Inspection of "Fix casing of same origin frame option" - nextcloud/server - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#4324)

by Joas

created 2017-04-12 10:38 UTC

Status

Indentation +226 added lines, -226 removed lines patch added patch discarded remove patch

@@ -29,245 +29,245 @@
 block discarded – undo
  */
 
 class OC_Response {
-	const STATUS_FOUND = 304;
-	const STATUS_NOT_MODIFIED = 304;
-	const STATUS_TEMPORARY_REDIRECT = 307;
-	const STATUS_BAD_REQUEST = 400;
-	const STATUS_FORBIDDEN = 403;
-	const STATUS_NOT_FOUND = 404;
-	const STATUS_INTERNAL_SERVER_ERROR = 500;
-	const STATUS_SERVICE_UNAVAILABLE = 503;
+    const STATUS_FOUND = 304;
+    const STATUS_NOT_MODIFIED = 304;
+    const STATUS_TEMPORARY_REDIRECT = 307;
+    const STATUS_BAD_REQUEST = 400;
+    const STATUS_FORBIDDEN = 403;
+    const STATUS_NOT_FOUND = 404;
+    const STATUS_INTERNAL_SERVER_ERROR = 500;
+    const STATUS_SERVICE_UNAVAILABLE = 503;
 
-	/**
-	* Enable response caching by sending correct HTTP headers
-	* @param integer $cache_time time to cache the response
-	*  >0		cache time in seconds
-	*  0 and <0	enable default browser caching
-	*  null		cache indefinitely
-	*/
-	static public function enableCaching($cache_time = null) {
-		if (is_numeric($cache_time)) {
-			header('Pragma: public');// enable caching in IE
-			if ($cache_time > 0) {
-				self::setExpiresHeader('PT'.$cache_time.'S');
-				header('Cache-Control: max-age='.$cache_time.', must-revalidate');
-			}
-			else {
-				self::setExpiresHeader(0);
-				header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
-			}
-		}
-		else {
-			header('Cache-Control: cache');
-			header('Pragma: cache');
-		}
+    /**
+     * Enable response caching by sending correct HTTP headers
+     * @param integer $cache_time time to cache the response
+     *  >0		cache time in seconds
+     *  0 and <0	enable default browser caching
+     *  null		cache indefinitely
+     */
+    static public function enableCaching($cache_time = null) {
+        if (is_numeric($cache_time)) {
+            header('Pragma: public');// enable caching in IE
+            if ($cache_time > 0) {
+                self::setExpiresHeader('PT'.$cache_time.'S');
+                header('Cache-Control: max-age='.$cache_time.', must-revalidate');
+            }
+            else {
+                self::setExpiresHeader(0);
+                header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
+            }
+        }
+        else {
+            header('Cache-Control: cache');
+            header('Pragma: cache');
+        }
 
-	}
+    }
 
-	/**
-	* disable browser caching
-	* @see enableCaching with cache_time = 0
-	*/
-	static public function disableCaching() {
-		self::enableCaching(0);
-	}
+    /**
+     * disable browser caching
+     * @see enableCaching with cache_time = 0
+     */
+    static public function disableCaching() {
+        self::enableCaching(0);
+    }
 
-	/**
-	* Set response status
-	* @param int $status a HTTP status code, see also the STATUS constants
-	*/
-	static public function setStatus($status) {
-		$protocol = \OC::$server->getRequest()->getHttpProtocol();
-		switch($status) {
-			case self::STATUS_NOT_MODIFIED:
-				$status = $status . ' Not Modified';
-				break;
-			case self::STATUS_TEMPORARY_REDIRECT:
-				if ($protocol == 'HTTP/1.1') {
-					$status = $status . ' Temporary Redirect';
-					break;
-				} else {
-					$status = self::STATUS_FOUND;
-					// fallthrough
-				}
-			case self::STATUS_FOUND;
-				$status = $status . ' Found';
-				break;
-			case self::STATUS_NOT_FOUND;
-				$status = $status . ' Not Found';
-				break;
-			case self::STATUS_INTERNAL_SERVER_ERROR;
-				$status = $status . ' Internal Server Error';
-				break;
-			case self::STATUS_SERVICE_UNAVAILABLE;
-				$status = $status . ' Service Unavailable';
-				break;
-		}
-		header($protocol.' '.$status);
-	}
+    /**
+     * Set response status
+     * @param int $status a HTTP status code, see also the STATUS constants
+     */
+    static public function setStatus($status) {
+        $protocol = \OC::$server->getRequest()->getHttpProtocol();
+        switch($status) {
+            case self::STATUS_NOT_MODIFIED:
+                $status = $status . ' Not Modified';
+                break;
+            case self::STATUS_TEMPORARY_REDIRECT:
+                if ($protocol == 'HTTP/1.1') {
+                    $status = $status . ' Temporary Redirect';
+                    break;
+                } else {
+                    $status = self::STATUS_FOUND;
+                    // fallthrough
+                }
+            case self::STATUS_FOUND;
+                $status = $status . ' Found';
+                break;
+            case self::STATUS_NOT_FOUND;
+                $status = $status . ' Not Found';
+                break;
+            case self::STATUS_INTERNAL_SERVER_ERROR;
+                $status = $status . ' Internal Server Error';
+                break;
+            case self::STATUS_SERVICE_UNAVAILABLE;
+                $status = $status . ' Service Unavailable';
+                break;
+        }
+        header($protocol.' '.$status);
+    }
 
-	/**
-	* Send redirect response
-	* @param string $location to redirect to
-	*/
-	static public function redirect($location) {
-		self::setStatus(self::STATUS_TEMPORARY_REDIRECT);
-		header('Location: '.$location);
-	}
+    /**
+     * Send redirect response
+     * @param string $location to redirect to
+     */
+    static public function redirect($location) {
+        self::setStatus(self::STATUS_TEMPORARY_REDIRECT);
+        header('Location: '.$location);
+    }
 
-	/**
-	* Set response expire time
-	* @param string|DateTime $expires date-time when the response expires
-	*  string for DateInterval from now
-	*  DateTime object when to expire response
-	*/
-	static public function setExpiresHeader($expires) {
-		if (is_string($expires) && $expires[0] == 'P') {
-			$interval = $expires;
-			$expires = new DateTime('now');
-			$expires->add(new DateInterval($interval));
-		}
-		if ($expires instanceof DateTime) {
-			$expires->setTimezone(new DateTimeZone('GMT'));
-			$expires = $expires->format(DateTime::RFC2822);
-		}
-		header('Expires: '.$expires);
-	}
+    /**
+     * Set response expire time
+     * @param string|DateTime $expires date-time when the response expires
+     *  string for DateInterval from now
+     *  DateTime object when to expire response
+     */
+    static public function setExpiresHeader($expires) {
+        if (is_string($expires) && $expires[0] == 'P') {
+            $interval = $expires;
+            $expires = new DateTime('now');
+            $expires->add(new DateInterval($interval));
+        }
+        if ($expires instanceof DateTime) {
+            $expires->setTimezone(new DateTimeZone('GMT'));
+            $expires = $expires->format(DateTime::RFC2822);
+        }
+        header('Expires: '.$expires);
+    }
 
-	/**
-	* Checks and set ETag header, when the request matches sends a
-	* 'not modified' response
-	* @param string $etag token to use for modification check
-	*/
-	static public function setETagHeader($etag) {
-		if (empty($etag)) {
-			return;
-		}
-		$etag = '"'.$etag.'"';
-		if (isset($_SERVER['HTTP_IF_NONE_MATCH']) &&
-		    trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag) {
-			self::setStatus(self::STATUS_NOT_MODIFIED);
-			exit;
-		}
-		header('ETag: '.$etag);
-	}
+    /**
+     * Checks and set ETag header, when the request matches sends a
+     * 'not modified' response
+     * @param string $etag token to use for modification check
+     */
+    static public function setETagHeader($etag) {
+        if (empty($etag)) {
+            return;
+        }
+        $etag = '"'.$etag.'"';
+        if (isset($_SERVER['HTTP_IF_NONE_MATCH']) &&
+            trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag) {
+            self::setStatus(self::STATUS_NOT_MODIFIED);
+            exit;
+        }
+        header('ETag: '.$etag);
+    }
 
-	/**
-	* Checks and set Last-Modified header, when the request matches sends a
-	* 'not modified' response
-	* @param int|DateTime|string $lastModified time when the response was last modified
-	*/
-	static public function setLastModifiedHeader($lastModified) {
-		if (empty($lastModified)) {
-			return;
-		}
-		if (is_int($lastModified)) {
-			$lastModified = gmdate(DateTime::RFC2822, $lastModified);
-		}
-		if ($lastModified instanceof DateTime) {
-			$lastModified = $lastModified->format(DateTime::RFC2822);
-		}
-		if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) &&
-		    trim($_SERVER['HTTP_IF_MODIFIED_SINCE']) == $lastModified) {
-			self::setStatus(self::STATUS_NOT_MODIFIED);
-			exit;
-		}
-		header('Last-Modified: '.$lastModified);
-	}
+    /**
+     * Checks and set Last-Modified header, when the request matches sends a
+     * 'not modified' response
+     * @param int|DateTime|string $lastModified time when the response was last modified
+     */
+    static public function setLastModifiedHeader($lastModified) {
+        if (empty($lastModified)) {
+            return;
+        }
+        if (is_int($lastModified)) {
+            $lastModified = gmdate(DateTime::RFC2822, $lastModified);
+        }
+        if ($lastModified instanceof DateTime) {
+            $lastModified = $lastModified->format(DateTime::RFC2822);
+        }
+        if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) &&
+            trim($_SERVER['HTTP_IF_MODIFIED_SINCE']) == $lastModified) {
+            self::setStatus(self::STATUS_NOT_MODIFIED);
+            exit;
+        }
+        header('Last-Modified: '.$lastModified);
+    }
 
-	/**
-	 * Sets the content disposition header (with possible workarounds)
-	 * @param string $filename file name
-	 * @param string $type disposition type, either 'attachment' or 'inline'
-	 */
-	static public function setContentDispositionHeader( $filename, $type = 'attachment' ) {
-		if (\OC::$server->getRequest()->isUserAgent(
-			[
-				\OC\AppFramework\Http\Request::USER_AGENT_IE,
-				\OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,
-				\OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,
-			])) {
-			header( 'Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode( $filename ) . '"' );
-		} else {
-			header( 'Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode( $filename )
-												 . '; filename="' . rawurlencode( $filename ) . '"' );
-		}
-	}
+    /**
+     * Sets the content disposition header (with possible workarounds)
+     * @param string $filename file name
+     * @param string $type disposition type, either 'attachment' or 'inline'
+     */
+    static public function setContentDispositionHeader( $filename, $type = 'attachment' ) {
+        if (\OC::$server->getRequest()->isUserAgent(
+            [
+                \OC\AppFramework\Http\Request::USER_AGENT_IE,
+                \OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,
+                \OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,
+            ])) {
+            header( 'Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode( $filename ) . '"' );
+        } else {
+            header( 'Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode( $filename )
+                                                    . '; filename="' . rawurlencode( $filename ) . '"' );
+        }
+    }
 
-	/**
-	 * Sets the content length header (with possible workarounds)
-	 * @param string|int|float $length Length to be sent
-	 */
-	static public function setContentLengthHeader($length) {
-		if (PHP_INT_SIZE === 4) {
-			if ($length > PHP_INT_MAX && stripos(PHP_SAPI, 'apache') === 0) {
-				// Apache PHP SAPI casts Content-Length headers to PHP integers.
-				// This enforces a limit of PHP_INT_MAX (2147483647 on 32-bit
-				// platforms). So, if the length is greater than PHP_INT_MAX,
-				// we just do not send a Content-Length header to prevent
-				// bodies from being received incompletely.
-				return;
-			}
-			// Convert signed integer or float to unsigned base-10 string.
-			$lfh = new \OC\LargeFileHelper;
-			$length = $lfh->formatUnsignedInteger($length);
-		}
-		header('Content-Length: '.$length);
-	}
+    /**
+     * Sets the content length header (with possible workarounds)
+     * @param string|int|float $length Length to be sent
+     */
+    static public function setContentLengthHeader($length) {
+        if (PHP_INT_SIZE === 4) {
+            if ($length > PHP_INT_MAX && stripos(PHP_SAPI, 'apache') === 0) {
+                // Apache PHP SAPI casts Content-Length headers to PHP integers.
+                // This enforces a limit of PHP_INT_MAX (2147483647 on 32-bit
+                // platforms). So, if the length is greater than PHP_INT_MAX,
+                // we just do not send a Content-Length header to prevent
+                // bodies from being received incompletely.
+                return;
+            }
+            // Convert signed integer or float to unsigned base-10 string.
+            $lfh = new \OC\LargeFileHelper;
+            $length = $lfh->formatUnsignedInteger($length);
+        }
+        header('Content-Length: '.$length);
+    }
 
-	/**
-	 * Send file as response, checking and setting caching headers
-	 * @param string $filepath of file to send
-	 * @deprecated 8.1.0 - Use \OCP\AppFramework\Http\StreamResponse or another AppFramework controller instead
-	 */
-	static public function sendFile($filepath) {
-		$fp = fopen($filepath, 'rb');
-		if ($fp) {
-			self::setLastModifiedHeader(filemtime($filepath));
-			self::setETagHeader(md5_file($filepath));
+    /**
+     * Send file as response, checking and setting caching headers
+     * @param string $filepath of file to send
+     * @deprecated 8.1.0 - Use \OCP\AppFramework\Http\StreamResponse or another AppFramework controller instead
+     */
+    static public function sendFile($filepath) {
+        $fp = fopen($filepath, 'rb');
+        if ($fp) {
+            self::setLastModifiedHeader(filemtime($filepath));
+            self::setETagHeader(md5_file($filepath));
 
-			self::setContentLengthHeader(filesize($filepath));
-			fpassthru($fp);
-		}
-		else {
-			self::setStatus(self::STATUS_NOT_FOUND);
-		}
-	}
+            self::setContentLengthHeader(filesize($filepath));
+            fpassthru($fp);
+        }
+        else {
+            self::setStatus(self::STATUS_NOT_FOUND);
+        }
+    }
 
-	/**
-	 * This function adds some security related headers to all requests served via base.php
-	 * The implementation of this function has to happen here to ensure that all third-party
-	 * components (e.g. SabreDAV) also benefit from this headers.
-	 */
-	public static function addSecurityHeaders() {
-		/**
-		 * FIXME: Content Security Policy for legacy ownCloud components. This
-		 * can be removed once \OCP\AppFramework\Http\Response from the AppFramework
-		 * is used everywhere.
-		 * @see \OCP\AppFramework\Http\Response::getHeaders
-		 */
-		$policy = 'default-src \'self\'; '
-			. 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
-			. 'style-src \'self\' \'unsafe-inline\'; '
-			. 'frame-src *; '
-			. 'img-src * data: blob:; '
-			. 'font-src \'self\' data:; '
-			. 'media-src *; ' 
-			. 'connect-src *; '
-			. 'object-src \'none\'; '
-			. 'base-uri \'self\'; ';
-		header('Content-Security-Policy:' . $policy);
-		header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
+    /**
+     * This function adds some security related headers to all requests served via base.php
+     * The implementation of this function has to happen here to ensure that all third-party
+     * components (e.g. SabreDAV) also benefit from this headers.
+     */
+    public static function addSecurityHeaders() {
+        /**
+         * FIXME: Content Security Policy for legacy ownCloud components. This
+         * can be removed once \OCP\AppFramework\Http\Response from the AppFramework
+         * is used everywhere.
+         * @see \OCP\AppFramework\Http\Response::getHeaders
+         */
+        $policy = 'default-src \'self\'; '
+            . 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
+            . 'style-src \'self\' \'unsafe-inline\'; '
+            . 'frame-src *; '
+            . 'img-src * data: blob:; '
+            . 'font-src \'self\' data:; '
+            . 'media-src *; ' 
+            . 'connect-src *; '
+            . 'object-src \'none\'; '
+            . 'base-uri \'self\'; ';
+        header('Content-Security-Policy:' . $policy);
+        header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
 
-		// Send fallback headers for installations that don't have the possibility to send
-		// custom headers on the webserver side
-		if(getenv('modHeadersAvailable') !== 'true') {
-			header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
-			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
-			header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
-			header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
-			header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
-		}
-	}
+        // Send fallback headers for installations that don't have the possibility to send
+        // custom headers on the webserver side
+        if(getenv('modHeadersAvailable') !== 'true') {
+            header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
+            header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+            header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
+            header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
+            header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
+        }
+    }
 
 }

Please login to merge, or discard this patch.

Spacing +14 added lines, -14 removed lines patch added patch discarded remove patch

@@ -47,7 +47,7 @@  discard block
 block discarded – undo
 	*/
 	static public function enableCaching($cache_time = null) {
 		if (is_numeric($cache_time)) {
-			header('Pragma: public');// enable caching in IE
+			header('Pragma: public'); // enable caching in IE
 			if ($cache_time > 0) {
 				self::setExpiresHeader('PT'.$cache_time.'S');
 				header('Cache-Control: max-age='.$cache_time.', must-revalidate');
@@ -78,29 +78,29 @@  discard block
 block discarded – undo
 	*/
 	static public function setStatus($status) {
 		$protocol = \OC::$server->getRequest()->getHttpProtocol();
-		switch($status) {
+		switch ($status) {
 			case self::STATUS_NOT_MODIFIED:
-				$status = $status . ' Not Modified';
+				$status = $status.' Not Modified';
 				break;
 			case self::STATUS_TEMPORARY_REDIRECT:
 				if ($protocol == 'HTTP/1.1') {
-					$status = $status . ' Temporary Redirect';
+					$status = $status.' Temporary Redirect';
 					break;
 				} else {
 					$status = self::STATUS_FOUND;
 					// fallthrough
 				}
 			case self::STATUS_FOUND;
-				$status = $status . ' Found';
+				$status = $status.' Found';
 				break;
 			case self::STATUS_NOT_FOUND;
-				$status = $status . ' Not Found';
+				$status = $status.' Not Found';
 				break;
 			case self::STATUS_INTERNAL_SERVER_ERROR;
-				$status = $status . ' Internal Server Error';
+				$status = $status.' Internal Server Error';
 				break;
 			case self::STATUS_SERVICE_UNAVAILABLE;
-				$status = $status . ' Service Unavailable';
+				$status = $status.' Service Unavailable';
 				break;
 		}
 		header($protocol.' '.$status);
@@ -180,17 +180,17 @@  discard block
 block discarded – undo
 	 * @param string $filename file name
 	 * @param string $type disposition type, either 'attachment' or 'inline'
 	 */
-	static public function setContentDispositionHeader( $filename, $type = 'attachment' ) {
+	static public function setContentDispositionHeader($filename, $type = 'attachment') {
 		if (\OC::$server->getRequest()->isUserAgent(
 			[
 				\OC\AppFramework\Http\Request::USER_AGENT_IE,
 				\OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,
 				\OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,
 			])) {
-			header( 'Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode( $filename ) . '"' );
+			header('Content-Disposition: '.rawurlencode($type).'; filename="'.rawurlencode($filename).'"');
 		} else {
-			header( 'Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode( $filename )
-												 . '; filename="' . rawurlencode( $filename ) . '"' );
+			header('Content-Disposition: '.rawurlencode($type).'; filename*=UTF-8\'\''.rawurlencode($filename)
+												 . '; filename="'.rawurlencode($filename).'"');
 		}
 	}
 
@@ -256,12 +256,12 @@  discard block
 block discarded – undo
 			. 'connect-src *; '
 			. 'object-src \'none\'; '
 			. 'base-uri \'self\'; ';
-		header('Content-Security-Policy:' . $policy);
+		header('Content-Security-Policy:'.$policy);
 		header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
 
 		// Send fallback headers for installations that don't have the possibility to send
 		// custom headers on the webserver side
-		if(getenv('modHeadersAvailable') !== 'true') {
+		if (getenv('modHeadersAvailable') !== 'true') {
 			header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
 			header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
 			header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag

Please login to merge, or discard this patch.

		@@ -47,7 +47,7 @@ discard block
		block discarded – undo
47	47	*/
48	48	static public function enableCaching($cache_time = null) {
49	49	if (is_numeric($cache_time)) {
50		- header('Pragma: public');// enable caching in IE
	50	+ header('Pragma: public'); // enable caching in IE
51	51	if ($cache_time > 0) {
52	52	self::setExpiresHeader('PT'.$cache_time.'S');
53	53	header('Cache-Control: max-age='.$cache_time.', must-revalidate');
		@@ -78,29 +78,29 @@ discard block
		block discarded – undo
78	78	*/
79	79	static public function setStatus($status) {
80	80	$protocol = \OC::$server->getRequest()->getHttpProtocol();
81		- switch($status) {
	81	+ switch ($status) {
82	82	case self::STATUS_NOT_MODIFIED:
83		- $status = $status . ' Not Modified';
	83	+ $status = $status.' Not Modified';
84	84	break;
85	85	case self::STATUS_TEMPORARY_REDIRECT:
86	86	if ($protocol == 'HTTP/1.1') {
87		- $status = $status . ' Temporary Redirect';
	87	+ $status = $status.' Temporary Redirect';
88	88	break;
89	89	} else {
90	90	$status = self::STATUS_FOUND;
91	91	// fallthrough
92	92	}
93	93	case self::STATUS_FOUND;
94		- $status = $status . ' Found';
	94	+ $status = $status.' Found';
95	95	break;
96	96	case self::STATUS_NOT_FOUND;
97		- $status = $status . ' Not Found';
	97	+ $status = $status.' Not Found';
98	98	break;
99	99	case self::STATUS_INTERNAL_SERVER_ERROR;
100		- $status = $status . ' Internal Server Error';
	100	+ $status = $status.' Internal Server Error';
101	101	break;
102	102	case self::STATUS_SERVICE_UNAVAILABLE;
103		- $status = $status . ' Service Unavailable';
	103	+ $status = $status.' Service Unavailable';
104	104	break;
105	105	}
106	106	header($protocol.' '.$status);
		@@ -180,17 +180,17 @@ discard block
		block discarded – undo
180	180	* @param string $filename file name
181	181	* @param string $type disposition type, either 'attachment' or 'inline'
182	182	*/
183		- static public function setContentDispositionHeader( $filename, $type = 'attachment' ) {
	183	+ static public function setContentDispositionHeader($filename, $type = 'attachment') {
184	184	if (\OC::$server->getRequest()->isUserAgent(
185	185	[
186	186	\OC\AppFramework\Http\Request::USER_AGENT_IE,
187	187	\OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,
188	188	\OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,
189	189	])) {
190		- header( 'Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode( $filename ) . '"' );
	190	+ header('Content-Disposition: '.rawurlencode($type).'; filename="'.rawurlencode($filename).'"');
191	191	} else {
192		- header( 'Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode( $filename )
193		- . '; filename="' . rawurlencode( $filename ) . '"' );
	192	+ header('Content-Disposition: '.rawurlencode($type).'; filename*=UTF-8\'\''.rawurlencode($filename)
	193	+ . '; filename="'.rawurlencode($filename).'"');
194	194	}
195	195	}
196	196
		@@ -256,12 +256,12 @@ discard block
		block discarded – undo
256	256	. 'connect-src *; '
257	257	. 'object-src \'none\'; '
258	258	. 'base-uri \'self\'; ';
259		- header('Content-Security-Policy:' . $policy);
	259	+ header('Content-Security-Policy:'.$policy);
260	260	header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
261	261
262	262	// Send fallback headers for installations that don't have the possibility to send
263	263	// custom headers on the webserver side
264		- if(getenv('modHeadersAvailable') !== 'true') {
	264	+ if (getenv('modHeadersAvailable') !== 'true') {
265	265	header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
266	266	header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
267	267	header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag

		@@ -29,245 +29,245 @@
		block discarded – undo
29	29	*/
30	30
31	31	class OC_Response {
32		- const STATUS_FOUND = 304;
33		- const STATUS_NOT_MODIFIED = 304;
34		- const STATUS_TEMPORARY_REDIRECT = 307;
35		- const STATUS_BAD_REQUEST = 400;
36		- const STATUS_FORBIDDEN = 403;
37		- const STATUS_NOT_FOUND = 404;
38		- const STATUS_INTERNAL_SERVER_ERROR = 500;
39		- const STATUS_SERVICE_UNAVAILABLE = 503;
	32	+ const STATUS_FOUND = 304;
	33	+ const STATUS_NOT_MODIFIED = 304;
	34	+ const STATUS_TEMPORARY_REDIRECT = 307;
	35	+ const STATUS_BAD_REQUEST = 400;
	36	+ const STATUS_FORBIDDEN = 403;
	37	+ const STATUS_NOT_FOUND = 404;
	38	+ const STATUS_INTERNAL_SERVER_ERROR = 500;
	39	+ const STATUS_SERVICE_UNAVAILABLE = 503;
40	40
41		- /**
42		- * Enable response caching by sending correct HTTP headers
43		- * @param integer $cache_time time to cache the response
44		- * >0 cache time in seconds
45		- * 0 and <0 enable default browser caching
46		- * null cache indefinitely
47		- */
48		- static public function enableCaching($cache_time = null) {
49		- if (is_numeric($cache_time)) {
50		- header('Pragma: public');// enable caching in IE
51		- if ($cache_time > 0) {
52		- self::setExpiresHeader('PT'.$cache_time.'S');
53		- header('Cache-Control: max-age='.$cache_time.', must-revalidate');
54		- }
55		- else {
56		- self::setExpiresHeader(0);
57		- header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
58		- }
59		- }
60		- else {
61		- header('Cache-Control: cache');
62		- header('Pragma: cache');
63		- }
	41	+ /**
	42	+ * Enable response caching by sending correct HTTP headers
	43	+ * @param integer $cache_time time to cache the response
	44	+ * >0 cache time in seconds
	45	+ * 0 and <0 enable default browser caching
	46	+ * null cache indefinitely
	47	+ */
	48	+ static public function enableCaching($cache_time = null) {
	49	+ if (is_numeric($cache_time)) {
	50	+ header('Pragma: public');// enable caching in IE
	51	+ if ($cache_time > 0) {
	52	+ self::setExpiresHeader('PT'.$cache_time.'S');
	53	+ header('Cache-Control: max-age='.$cache_time.', must-revalidate');
	54	+ }
	55	+ else {
	56	+ self::setExpiresHeader(0);
	57	+ header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
	58	+ }
	59	+ }
	60	+ else {
	61	+ header('Cache-Control: cache');
	62	+ header('Pragma: cache');
	63	+ }
64	64
65		- }
	65	+ }
66	66
67		- /**
68		- * disable browser caching
69		- * @see enableCaching with cache_time = 0
70		- */
71		- static public function disableCaching() {
72		- self::enableCaching(0);
73		- }
	67	+ /**
	68	+ * disable browser caching
	69	+ * @see enableCaching with cache_time = 0
	70	+ */
	71	+ static public function disableCaching() {
	72	+ self::enableCaching(0);
	73	+ }
74	74
75		- /**
76		- * Set response status
77		- * @param int $status a HTTP status code, see also the STATUS constants
78		- */
79		- static public function setStatus($status) {
80		- $protocol = \OC::$server->getRequest()->getHttpProtocol();
81		- switch($status) {
82		- case self::STATUS_NOT_MODIFIED:
83		- $status = $status . ' Not Modified';
84		- break;
85		- case self::STATUS_TEMPORARY_REDIRECT:
86		- if ($protocol == 'HTTP/1.1') {
87		- $status = $status . ' Temporary Redirect';
88		- break;
89		- } else {
90		- $status = self::STATUS_FOUND;
91		- // fallthrough
92		- }
93		- case self::STATUS_FOUND;
94		- $status = $status . ' Found';
95		- break;
96		- case self::STATUS_NOT_FOUND;
97		- $status = $status . ' Not Found';
98		- break;
99		- case self::STATUS_INTERNAL_SERVER_ERROR;
100		- $status = $status . ' Internal Server Error';
101		- break;
102		- case self::STATUS_SERVICE_UNAVAILABLE;
103		- $status = $status . ' Service Unavailable';
104		- break;
105		- }
106		- header($protocol.' '.$status);
107		- }
	75	+ /**
	76	+ * Set response status
	77	+ * @param int $status a HTTP status code, see also the STATUS constants
	78	+ */
	79	+ static public function setStatus($status) {
	80	+ $protocol = \OC::$server->getRequest()->getHttpProtocol();
	81	+ switch($status) {
	82	+ case self::STATUS_NOT_MODIFIED:
	83	+ $status = $status . ' Not Modified';
	84	+ break;
	85	+ case self::STATUS_TEMPORARY_REDIRECT:
	86	+ if ($protocol == 'HTTP/1.1') {
	87	+ $status = $status . ' Temporary Redirect';
	88	+ break;
	89	+ } else {
	90	+ $status = self::STATUS_FOUND;
	91	+ // fallthrough
	92	+ }
	93	+ case self::STATUS_FOUND;
	94	+ $status = $status . ' Found';
	95	+ break;
	96	+ case self::STATUS_NOT_FOUND;
	97	+ $status = $status . ' Not Found';
	98	+ break;
	99	+ case self::STATUS_INTERNAL_SERVER_ERROR;
	100	+ $status = $status . ' Internal Server Error';
	101	+ break;
	102	+ case self::STATUS_SERVICE_UNAVAILABLE;
	103	+ $status = $status . ' Service Unavailable';
	104	+ break;
	105	+ }
	106	+ header($protocol.' '.$status);
	107	+ }
108	108
109		- /**
110		- * Send redirect response
111		- * @param string $location to redirect to
112		- */
113		- static public function redirect($location) {
114		- self::setStatus(self::STATUS_TEMPORARY_REDIRECT);
115		- header('Location: '.$location);
116		- }
	109	+ /**
	110	+ * Send redirect response
	111	+ * @param string $location to redirect to
	112	+ */
	113	+ static public function redirect($location) {
	114	+ self::setStatus(self::STATUS_TEMPORARY_REDIRECT);
	115	+ header('Location: '.$location);
	116	+ }
117	117
118		- /**
119		- * Set response expire time
120		- * @param string\|DateTime $expires date-time when the response expires
121		- * string for DateInterval from now
122		- * DateTime object when to expire response
123		- */
124		- static public function setExpiresHeader($expires) {
125		- if (is_string($expires) && $expires[0] == 'P') {
126		- $interval = $expires;
127		- $expires = new DateTime('now');
128		- $expires->add(new DateInterval($interval));
129		- }
130		- if ($expires instanceof DateTime) {
131		- $expires->setTimezone(new DateTimeZone('GMT'));
132		- $expires = $expires->format(DateTime::RFC2822);
133		- }
134		- header('Expires: '.$expires);
135		- }
	118	+ /**
	119	+ * Set response expire time
	120	+ * @param string\|DateTime $expires date-time when the response expires
	121	+ * string for DateInterval from now
	122	+ * DateTime object when to expire response
	123	+ */
	124	+ static public function setExpiresHeader($expires) {
	125	+ if (is_string($expires) && $expires[0] == 'P') {
	126	+ $interval = $expires;
	127	+ $expires = new DateTime('now');
	128	+ $expires->add(new DateInterval($interval));
	129	+ }
	130	+ if ($expires instanceof DateTime) {
	131	+ $expires->setTimezone(new DateTimeZone('GMT'));
	132	+ $expires = $expires->format(DateTime::RFC2822);
	133	+ }
	134	+ header('Expires: '.$expires);
	135	+ }
136	136
137		- /**
138		- * Checks and set ETag header, when the request matches sends a
139		- * 'not modified' response
140		- * @param string $etag token to use for modification check
141		- */
142		- static public function setETagHeader($etag) {
143		- if (empty($etag)) {
144		- return;
145		- }
146		- $etag = '"'.$etag.'"';
147		- if (isset($_SERVER['HTTP_IF_NONE_MATCH']) &&
148		- trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag) {
149		- self::setStatus(self::STATUS_NOT_MODIFIED);
150		- exit;
151		- }
152		- header('ETag: '.$etag);
153		- }
	137	+ /**
	138	+ * Checks and set ETag header, when the request matches sends a
	139	+ * 'not modified' response
	140	+ * @param string $etag token to use for modification check
	141	+ */
	142	+ static public function setETagHeader($etag) {
	143	+ if (empty($etag)) {
	144	+ return;
	145	+ }
	146	+ $etag = '"'.$etag.'"';
	147	+ if (isset($_SERVER['HTTP_IF_NONE_MATCH']) &&
	148	+ trim($_SERVER['HTTP_IF_NONE_MATCH']) == $etag) {
	149	+ self::setStatus(self::STATUS_NOT_MODIFIED);
	150	+ exit;
	151	+ }
	152	+ header('ETag: '.$etag);
	153	+ }
154	154
155		- /**
156		- * Checks and set Last-Modified header, when the request matches sends a
157		- * 'not modified' response
158		- * @param int\|DateTime\|string $lastModified time when the response was last modified
159		- */
160		- static public function setLastModifiedHeader($lastModified) {
161		- if (empty($lastModified)) {
162		- return;
163		- }
164		- if (is_int($lastModified)) {
165		- $lastModified = gmdate(DateTime::RFC2822, $lastModified);
166		- }
167		- if ($lastModified instanceof DateTime) {
168		- $lastModified = $lastModified->format(DateTime::RFC2822);
169		- }
170		- if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) &&
171		- trim($_SERVER['HTTP_IF_MODIFIED_SINCE']) == $lastModified) {
172		- self::setStatus(self::STATUS_NOT_MODIFIED);
173		- exit;
174		- }
175		- header('Last-Modified: '.$lastModified);
176		- }
	155	+ /**
	156	+ * Checks and set Last-Modified header, when the request matches sends a
	157	+ * 'not modified' response
	158	+ * @param int\|DateTime\|string $lastModified time when the response was last modified
	159	+ */
	160	+ static public function setLastModifiedHeader($lastModified) {
	161	+ if (empty($lastModified)) {
	162	+ return;
	163	+ }
	164	+ if (is_int($lastModified)) {
	165	+ $lastModified = gmdate(DateTime::RFC2822, $lastModified);
	166	+ }
	167	+ if ($lastModified instanceof DateTime) {
	168	+ $lastModified = $lastModified->format(DateTime::RFC2822);
	169	+ }
	170	+ if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) &&
	171	+ trim($_SERVER['HTTP_IF_MODIFIED_SINCE']) == $lastModified) {
	172	+ self::setStatus(self::STATUS_NOT_MODIFIED);
	173	+ exit;
	174	+ }
	175	+ header('Last-Modified: '.$lastModified);
	176	+ }
177	177
178		- /**
179		- * Sets the content disposition header (with possible workarounds)
180		- * @param string $filename file name
181		- * @param string $type disposition type, either 'attachment' or 'inline'
182		- */
183		- static public function setContentDispositionHeader( $filename, $type = 'attachment' ) {
184		- if (\OC::$server->getRequest()->isUserAgent(
185		- [
186		- \OC\AppFramework\Http\Request::USER_AGENT_IE,
187		- \OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,
188		- \OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,
189		- ])) {
190		- header( 'Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode( $filename ) . '"' );
191		- } else {
192		- header( 'Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode( $filename )
193		- . '; filename="' . rawurlencode( $filename ) . '"' );
194		- }
195		- }
	178	+ /**
	179	+ * Sets the content disposition header (with possible workarounds)
	180	+ * @param string $filename file name
	181	+ * @param string $type disposition type, either 'attachment' or 'inline'
	182	+ */
	183	+ static public function setContentDispositionHeader( $filename, $type = 'attachment' ) {
	184	+ if (\OC::$server->getRequest()->isUserAgent(
	185	+ [
	186	+ \OC\AppFramework\Http\Request::USER_AGENT_IE,
	187	+ \OC\AppFramework\Http\Request::USER_AGENT_ANDROID_MOBILE_CHROME,
	188	+ \OC\AppFramework\Http\Request::USER_AGENT_FREEBOX,
	189	+ ])) {
	190	+ header( 'Content-Disposition: ' . rawurlencode($type) . '; filename="' . rawurlencode( $filename ) . '"' );
	191	+ } else {
	192	+ header( 'Content-Disposition: ' . rawurlencode($type) . '; filename*=UTF-8\'\'' . rawurlencode( $filename )
	193	+ . '; filename="' . rawurlencode( $filename ) . '"' );
	194	+ }
	195	+ }
196	196
197		- /**
198		- * Sets the content length header (with possible workarounds)
199		- * @param string\|int\|float $length Length to be sent
200		- */
201		- static public function setContentLengthHeader($length) {
202		- if (PHP_INT_SIZE === 4) {
203		- if ($length > PHP_INT_MAX && stripos(PHP_SAPI, 'apache') === 0) {
204		- // Apache PHP SAPI casts Content-Length headers to PHP integers.
205		- // This enforces a limit of PHP_INT_MAX (2147483647 on 32-bit
206		- // platforms). So, if the length is greater than PHP_INT_MAX,
207		- // we just do not send a Content-Length header to prevent
208		- // bodies from being received incompletely.
209		- return;
210		- }
211		- // Convert signed integer or float to unsigned base-10 string.
212		- $lfh = new \OC\LargeFileHelper;
213		- $length = $lfh->formatUnsignedInteger($length);
214		- }
215		- header('Content-Length: '.$length);
216		- }
	197	+ /**
	198	+ * Sets the content length header (with possible workarounds)
	199	+ * @param string\|int\|float $length Length to be sent
	200	+ */
	201	+ static public function setContentLengthHeader($length) {
	202	+ if (PHP_INT_SIZE === 4) {
	203	+ if ($length > PHP_INT_MAX && stripos(PHP_SAPI, 'apache') === 0) {
	204	+ // Apache PHP SAPI casts Content-Length headers to PHP integers.
	205	+ // This enforces a limit of PHP_INT_MAX (2147483647 on 32-bit
	206	+ // platforms). So, if the length is greater than PHP_INT_MAX,
	207	+ // we just do not send a Content-Length header to prevent
	208	+ // bodies from being received incompletely.
	209	+ return;
	210	+ }
	211	+ // Convert signed integer or float to unsigned base-10 string.
	212	+ $lfh = new \OC\LargeFileHelper;
	213	+ $length = $lfh->formatUnsignedInteger($length);
	214	+ }
	215	+ header('Content-Length: '.$length);
	216	+ }
217	217
218		- /**
219		- * Send file as response, checking and setting caching headers
220		- * @param string $filepath of file to send
221		- * @deprecated 8.1.0 - Use \OCP\AppFramework\Http\StreamResponse or another AppFramework controller instead
222		- */
223		- static public function sendFile($filepath) {
224		- $fp = fopen($filepath, 'rb');
225		- if ($fp) {
226		- self::setLastModifiedHeader(filemtime($filepath));
227		- self::setETagHeader(md5_file($filepath));
	218	+ /**
	219	+ * Send file as response, checking and setting caching headers
	220	+ * @param string $filepath of file to send
	221	+ * @deprecated 8.1.0 - Use \OCP\AppFramework\Http\StreamResponse or another AppFramework controller instead
	222	+ */
	223	+ static public function sendFile($filepath) {
	224	+ $fp = fopen($filepath, 'rb');
	225	+ if ($fp) {
	226	+ self::setLastModifiedHeader(filemtime($filepath));
	227	+ self::setETagHeader(md5_file($filepath));
228	228
229		- self::setContentLengthHeader(filesize($filepath));
230		- fpassthru($fp);
231		- }
232		- else {
233		- self::setStatus(self::STATUS_NOT_FOUND);
234		- }
235		- }
	229	+ self::setContentLengthHeader(filesize($filepath));
	230	+ fpassthru($fp);
	231	+ }
	232	+ else {
	233	+ self::setStatus(self::STATUS_NOT_FOUND);
	234	+ }
	235	+ }
236	236
237		- /**
238		- * This function adds some security related headers to all requests served via base.php
239		- * The implementation of this function has to happen here to ensure that all third-party
240		- * components (e.g. SabreDAV) also benefit from this headers.
241		- */
242		- public static function addSecurityHeaders() {
243		- /**
244		- * FIXME: Content Security Policy for legacy ownCloud components. This
245		- * can be removed once \OCP\AppFramework\Http\Response from the AppFramework
246		- * is used everywhere.
247		- * @see \OCP\AppFramework\Http\Response::getHeaders
248		- */
249		- $policy = 'default-src \'self\'; '
250		- . 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
251		- . 'style-src \'self\' \'unsafe-inline\'; '
252		- . 'frame-src *; '
253		- . 'img-src * data: blob:; '
254		- . 'font-src \'self\' data:; '
255		- . 'media-src *; '
256		- . 'connect-src *; '
257		- . 'object-src \'none\'; '
258		- . 'base-uri \'self\'; ';
259		- header('Content-Security-Policy:' . $policy);
260		- header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
	237	+ /**
	238	+ * This function adds some security related headers to all requests served via base.php
	239	+ * The implementation of this function has to happen here to ensure that all third-party
	240	+ * components (e.g. SabreDAV) also benefit from this headers.
	241	+ */
	242	+ public static function addSecurityHeaders() {
	243	+ /**
	244	+ * FIXME: Content Security Policy for legacy ownCloud components. This
	245	+ * can be removed once \OCP\AppFramework\Http\Response from the AppFramework
	246	+ * is used everywhere.
	247	+ * @see \OCP\AppFramework\Http\Response::getHeaders
	248	+ */
	249	+ $policy = 'default-src \'self\'; '
	250	+ . 'script-src \'self\' \'unsafe-eval\' \'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\'; '
	251	+ . 'style-src \'self\' \'unsafe-inline\'; '
	252	+ . 'frame-src *; '
	253	+ . 'img-src * data: blob:; '
	254	+ . 'font-src \'self\' data:; '
	255	+ . 'media-src *; '
	256	+ . 'connect-src *; '
	257	+ . 'object-src \'none\'; '
	258	+ . 'base-uri \'self\'; ';
	259	+ header('Content-Security-Policy:' . $policy);
	260	+ header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
261	261
262		- // Send fallback headers for installations that don't have the possibility to send
263		- // custom headers on the webserver side
264		- if(getenv('modHeadersAvailable') !== 'true') {
265		- header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
266		- header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
267		- header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
268		- header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
269		- header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
270		- }
271		- }
	262	+ // Send fallback headers for installations that don't have the possibility to send
	263	+ // custom headers on the webserver side
	264	+ if(getenv('modHeadersAvailable') !== 'true') {
	265	+ header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
	266	+ header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
	267	+ header('X-Robots-Tag: none'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
	268	+ header('X-Download-Options: noopen'); // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
	269	+ header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
	270	+ }
	271	+ }
272	272
273	273	}

nextcloud / server

Pull Request — master (#4324)

Status

Category

Indentation +226 added lines, -226 removed lines patch added patch discarded remove patch

Spacing +14 added lines, -14 removed lines patch added patch discarded remove patch