5c feat(middleware): Migrate BruteForceProtection annotation to PHP Attribute and allow multiple 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-03-08 12:09:22 +01:00
Ferdinand Thiessen
f655f83c84 fix(CORS): CORS should only be bypassed on PublicPage if not logged in to prevent CSRF attack vectors 
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
 2023-02-16 22:55:18 +01:00
Côme Chilliet
f5c361cf44 composer run cs:fix 
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
 2023-01-20 11:45:08 +01:00
Jonas Rittershofer
c8b7a233a5 Allow CSRF on CORS routes 
Co-authored-by: Julius Härtl <jus@bitgrid.net>
Co-authored-by: Andreas Brinner <andreas@everlanes.net>
Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>
 2022-09-21 10:42:00 +00:00
Carl Schwan
b70c6a128f Update core to PHP 7.4 standard 
- Typed properties
- Port to LoggerInterface

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-05-20 22:18:06 +02:00
Vincent Petry
80388663af Add direct arg to login flow 
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Co-Authored-by: Carl Schwan <carl@carlschwan.eu>
 2022-03-28 10:28:45 +02:00
Carl Schwan
6312c0df69 Check style update 
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2022-01-13 00:19:07 +01:00
Julius Härtl
61dd1d3d97 Pass username prefill through unauthenticated request redirects 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2021-12-29 11:52:31 +01:00
Carl Schwan
6958d8005a Add admin privilege delegation for admin settings 
This makes it possible for selected groups to access some settings
pages.

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
 2021-09-29 21:43:31 +02:00
John Molakvoæ (skjnldsv)
215aef3cbd Update php licenses 
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
 2021-06-04 22:02:41 +02:00
korelstar
b38e8678e4 fix error when using CORS with no auth credentials 2021-05-18 07:11:10 +02:00
Christoph Wurst
99f0b10421 Merge pull request #26591 from nextcloud/techdebt/noid/less-ilogger 
Less ILogger
 2021-04-27 15:38:12 +02:00
Joas Schilling
56ae87c281 Less ILogger 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2021-04-27 14:34:32 +02:00
Joas Schilling
174f4dd043 Fix ratelimit template 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2021-04-27 13:55:34 +02:00
Christoph Wurst
d9015a8c94 Format code to a single space around binary operators 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-10-05 20:25:24 +02:00
Christoph Wurst
2a054e6c04 Update the license headers for Nextcloud 20 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-08-24 14:54:25 +02:00
Joas Schilling
35a8519591 Fix CS 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:36 +02:00
Joas Schilling
e66bc4a8a7 Send "429 Too Many Requests" in case of brute force protection 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-08-19 11:20:35 +02:00
Holger Hees
e70249e089 Update SecurityMiddleware.php 
OC::$WEBROOT can be empty in case if your nextcloud installation has no url prefix. This will result in an empty Location Header.

in other areas OC::$WEBROOT is always used together with an /
 2020-07-06 21:34:46 +02:00
Christoph Wurst
cb057829f7 Update license headers for 19 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-04-29 11:57:22 +02:00
Christoph Wurst
caff1023ea Format control structures, classes, methods and function 
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is pracrically standard for our
code.

This also removes and empty lines from method/function bodies at the
beginning and end.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-04-10 14:19:56 +02:00
Christoph Wurst
afbd9c4e6e Unify function spacing to PSR2 recommendation 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-04-09 13:54:22 +02:00
Christoph Wurst
2fbad1ed72 Fix (array) indent style to always use one tab 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-04-09 10:16:08 +02:00
Christoph Wurst
74936c49ea Remove unused imports 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2020-03-25 22:08:08 +01:00
Joas Schilling
d445f9b9fe Fix loaded controller check 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2020-01-21 16:35:10 +01:00
Christoph Wurst
5bf3d1bb38 Update license headers 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2019-12-05 15:38:45 +01:00
Roeland Jago Douma
68748d4f85 Some php-cs fixes 
* Order the imports
* No leading slash on imports
* Empty line before namespace
* One line per import
* Empty after imports
* Emmpty line at bottom of file

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2019-11-22 20:52:10 +01:00
Joas Schilling
6ad54f3f27 Merge pull request #17850 from nextcloud/bugfix/noid/mark-spreed-as-active-on-call-urls 
Mark "Talk" active on /call/token URLs
 2019-11-20 10:33:45 +01:00
Daniel Kesselberg
9055f46351 Make phan happy ;) 
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
 2019-11-19 16:16:26 +01:00
Arthur Schiwon
0a1937208f Fixes a 500 without userid 
plus cleanup of unused use statements

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
 2019-11-16 01:10:19 +01:00
Joas Schilling
15f00f0126 Mark "Talk" active on /call/token URLs 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2019-11-12 21:39:20 +01:00
Roeland Jago Douma
b8c5008acf Add feature policy header 
This adds the events and the classes to modify the feature policy.
It also adds a default restricted feature policy.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2019-08-10 14:26:22 +02:00
Roeland Jago Douma
37a4282c7a Split up security middleware 
With upcoming work for the feature policy header. Splitting this in
smaller classes that just do 1 thing makes sense.

I rather have a few small classes that are tiny and do 1 thing right
(and we all understand what is going on) than have big ones.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
 2019-07-27 16:11:45 +02:00
Christoph Wurst
22ae682823 Make it possible to show admin settings for sub admins 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2019-05-23 20:31:40 +02:00