averello/nextcloud-server-mirror
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-03-04 18:28:08 +01:00
Code Issues Packages Projects Releases Wiki Activity
77,659 Commits 712 Branches 1,186 Tags
b0197c5dfcb0dac94de43bfbfa89a2889fc1e30b
Commit Graph

237 Commits

Author SHA1 Message Date
dependabot[bot]
bb598c8451 chore(deps): Bump nextcloud/coding-standard in /vendor-bin/cs-fixer 
Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/nextcloud/coding-standard/releases)
- [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nextcloud/coding-standard/compare/v1.3.1...v1.3.2)

---
updated-dependencies:
- dependency-name: nextcloud/coding-standard
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: provokateurin <kate@provokateurin.de>
 2024-10-19 07:57:35 +02:00
Ferdinand Thiessen
2ef74b9860 Merge pull request #47329 from nextcloud/feat/add-datetime-qbmapper-support 
feat(AppFramework): Add full support for date / time / datetime columns
 2024-10-18 19:05:08 +02:00
Git'Fellow
a1681b0756 chore(db): Apply query prepared statements 
Fix: psalm

fix: bad file

fix: bug

chore: add batch

chore: add batch

chore: add batch

fix: psalm
 2024-10-17 20:30:47 +02:00
Ferdinand Thiessen
db94e10af0 fix: Prevent breaking change in IQueryBuilder 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-10-17 18:31:44 +02:00
Ferdinand Thiessen
e314d52118 fix: Adjust parameter type usage and add SQLite support 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-10-17 18:31:44 +02:00
Git'Fellow
c254855222 chore(db): Correctly apply query types 
fix: psalm

fix: error

fix: add batch

fix: fatal error

fix: add batch

chore: add batch

chore: add batch

fix: psalm

fix: typo

fix: psalm

fix: return bool

fix: revert Manager
 2024-10-17 09:21:07 +02:00
provokateurin
54ec472d9a fix(BackgroundJobs): Adjust intervals and time sensitivities 
Signed-off-by: provokateurin <kate@provokateurin.de>
 2024-10-08 11:26:53 +02:00
Richard Steinmetz
19ad13571c fix: gracefully parse non-standard trusted certificates 
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
 2024-09-24 12:36:09 +02:00
provokateurin
9836e9b164 chore(deps): Update nextcloud/coding-standard to v1.3.1 
Signed-off-by: provokateurin <kate@provokateurin.de>
 2024-09-19 14:21:20 +02:00
Christoph Wurst
1ee833efab refactor: Replace __CLASS__ with ::class references 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2024-09-15 21:40:55 +02:00
Anna Larch
8af7ecb257 chore: adjust code to adhere to coding standard 
Signed-off-by: Anna Larch <anna@nextcloud.com>
 2024-09-05 21:23:38 +02:00
Daniel Kesselberg
af6de04e9e style: update codestyle for coding-standard 1.2.3 
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
 2024-08-25 19:34:58 +02:00
Ferdinand Thiessen
2916e5df7e feat: Provide CSP nonce as <meta> element 
This way we use the CSP nonce for dynamically loaded scripts.
Important to notice: The CSP nonce must NOT be injected in `content` as
this can lead to value exfiltration using e.g. side-channel attacts (CSS selectors).

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-08-13 10:32:44 +02:00
Ferdinand Thiessen
86f01a3358 fix: Make sure CSP nonce is not double base64 encoded 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-08-13 09:52:33 +02:00
Stephan Orbaugh
9ed2d3e495 Merge pull request #46571 from nextcloud/chore/migrate-to-filenamevalidator 
refactor: Migrate some legacy and core functions to `IFilenameValidator`
 2024-07-22 10:40:50 +02:00
Ferdinand Thiessen
9716b0d735 refactor: Migrate some legacy and core functions to IFilenameValidator 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-07-19 19:41:46 +02:00
Benjamin Gaussorgues
f1d97a3188 feat(Security): add Factory for IP addresses and ranges 
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2024-07-19 16:28:03 +02:00
Joas Schilling
047479ccf9 feat(security): Add public API to allow validating IP Ranges and checking for "in range" 
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2024-07-19 16:28:03 +02:00
Benjamin Gaussorgues
202e5b1e95 feat(security): restrict admin actions to IP ranges 
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2024-07-19 16:28:03 +02:00
Christopher Ng
415edcac9b chore: More explicit splitHash typing 
Signed-off-by: Christopher Ng <chrng8@gmail.com>
 2024-07-04 17:05:45 -07:00
Christopher Ng
d9bf6c432e feat: Add method to validate an IHasher hash 
Signed-off-by: Christopher Ng <chrng8@gmail.com>
 2024-07-04 17:05:45 -07:00
Robin Appelman
e140907123 fix: don't use custom certificate bundle if no customer certificates are configured 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2024-06-14 16:27:41 +02:00
John Molakvoæ
258bb03cf5 Merge branch 'master' into refactor/OC-Server-getSecureRandom 
Signed-off-by: John Molakvoæ <skjnldsv@users.noreply.github.com>
 2024-05-30 14:24:22 +02:00
Andy Scherzinger
dae7c159f7 chore: Add SPDX header 
Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de>
 2024-05-24 13:11:22 +02:00
Joas Schilling
b627e6efe4 fix: Correctly check result of function 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2024-05-15 12:24:25 +02:00
Ferdinand Thiessen
5a513c924f fix(CSP): Add CSP nonce by default and convert browserSupportsCspV3 to blocklist 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2024-03-26 17:08:22 +01:00
Andrew Summers
f9ce6bfdff Refactor OC\Server::getHasher 
Signed-off-by: Andrew Summers <18727110+summersab@users.noreply.github.com>
 2024-03-15 13:04:27 +01:00
Julius Härtl
02d6d3f5b1 fix: Add edge as supported user agent for CSPv3 nonces 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
 2024-03-08 12:11:46 +01:00
Joas Schilling
33e1c8b236 fix(security): Handle idn_to_utf8 returning false 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-12-04 10:38:46 +01:00
Joas Schilling
aa5f037af7 chore: apply changes from Nextcloud coding standards 1.1.1 
Signed-off-by: Joas Schilling <coding@schilljs.com>
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2023-11-23 10:36:13 +01:00
Ferdinand Thiessen
7df9eb3351 feat(ContentSecurityPolicy): Allow to set strict-dynamic on script-src-elem only 
This adds the possibility to set `strict-dynamic` on `script-src-elem` only while keep the default rules for `script-src`.
The idea is to allow loading module js which imports other files and thus does not allow nonces on import but on the initial script tag.

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
 2023-11-17 11:12:57 +01:00
Benjamin Gaussorgues
f04035caa0 Simplify IP address normalizer with IP masks 
Remove dead code

Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
 2023-11-08 11:55:07 +01:00
Faraz Samapoor
f313ca92e7 Refactors lib/private/Security. 
Mainly using PHP8's constructor property promotion.

Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-09-27 09:03:15 +03:30
Robin Appelman
6b767e060a Merge pull request #39013 from fsamapoor/refactor_lib_private_security_part3 
[3/3] Refactors lib/private/Security
 2023-09-22 11:13:44 +02:00
Faraz Samapoor
1c023e6666 Update lib/private/Security/Certificate.php 
Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
Signed-off-by: Faraz Samapoor <f.samapoor@gmail.com>
 2023-09-21 11:20:12 +03:30
Faraz Samapoor
f9596edb00 Updates the typed properties. 
Based on: https://github.com/nextcloud/server/pull/39013#discussion_r1242340826

Co-authored-by: Côme Chilliet <91878298+come-nc@users.noreply.github.com>
Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-09-21 11:20:12 +03:30
Faraz Samapoor
4f46656d39 Refactors lib/private/Security. 
Mainly using PHP8's constructor property promotion.

Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-09-21 11:20:12 +03:30
Christoph Wurst
e477bb7eaf feat(appframework): Expose programmatic rate limiter 
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
 2023-09-20 20:25:27 +02:00
Andrew Summers
1395a53602 Refactor OC\Server::getSecureRandom 
Signed-off-by: Andrew Summers <18727110+summersab@users.noreply.github.com>
 2023-08-29 21:32:40 -05:00
Joas Schilling
124588d4a6 fix: Make bypass function public API 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:40:24 +02:00
Joas Schilling
fd9b2d488e feat: Expose if the own IP is allowed to bypass bruteforce protection 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:04 +02:00
Joas Schilling
abc98d343c feat(security): Add a "testing mode" for bruteforce protection that doesn't sleep 
Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:03 +02:00
Joas Schilling
a95800c647 feat(security): Add a bruteforce protection backend base on memcache 
Similar to the ratelimit backend

Signed-off-by: Joas Schilling <coding@schilljs.com>
 2023-08-21 16:36:03 +02:00
Daniel Calviño Sánchez
41f2d912d2 Allow "wasm-unsafe-eval" in CSP 
If a page has a Content Security Policy header and the `script-src` (or
`default-src`) directive does not contain neither `wasm-unsafe-eval` nor
`unsafe-eval` loading and executing WebAssembly is blocked in the page
(although it is still possible to load and execute WebAssembly in a
worker thread).

Although the Nextcloud classes to manage the CSP already supported
allowing `unsafe-eval` this affects not only WebAssembly, but also the
`eval` operation in JavaScript.

To make possible to allow WebAssembly execution without allowing
JavaScript `eval` this commit adds support for allowing
`wasm-unsafe-eval`.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
 2023-08-10 02:38:41 +02:00
Faraz Samapoor
e73757b4a5 Refactors lib/private/Security. 
Mainly using PHP8's constructor property promotion.

Signed-off-by: Faraz Samapoor <fsa@adlas.at>
 2023-06-26 15:03:13 +03:30
Robin Appelman
9f1d497a0b Merge pull request #38261 from fsamapoor/replace_strpos_calls_in_lib_private 
Refactors "strpos" calls in  lib/private to improve code readability.
 2023-06-01 23:10:00 +02:00
Robin Appelman
223612b15a log failures to read certificates during listing 
Signed-off-by: Robin Appelman <robin@icewind.nl>
 2023-05-31 14:40:45 +02:00
Faraz Samapoor
e7cc7653b8 Refactors "strpos" calls in lib/private to improve code readability. 
Signed-off-by: Faraz Samapoor <fsamapoor@gmail.com>
 2023-05-15 15:17:19 +03:30
John Molakvoæ
46459ae93f Merge pull request #35092 from Messj1/bugfix/type-error-cert-manager-cache-path 2023-05-04 21:53:49 +02:00
Jan Messer
647c65a640 [BUGFIX] throw exception instead of error if unable to create file handler (only exceptions are catch) 
Signed-off-by: Jan Messer <jan@mtec-studios.ch>
 2023-04-06 23:03:49 +02:00