Commit Graph

41 Commits

Author SHA1 Message Date
b108@volgograd bf167ad3ac Remove duplicate functionality
This functionality implemented in the next line:

$requestUri = preg_replace('%/{2,}%', '/', $requestUri);
2019-01-20 13:29:58 +04:00
Roeland Jago Douma 514426e27d Only trust the X-FORWARDED-HOST header for trusted proxies
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-12-17 15:54:45 +01:00
Morris Jobke dccfe4bf84 Merge pull request #12036 from olivermg/master
Add capability of specifying "trusted_proxies" entries in CIDR notation (IPv4)
2018-10-30 10:49:08 +01:00
Oliver Wegner 401ca28f07 Adding handling of CIDR notation to trusted_proxies for IPv4
Signed-off-by: Oliver Wegner <void1976@gmail.com>
2018-10-30 09:15:42 +01:00
Daniel Kesselberg 986f4df2a5 Add REMOTE_ADDR to getHeader
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2018-10-25 22:26:49 +02:00
Robin Appelman c0a283fefb ensure we always return an array from Request::getParams
Signed-off-by: Robin Appelman <robin@icewind.nl>
2018-08-28 18:11:42 +02:00
Roeland Jago Douma 043a824e6a Fix comments
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma 0ee45d3d20 Fix proper types
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma a229095af1 Make Request strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-22 15:51:19 +01:00
Roeland Jago Douma ca9f364fd4 Fix tests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 10:55:52 +01:00
Roeland Jago Douma bb0c7b2943 Make AppFramework/Http/Dispatcher strict
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-02-21 08:51:46 +01:00
Morris Jobke 4ef302c0be Request->getHeader() should always return a string
PHPDoc (of the public API) says that this method returns string but it also returns null, which is not allowed in some method calls. This fixes that behaviour and returns an empty string and fixes all code paths that explicitly checked for null to be still compliant.

Found while enabling the strict_typing for lib/private for the PHP7+ migration.

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-01-17 09:51:31 +01:00
Roeland Jago Douma ca70694502 Also check for empty content lenth
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-12-14 21:48:59 +01:00
Morris Jobke 31c5c2a592 Change @georgehrke's email
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 20:38:59 +01:00
Morris Jobke 0eebff152a Update license headers
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-06 16:56:19 +01:00
Roeland Jago Douma c257cd57d4 Handle SameSiteCookie check for index.php in AppFramework Middleware
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-09-24 21:07:16 +02:00
Roeland Jago Douma 9717cdfb9e If there is no content don't error
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-09 15:51:13 +02:00
Roeland Jago Douma ede15f0988 Fix L10N::t
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-08-01 08:20:17 +02:00
coderkun bdc7bb1f26 Add IPv6 to “localhost” regex (#440)
Signed-off-by: Oliver Hanraths <olli@coderkun.de>
2017-05-14 21:29:03 +02:00
Joas Schilling 695696a4a6 Use constants
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-04-13 12:04:32 -05:00
Juan Pablo Villafáñez 38e5135cb9 Reorder the entries of the log for easier reading 2017-04-12 13:03:19 +02:00
Roeland Jago Douma 2a9192334e Don't try to parse empty body if there is no body
Fixes #3890

If we do a put request without a body the current code still tries to
read the body. This patch makes sure that we do not try to read the body
if the content length is 0.

See RFC 2616 Section 4.3

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-04-04 08:22:33 +02:00
Roeland Jago Douma 8626ccab1c dont require strict same site cookies for ocs requests
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-03-09 16:48:48 +01:00
Joas Schilling 33fb86f68b Fix detection of the new iOS app
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-10 10:10:21 +01:00
Christoph Wurst 5e728d0eda oc_token should be nc_token
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2017-02-02 21:56:44 +01:00
Lukas Reschke a05b8b7953 Harden cookies more appropriate
This adds the __Host- prefix to the same-site cookies. This is a small but yet nice security hardening.

See https://googlechrome.github.io/samples/cookie-prefixes/ for the implications.

Fixes https://github.com/nextcloud/server/issues/1412

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-11-23 12:53:44 +01:00
Robin Appelman 4235b18a88 allow passing a stream to StreamResponse
Signed-off-by: Robin Appelman <robin@icewind.nl>
2016-11-16 15:30:36 +01:00
Joas Schilling c20ab0049f Identify Chromium as Chrome
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-10-26 12:07:10 +02:00
Joas Schilling f9cea0b582 Merge pull request #797 from nextcloud/only-match-for-auth-cookie
Match only for actual session cookie
2016-08-31 15:59:16 +02:00
Lukas Reschke d50e7ee36c Remove reading PATH_INFO from server variable
Having two code paths for this is unreliable and can lead to bugs. Also, in some cases Apache isn't setting the PATH_INFO variable when mod_rewrite is used.

Fixes https://github.com/nextcloud/server/issues/983
2016-08-19 14:48:13 +02:00
Roeland Jago Douma 8f3dc0ba43 Remove IE_8 user agent string 2016-08-16 21:01:32 +02:00
Lukas Reschke b53ea18ea5 Match only for actual session cookie
OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.
2016-08-09 19:23:08 +02:00
Morris Jobke 8c7d7d7746 Merge pull request #507 from nextcloud/run-le-script
Update emails and license headers with latest changes
2016-07-21 23:27:15 +02:00
Joas Schilling 0215b004da Update with robin 2016-07-21 18:13:58 +02:00
Joas Schilling ba87db3fcc Fix others 2016-07-21 18:13:57 +02:00
Roeland Jago Douma e42f2f2650 AppFramework do not get default response
The OCSResponse differs from other responses in that it defaults to
XML. However we fell back to json by default.

This makes sure that if nothing is set we don't pass anything.
Which defaults then to the controllers default (which is often 'json')
but in the case of the OCSResponse 'xml'.
2016-07-20 22:05:43 +02:00
Lukas Reschke a299fa38a9 [master] Port Same-Site Cookies to master
Fixes https://github.com/nextcloud/server/issues/50
2016-07-20 18:37:57 +02:00
Joas Schilling b1d652e8b0 Copy the regexes to the public interface 2016-07-18 15:11:44 +02:00
Lukas Reschke aba539703c Update license headers 2016-05-26 19:57:24 +02:00
Roeland Jago Douma eb11ed1851 Make ownCloud work again in php 7.0.6
See https://bugs.php.net/bug.php?id=72117
2016-04-28 12:23:17 +02:00
Roeland Jago Douma 1d33a5ef13 Move \OC\AppFramework to PSR-4
* Also moved the autoloader setup a bit up since we need it in initpaths
2016-04-22 15:28:09 +02:00