nextcloud /
server
@@ -25,99 +25,99 @@ |
||
| 25 | 25 | |
| 26 | 26 | class LegacySetting implements ISetting { |
| 27 | 27 | |
| 28 | - /** @var string */ |
|
| 29 | - protected $identifier; |
|
| 30 | - /** @var string */ |
|
| 31 | - protected $name; |
|
| 32 | - /** @var bool */ |
|
| 33 | - protected $canChangeStream; |
|
| 34 | - /** @var bool */ |
|
| 35 | - protected $isDefaultEnabledStream; |
|
| 36 | - /** @var bool */ |
|
| 37 | - protected $canChangeMail; |
|
| 38 | - /** @var bool */ |
|
| 39 | - protected $isDefaultEnabledMail; |
|
| 28 | + /** @var string */ |
|
| 29 | + protected $identifier; |
|
| 30 | + /** @var string */ |
|
| 31 | + protected $name; |
|
| 32 | + /** @var bool */ |
|
| 33 | + protected $canChangeStream; |
|
| 34 | + /** @var bool */ |
|
| 35 | + protected $isDefaultEnabledStream; |
|
| 36 | + /** @var bool */ |
|
| 37 | + protected $canChangeMail; |
|
| 38 | + /** @var bool */ |
|
| 39 | + protected $isDefaultEnabledMail; |
|
| 40 | 40 | |
| 41 | - /** |
|
| 42 | - * LegacySetting constructor. |
|
| 43 | - * |
|
| 44 | - * @param string $identifier |
|
| 45 | - * @param string $name |
|
| 46 | - * @param bool $canChangeStream |
|
| 47 | - * @param bool $isDefaultEnabledStream |
|
| 48 | - * @param bool $canChangeMail |
|
| 49 | - * @param bool $isDefaultEnabledMail |
|
| 50 | - */ |
|
| 51 | - public function __construct($identifier, |
|
| 52 | - $name, |
|
| 53 | - $canChangeStream, |
|
| 54 | - $isDefaultEnabledStream, |
|
| 55 | - $canChangeMail, |
|
| 56 | - $isDefaultEnabledMail) { |
|
| 57 | - $this->identifier = $identifier; |
|
| 58 | - $this->name = $name; |
|
| 59 | - $this->canChangeStream = $canChangeStream; |
|
| 60 | - $this->isDefaultEnabledStream = $isDefaultEnabledStream; |
|
| 61 | - $this->canChangeMail = $canChangeMail; |
|
| 62 | - $this->isDefaultEnabledMail = $isDefaultEnabledMail; |
|
| 63 | - } |
|
| 41 | + /** |
|
| 42 | + * LegacySetting constructor. |
|
| 43 | + * |
|
| 44 | + * @param string $identifier |
|
| 45 | + * @param string $name |
|
| 46 | + * @param bool $canChangeStream |
|
| 47 | + * @param bool $isDefaultEnabledStream |
|
| 48 | + * @param bool $canChangeMail |
|
| 49 | + * @param bool $isDefaultEnabledMail |
|
| 50 | + */ |
|
| 51 | + public function __construct($identifier, |
|
| 52 | + $name, |
|
| 53 | + $canChangeStream, |
|
| 54 | + $isDefaultEnabledStream, |
|
| 55 | + $canChangeMail, |
|
| 56 | + $isDefaultEnabledMail) { |
|
| 57 | + $this->identifier = $identifier; |
|
| 58 | + $this->name = $name; |
|
| 59 | + $this->canChangeStream = $canChangeStream; |
|
| 60 | + $this->isDefaultEnabledStream = $isDefaultEnabledStream; |
|
| 61 | + $this->canChangeMail = $canChangeMail; |
|
| 62 | + $this->isDefaultEnabledMail = $isDefaultEnabledMail; |
|
| 63 | + } |
|
| 64 | 64 | |
| 65 | - /** |
|
| 66 | - * @return string Lowercase a-z and underscore only identifier |
|
| 67 | - * @since 11.0.0 |
|
| 68 | - */ |
|
| 69 | - public function getIdentifier() { |
|
| 70 | - return $this->identifier; |
|
| 71 | - } |
|
| 65 | + /** |
|
| 66 | + * @return string Lowercase a-z and underscore only identifier |
|
| 67 | + * @since 11.0.0 |
|
| 68 | + */ |
|
| 69 | + public function getIdentifier() { |
|
| 70 | + return $this->identifier; |
|
| 71 | + } |
|
| 72 | 72 | |
| 73 | - /** |
|
| 74 | - * @return string A translated string |
|
| 75 | - * @since 11.0.0 |
|
| 76 | - */ |
|
| 77 | - public function getName() { |
|
| 78 | - return $this->name; |
|
| 79 | - } |
|
| 73 | + /** |
|
| 74 | + * @return string A translated string |
|
| 75 | + * @since 11.0.0 |
|
| 76 | + */ |
|
| 77 | + public function getName() { |
|
| 78 | + return $this->name; |
|
| 79 | + } |
|
| 80 | 80 | |
| 81 | - /** |
|
| 82 | - * @return int whether the filter should be rather on the top or bottom of |
|
| 83 | - * the admin section. The filters are arranged in ascending order of the |
|
| 84 | - * priority values. It is required to return a value between 0 and 100. |
|
| 85 | - * @since 11.0.0 |
|
| 86 | - */ |
|
| 87 | - public function getPriority() { |
|
| 88 | - return 70; |
|
| 89 | - } |
|
| 81 | + /** |
|
| 82 | + * @return int whether the filter should be rather on the top or bottom of |
|
| 83 | + * the admin section. The filters are arranged in ascending order of the |
|
| 84 | + * priority values. It is required to return a value between 0 and 100. |
|
| 85 | + * @since 11.0.0 |
|
| 86 | + */ |
|
| 87 | + public function getPriority() { |
|
| 88 | + return 70; |
|
| 89 | + } |
|
| 90 | 90 | |
| 91 | - /** |
|
| 92 | - * @return bool True when the option can be changed for the stream |
|
| 93 | - * @since 11.0.0 |
|
| 94 | - */ |
|
| 95 | - public function canChangeStream() { |
|
| 96 | - return $this->canChangeStream; |
|
| 97 | - } |
|
| 91 | + /** |
|
| 92 | + * @return bool True when the option can be changed for the stream |
|
| 93 | + * @since 11.0.0 |
|
| 94 | + */ |
|
| 95 | + public function canChangeStream() { |
|
| 96 | + return $this->canChangeStream; |
|
| 97 | + } |
|
| 98 | 98 | |
| 99 | - /** |
|
| 100 | - * @return bool True when the option can be changed for the stream |
|
| 101 | - * @since 11.0.0 |
|
| 102 | - */ |
|
| 103 | - public function isDefaultEnabledStream() { |
|
| 104 | - return $this->isDefaultEnabledStream; |
|
| 105 | - } |
|
| 99 | + /** |
|
| 100 | + * @return bool True when the option can be changed for the stream |
|
| 101 | + * @since 11.0.0 |
|
| 102 | + */ |
|
| 103 | + public function isDefaultEnabledStream() { |
|
| 104 | + return $this->isDefaultEnabledStream; |
|
| 105 | + } |
|
| 106 | 106 | |
| 107 | - /** |
|
| 108 | - * @return bool True when the option can be changed for the mail |
|
| 109 | - * @since 11.0.0 |
|
| 110 | - */ |
|
| 111 | - public function canChangeMail() { |
|
| 112 | - return $this->canChangeMail; |
|
| 113 | - } |
|
| 107 | + /** |
|
| 108 | + * @return bool True when the option can be changed for the mail |
|
| 109 | + * @since 11.0.0 |
|
| 110 | + */ |
|
| 111 | + public function canChangeMail() { |
|
| 112 | + return $this->canChangeMail; |
|
| 113 | + } |
|
| 114 | 114 | |
| 115 | - /** |
|
| 116 | - * @return bool True when the option can be changed for the stream |
|
| 117 | - * @since 11.0.0 |
|
| 118 | - */ |
|
| 119 | - public function isDefaultEnabledMail() { |
|
| 120 | - return $this->isDefaultEnabledMail; |
|
| 121 | - } |
|
| 115 | + /** |
|
| 116 | + * @return bool True when the option can be changed for the stream |
|
| 117 | + * @since 11.0.0 |
|
| 118 | + */ |
|
| 119 | + public function isDefaultEnabledMail() { |
|
| 120 | + return $this->isDefaultEnabledMail; |
|
| 121 | + } |
|
| 122 | 122 | } |
| 123 | 123 | |
@@ -29,52 +29,52 @@ |
||
| 29 | 29 | * @package OC\Security\CSP |
| 30 | 30 | */ |
| 31 | 31 | class ContentSecurityPolicyNonceManager { |
| 32 | - /** @var CsrfTokenManager */ |
|
| 33 | - private $csrfTokenManager; |
|
| 34 | - /** @var IRequest */ |
|
| 35 | - private $request; |
|
| 36 | - /** @var string */ |
|
| 37 | - private $nonce = ''; |
|
| 32 | + /** @var CsrfTokenManager */ |
|
| 33 | + private $csrfTokenManager; |
|
| 34 | + /** @var IRequest */ |
|
| 35 | + private $request; |
|
| 36 | + /** @var string */ |
|
| 37 | + private $nonce = ''; |
|
| 38 | 38 | |
| 39 | - /** |
|
| 40 | - * @param CsrfTokenManager $csrfTokenManager |
|
| 41 | - * @param IRequest $request |
|
| 42 | - */ |
|
| 43 | - public function __construct(CsrfTokenManager $csrfTokenManager, |
|
| 44 | - IRequest $request) { |
|
| 45 | - $this->csrfTokenManager = $csrfTokenManager; |
|
| 46 | - $this->request = $request; |
|
| 47 | - } |
|
| 39 | + /** |
|
| 40 | + * @param CsrfTokenManager $csrfTokenManager |
|
| 41 | + * @param IRequest $request |
|
| 42 | + */ |
|
| 43 | + public function __construct(CsrfTokenManager $csrfTokenManager, |
|
| 44 | + IRequest $request) { |
|
| 45 | + $this->csrfTokenManager = $csrfTokenManager; |
|
| 46 | + $this->request = $request; |
|
| 47 | + } |
|
| 48 | 48 | |
| 49 | - /** |
|
| 50 | - * Returns the current CSP nounce |
|
| 51 | - * |
|
| 52 | - * @return string |
|
| 53 | - */ |
|
| 54 | - public function getNonce() { |
|
| 55 | - if($this->nonce === '') { |
|
| 56 | - $this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue()); |
|
| 57 | - } |
|
| 49 | + /** |
|
| 50 | + * Returns the current CSP nounce |
|
| 51 | + * |
|
| 52 | + * @return string |
|
| 53 | + */ |
|
| 54 | + public function getNonce() { |
|
| 55 | + if($this->nonce === '') { |
|
| 56 | + $this->nonce = base64_encode($this->csrfTokenManager->getToken()->getEncryptedValue()); |
|
| 57 | + } |
|
| 58 | 58 | |
| 59 | - return $this->nonce; |
|
| 60 | - } |
|
| 59 | + return $this->nonce; |
|
| 60 | + } |
|
| 61 | 61 | |
| 62 | - /** |
|
| 63 | - * Check if the browser supports CSP v3 |
|
| 64 | - * |
|
| 65 | - * @return bool |
|
| 66 | - */ |
|
| 67 | - public function browserSupportsCspV3() { |
|
| 68 | - $browserWhitelist = [ |
|
| 69 | - Request::USER_AGENT_CHROME, |
|
| 70 | - // Firefox 45+ |
|
| 71 | - '/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/(4[5-9]|[5-9][0-9])\.[0-9.]+$/', |
|
| 72 | - ]; |
|
| 62 | + /** |
|
| 63 | + * Check if the browser supports CSP v3 |
|
| 64 | + * |
|
| 65 | + * @return bool |
|
| 66 | + */ |
|
| 67 | + public function browserSupportsCspV3() { |
|
| 68 | + $browserWhitelist = [ |
|
| 69 | + Request::USER_AGENT_CHROME, |
|
| 70 | + // Firefox 45+ |
|
| 71 | + '/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/(4[5-9]|[5-9][0-9])\.[0-9.]+$/', |
|
| 72 | + ]; |
|
| 73 | 73 | |
| 74 | - if($this->request->isUserAgent($browserWhitelist)) { |
|
| 75 | - return true; |
|
| 76 | - } |
|
| 74 | + if($this->request->isUserAgent($browserWhitelist)) { |
|
| 75 | + return true; |
|
| 76 | + } |
|
| 77 | 77 | |
| 78 | - return false; |
|
| 79 | - } |
|
| 78 | + return false; |
|
| 79 | + } |
|
| 80 | 80 | } |
@@ -29,172 +29,172 @@ |
||
| 29 | 29 | * @package OC\Security\CSP |
| 30 | 30 | */ |
| 31 | 31 | class ContentSecurityPolicy extends \OCP\AppFramework\Http\ContentSecurityPolicy { |
| 32 | - /** |
|
| 33 | - * @return boolean |
|
| 34 | - */ |
|
| 35 | - public function isInlineScriptAllowed() { |
|
| 36 | - return $this->inlineScriptAllowed; |
|
| 37 | - } |
|
| 38 | - |
|
| 39 | - /** |
|
| 40 | - * @param boolean $inlineScriptAllowed |
|
| 41 | - */ |
|
| 42 | - public function setInlineScriptAllowed($inlineScriptAllowed) { |
|
| 43 | - $this->inlineScriptAllowed = $inlineScriptAllowed; |
|
| 44 | - } |
|
| 45 | - |
|
| 46 | - /** |
|
| 47 | - * @return boolean |
|
| 48 | - */ |
|
| 49 | - public function isEvalScriptAllowed() { |
|
| 50 | - return $this->evalScriptAllowed; |
|
| 51 | - } |
|
| 52 | - |
|
| 53 | - /** |
|
| 54 | - * @param boolean $evalScriptAllowed |
|
| 55 | - */ |
|
| 56 | - public function setEvalScriptAllowed($evalScriptAllowed) { |
|
| 57 | - $this->evalScriptAllowed = $evalScriptAllowed; |
|
| 58 | - } |
|
| 59 | - |
|
| 60 | - /** |
|
| 61 | - * @return array |
|
| 62 | - */ |
|
| 63 | - public function getAllowedScriptDomains() { |
|
| 64 | - return $this->allowedScriptDomains; |
|
| 65 | - } |
|
| 66 | - |
|
| 67 | - /** |
|
| 68 | - * @param array $allowedScriptDomains |
|
| 69 | - */ |
|
| 70 | - public function setAllowedScriptDomains($allowedScriptDomains) { |
|
| 71 | - $this->allowedScriptDomains = $allowedScriptDomains; |
|
| 72 | - } |
|
| 73 | - |
|
| 74 | - /** |
|
| 75 | - * @return boolean |
|
| 76 | - */ |
|
| 77 | - public function isInlineStyleAllowed() { |
|
| 78 | - return $this->inlineStyleAllowed; |
|
| 79 | - } |
|
| 80 | - |
|
| 81 | - /** |
|
| 82 | - * @param boolean $inlineStyleAllowed |
|
| 83 | - */ |
|
| 84 | - public function setInlineStyleAllowed($inlineStyleAllowed) { |
|
| 85 | - $this->inlineStyleAllowed = $inlineStyleAllowed; |
|
| 86 | - } |
|
| 87 | - |
|
| 88 | - /** |
|
| 89 | - * @return array |
|
| 90 | - */ |
|
| 91 | - public function getAllowedStyleDomains() { |
|
| 92 | - return $this->allowedStyleDomains; |
|
| 93 | - } |
|
| 94 | - |
|
| 95 | - /** |
|
| 96 | - * @param array $allowedStyleDomains |
|
| 97 | - */ |
|
| 98 | - public function setAllowedStyleDomains($allowedStyleDomains) { |
|
| 99 | - $this->allowedStyleDomains = $allowedStyleDomains; |
|
| 100 | - } |
|
| 101 | - |
|
| 102 | - /** |
|
| 103 | - * @return array |
|
| 104 | - */ |
|
| 105 | - public function getAllowedImageDomains() { |
|
| 106 | - return $this->allowedImageDomains; |
|
| 107 | - } |
|
| 108 | - |
|
| 109 | - /** |
|
| 110 | - * @param array $allowedImageDomains |
|
| 111 | - */ |
|
| 112 | - public function setAllowedImageDomains($allowedImageDomains) { |
|
| 113 | - $this->allowedImageDomains = $allowedImageDomains; |
|
| 114 | - } |
|
| 115 | - |
|
| 116 | - /** |
|
| 117 | - * @return array |
|
| 118 | - */ |
|
| 119 | - public function getAllowedConnectDomains() { |
|
| 120 | - return $this->allowedConnectDomains; |
|
| 121 | - } |
|
| 122 | - |
|
| 123 | - /** |
|
| 124 | - * @param array $allowedConnectDomains |
|
| 125 | - */ |
|
| 126 | - public function setAllowedConnectDomains($allowedConnectDomains) { |
|
| 127 | - $this->allowedConnectDomains = $allowedConnectDomains; |
|
| 128 | - } |
|
| 129 | - |
|
| 130 | - /** |
|
| 131 | - * @return array |
|
| 132 | - */ |
|
| 133 | - public function getAllowedMediaDomains() { |
|
| 134 | - return $this->allowedMediaDomains; |
|
| 135 | - } |
|
| 136 | - |
|
| 137 | - /** |
|
| 138 | - * @param array $allowedMediaDomains |
|
| 139 | - */ |
|
| 140 | - public function setAllowedMediaDomains($allowedMediaDomains) { |
|
| 141 | - $this->allowedMediaDomains = $allowedMediaDomains; |
|
| 142 | - } |
|
| 143 | - |
|
| 144 | - /** |
|
| 145 | - * @return array |
|
| 146 | - */ |
|
| 147 | - public function getAllowedObjectDomains() { |
|
| 148 | - return $this->allowedObjectDomains; |
|
| 149 | - } |
|
| 150 | - |
|
| 151 | - /** |
|
| 152 | - * @param array $allowedObjectDomains |
|
| 153 | - */ |
|
| 154 | - public function setAllowedObjectDomains($allowedObjectDomains) { |
|
| 155 | - $this->allowedObjectDomains = $allowedObjectDomains; |
|
| 156 | - } |
|
| 157 | - |
|
| 158 | - /** |
|
| 159 | - * @return array |
|
| 160 | - */ |
|
| 161 | - public function getAllowedFrameDomains() { |
|
| 162 | - return $this->allowedFrameDomains; |
|
| 163 | - } |
|
| 164 | - |
|
| 165 | - /** |
|
| 166 | - * @param array $allowedFrameDomains |
|
| 167 | - */ |
|
| 168 | - public function setAllowedFrameDomains($allowedFrameDomains) { |
|
| 169 | - $this->allowedFrameDomains = $allowedFrameDomains; |
|
| 170 | - } |
|
| 171 | - |
|
| 172 | - /** |
|
| 173 | - * @return array |
|
| 174 | - */ |
|
| 175 | - public function getAllowedFontDomains() { |
|
| 176 | - return $this->allowedFontDomains; |
|
| 177 | - } |
|
| 178 | - |
|
| 179 | - /** |
|
| 180 | - * @param array $allowedFontDomains |
|
| 181 | - */ |
|
| 182 | - public function setAllowedFontDomains($allowedFontDomains) { |
|
| 183 | - $this->allowedFontDomains = $allowedFontDomains; |
|
| 184 | - } |
|
| 185 | - |
|
| 186 | - /** |
|
| 187 | - * @return array |
|
| 188 | - */ |
|
| 189 | - public function getAllowedChildSrcDomains() { |
|
| 190 | - return $this->allowedChildSrcDomains; |
|
| 191 | - } |
|
| 192 | - |
|
| 193 | - /** |
|
| 194 | - * @param array $allowedChildSrcDomains |
|
| 195 | - */ |
|
| 196 | - public function setAllowedChildSrcDomains($allowedChildSrcDomains) { |
|
| 197 | - $this->allowedChildSrcDomains = $allowedChildSrcDomains; |
|
| 198 | - } |
|
| 32 | + /** |
|
| 33 | + * @return boolean |
|
| 34 | + */ |
|
| 35 | + public function isInlineScriptAllowed() { |
|
| 36 | + return $this->inlineScriptAllowed; |
|
| 37 | + } |
|
| 38 | + |
|
| 39 | + /** |
|
| 40 | + * @param boolean $inlineScriptAllowed |
|
| 41 | + */ |
|
| 42 | + public function setInlineScriptAllowed($inlineScriptAllowed) { |
|
| 43 | + $this->inlineScriptAllowed = $inlineScriptAllowed; |
|
| 44 | + } |
|
| 45 | + |
|
| 46 | + /** |
|
| 47 | + * @return boolean |
|
| 48 | + */ |
|
| 49 | + public function isEvalScriptAllowed() { |
|
| 50 | + return $this->evalScriptAllowed; |
|
| 51 | + } |
|
| 52 | + |
|
| 53 | + /** |
|
| 54 | + * @param boolean $evalScriptAllowed |
|
| 55 | + */ |
|
| 56 | + public function setEvalScriptAllowed($evalScriptAllowed) { |
|
| 57 | + $this->evalScriptAllowed = $evalScriptAllowed; |
|
| 58 | + } |
|
| 59 | + |
|
| 60 | + /** |
|
| 61 | + * @return array |
|
| 62 | + */ |
|
| 63 | + public function getAllowedScriptDomains() { |
|
| 64 | + return $this->allowedScriptDomains; |
|
| 65 | + } |
|
| 66 | + |
|
| 67 | + /** |
|
| 68 | + * @param array $allowedScriptDomains |
|
| 69 | + */ |
|
| 70 | + public function setAllowedScriptDomains($allowedScriptDomains) { |
|
| 71 | + $this->allowedScriptDomains = $allowedScriptDomains; |
|
| 72 | + } |
|
| 73 | + |
|
| 74 | + /** |
|
| 75 | + * @return boolean |
|
| 76 | + */ |
|
| 77 | + public function isInlineStyleAllowed() { |
|
| 78 | + return $this->inlineStyleAllowed; |
|
| 79 | + } |
|
| 80 | + |
|
| 81 | + /** |
|
| 82 | + * @param boolean $inlineStyleAllowed |
|
| 83 | + */ |
|
| 84 | + public function setInlineStyleAllowed($inlineStyleAllowed) { |
|
| 85 | + $this->inlineStyleAllowed = $inlineStyleAllowed; |
|
| 86 | + } |
|
| 87 | + |
|
| 88 | + /** |
|
| 89 | + * @return array |
|
| 90 | + */ |
|
| 91 | + public function getAllowedStyleDomains() { |
|
| 92 | + return $this->allowedStyleDomains; |
|
| 93 | + } |
|
| 94 | + |
|
| 95 | + /** |
|
| 96 | + * @param array $allowedStyleDomains |
|
| 97 | + */ |
|
| 98 | + public function setAllowedStyleDomains($allowedStyleDomains) { |
|
| 99 | + $this->allowedStyleDomains = $allowedStyleDomains; |
|
| 100 | + } |
|
| 101 | + |
|
| 102 | + /** |
|
| 103 | + * @return array |
|
| 104 | + */ |
|
| 105 | + public function getAllowedImageDomains() { |
|
| 106 | + return $this->allowedImageDomains; |
|
| 107 | + } |
|
| 108 | + |
|
| 109 | + /** |
|
| 110 | + * @param array $allowedImageDomains |
|
| 111 | + */ |
|
| 112 | + public function setAllowedImageDomains($allowedImageDomains) { |
|
| 113 | + $this->allowedImageDomains = $allowedImageDomains; |
|
| 114 | + } |
|
| 115 | + |
|
| 116 | + /** |
|
| 117 | + * @return array |
|
| 118 | + */ |
|
| 119 | + public function getAllowedConnectDomains() { |
|
| 120 | + return $this->allowedConnectDomains; |
|
| 121 | + } |
|
| 122 | + |
|
| 123 | + /** |
|
| 124 | + * @param array $allowedConnectDomains |
|
| 125 | + */ |
|
| 126 | + public function setAllowedConnectDomains($allowedConnectDomains) { |
|
| 127 | + $this->allowedConnectDomains = $allowedConnectDomains; |
|
| 128 | + } |
|
| 129 | + |
|
| 130 | + /** |
|
| 131 | + * @return array |
|
| 132 | + */ |
|
| 133 | + public function getAllowedMediaDomains() { |
|
| 134 | + return $this->allowedMediaDomains; |
|
| 135 | + } |
|
| 136 | + |
|
| 137 | + /** |
|
| 138 | + * @param array $allowedMediaDomains |
|
| 139 | + */ |
|
| 140 | + public function setAllowedMediaDomains($allowedMediaDomains) { |
|
| 141 | + $this->allowedMediaDomains = $allowedMediaDomains; |
|
| 142 | + } |
|
| 143 | + |
|
| 144 | + /** |
|
| 145 | + * @return array |
|
| 146 | + */ |
|
| 147 | + public function getAllowedObjectDomains() { |
|
| 148 | + return $this->allowedObjectDomains; |
|
| 149 | + } |
|
| 150 | + |
|
| 151 | + /** |
|
| 152 | + * @param array $allowedObjectDomains |
|
| 153 | + */ |
|
| 154 | + public function setAllowedObjectDomains($allowedObjectDomains) { |
|
| 155 | + $this->allowedObjectDomains = $allowedObjectDomains; |
|
| 156 | + } |
|
| 157 | + |
|
| 158 | + /** |
|
| 159 | + * @return array |
|
| 160 | + */ |
|
| 161 | + public function getAllowedFrameDomains() { |
|
| 162 | + return $this->allowedFrameDomains; |
|
| 163 | + } |
|
| 164 | + |
|
| 165 | + /** |
|
| 166 | + * @param array $allowedFrameDomains |
|
| 167 | + */ |
|
| 168 | + public function setAllowedFrameDomains($allowedFrameDomains) { |
|
| 169 | + $this->allowedFrameDomains = $allowedFrameDomains; |
|
| 170 | + } |
|
| 171 | + |
|
| 172 | + /** |
|
| 173 | + * @return array |
|
| 174 | + */ |
|
| 175 | + public function getAllowedFontDomains() { |
|
| 176 | + return $this->allowedFontDomains; |
|
| 177 | + } |
|
| 178 | + |
|
| 179 | + /** |
|
| 180 | + * @param array $allowedFontDomains |
|
| 181 | + */ |
|
| 182 | + public function setAllowedFontDomains($allowedFontDomains) { |
|
| 183 | + $this->allowedFontDomains = $allowedFontDomains; |
|
| 184 | + } |
|
| 185 | + |
|
| 186 | + /** |
|
| 187 | + * @return array |
|
| 188 | + */ |
|
| 189 | + public function getAllowedChildSrcDomains() { |
|
| 190 | + return $this->allowedChildSrcDomains; |
|
| 191 | + } |
|
| 192 | + |
|
| 193 | + /** |
|
| 194 | + * @param array $allowedChildSrcDomains |
|
| 195 | + */ |
|
| 196 | + public function setAllowedChildSrcDomains($allowedChildSrcDomains) { |
|
| 197 | + $this->allowedChildSrcDomains = $allowedChildSrcDomains; |
|
| 198 | + } |
|
| 199 | 199 | |
| 200 | 200 | } |
@@ -27,48 +27,48 @@ |
||
| 27 | 27 | use OCP\Security\IContentSecurityPolicyManager; |
| 28 | 28 | |
| 29 | 29 | class ContentSecurityPolicyManager implements IContentSecurityPolicyManager { |
| 30 | - /** @var ContentSecurityPolicy[] */ |
|
| 31 | - private $policies = []; |
|
| 30 | + /** @var ContentSecurityPolicy[] */ |
|
| 31 | + private $policies = []; |
|
| 32 | 32 | |
| 33 | - /** {@inheritdoc} */ |
|
| 34 | - public function addDefaultPolicy(EmptyContentSecurityPolicy $policy) { |
|
| 35 | - $this->policies[] = $policy; |
|
| 36 | - } |
|
| 33 | + /** {@inheritdoc} */ |
|
| 34 | + public function addDefaultPolicy(EmptyContentSecurityPolicy $policy) { |
|
| 35 | + $this->policies[] = $policy; |
|
| 36 | + } |
|
| 37 | 37 | |
| 38 | - /** |
|
| 39 | - * Get the configured default policy. This is not in the public namespace |
|
| 40 | - * as it is only supposed to be used by core itself. |
|
| 41 | - * |
|
| 42 | - * @return ContentSecurityPolicy |
|
| 43 | - */ |
|
| 44 | - public function getDefaultPolicy() { |
|
| 45 | - $defaultPolicy = new \OC\Security\CSP\ContentSecurityPolicy(); |
|
| 46 | - foreach($this->policies as $policy) { |
|
| 47 | - $defaultPolicy = $this->mergePolicies($defaultPolicy, $policy); |
|
| 48 | - } |
|
| 49 | - return $defaultPolicy; |
|
| 50 | - } |
|
| 38 | + /** |
|
| 39 | + * Get the configured default policy. This is not in the public namespace |
|
| 40 | + * as it is only supposed to be used by core itself. |
|
| 41 | + * |
|
| 42 | + * @return ContentSecurityPolicy |
|
| 43 | + */ |
|
| 44 | + public function getDefaultPolicy() { |
|
| 45 | + $defaultPolicy = new \OC\Security\CSP\ContentSecurityPolicy(); |
|
| 46 | + foreach($this->policies as $policy) { |
|
| 47 | + $defaultPolicy = $this->mergePolicies($defaultPolicy, $policy); |
|
| 48 | + } |
|
| 49 | + return $defaultPolicy; |
|
| 50 | + } |
|
| 51 | 51 | |
| 52 | - /** |
|
| 53 | - * Merges the first given policy with the second one |
|
| 54 | - * |
|
| 55 | - * @param ContentSecurityPolicy $defaultPolicy |
|
| 56 | - * @param EmptyContentSecurityPolicy $originalPolicy |
|
| 57 | - * @return ContentSecurityPolicy |
|
| 58 | - */ |
|
| 59 | - public function mergePolicies(ContentSecurityPolicy $defaultPolicy, |
|
| 60 | - EmptyContentSecurityPolicy $originalPolicy) { |
|
| 61 | - foreach((object)(array)$originalPolicy as $name => $value) { |
|
| 62 | - $setter = 'set'.ucfirst($name); |
|
| 63 | - if(is_array($value)) { |
|
| 64 | - $getter = 'get'.ucfirst($name); |
|
| 65 | - $currentValues = is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : []; |
|
| 66 | - $defaultPolicy->$setter(array_values(array_unique(array_merge($currentValues, $value)))); |
|
| 67 | - } elseif (is_bool($value)) { |
|
| 68 | - $defaultPolicy->$setter($value); |
|
| 69 | - } |
|
| 70 | - } |
|
| 52 | + /** |
|
| 53 | + * Merges the first given policy with the second one |
|
| 54 | + * |
|
| 55 | + * @param ContentSecurityPolicy $defaultPolicy |
|
| 56 | + * @param EmptyContentSecurityPolicy $originalPolicy |
|
| 57 | + * @return ContentSecurityPolicy |
|
| 58 | + */ |
|
| 59 | + public function mergePolicies(ContentSecurityPolicy $defaultPolicy, |
|
| 60 | + EmptyContentSecurityPolicy $originalPolicy) { |
|
| 61 | + foreach((object)(array)$originalPolicy as $name => $value) { |
|
| 62 | + $setter = 'set'.ucfirst($name); |
|
| 63 | + if(is_array($value)) { |
|
| 64 | + $getter = 'get'.ucfirst($name); |
|
| 65 | + $currentValues = is_array($defaultPolicy->$getter()) ? $defaultPolicy->$getter() : []; |
|
| 66 | + $defaultPolicy->$setter(array_values(array_unique(array_merge($currentValues, $value)))); |
|
| 67 | + } elseif (is_bool($value)) { |
|
| 68 | + $defaultPolicy->$setter($value); |
|
| 69 | + } |
|
| 70 | + } |
|
| 71 | 71 | |
| 72 | - return $defaultPolicy; |
|
| 73 | - } |
|
| 72 | + return $defaultPolicy; |
|
| 73 | + } |
|
| 74 | 74 | } |
@@ -34,93 +34,93 @@ |
||
| 34 | 34 | */ |
| 35 | 35 | class CredentialsManager implements ICredentialsManager { |
| 36 | 36 | |
| 37 | - const DB_TABLE = 'credentials'; |
|
| 37 | + const DB_TABLE = 'credentials'; |
|
| 38 | 38 | |
| 39 | - /** @var ICrypto */ |
|
| 40 | - protected $crypto; |
|
| 39 | + /** @var ICrypto */ |
|
| 40 | + protected $crypto; |
|
| 41 | 41 | |
| 42 | - /** @var IDBConnection */ |
|
| 43 | - protected $dbConnection; |
|
| 42 | + /** @var IDBConnection */ |
|
| 43 | + protected $dbConnection; |
|
| 44 | 44 | |
| 45 | - /** |
|
| 46 | - * @param ICrypto $crypto |
|
| 47 | - * @param IDBConnection $dbConnection |
|
| 48 | - */ |
|
| 49 | - public function __construct(ICrypto $crypto, IDBConnection $dbConnection) { |
|
| 50 | - $this->crypto = $crypto; |
|
| 51 | - $this->dbConnection = $dbConnection; |
|
| 52 | - } |
|
| 45 | + /** |
|
| 46 | + * @param ICrypto $crypto |
|
| 47 | + * @param IDBConnection $dbConnection |
|
| 48 | + */ |
|
| 49 | + public function __construct(ICrypto $crypto, IDBConnection $dbConnection) { |
|
| 50 | + $this->crypto = $crypto; |
|
| 51 | + $this->dbConnection = $dbConnection; |
|
| 52 | + } |
|
| 53 | 53 | |
| 54 | - /** |
|
| 55 | - * Store a set of credentials |
|
| 56 | - * |
|
| 57 | - * @param string|null $userId Null for system-wide credentials |
|
| 58 | - * @param string $identifier |
|
| 59 | - * @param mixed $credentials |
|
| 60 | - */ |
|
| 61 | - public function store($userId, $identifier, $credentials) { |
|
| 62 | - $value = $this->crypto->encrypt(json_encode($credentials)); |
|
| 54 | + /** |
|
| 55 | + * Store a set of credentials |
|
| 56 | + * |
|
| 57 | + * @param string|null $userId Null for system-wide credentials |
|
| 58 | + * @param string $identifier |
|
| 59 | + * @param mixed $credentials |
|
| 60 | + */ |
|
| 61 | + public function store($userId, $identifier, $credentials) { |
|
| 62 | + $value = $this->crypto->encrypt(json_encode($credentials)); |
|
| 63 | 63 | |
| 64 | - $this->dbConnection->setValues(self::DB_TABLE, [ |
|
| 65 | - 'user' => $userId, |
|
| 66 | - 'identifier' => $identifier, |
|
| 67 | - ], [ |
|
| 68 | - 'credentials' => $value, |
|
| 69 | - ]); |
|
| 70 | - } |
|
| 64 | + $this->dbConnection->setValues(self::DB_TABLE, [ |
|
| 65 | + 'user' => $userId, |
|
| 66 | + 'identifier' => $identifier, |
|
| 67 | + ], [ |
|
| 68 | + 'credentials' => $value, |
|
| 69 | + ]); |
|
| 70 | + } |
|
| 71 | 71 | |
| 72 | - /** |
|
| 73 | - * Retrieve a set of credentials |
|
| 74 | - * |
|
| 75 | - * @param string|null $userId Null for system-wide credentials |
|
| 76 | - * @param string $identifier |
|
| 77 | - * @return mixed |
|
| 78 | - */ |
|
| 79 | - public function retrieve($userId, $identifier) { |
|
| 80 | - $qb = $this->dbConnection->getQueryBuilder(); |
|
| 81 | - $qb->select('credentials') |
|
| 82 | - ->from(self::DB_TABLE) |
|
| 83 | - ->where($qb->expr()->eq('user', $qb->createNamedParameter($userId))) |
|
| 84 | - ->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier))) |
|
| 85 | - ; |
|
| 86 | - $result = $qb->execute()->fetch(); |
|
| 72 | + /** |
|
| 73 | + * Retrieve a set of credentials |
|
| 74 | + * |
|
| 75 | + * @param string|null $userId Null for system-wide credentials |
|
| 76 | + * @param string $identifier |
|
| 77 | + * @return mixed |
|
| 78 | + */ |
|
| 79 | + public function retrieve($userId, $identifier) { |
|
| 80 | + $qb = $this->dbConnection->getQueryBuilder(); |
|
| 81 | + $qb->select('credentials') |
|
| 82 | + ->from(self::DB_TABLE) |
|
| 83 | + ->where($qb->expr()->eq('user', $qb->createNamedParameter($userId))) |
|
| 84 | + ->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier))) |
|
| 85 | + ; |
|
| 86 | + $result = $qb->execute()->fetch(); |
|
| 87 | 87 | |
| 88 | - if (!$result) { |
|
| 89 | - return null; |
|
| 90 | - } |
|
| 91 | - $value = $result['credentials']; |
|
| 88 | + if (!$result) { |
|
| 89 | + return null; |
|
| 90 | + } |
|
| 91 | + $value = $result['credentials']; |
|
| 92 | 92 | |
| 93 | - return json_decode($this->crypto->decrypt($value), true); |
|
| 94 | - } |
|
| 93 | + return json_decode($this->crypto->decrypt($value), true); |
|
| 94 | + } |
|
| 95 | 95 | |
| 96 | - /** |
|
| 97 | - * Delete a set of credentials |
|
| 98 | - * |
|
| 99 | - * @param string|null $userId Null for system-wide credentials |
|
| 100 | - * @param string $identifier |
|
| 101 | - * @return int rows removed |
|
| 102 | - */ |
|
| 103 | - public function delete($userId, $identifier) { |
|
| 104 | - $qb = $this->dbConnection->getQueryBuilder(); |
|
| 105 | - $qb->delete(self::DB_TABLE) |
|
| 106 | - ->where($qb->expr()->eq('user', $qb->createNamedParameter($userId))) |
|
| 107 | - ->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier))) |
|
| 108 | - ; |
|
| 109 | - return $qb->execute(); |
|
| 110 | - } |
|
| 96 | + /** |
|
| 97 | + * Delete a set of credentials |
|
| 98 | + * |
|
| 99 | + * @param string|null $userId Null for system-wide credentials |
|
| 100 | + * @param string $identifier |
|
| 101 | + * @return int rows removed |
|
| 102 | + */ |
|
| 103 | + public function delete($userId, $identifier) { |
|
| 104 | + $qb = $this->dbConnection->getQueryBuilder(); |
|
| 105 | + $qb->delete(self::DB_TABLE) |
|
| 106 | + ->where($qb->expr()->eq('user', $qb->createNamedParameter($userId))) |
|
| 107 | + ->andWhere($qb->expr()->eq('identifier', $qb->createNamedParameter($identifier))) |
|
| 108 | + ; |
|
| 109 | + return $qb->execute(); |
|
| 110 | + } |
|
| 111 | 111 | |
| 112 | - /** |
|
| 113 | - * Erase all credentials stored for a user |
|
| 114 | - * |
|
| 115 | - * @param string $userId |
|
| 116 | - * @return int rows removed |
|
| 117 | - */ |
|
| 118 | - public function erase($userId) { |
|
| 119 | - $qb = $this->dbConnection->getQueryBuilder(); |
|
| 120 | - $qb->delete(self::DB_TABLE) |
|
| 121 | - ->where($qb->expr()->eq('user', $qb->createNamedParameter($userId))) |
|
| 122 | - ; |
|
| 123 | - return $qb->execute(); |
|
| 124 | - } |
|
| 112 | + /** |
|
| 113 | + * Erase all credentials stored for a user |
|
| 114 | + * |
|
| 115 | + * @param string $userId |
|
| 116 | + * @return int rows removed |
|
| 117 | + */ |
|
| 118 | + public function erase($userId) { |
|
| 119 | + $qb = $this->dbConnection->getQueryBuilder(); |
|
| 120 | + $qb->delete(self::DB_TABLE) |
|
| 121 | + ->where($qb->expr()->eq('user', $qb->createNamedParameter($userId))) |
|
| 122 | + ; |
|
| 123 | + return $qb->execute(); |
|
| 124 | + } |
|
| 125 | 125 | |
| 126 | 126 | } |
@@ -32,68 +32,68 @@ |
||
| 32 | 32 | * @package OC\Security |
| 33 | 33 | */ |
| 34 | 34 | class TrustedDomainHelper { |
| 35 | - /** @var IConfig */ |
|
| 36 | - private $config; |
|
| 35 | + /** @var IConfig */ |
|
| 36 | + private $config; |
|
| 37 | 37 | |
| 38 | - /** |
|
| 39 | - * @param IConfig $config |
|
| 40 | - */ |
|
| 41 | - function __construct(IConfig $config) { |
|
| 42 | - $this->config = $config; |
|
| 43 | - } |
|
| 38 | + /** |
|
| 39 | + * @param IConfig $config |
|
| 40 | + */ |
|
| 41 | + function __construct(IConfig $config) { |
|
| 42 | + $this->config = $config; |
|
| 43 | + } |
|
| 44 | 44 | |
| 45 | - /** |
|
| 46 | - * Strips a potential port from a domain (in format domain:port) |
|
| 47 | - * @param string $host |
|
| 48 | - * @return string $host without appended port |
|
| 49 | - */ |
|
| 50 | - private function getDomainWithoutPort($host) { |
|
| 51 | - $pos = strrpos($host, ':'); |
|
| 52 | - if ($pos !== false) { |
|
| 53 | - $port = substr($host, $pos + 1); |
|
| 54 | - if (is_numeric($port)) { |
|
| 55 | - $host = substr($host, 0, $pos); |
|
| 56 | - } |
|
| 57 | - } |
|
| 58 | - return $host; |
|
| 59 | - } |
|
| 45 | + /** |
|
| 46 | + * Strips a potential port from a domain (in format domain:port) |
|
| 47 | + * @param string $host |
|
| 48 | + * @return string $host without appended port |
|
| 49 | + */ |
|
| 50 | + private function getDomainWithoutPort($host) { |
|
| 51 | + $pos = strrpos($host, ':'); |
|
| 52 | + if ($pos !== false) { |
|
| 53 | + $port = substr($host, $pos + 1); |
|
| 54 | + if (is_numeric($port)) { |
|
| 55 | + $host = substr($host, 0, $pos); |
|
| 56 | + } |
|
| 57 | + } |
|
| 58 | + return $host; |
|
| 59 | + } |
|
| 60 | 60 | |
| 61 | - /** |
|
| 62 | - * Checks whether a domain is considered as trusted from the list |
|
| 63 | - * of trusted domains. If no trusted domains have been configured, returns |
|
| 64 | - * true. |
|
| 65 | - * This is used to prevent Host Header Poisoning. |
|
| 66 | - * @param string $domainWithPort |
|
| 67 | - * @return bool true if the given domain is trusted or if no trusted domains |
|
| 68 | - * have been configured |
|
| 69 | - */ |
|
| 70 | - public function isTrustedDomain($domainWithPort) { |
|
| 71 | - $domain = $this->getDomainWithoutPort($domainWithPort); |
|
| 61 | + /** |
|
| 62 | + * Checks whether a domain is considered as trusted from the list |
|
| 63 | + * of trusted domains. If no trusted domains have been configured, returns |
|
| 64 | + * true. |
|
| 65 | + * This is used to prevent Host Header Poisoning. |
|
| 66 | + * @param string $domainWithPort |
|
| 67 | + * @return bool true if the given domain is trusted or if no trusted domains |
|
| 68 | + * have been configured |
|
| 69 | + */ |
|
| 70 | + public function isTrustedDomain($domainWithPort) { |
|
| 71 | + $domain = $this->getDomainWithoutPort($domainWithPort); |
|
| 72 | 72 | |
| 73 | - // Read trusted domains from config |
|
| 74 | - $trustedList = $this->config->getSystemValue('trusted_domains', []); |
|
| 75 | - if (!is_array($trustedList)) { |
|
| 76 | - return false; |
|
| 77 | - } |
|
| 73 | + // Read trusted domains from config |
|
| 74 | + $trustedList = $this->config->getSystemValue('trusted_domains', []); |
|
| 75 | + if (!is_array($trustedList)) { |
|
| 76 | + return false; |
|
| 77 | + } |
|
| 78 | 78 | |
| 79 | - // Always allow access from localhost |
|
| 80 | - if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) { |
|
| 81 | - return true; |
|
| 82 | - } |
|
| 83 | - // Reject misformed domains in any case |
|
| 84 | - if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) { |
|
| 85 | - return false; |
|
| 86 | - } |
|
| 87 | - // Match, allowing for * wildcards |
|
| 88 | - foreach ($trustedList as $trusted) { |
|
| 89 | - if (gettype($trusted) !== 'string') { |
|
| 90 | - break; |
|
| 91 | - } |
|
| 92 | - $regex = '/^' . join('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/'; |
|
| 93 | - if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) { |
|
| 94 | - return true; |
|
| 95 | - } |
|
| 96 | - } |
|
| 97 | - return false; |
|
| 98 | - } |
|
| 79 | + // Always allow access from localhost |
|
| 80 | + if (preg_match(Request::REGEX_LOCALHOST, $domain) === 1) { |
|
| 81 | + return true; |
|
| 82 | + } |
|
| 83 | + // Reject misformed domains in any case |
|
| 84 | + if (strpos($domain,'-') === 0 || strpos($domain,'..') !== false) { |
|
| 85 | + return false; |
|
| 86 | + } |
|
| 87 | + // Match, allowing for * wildcards |
|
| 88 | + foreach ($trustedList as $trusted) { |
|
| 89 | + if (gettype($trusted) !== 'string') { |
|
| 90 | + break; |
|
| 91 | + } |
|
| 92 | + $regex = '/^' . join('[-\.a-zA-Z0-9]*', array_map(function($v) { return preg_quote($v, '/'); }, explode('*', $trusted))) . '$/'; |
|
| 93 | + if (preg_match($regex, $domain) || preg_match($regex, $domainWithPort)) { |
|
| 94 | + return true; |
|
| 95 | + } |
|
| 96 | + } |
|
| 97 | + return false; |
|
| 98 | + } |
|
| 99 | 99 | } |
@@ -46,116 +46,116 @@ |
||
| 46 | 46 | * @package OC\Security |
| 47 | 47 | */ |
| 48 | 48 | class Hasher implements IHasher { |
| 49 | - /** @var IConfig */ |
|
| 50 | - private $config; |
|
| 51 | - /** @var array Options passed to password_hash and password_needs_rehash */ |
|
| 52 | - private $options = array(); |
|
| 53 | - /** @var string Salt used for legacy passwords */ |
|
| 54 | - private $legacySalt = null; |
|
| 55 | - /** @var int Current version of the generated hash */ |
|
| 56 | - private $currentVersion = 1; |
|
| 57 | - |
|
| 58 | - /** |
|
| 59 | - * @param IConfig $config |
|
| 60 | - */ |
|
| 61 | - function __construct(IConfig $config) { |
|
| 62 | - $this->config = $config; |
|
| 63 | - |
|
| 64 | - $hashingCost = $this->config->getSystemValue('hashingCost', null); |
|
| 65 | - if(!is_null($hashingCost)) { |
|
| 66 | - $this->options['cost'] = $hashingCost; |
|
| 67 | - } |
|
| 68 | - } |
|
| 69 | - |
|
| 70 | - /** |
|
| 71 | - * Hashes a message using PHP's `password_hash` functionality. |
|
| 72 | - * Please note that the size of the returned string is not guaranteed |
|
| 73 | - * and can be up to 255 characters. |
|
| 74 | - * |
|
| 75 | - * @param string $message Message to generate hash from |
|
| 76 | - * @return string Hash of the message with appended version parameter |
|
| 77 | - */ |
|
| 78 | - public function hash($message) { |
|
| 79 | - return $this->currentVersion . '|' . password_hash($message, PASSWORD_DEFAULT, $this->options); |
|
| 80 | - } |
|
| 81 | - |
|
| 82 | - /** |
|
| 83 | - * Get the version and hash from a prefixedHash |
|
| 84 | - * @param string $prefixedHash |
|
| 85 | - * @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo') |
|
| 86 | - */ |
|
| 87 | - protected function splitHash($prefixedHash) { |
|
| 88 | - $explodedString = explode('|', $prefixedHash, 2); |
|
| 89 | - if(sizeof($explodedString) === 2) { |
|
| 90 | - if((int)$explodedString[0] > 0) { |
|
| 91 | - return array('version' => (int)$explodedString[0], 'hash' => $explodedString[1]); |
|
| 92 | - } |
|
| 93 | - } |
|
| 94 | - |
|
| 95 | - return null; |
|
| 96 | - } |
|
| 97 | - |
|
| 98 | - /** |
|
| 99 | - * Verify legacy hashes |
|
| 100 | - * @param string $message Message to verify |
|
| 101 | - * @param string $hash Assumed hash of the message |
|
| 102 | - * @param null|string &$newHash Reference will contain the updated hash |
|
| 103 | - * @return bool Whether $hash is a valid hash of $message |
|
| 104 | - */ |
|
| 105 | - protected function legacyHashVerify($message, $hash, &$newHash = null) { |
|
| 106 | - if(empty($this->legacySalt)) { |
|
| 107 | - $this->legacySalt = $this->config->getSystemValue('passwordsalt', ''); |
|
| 108 | - } |
|
| 109 | - |
|
| 110 | - // Verify whether it matches a legacy PHPass or SHA1 string |
|
| 111 | - $hashLength = strlen($hash); |
|
| 112 | - if($hashLength === 60 && password_verify($message.$this->legacySalt, $hash) || |
|
| 113 | - $hashLength === 40 && hash_equals($hash, sha1($message))) { |
|
| 114 | - $newHash = $this->hash($message); |
|
| 115 | - return true; |
|
| 116 | - } |
|
| 117 | - |
|
| 118 | - return false; |
|
| 119 | - } |
|
| 120 | - |
|
| 121 | - /** |
|
| 122 | - * Verify V1 hashes |
|
| 123 | - * @param string $message Message to verify |
|
| 124 | - * @param string $hash Assumed hash of the message |
|
| 125 | - * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one. |
|
| 126 | - * @return bool Whether $hash is a valid hash of $message |
|
| 127 | - */ |
|
| 128 | - protected function verifyHashV1($message, $hash, &$newHash = null) { |
|
| 129 | - if(password_verify($message, $hash)) { |
|
| 130 | - if(password_needs_rehash($hash, PASSWORD_DEFAULT, $this->options)) { |
|
| 131 | - $newHash = $this->hash($message); |
|
| 132 | - } |
|
| 133 | - return true; |
|
| 134 | - } |
|
| 135 | - |
|
| 136 | - return false; |
|
| 137 | - } |
|
| 138 | - |
|
| 139 | - /** |
|
| 140 | - * @param string $message Message to verify |
|
| 141 | - * @param string $hash Assumed hash of the message |
|
| 142 | - * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one. |
|
| 143 | - * @return bool Whether $hash is a valid hash of $message |
|
| 144 | - */ |
|
| 145 | - public function verify($message, $hash, &$newHash = null) { |
|
| 146 | - $splittedHash = $this->splitHash($hash); |
|
| 147 | - |
|
| 148 | - if(isset($splittedHash['version'])) { |
|
| 149 | - switch ($splittedHash['version']) { |
|
| 150 | - case 1: |
|
| 151 | - return $this->verifyHashV1($message, $splittedHash['hash'], $newHash); |
|
| 152 | - } |
|
| 153 | - } else { |
|
| 154 | - return $this->legacyHashVerify($message, $hash, $newHash); |
|
| 155 | - } |
|
| 156 | - |
|
| 157 | - |
|
| 158 | - return false; |
|
| 159 | - } |
|
| 49 | + /** @var IConfig */ |
|
| 50 | + private $config; |
|
| 51 | + /** @var array Options passed to password_hash and password_needs_rehash */ |
|
| 52 | + private $options = array(); |
|
| 53 | + /** @var string Salt used for legacy passwords */ |
|
| 54 | + private $legacySalt = null; |
|
| 55 | + /** @var int Current version of the generated hash */ |
|
| 56 | + private $currentVersion = 1; |
|
| 57 | + |
|
| 58 | + /** |
|
| 59 | + * @param IConfig $config |
|
| 60 | + */ |
|
| 61 | + function __construct(IConfig $config) { |
|
| 62 | + $this->config = $config; |
|
| 63 | + |
|
| 64 | + $hashingCost = $this->config->getSystemValue('hashingCost', null); |
|
| 65 | + if(!is_null($hashingCost)) { |
|
| 66 | + $this->options['cost'] = $hashingCost; |
|
| 67 | + } |
|
| 68 | + } |
|
| 69 | + |
|
| 70 | + /** |
|
| 71 | + * Hashes a message using PHP's `password_hash` functionality. |
|
| 72 | + * Please note that the size of the returned string is not guaranteed |
|
| 73 | + * and can be up to 255 characters. |
|
| 74 | + * |
|
| 75 | + * @param string $message Message to generate hash from |
|
| 76 | + * @return string Hash of the message with appended version parameter |
|
| 77 | + */ |
|
| 78 | + public function hash($message) { |
|
| 79 | + return $this->currentVersion . '|' . password_hash($message, PASSWORD_DEFAULT, $this->options); |
|
| 80 | + } |
|
| 81 | + |
|
| 82 | + /** |
|
| 83 | + * Get the version and hash from a prefixedHash |
|
| 84 | + * @param string $prefixedHash |
|
| 85 | + * @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo') |
|
| 86 | + */ |
|
| 87 | + protected function splitHash($prefixedHash) { |
|
| 88 | + $explodedString = explode('|', $prefixedHash, 2); |
|
| 89 | + if(sizeof($explodedString) === 2) { |
|
| 90 | + if((int)$explodedString[0] > 0) { |
|
| 91 | + return array('version' => (int)$explodedString[0], 'hash' => $explodedString[1]); |
|
| 92 | + } |
|
| 93 | + } |
|
| 94 | + |
|
| 95 | + return null; |
|
| 96 | + } |
|
| 97 | + |
|
| 98 | + /** |
|
| 99 | + * Verify legacy hashes |
|
| 100 | + * @param string $message Message to verify |
|
| 101 | + * @param string $hash Assumed hash of the message |
|
| 102 | + * @param null|string &$newHash Reference will contain the updated hash |
|
| 103 | + * @return bool Whether $hash is a valid hash of $message |
|
| 104 | + */ |
|
| 105 | + protected function legacyHashVerify($message, $hash, &$newHash = null) { |
|
| 106 | + if(empty($this->legacySalt)) { |
|
| 107 | + $this->legacySalt = $this->config->getSystemValue('passwordsalt', ''); |
|
| 108 | + } |
|
| 109 | + |
|
| 110 | + // Verify whether it matches a legacy PHPass or SHA1 string |
|
| 111 | + $hashLength = strlen($hash); |
|
| 112 | + if($hashLength === 60 && password_verify($message.$this->legacySalt, $hash) || |
|
| 113 | + $hashLength === 40 && hash_equals($hash, sha1($message))) { |
|
| 114 | + $newHash = $this->hash($message); |
|
| 115 | + return true; |
|
| 116 | + } |
|
| 117 | + |
|
| 118 | + return false; |
|
| 119 | + } |
|
| 120 | + |
|
| 121 | + /** |
|
| 122 | + * Verify V1 hashes |
|
| 123 | + * @param string $message Message to verify |
|
| 124 | + * @param string $hash Assumed hash of the message |
|
| 125 | + * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one. |
|
| 126 | + * @return bool Whether $hash is a valid hash of $message |
|
| 127 | + */ |
|
| 128 | + protected function verifyHashV1($message, $hash, &$newHash = null) { |
|
| 129 | + if(password_verify($message, $hash)) { |
|
| 130 | + if(password_needs_rehash($hash, PASSWORD_DEFAULT, $this->options)) { |
|
| 131 | + $newHash = $this->hash($message); |
|
| 132 | + } |
|
| 133 | + return true; |
|
| 134 | + } |
|
| 135 | + |
|
| 136 | + return false; |
|
| 137 | + } |
|
| 138 | + |
|
| 139 | + /** |
|
| 140 | + * @param string $message Message to verify |
|
| 141 | + * @param string $hash Assumed hash of the message |
|
| 142 | + * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one. |
|
| 143 | + * @return bool Whether $hash is a valid hash of $message |
|
| 144 | + */ |
|
| 145 | + public function verify($message, $hash, &$newHash = null) { |
|
| 146 | + $splittedHash = $this->splitHash($hash); |
|
| 147 | + |
|
| 148 | + if(isset($splittedHash['version'])) { |
|
| 149 | + switch ($splittedHash['version']) { |
|
| 150 | + case 1: |
|
| 151 | + return $this->verifyHashV1($message, $splittedHash['hash'], $newHash); |
|
| 152 | + } |
|
| 153 | + } else { |
|
| 154 | + return $this->legacyHashVerify($message, $hash, $newHash); |
|
| 155 | + } |
|
| 156 | + |
|
| 157 | + |
|
| 158 | + return false; |
|
| 159 | + } |
|
| 160 | 160 | |
| 161 | 161 | } |
@@ -31,46 +31,46 @@ |
||
| 31 | 31 | * @package OC\Security\CSRF |
| 32 | 32 | */ |
| 33 | 33 | class CsrfToken { |
| 34 | - /** @var string */ |
|
| 35 | - private $value; |
|
| 36 | - /** @var string */ |
|
| 37 | - private $encryptedValue = ''; |
|
| 34 | + /** @var string */ |
|
| 35 | + private $value; |
|
| 36 | + /** @var string */ |
|
| 37 | + private $encryptedValue = ''; |
|
| 38 | 38 | |
| 39 | - /** |
|
| 40 | - * @param string $value Value of the token. Can be encrypted or not encrypted. |
|
| 41 | - */ |
|
| 42 | - public function __construct($value) { |
|
| 43 | - $this->value = $value; |
|
| 44 | - } |
|
| 39 | + /** |
|
| 40 | + * @param string $value Value of the token. Can be encrypted or not encrypted. |
|
| 41 | + */ |
|
| 42 | + public function __construct($value) { |
|
| 43 | + $this->value = $value; |
|
| 44 | + } |
|
| 45 | 45 | |
| 46 | - /** |
|
| 47 | - * Encrypted value of the token. This is used to mitigate BREACH alike |
|
| 48 | - * vulnerabilities. For display measures do use this functionality. |
|
| 49 | - * |
|
| 50 | - * @return string |
|
| 51 | - */ |
|
| 52 | - public function getEncryptedValue() { |
|
| 53 | - if($this->encryptedValue === '') { |
|
| 54 | - $sharedSecret = random_bytes(strlen($this->value)); |
|
| 55 | - $this->encryptedValue = base64_encode($this->value ^ $sharedSecret) . ':' . base64_encode($sharedSecret); |
|
| 56 | - } |
|
| 46 | + /** |
|
| 47 | + * Encrypted value of the token. This is used to mitigate BREACH alike |
|
| 48 | + * vulnerabilities. For display measures do use this functionality. |
|
| 49 | + * |
|
| 50 | + * @return string |
|
| 51 | + */ |
|
| 52 | + public function getEncryptedValue() { |
|
| 53 | + if($this->encryptedValue === '') { |
|
| 54 | + $sharedSecret = random_bytes(strlen($this->value)); |
|
| 55 | + $this->encryptedValue = base64_encode($this->value ^ $sharedSecret) . ':' . base64_encode($sharedSecret); |
|
| 56 | + } |
|
| 57 | 57 | |
| 58 | - return $this->encryptedValue; |
|
| 59 | - } |
|
| 58 | + return $this->encryptedValue; |
|
| 59 | + } |
|
| 60 | 60 | |
| 61 | - /** |
|
| 62 | - * The unencrypted value of the token. Used for decrypting an already |
|
| 63 | - * encrypted token. |
|
| 64 | - * |
|
| 65 | - * @return int |
|
| 66 | - */ |
|
| 67 | - public function getDecryptedValue() { |
|
| 68 | - $token = explode(':', $this->value); |
|
| 69 | - if (count($token) !== 2) { |
|
| 70 | - return ''; |
|
| 71 | - } |
|
| 72 | - $obfuscatedToken = $token[0]; |
|
| 73 | - $secret = $token[1]; |
|
| 74 | - return base64_decode($obfuscatedToken) ^ base64_decode($secret); |
|
| 75 | - } |
|
| 61 | + /** |
|
| 62 | + * The unencrypted value of the token. Used for decrypting an already |
|
| 63 | + * encrypted token. |
|
| 64 | + * |
|
| 65 | + * @return int |
|
| 66 | + */ |
|
| 67 | + public function getDecryptedValue() { |
|
| 68 | + $token = explode(':', $this->value); |
|
| 69 | + if (count($token) !== 2) { |
|
| 70 | + return ''; |
|
| 71 | + } |
|
| 72 | + $obfuscatedToken = $token[0]; |
|
| 73 | + $secret = $token[1]; |
|
| 74 | + return base64_decode($obfuscatedToken) ^ base64_decode($secret); |
|
| 75 | + } |
|
| 76 | 76 | } |
@@ -30,59 +30,59 @@ |
||
| 30 | 30 | * @package OC\Security\CSRF\TokenStorage |
| 31 | 31 | */ |
| 32 | 32 | class SessionStorage { |
| 33 | - /** @var ISession */ |
|
| 34 | - private $session; |
|
| 33 | + /** @var ISession */ |
|
| 34 | + private $session; |
|
| 35 | 35 | |
| 36 | - /** |
|
| 37 | - * @param ISession $session |
|
| 38 | - */ |
|
| 39 | - public function __construct(ISession $session) { |
|
| 40 | - $this->session = $session; |
|
| 41 | - } |
|
| 36 | + /** |
|
| 37 | + * @param ISession $session |
|
| 38 | + */ |
|
| 39 | + public function __construct(ISession $session) { |
|
| 40 | + $this->session = $session; |
|
| 41 | + } |
|
| 42 | 42 | |
| 43 | - /** |
|
| 44 | - * @param ISession $session |
|
| 45 | - */ |
|
| 46 | - public function setSession(ISession $session) { |
|
| 47 | - $this->session = $session; |
|
| 48 | - } |
|
| 43 | + /** |
|
| 44 | + * @param ISession $session |
|
| 45 | + */ |
|
| 46 | + public function setSession(ISession $session) { |
|
| 47 | + $this->session = $session; |
|
| 48 | + } |
|
| 49 | 49 | |
| 50 | - /** |
|
| 51 | - * Returns the current token or throws an exception if none is found. |
|
| 52 | - * |
|
| 53 | - * @return string |
|
| 54 | - * @throws \Exception |
|
| 55 | - */ |
|
| 56 | - public function getToken() { |
|
| 57 | - $token = $this->session->get('requesttoken'); |
|
| 58 | - if(empty($token)) { |
|
| 59 | - throw new \Exception('Session does not contain a requesttoken'); |
|
| 60 | - } |
|
| 50 | + /** |
|
| 51 | + * Returns the current token or throws an exception if none is found. |
|
| 52 | + * |
|
| 53 | + * @return string |
|
| 54 | + * @throws \Exception |
|
| 55 | + */ |
|
| 56 | + public function getToken() { |
|
| 57 | + $token = $this->session->get('requesttoken'); |
|
| 58 | + if(empty($token)) { |
|
| 59 | + throw new \Exception('Session does not contain a requesttoken'); |
|
| 60 | + } |
|
| 61 | 61 | |
| 62 | - return $token; |
|
| 63 | - } |
|
| 62 | + return $token; |
|
| 63 | + } |
|
| 64 | 64 | |
| 65 | - /** |
|
| 66 | - * Set the valid current token to $value. |
|
| 67 | - * |
|
| 68 | - * @param string $value |
|
| 69 | - */ |
|
| 70 | - public function setToken($value) { |
|
| 71 | - $this->session->set('requesttoken', $value); |
|
| 72 | - } |
|
| 65 | + /** |
|
| 66 | + * Set the valid current token to $value. |
|
| 67 | + * |
|
| 68 | + * @param string $value |
|
| 69 | + */ |
|
| 70 | + public function setToken($value) { |
|
| 71 | + $this->session->set('requesttoken', $value); |
|
| 72 | + } |
|
| 73 | 73 | |
| 74 | - /** |
|
| 75 | - * Removes the current token. |
|
| 76 | - */ |
|
| 77 | - public function removeToken() { |
|
| 78 | - $this->session->remove('requesttoken'); |
|
| 79 | - } |
|
| 80 | - /** |
|
| 81 | - * Whether the storage has a storage. |
|
| 82 | - * |
|
| 83 | - * @return bool |
|
| 84 | - */ |
|
| 85 | - public function hasToken() { |
|
| 86 | - return $this->session->exists('requesttoken'); |
|
| 87 | - } |
|
| 74 | + /** |
|
| 75 | + * Removes the current token. |
|
| 76 | + */ |
|
| 77 | + public function removeToken() { |
|
| 78 | + $this->session->remove('requesttoken'); |
|
| 79 | + } |
|
| 80 | + /** |
|
| 81 | + * Whether the storage has a storage. |
|
| 82 | + * |
|
| 83 | + * @return bool |
|
| 84 | + */ |
|
| 85 | + public function hasToken() { |
|
| 86 | + return $this->session->exists('requesttoken'); |
|
| 87 | + } |
|
| 88 | 88 | } |
