nextcloud / server

lib/private/OCS/ApiHelper.php

Indentation +50 added lines, -50 removed lines

@@ -18,64 +18,64 @@
 use OCP\Server;
 
 class ApiHelper {
-	/**
-	 * Respond to a call
-	 * @psalm-taint-escape html
-	 * @param int $overrideHttpStatusCode force the HTTP status code, only used for the special case of maintenance mode which return 503 even for v1
-	 */
-	public static function respond(int $statusCode, string $statusMessage, array $headers = [], ?int $overrideHttpStatusCode = null): void {
-		$request = Server::get(IRequest::class);
-		$format = $request->getFormat() ?? 'xml';
+    /**
+     * Respond to a call
+     * @psalm-taint-escape html
+     * @param int $overrideHttpStatusCode force the HTTP status code, only used for the special case of maintenance mode which return 503 even for v1
+     */
+    public static function respond(int $statusCode, string $statusMessage, array $headers = [], ?int $overrideHttpStatusCode = null): void {
+        $request = Server::get(IRequest::class);
+        $format = $request->getFormat() ?? 'xml';
 
-		if (self::isV2($request)) {
-			$response = new V2Response(new DataResponse([], $statusCode, $headers), $format, $statusMessage);
-		} else {
-			$response = new V1Response(new DataResponse([], $statusCode, $headers), $format, $statusMessage);
-		}
+        if (self::isV2($request)) {
+            $response = new V2Response(new DataResponse([], $statusCode, $headers), $format, $statusMessage);
+        } else {
+            $response = new V1Response(new DataResponse([], $statusCode, $headers), $format, $statusMessage);
+        }
 
-		// Send 401 headers if unauthorised
-		if ($response->getOCSStatus() === OCSController::RESPOND_UNAUTHORISED) {
-			// If request comes from JS return dummy auth request
-			if ($request->getHeader('X-Requested-With') === 'XMLHttpRequest') {
-				header('WWW-Authenticate: DummyBasic realm="Authorisation Required"');
-			} else {
-				header('WWW-Authenticate: Basic realm="Authorisation Required"');
-			}
-			http_response_code(401);
-		}
+        // Send 401 headers if unauthorised
+        if ($response->getOCSStatus() === OCSController::RESPOND_UNAUTHORISED) {
+            // If request comes from JS return dummy auth request
+            if ($request->getHeader('X-Requested-With') === 'XMLHttpRequest') {
+                header('WWW-Authenticate: DummyBasic realm="Authorisation Required"');
+            } else {
+                header('WWW-Authenticate: Basic realm="Authorisation Required"');
+            }
+            http_response_code(401);
+        }
 
-		foreach ($response->getHeaders() as $name => $value) {
-			header($name . ': ' . $value);
-		}
+        foreach ($response->getHeaders() as $name => $value) {
+            header($name . ': ' . $value);
+        }
 
-		http_response_code($overrideHttpStatusCode ?? $response->getStatus());
+        http_response_code($overrideHttpStatusCode ?? $response->getStatus());
 
-		self::setContentType($format);
-		$body = $response->render();
-		echo $body;
-	}
+        self::setContentType($format);
+        $body = $response->render();
+        echo $body;
+    }
 
-	/**
-	 * Based on the requested format the response content type is set
-	 */
-	public static function setContentType(?string $format = null): void {
-		$format ??= Server::get(IRequest::class)->getFormat() ?? 'xml';
-		if ($format === 'xml') {
-			header('Content-type: text/xml; charset=UTF-8');
-			return;
-		}
+    /**
+     * Based on the requested format the response content type is set
+     */
+    public static function setContentType(?string $format = null): void {
+        $format ??= Server::get(IRequest::class)->getFormat() ?? 'xml';
+        if ($format === 'xml') {
+            header('Content-type: text/xml; charset=UTF-8');
+            return;
+        }
 
-		if ($format === 'json') {
-			header('Content-Type: application/json; charset=utf-8');
-			return;
-		}
+        if ($format === 'json') {
+            header('Content-Type: application/json; charset=utf-8');
+            return;
+        }
 
-		header('Content-Type: application/octet-stream; charset=utf-8');
-	}
+        header('Content-Type: application/octet-stream; charset=utf-8');
+    }
 
-	protected static function isV2(IRequest $request): bool {
-		$script = $request->getScriptName();
+    protected static function isV2(IRequest $request): bool {
+        $script = $request->getScriptName();
 
-		return str_ends_with($script, '/ocs/v2.php');
-	}
+        return str_ends_with($script, '/ocs/v2.php');
+    }
 }

lib/private/AppFramework/Http/Request.php

Indentation +866 added lines, -866 removed lines

@@ -30,870 +30,870 @@
  * @template-implements \ArrayAccess<string,mixed>
  */
 class Request implements \ArrayAccess, \Countable, IRequest {
-	public const USER_AGENT_IE = '/(MSIE)|(Trident)/';
-	// Microsoft Edge User Agent from https://msdn.microsoft.com/en-us/library/hh869301(v=vs.85).aspx
-	public const USER_AGENT_MS_EDGE = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+ Edge?\/[0-9.]+$/';
-	// Firefox User Agent from https://developer.mozilla.org/en-US/docs/Web/HTTP/Gecko_user_agent_string_reference
-	public const USER_AGENT_FIREFOX = '/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/[0-9.]+$/';
-	// Chrome User Agent from https://developer.chrome.com/multidevice/user-agent
-	public const USER_AGENT_CHROME = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\)( Ubuntu Chromium\/[0-9.]+|) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+( (Vivaldi|Brave|OPR)\/[0-9.]+|)$/';
-	// Safari User Agent from http://www.useragentstring.com/pages/Safari/
-	public const USER_AGENT_SAFARI = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/[0-9.]+ Safari\/[0-9.A-Z]+$/';
-	public const USER_AGENT_SAFARI_MOBILE = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/[0-9.]+ (Mobile\/[0-9.A-Z]+) Safari\/[0-9.A-Z]+$/';
-	// Android Chrome user agent: https://developers.google.com/chrome/mobile/docs/user-agent
-	public const USER_AGENT_ANDROID_MOBILE_CHROME = '#Android.*Chrome/[.0-9]*#';
-	public const USER_AGENT_FREEBOX = '#^Mozilla/5\.0$#';
-	public const REGEX_LOCALHOST = '/^(127\.0\.0\.1|localhost|\[::1\])$/';
-
-	protected string $inputStream;
-	private bool $isPutStreamContentAlreadySent = false;
-	protected array $items = [];
-	protected array $allowedKeys = [
-		'get',
-		'post',
-		'files',
-		'server',
-		'env',
-		'cookies',
-		'urlParams',
-		'parameters',
-		'method',
-		'requesttoken',
-	];
-	protected IRequestId $requestId;
-	protected IConfig $config;
-	protected ?CsrfTokenManager $csrfTokenManager;
-
-	protected bool $contentDecoded = false;
-	private ?\JsonException $decodingException = null;
-
-	/**
-	 * @param array $vars An associative array with the following optional values:
-	 *                    - array 'urlParams' the parameters which were matched from the URL
-	 *                    - array 'get' the $_GET array
-	 *                    - array|string 'post' the $_POST array or JSON string
-	 *                    - array 'files' the $_FILES array
-	 *                    - array 'server' the $_SERVER array
-	 *                    - array 'env' the $_ENV array
-	 *                    - array 'cookies' the $_COOKIE array
-	 *                    - string 'method' the request method (GET, POST etc)
-	 *                    - string|false 'requesttoken' the requesttoken or false when not available
-	 * @param IRequestId $requestId
-	 * @param IConfig $config
-	 * @param CsrfTokenManager|null $csrfTokenManager
-	 * @param string $stream
-	 * @see https://www.php.net/manual/en/reserved.variables.php
-	 */
-	public function __construct(array $vars,
-		IRequestId $requestId,
-		IConfig $config,
-		?CsrfTokenManager $csrfTokenManager = null,
-		string $stream = 'php://input') {
-		$this->inputStream = $stream;
-		$this->items['params'] = [];
-		$this->requestId = $requestId;
-		$this->config = $config;
-		$this->csrfTokenManager = $csrfTokenManager;
-
-		if (!array_key_exists('method', $vars)) {
-			$vars['method'] = 'GET';
-		}
-
-		foreach ($this->allowedKeys as $name) {
-			$this->items[$name] = $vars[$name] ?? [];
-		}
-
-		$this->items['parameters'] = array_merge(
-			$this->items['get'],
-			$this->items['post'],
-			$this->items['urlParams'],
-			$this->items['params']
-		);
-	}
-	/**
-	 * @param array $parameters
-	 */
-	public function setUrlParameters(array $parameters) {
-		$this->items['urlParams'] = $parameters;
-		$this->items['parameters'] = array_merge(
-			$this->items['parameters'],
-			$this->items['urlParams']
-		);
-	}
-
-	/**
-	 * Countable method
-	 * @return int
-	 */
-	public function count(): int {
-		return \count($this->items['parameters']);
-	}
-
-	/**
-	 * ArrayAccess methods
-	 *
-	 * Gives access to the combined GET, POST and urlParams arrays
-	 *
-	 * Examples:
-	 *
-	 * $var = $request['myvar'];
-	 *
-	 * or
-	 *
-	 * if(!isset($request['myvar']) {
-	 * 	// Do something
-	 * }
-	 *
-	 * $request['myvar'] = 'something'; // This throws an exception.
-	 *
-	 * @param string $offset The key to lookup
-	 * @return boolean
-	 */
-	public function offsetExists($offset): bool {
-		return isset($this->items['parameters'][$offset]);
-	}
-
-	/**
-	 * @see offsetExists
-	 * @param string $offset
-	 * @return mixed
-	 */
-	#[\ReturnTypeWillChange]
-	public function offsetGet($offset) {
-		return $this->items['parameters'][$offset] ?? null;
-	}
-
-	/**
-	 * @see offsetExists
-	 * @param string $offset
-	 * @param mixed $value
-	 */
-	public function offsetSet($offset, $value): void {
-		throw new \RuntimeException('You cannot change the contents of the request object');
-	}
-
-	/**
-	 * @see offsetExists
-	 * @param string $offset
-	 */
-	public function offsetUnset($offset): void {
-		throw new \RuntimeException('You cannot change the contents of the request object');
-	}
-
-	/**
-	 * Magic property accessors
-	 * @param string $name
-	 * @param mixed $value
-	 */
-	public function __set($name, $value) {
-		throw new \RuntimeException('You cannot change the contents of the request object');
-	}
-
-	/**
-	 * Access request variables by method and name.
-	 * Examples:
-	 *
-	 * $request->post['myvar']; // Only look for POST variables
-	 * $request->myvar; or $request->{'myvar'}; or $request->{$myvar}
-	 * Looks in the combined GET, POST and urlParams array.
-	 *
-	 * If you access e.g. ->post but the current HTTP request method
-	 * is GET a \LogicException will be thrown.
-	 *
-	 * @param string $name The key to look for.
-	 * @throws \LogicException
-	 * @return mixed|null
-	 */
-	public function __get($name) {
-		switch ($name) {
-			case 'put':
-			case 'patch':
-			case 'get':
-			case 'post':
-				if ($this->method !== strtoupper($name)) {
-					throw new \LogicException(sprintf('%s cannot be accessed in a %s request.', $name, $this->method));
-				}
-				return $this->getContent();
-			case 'files':
-			case 'server':
-			case 'env':
-			case 'cookies':
-			case 'urlParams':
-			case 'method':
-				return $this->items[$name] ?? null;
-			case 'parameters':
-			case 'params':
-				if ($this->isPutStreamContent()) {
-					return $this->items['parameters'];
-				}
-				return $this->getContent();
-			default:
-				return isset($this[$name])
-					? $this[$name]
-					: null;
-		}
-	}
-
-	/**
-	 * @param string $name
-	 * @return bool
-	 */
-	public function __isset($name) {
-		if (\in_array($name, $this->allowedKeys, true)) {
-			return true;
-		}
-		return isset($this->items['parameters'][$name]);
-	}
-
-	/**
-	 * @param string $id
-	 */
-	public function __unset($id) {
-		throw new \RuntimeException('You cannot change the contents of the request object');
-	}
-
-	/**
-	 * Returns the value for a specific http header.
-	 *
-	 * This method returns an empty string if the header did not exist.
-	 *
-	 * @param string $name
-	 * @return string
-	 */
-	public function getHeader(string $name): string {
-		$name = strtoupper(str_replace('-', '_', $name));
-		if (isset($this->server['HTTP_' . $name])) {
-			return $this->server['HTTP_' . $name];
-		}
-
-		// There's a few headers that seem to end up in the top-level
-		// server array.
-		switch ($name) {
-			case 'CONTENT_TYPE':
-			case 'CONTENT_LENGTH':
-			case 'REMOTE_ADDR':
-				if (isset($this->server[$name])) {
-					return $this->server[$name];
-				}
-				break;
-		}
-
-		return '';
-	}
-
-	/**
-	 * Lets you access post and get parameters by the index
-	 * In case of json requests the encoded json body is accessed
-	 *
-	 * @param string $key the key which you want to access in the URL Parameter
-	 *                    placeholder, $_POST or $_GET array.
-	 *                    The priority how they're returned is the following:
-	 *                    1. URL parameters
-	 *                    2. POST parameters
-	 *                    3. GET parameters
-	 * @param mixed $default If the key is not found, this value will be returned
-	 * @return mixed the content of the array
-	 */
-	public function getParam(string $key, $default = null) {
-		return isset($this->parameters[$key])
-			? $this->parameters[$key]
-			: $default;
-	}
-
-	/**
-	 * Returns all params that were received, be it from the request
-	 * (as GET or POST) or through the URL by the route
-	 * @return array the array with all parameters
-	 */
-	public function getParams(): array {
-		return is_array($this->parameters) ? $this->parameters : [];
-	}
-
-	/**
-	 * Returns the method of the request
-	 * @return string the method of the request (POST, GET, etc)
-	 */
-	public function getMethod(): string {
-		return $this->method;
-	}
-
-	/**
-	 * Shortcut for accessing an uploaded file through the $_FILES array
-	 * @param string $key the key that will be taken from the $_FILES array
-	 * @return array the file in the $_FILES element
-	 */
-	public function getUploadedFile(string $key) {
-		return isset($this->files[$key]) ? $this->files[$key] : null;
-	}
-
-	/**
-	 * Shortcut for getting env variables
-	 * @param string $key the key that will be taken from the $_ENV array
-	 * @return array the value in the $_ENV element
-	 */
-	public function getEnv(string $key) {
-		return isset($this->env[$key]) ? $this->env[$key] : null;
-	}
-
-	/**
-	 * Shortcut for getting cookie variables
-	 * @param string $key the key that will be taken from the $_COOKIE array
-	 * @return string the value in the $_COOKIE element
-	 */
-	public function getCookie(string $key) {
-		return isset($this->cookies[$key]) ? $this->cookies[$key] : null;
-	}
-
-	/**
-	 * Returns the request body content.
-	 *
-	 * If the HTTP request method is PUT and the body
-	 * not application/x-www-form-urlencoded or application/json a stream
-	 * resource is returned, otherwise an array.
-	 *
-	 * @return array|string|resource The request body content or a resource to read the body stream.
-	 *
-	 * @throws \LogicException
-	 */
-	protected function getContent() {
-		// If the content can't be parsed into an array then return a stream resource.
-		if ($this->isPutStreamContent()) {
-			if ($this->isPutStreamContentAlreadySent) {
-				throw new \LogicException(
-					'"put" can only be accessed once if not '
-					. 'application/x-www-form-urlencoded or application/json.'
-				);
-			}
-			$this->isPutStreamContentAlreadySent = true;
-			return fopen($this->inputStream, 'rb');
-		} else {
-			$this->decodeContent();
-			return $this->items['parameters'];
-		}
-	}
-
-	private function isPutStreamContent(): bool {
-		return $this->method === 'PUT'
-			&& $this->getHeader('Content-Length') !== '0'
-			&& $this->getHeader('Content-Length') !== ''
-			&& !str_contains($this->getHeader('Content-Type'), 'application/x-www-form-urlencoded')
-			&& !str_contains($this->getHeader('Content-Type'), 'application/json');
-	}
-
-	/**
-	 * Attempt to decode the content and populate parameters
-	 */
-	protected function decodeContent() {
-		if ($this->contentDecoded) {
-			return;
-		}
-		$params = [];
-
-		// 'application/json' and other JSON-related content types must be decoded manually.
-		if (preg_match(self::JSON_CONTENT_TYPE_REGEX, $this->getHeader('Content-Type')) === 1) {
-			$content = file_get_contents($this->inputStream);
-			if ($content !== '') {
-				try {
-					$params = json_decode($content, true, flags:JSON_THROW_ON_ERROR);
-				} catch (\JsonException $e) {
-					$this->decodingException = $e;
-				}
-			}
-			if (\is_array($params) && \count($params) > 0) {
-				$this->items['params'] = $params;
-				if ($this->method === 'POST') {
-					$this->items['post'] = $params;
-				}
-			}
-			// Handle application/x-www-form-urlencoded for methods other than GET
-			// or post correctly
-		} elseif ($this->method !== 'GET'
-				&& $this->method !== 'POST'
-				&& str_contains($this->getHeader('Content-Type'), 'application/x-www-form-urlencoded')) {
-			parse_str(file_get_contents($this->inputStream), $params);
-			if (\is_array($params)) {
-				$this->items['params'] = $params;
-			}
-		}
-
-		if (\is_array($params)) {
-			$this->items['parameters'] = array_merge($this->items['parameters'], $params);
-		}
-		$this->contentDecoded = true;
-	}
-
-	public function throwDecodingExceptionIfAny(): void {
-		if ($this->decodingException !== null) {
-			throw $this->decodingException;
-		}
-	}
-
-
-	/**
-	 * Checks if the CSRF check was correct
-	 * @return bool true if CSRF check passed
-	 */
-	public function passesCSRFCheck(): bool {
-		if ($this->csrfTokenManager === null) {
-			return false;
-		}
-
-		if (!$this->passesStrictCookieCheck()) {
-			return false;
-		}
-
-		if ($this->getHeader('OCS-APIRequest') !== '') {
-			return true;
-		}
-
-		if (isset($this->items['get']['requesttoken'])) {
-			$token = $this->items['get']['requesttoken'];
-		} elseif (isset($this->items['post']['requesttoken'])) {
-			$token = $this->items['post']['requesttoken'];
-		} elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
-			$token = $this->items['server']['HTTP_REQUESTTOKEN'];
-		} else {
-			//no token found.
-			return false;
-		}
-		$token = new CsrfToken($token);
-
-		return $this->csrfTokenManager->isTokenValid($token);
-	}
-
-	/**
-	 * Whether the cookie checks are required
-	 *
-	 * @return bool
-	 */
-	private function cookieCheckRequired(): bool {
-		if ($this->getHeader('OCS-APIREQUEST')) {
-			return false;
-		}
-		if ($this->getCookie(session_name()) === null && $this->getCookie('nc_token') === null) {
-			return false;
-		}
-
-		return true;
-	}
-
-	/**
-	 * Wrapper around session_get_cookie_params
-	 *
-	 * @return array
-	 */
-	public function getCookieParams(): array {
-		return session_get_cookie_params();
-	}
-
-	/**
-	 * Appends the __Host- prefix to the cookie if applicable
-	 *
-	 * @param string $name
-	 * @return string
-	 */
-	protected function getProtectedCookieName(string $name): string {
-		$cookieParams = $this->getCookieParams();
-		$prefix = '';
-		if ($cookieParams['secure'] === true && $cookieParams['path'] === '/') {
-			$prefix = '__Host-';
-		}
-
-		return $prefix . $name;
-	}
-
-	/**
-	 * Checks if the strict cookie has been sent with the request if the request
-	 * is including any cookies.
-	 *
-	 * @return bool
-	 * @since 9.1.0
-	 */
-	public function passesStrictCookieCheck(): bool {
-		if (!$this->cookieCheckRequired()) {
-			return true;
-		}
-
-		$cookieName = $this->getProtectedCookieName('nc_sameSiteCookiestrict');
-		if ($this->getCookie($cookieName) === 'true'
-			&& $this->passesLaxCookieCheck()) {
-			return true;
-		}
-		return false;
-	}
-
-	/**
-	 * Checks if the lax cookie has been sent with the request if the request
-	 * is including any cookies.
-	 *
-	 * @return bool
-	 * @since 9.1.0
-	 */
-	public function passesLaxCookieCheck(): bool {
-		if (!$this->cookieCheckRequired()) {
-			return true;
-		}
-
-		$cookieName = $this->getProtectedCookieName('nc_sameSiteCookielax');
-		if ($this->getCookie($cookieName) === 'true') {
-			return true;
-		}
-		return false;
-	}
-
-
-	/**
-	 * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging
-	 * If `mod_unique_id` is installed this value will be taken.
-	 * @return string
-	 */
-	public function getId(): string {
-		return $this->requestId->getId();
-	}
-
-	/**
-	 * Checks if given $remoteAddress matches any entry in the given array $trustedProxies.
-	 * For details regarding what "match" means, refer to `matchesTrustedProxy`.
-	 * @return boolean true if $remoteAddress matches any entry in $trustedProxies, false otherwise
-	 */
-	protected function isTrustedProxy($trustedProxies, $remoteAddress) {
-		try {
-			return IpUtils::checkIp($remoteAddress, $trustedProxies);
-		} catch (\Throwable) {
-			// We can not log to our log here as the logger is using `getRemoteAddress` which uses the function, so we would have a cyclic dependency
-			// Reaching this line means `trustedProxies` is in invalid format.
-			error_log('Nextcloud trustedProxies has malformed entries');
-			return false;
-		}
-	}
-
-	/**
-	 * Returns the remote address, if the connection came from a trusted proxy
-	 * and `forwarded_for_headers` has been configured then the IP address
-	 * specified in this header will be returned instead.
-	 * Do always use this instead of $_SERVER['REMOTE_ADDR']
-	 * @return string IP address
-	 */
-	public function getRemoteAddress(): string {
-		$remoteAddress = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
-		$trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
-
-		if (\is_array($trustedProxies) && $this->isTrustedProxy($trustedProxies, $remoteAddress)) {
-			$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [
-				'HTTP_X_FORWARDED_FOR'
-				// only have one default, so we cannot ship an insecure product out of the box
-			]);
-
-			// Read the x-forwarded-for headers and values in reverse order as per
-			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#selecting_an_ip_address
-			foreach (array_reverse($forwardedForHeaders) as $header) {
-				if (isset($this->server[$header])) {
-					foreach (array_reverse(explode(',', $this->server[$header])) as $IP) {
-						$IP = trim($IP);
-						$colons = substr_count($IP, ':');
-						if ($colons > 1) {
-							// Extract IP from string with brackets and optional port
-							if (preg_match('/^\[(.+?)\](?::\d+)?$/', $IP, $matches) && isset($matches[1])) {
-								$IP = $matches[1];
-							}
-						} elseif ($colons === 1) {
-							// IPv4 with port
-							$IP = substr($IP, 0, strpos($IP, ':'));
-						}
-
-						if ($this->isTrustedProxy($trustedProxies, $IP)) {
-							continue;
-						}
-
-						if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
-							return $IP;
-						}
-					}
-				}
-			}
-		}
-
-		return $remoteAddress;
-	}
-
-	/**
-	 * Check overwrite condition
-	 * @return bool
-	 */
-	private function isOverwriteCondition(): bool {
-		$regex = '/' . $this->config->getSystemValueString('overwritecondaddr', '') . '/';
-		$remoteAddr = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
-		return $regex === '//' || preg_match($regex, $remoteAddr) === 1;
-	}
-
-	/**
-	 * Returns the server protocol. It respects one or more reverse proxies servers
-	 * and load balancers. Precedence:
-	 *   1. `overwriteprotocol` config value
-	 *   2. `X-Forwarded-Proto` header value
-	 *   3. $_SERVER['HTTPS'] value
-	 * If an invalid protocol is provided, defaults to http, continues, but logs as an error.
-	 *
-	 * @return string Server protocol (http or https)
-	 */
-	public function getServerProtocol(): string {
-		$proto = 'http';
-
-		if ($this->config->getSystemValueString('overwriteprotocol') !== ''
-			&& $this->isOverwriteCondition()
-		) {
-			$proto = strtolower($this->config->getSystemValueString('overwriteprotocol'));
-		} elseif ($this->fromTrustedProxy()
-			&& isset($this->server['HTTP_X_FORWARDED_PROTO'])
-		) {
-			if (str_contains($this->server['HTTP_X_FORWARDED_PROTO'], ',')) {
-				$parts = explode(',', $this->server['HTTP_X_FORWARDED_PROTO']);
-				$proto = strtolower(trim($parts[0]));
-			} else {
-				$proto = strtolower($this->server['HTTP_X_FORWARDED_PROTO']);
-			}
-		} elseif (!empty($this->server['HTTPS'])
-			&& $this->server['HTTPS'] !== 'off'
-		) {
-			$proto = 'https';
-		}
-
-		if ($proto !== 'https' && $proto !== 'http') {
-			// log unrecognized value so admin has a chance to fix it
-			\OCP\Server::get(LoggerInterface::class)->critical(
-				'Server protocol is malformed [falling back to http] (check overwriteprotocol and/or X-Forwarded-Proto to remedy): ' . $proto,
-				['app' => 'core']
-			);
-		}
-
-		// default to http if provided an invalid value
-		return $proto === 'https' ? 'https' : 'http';
-	}
-
-	/**
-	 * Returns the used HTTP protocol.
-	 *
-	 * @return string HTTP protocol. HTTP/2, HTTP/1.1 or HTTP/1.0.
-	 */
-	public function getHttpProtocol(): string {
-		$claimedProtocol = $this->server['SERVER_PROTOCOL'];
-
-		if (\is_string($claimedProtocol)) {
-			$claimedProtocol = strtoupper($claimedProtocol);
-		}
-
-		$validProtocols = [
-			'HTTP/1.0',
-			'HTTP/1.1',
-			'HTTP/2',
-		];
-
-		if (\in_array($claimedProtocol, $validProtocols, true)) {
-			return $claimedProtocol;
-		}
-
-		return 'HTTP/1.1';
-	}
-
-	/**
-	 * Returns the request uri, even if the website uses one or more
-	 * reverse proxies
-	 * @return string
-	 */
-	public function getRequestUri(): string {
-		$uri = isset($this->server['REQUEST_URI']) ? $this->server['REQUEST_URI'] : '';
-		if ($this->config->getSystemValueString('overwritewebroot') !== '' && $this->isOverwriteCondition()) {
-			$uri = $this->getScriptName() . substr($uri, \strlen($this->server['SCRIPT_NAME']));
-		}
-		return $uri;
-	}
-
-	/**
-	 * Get raw PathInfo from request (not urldecoded)
-	 * @throws \Exception
-	 * @return string Path info
-	 */
-	public function getRawPathInfo(): string {
-		$requestUri = isset($this->server['REQUEST_URI']) ? $this->server['REQUEST_URI'] : '';
-		// remove too many slashes - can be caused by reverse proxy configuration
-		$requestUri = preg_replace('%/{2,}%', '/', $requestUri);
-
-		// Remove the query string from REQUEST_URI
-		if ($pos = strpos($requestUri, '?')) {
-			$requestUri = substr($requestUri, 0, $pos);
-		}
-
-		$scriptName = $this->server['SCRIPT_NAME'];
-		$pathInfo = $requestUri;
-
-		// strip off the script name's dir and file name
-		// FIXME: Sabre does not really belong here
-		[$path, $name] = \Sabre\Uri\split($scriptName);
-		if (!empty($path)) {
-			if ($path === $pathInfo || str_starts_with($pathInfo, $path . '/')) {
-				$pathInfo = substr($pathInfo, \strlen($path));
-			} else {
-				throw new \Exception("The requested uri($requestUri) cannot be processed by the script '$scriptName')");
-			}
-		}
-		if ($name === null) {
-			$name = '';
-		}
-
-		if (str_starts_with($pathInfo, '/' . $name)) {
-			$pathInfo = substr($pathInfo, \strlen($name) + 1);
-		}
-		if ($name !== '' && str_starts_with($pathInfo, $name)) {
-			$pathInfo = substr($pathInfo, \strlen($name));
-		}
-		if ($pathInfo === false || $pathInfo === '/') {
-			return '';
-		} else {
-			return $pathInfo;
-		}
-	}
-
-	/**
-	 * Get PathInfo from request (rawurldecoded)
-	 * @throws \Exception
-	 * @return string|false Path info or false when not found
-	 */
-	public function getPathInfo(): string|false {
-		$pathInfo = $this->getRawPathInfo();
-		return \Sabre\HTTP\decodePath($pathInfo);
-	}
-
-	/**
-	 * Returns the script name, even if the website uses one or more
-	 * reverse proxies
-	 * @return string the script name
-	 */
-	public function getScriptName(): string {
-		$name = $this->server['SCRIPT_NAME'];
-		$overwriteWebRoot = $this->config->getSystemValueString('overwritewebroot');
-		if ($overwriteWebRoot !== '' && $this->isOverwriteCondition()) {
-			// FIXME: This code is untestable due to __DIR__, also that hardcoded path is really dangerous
-			$serverRoot = str_replace('\\', '/', substr(__DIR__, 0, -\strlen('lib/private/appframework/http/')));
-			$suburi = str_replace('\\', '/', substr(realpath($this->server['SCRIPT_FILENAME']), \strlen($serverRoot)));
-			$name = '/' . ltrim($overwriteWebRoot . $suburi, '/');
-		}
-		return $name;
-	}
-
-	/**
-	 * Checks whether the user agent matches a given regex
-	 * @param array $agent array of agent names
-	 * @return bool true if at least one of the given agent matches, false otherwise
-	 */
-	public function isUserAgent(array $agent): bool {
-		if (!isset($this->server['HTTP_USER_AGENT'])) {
-			return false;
-		}
-		foreach ($agent as $regex) {
-			if (preg_match($regex, $this->server['HTTP_USER_AGENT'])) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-	/**
-	 * Returns the unverified server host from the headers without checking
-	 * whether it is a trusted domain
-	 * @return string Server host
-	 */
-	public function getInsecureServerHost(): string {
-		if ($this->fromTrustedProxy() && $this->getOverwriteHost() !== null) {
-			return $this->getOverwriteHost();
-		}
-
-		$host = 'localhost';
-		if ($this->fromTrustedProxy() && isset($this->server['HTTP_X_FORWARDED_HOST'])) {
-			if (str_contains($this->server['HTTP_X_FORWARDED_HOST'], ',')) {
-				$parts = explode(',', $this->server['HTTP_X_FORWARDED_HOST']);
-				$host = trim(current($parts));
-			} else {
-				$host = $this->server['HTTP_X_FORWARDED_HOST'];
-			}
-		} else {
-			if (isset($this->server['HTTP_HOST'])) {
-				$host = $this->server['HTTP_HOST'];
-			} elseif (isset($this->server['SERVER_NAME'])) {
-				$host = $this->server['SERVER_NAME'];
-			}
-		}
-
-		return $host;
-	}
-
-
-	/**
-	 * Returns the server host from the headers, or the first configured
-	 * trusted domain if the host isn't in the trusted list
-	 * @return string Server host
-	 */
-	public function getServerHost(): string {
-		// overwritehost is always trusted
-		$host = $this->getOverwriteHost();
-		if ($host !== null) {
-			return $host;
-		}
-
-		// get the host from the headers
-		$host = $this->getInsecureServerHost();
-
-		// Verify that the host is a trusted domain if the trusted domains
-		// are defined
-		// If no trusted domain is provided the first trusted domain is returned
-		$trustedDomainHelper = new TrustedDomainHelper($this->config);
-		if ($trustedDomainHelper->isTrustedDomain($host)) {
-			return $host;
-		}
-
-		$trustedList = (array)$this->config->getSystemValue('trusted_domains', []);
-		if (count($trustedList) > 0) {
-			return reset($trustedList);
-		}
-
-		return '';
-	}
-
-	/**
-	 * Returns the overwritehost setting from the config if set and
-	 * if the overwrite condition is met
-	 * @return string|null overwritehost value or null if not defined or the defined condition
-	 *                     isn't met
-	 */
-	private function getOverwriteHost() {
-		if ($this->config->getSystemValueString('overwritehost') !== '' && $this->isOverwriteCondition()) {
-			return $this->config->getSystemValueString('overwritehost');
-		}
-		return null;
-	}
-
-	private function fromTrustedProxy(): bool {
-		$remoteAddress = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
-		$trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
-
-		return \is_array($trustedProxies) && $this->isTrustedProxy($trustedProxies, $remoteAddress);
-	}
-
-	public function getFormat(): ?string {
-		$format = $this->getParam('format');
-		if ($format !== null) {
-			return $format;
-		}
-
-		$prefix = 'application/';
-		$headers = explode(',', $this->getHeader('Accept'));
-		foreach ($headers as $header) {
-			$header = strtolower(trim($header));
-
-			if (str_starts_with($header, $prefix)) {
-				return substr($header, strlen($prefix));
-			}
-		}
-
-		return null;
-	}
+    public const USER_AGENT_IE = '/(MSIE)|(Trident)/';
+    // Microsoft Edge User Agent from https://msdn.microsoft.com/en-us/library/hh869301(v=vs.85).aspx
+    public const USER_AGENT_MS_EDGE = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+ Edge?\/[0-9.]+$/';
+    // Firefox User Agent from https://developer.mozilla.org/en-US/docs/Web/HTTP/Gecko_user_agent_string_reference
+    public const USER_AGENT_FIREFOX = '/^Mozilla\/5\.0 \([^)]+\) Gecko\/[0-9.]+ Firefox\/[0-9.]+$/';
+    // Chrome User Agent from https://developer.chrome.com/multidevice/user-agent
+    public const USER_AGENT_CHROME = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\)( Ubuntu Chromium\/[0-9.]+|) Chrome\/[0-9.]+ (Mobile Safari|Safari)\/[0-9.]+( (Vivaldi|Brave|OPR)\/[0-9.]+|)$/';
+    // Safari User Agent from http://www.useragentstring.com/pages/Safari/
+    public const USER_AGENT_SAFARI = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/[0-9.]+ Safari\/[0-9.A-Z]+$/';
+    public const USER_AGENT_SAFARI_MOBILE = '/^Mozilla\/5\.0 \([^)]+\) AppleWebKit\/[0-9.]+ \(KHTML, like Gecko\) Version\/[0-9.]+ (Mobile\/[0-9.A-Z]+) Safari\/[0-9.A-Z]+$/';
+    // Android Chrome user agent: https://developers.google.com/chrome/mobile/docs/user-agent
+    public const USER_AGENT_ANDROID_MOBILE_CHROME = '#Android.*Chrome/[.0-9]*#';
+    public const USER_AGENT_FREEBOX = '#^Mozilla/5\.0$#';
+    public const REGEX_LOCALHOST = '/^(127\.0\.0\.1|localhost|\[::1\])$/';
+
+    protected string $inputStream;
+    private bool $isPutStreamContentAlreadySent = false;
+    protected array $items = [];
+    protected array $allowedKeys = [
+        'get',
+        'post',
+        'files',
+        'server',
+        'env',
+        'cookies',
+        'urlParams',
+        'parameters',
+        'method',
+        'requesttoken',
+    ];
+    protected IRequestId $requestId;
+    protected IConfig $config;
+    protected ?CsrfTokenManager $csrfTokenManager;
+
+    protected bool $contentDecoded = false;
+    private ?\JsonException $decodingException = null;
+
+    /**
+     * @param array $vars An associative array with the following optional values:
+     *                    - array 'urlParams' the parameters which were matched from the URL
+     *                    - array 'get' the $_GET array
+     *                    - array|string 'post' the $_POST array or JSON string
+     *                    - array 'files' the $_FILES array
+     *                    - array 'server' the $_SERVER array
+     *                    - array 'env' the $_ENV array
+     *                    - array 'cookies' the $_COOKIE array
+     *                    - string 'method' the request method (GET, POST etc)
+     *                    - string|false 'requesttoken' the requesttoken or false when not available
+     * @param IRequestId $requestId
+     * @param IConfig $config
+     * @param CsrfTokenManager|null $csrfTokenManager
+     * @param string $stream
+     * @see https://www.php.net/manual/en/reserved.variables.php
+     */
+    public function __construct(array $vars,
+        IRequestId $requestId,
+        IConfig $config,
+        ?CsrfTokenManager $csrfTokenManager = null,
+        string $stream = 'php://input') {
+        $this->inputStream = $stream;
+        $this->items['params'] = [];
+        $this->requestId = $requestId;
+        $this->config = $config;
+        $this->csrfTokenManager = $csrfTokenManager;
+
+        if (!array_key_exists('method', $vars)) {
+            $vars['method'] = 'GET';
+        }
+
+        foreach ($this->allowedKeys as $name) {
+            $this->items[$name] = $vars[$name] ?? [];
+        }
+
+        $this->items['parameters'] = array_merge(
+            $this->items['get'],
+            $this->items['post'],
+            $this->items['urlParams'],
+            $this->items['params']
+        );
+    }
+    /**
+     * @param array $parameters
+     */
+    public function setUrlParameters(array $parameters) {
+        $this->items['urlParams'] = $parameters;
+        $this->items['parameters'] = array_merge(
+            $this->items['parameters'],
+            $this->items['urlParams']
+        );
+    }
+
+    /**
+     * Countable method
+     * @return int
+     */
+    public function count(): int {
+        return \count($this->items['parameters']);
+    }
+
+    /**
+     * ArrayAccess methods
+     *
+     * Gives access to the combined GET, POST and urlParams arrays
+     *
+     * Examples:
+     *
+     * $var = $request['myvar'];
+     *
+     * or
+     *
+     * if(!isset($request['myvar']) {
+     * 	// Do something
+     * }
+     *
+     * $request['myvar'] = 'something'; // This throws an exception.
+     *
+     * @param string $offset The key to lookup
+     * @return boolean
+     */
+    public function offsetExists($offset): bool {
+        return isset($this->items['parameters'][$offset]);
+    }
+
+    /**
+     * @see offsetExists
+     * @param string $offset
+     * @return mixed
+     */
+    #[\ReturnTypeWillChange]
+    public function offsetGet($offset) {
+        return $this->items['parameters'][$offset] ?? null;
+    }
+
+    /**
+     * @see offsetExists
+     * @param string $offset
+     * @param mixed $value
+     */
+    public function offsetSet($offset, $value): void {
+        throw new \RuntimeException('You cannot change the contents of the request object');
+    }
+
+    /**
+     * @see offsetExists
+     * @param string $offset
+     */
+    public function offsetUnset($offset): void {
+        throw new \RuntimeException('You cannot change the contents of the request object');
+    }
+
+    /**
+     * Magic property accessors
+     * @param string $name
+     * @param mixed $value
+     */
+    public function __set($name, $value) {
+        throw new \RuntimeException('You cannot change the contents of the request object');
+    }
+
+    /**
+     * Access request variables by method and name.
+     * Examples:
+     *
+     * $request->post['myvar']; // Only look for POST variables
+     * $request->myvar; or $request->{'myvar'}; or $request->{$myvar}
+     * Looks in the combined GET, POST and urlParams array.
+     *
+     * If you access e.g. ->post but the current HTTP request method
+     * is GET a \LogicException will be thrown.
+     *
+     * @param string $name The key to look for.
+     * @throws \LogicException
+     * @return mixed|null
+     */
+    public function __get($name) {
+        switch ($name) {
+            case 'put':
+            case 'patch':
+            case 'get':
+            case 'post':
+                if ($this->method !== strtoupper($name)) {
+                    throw new \LogicException(sprintf('%s cannot be accessed in a %s request.', $name, $this->method));
+                }
+                return $this->getContent();
+            case 'files':
+            case 'server':
+            case 'env':
+            case 'cookies':
+            case 'urlParams':
+            case 'method':
+                return $this->items[$name] ?? null;
+            case 'parameters':
+            case 'params':
+                if ($this->isPutStreamContent()) {
+                    return $this->items['parameters'];
+                }
+                return $this->getContent();
+            default:
+                return isset($this[$name])
+                    ? $this[$name]
+                    : null;
+        }
+    }
+
+    /**
+     * @param string $name
+     * @return bool
+     */
+    public function __isset($name) {
+        if (\in_array($name, $this->allowedKeys, true)) {
+            return true;
+        }
+        return isset($this->items['parameters'][$name]);
+    }
+
+    /**
+     * @param string $id
+     */
+    public function __unset($id) {
+        throw new \RuntimeException('You cannot change the contents of the request object');
+    }
+
+    /**
+     * Returns the value for a specific http header.
+     *
+     * This method returns an empty string if the header did not exist.
+     *
+     * @param string $name
+     * @return string
+     */
+    public function getHeader(string $name): string {
+        $name = strtoupper(str_replace('-', '_', $name));
+        if (isset($this->server['HTTP_' . $name])) {
+            return $this->server['HTTP_' . $name];
+        }
+
+        // There's a few headers that seem to end up in the top-level
+        // server array.
+        switch ($name) {
+            case 'CONTENT_TYPE':
+            case 'CONTENT_LENGTH':
+            case 'REMOTE_ADDR':
+                if (isset($this->server[$name])) {
+                    return $this->server[$name];
+                }
+                break;
+        }
+
+        return '';
+    }
+
+    /**
+     * Lets you access post and get parameters by the index
+     * In case of json requests the encoded json body is accessed
+     *
+     * @param string $key the key which you want to access in the URL Parameter
+     *                    placeholder, $_POST or $_GET array.
+     *                    The priority how they're returned is the following:
+     *                    1. URL parameters
+     *                    2. POST parameters
+     *                    3. GET parameters
+     * @param mixed $default If the key is not found, this value will be returned
+     * @return mixed the content of the array
+     */
+    public function getParam(string $key, $default = null) {
+        return isset($this->parameters[$key])
+            ? $this->parameters[$key]
+            : $default;
+    }
+
+    /**
+     * Returns all params that were received, be it from the request
+     * (as GET or POST) or through the URL by the route
+     * @return array the array with all parameters
+     */
+    public function getParams(): array {
+        return is_array($this->parameters) ? $this->parameters : [];
+    }
+
+    /**
+     * Returns the method of the request
+     * @return string the method of the request (POST, GET, etc)
+     */
+    public function getMethod(): string {
+        return $this->method;
+    }
+
+    /**
+     * Shortcut for accessing an uploaded file through the $_FILES array
+     * @param string $key the key that will be taken from the $_FILES array
+     * @return array the file in the $_FILES element
+     */
+    public function getUploadedFile(string $key) {
+        return isset($this->files[$key]) ? $this->files[$key] : null;
+    }
+
+    /**
+     * Shortcut for getting env variables
+     * @param string $key the key that will be taken from the $_ENV array
+     * @return array the value in the $_ENV element
+     */
+    public function getEnv(string $key) {
+        return isset($this->env[$key]) ? $this->env[$key] : null;
+    }
+
+    /**
+     * Shortcut for getting cookie variables
+     * @param string $key the key that will be taken from the $_COOKIE array
+     * @return string the value in the $_COOKIE element
+     */
+    public function getCookie(string $key) {
+        return isset($this->cookies[$key]) ? $this->cookies[$key] : null;
+    }
+
+    /**
+     * Returns the request body content.
+     *
+     * If the HTTP request method is PUT and the body
+     * not application/x-www-form-urlencoded or application/json a stream
+     * resource is returned, otherwise an array.
+     *
+     * @return array|string|resource The request body content or a resource to read the body stream.
+     *
+     * @throws \LogicException
+     */
+    protected function getContent() {
+        // If the content can't be parsed into an array then return a stream resource.
+        if ($this->isPutStreamContent()) {
+            if ($this->isPutStreamContentAlreadySent) {
+                throw new \LogicException(
+                    '"put" can only be accessed once if not '
+                    . 'application/x-www-form-urlencoded or application/json.'
+                );
+            }
+            $this->isPutStreamContentAlreadySent = true;
+            return fopen($this->inputStream, 'rb');
+        } else {
+            $this->decodeContent();
+            return $this->items['parameters'];
+        }
+    }
+
+    private function isPutStreamContent(): bool {
+        return $this->method === 'PUT'
+            && $this->getHeader('Content-Length') !== '0'
+            && $this->getHeader('Content-Length') !== ''
+            && !str_contains($this->getHeader('Content-Type'), 'application/x-www-form-urlencoded')
+            && !str_contains($this->getHeader('Content-Type'), 'application/json');
+    }
+
+    /**
+     * Attempt to decode the content and populate parameters
+     */
+    protected function decodeContent() {
+        if ($this->contentDecoded) {
+            return;
+        }
+        $params = [];
+
+        // 'application/json' and other JSON-related content types must be decoded manually.
+        if (preg_match(self::JSON_CONTENT_TYPE_REGEX, $this->getHeader('Content-Type')) === 1) {
+            $content = file_get_contents($this->inputStream);
+            if ($content !== '') {
+                try {
+                    $params = json_decode($content, true, flags:JSON_THROW_ON_ERROR);
+                } catch (\JsonException $e) {
+                    $this->decodingException = $e;
+                }
+            }
+            if (\is_array($params) && \count($params) > 0) {
+                $this->items['params'] = $params;
+                if ($this->method === 'POST') {
+                    $this->items['post'] = $params;
+                }
+            }
+            // Handle application/x-www-form-urlencoded for methods other than GET
+            // or post correctly
+        } elseif ($this->method !== 'GET'
+                && $this->method !== 'POST'
+                && str_contains($this->getHeader('Content-Type'), 'application/x-www-form-urlencoded')) {
+            parse_str(file_get_contents($this->inputStream), $params);
+            if (\is_array($params)) {
+                $this->items['params'] = $params;
+            }
+        }
+
+        if (\is_array($params)) {
+            $this->items['parameters'] = array_merge($this->items['parameters'], $params);
+        }
+        $this->contentDecoded = true;
+    }
+
+    public function throwDecodingExceptionIfAny(): void {
+        if ($this->decodingException !== null) {
+            throw $this->decodingException;
+        }
+    }
+
+
+    /**
+     * Checks if the CSRF check was correct
+     * @return bool true if CSRF check passed
+     */
+    public function passesCSRFCheck(): bool {
+        if ($this->csrfTokenManager === null) {
+            return false;
+        }
+
+        if (!$this->passesStrictCookieCheck()) {
+            return false;
+        }
+
+        if ($this->getHeader('OCS-APIRequest') !== '') {
+            return true;
+        }
+
+        if (isset($this->items['get']['requesttoken'])) {
+            $token = $this->items['get']['requesttoken'];
+        } elseif (isset($this->items['post']['requesttoken'])) {
+            $token = $this->items['post']['requesttoken'];
+        } elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
+            $token = $this->items['server']['HTTP_REQUESTTOKEN'];
+        } else {
+            //no token found.
+            return false;
+        }
+        $token = new CsrfToken($token);
+
+        return $this->csrfTokenManager->isTokenValid($token);
+    }
+
+    /**
+     * Whether the cookie checks are required
+     *
+     * @return bool
+     */
+    private function cookieCheckRequired(): bool {
+        if ($this->getHeader('OCS-APIREQUEST')) {
+            return false;
+        }
+        if ($this->getCookie(session_name()) === null && $this->getCookie('nc_token') === null) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Wrapper around session_get_cookie_params
+     *
+     * @return array
+     */
+    public function getCookieParams(): array {
+        return session_get_cookie_params();
+    }
+
+    /**
+     * Appends the __Host- prefix to the cookie if applicable
+     *
+     * @param string $name
+     * @return string
+     */
+    protected function getProtectedCookieName(string $name): string {
+        $cookieParams = $this->getCookieParams();
+        $prefix = '';
+        if ($cookieParams['secure'] === true && $cookieParams['path'] === '/') {
+            $prefix = '__Host-';
+        }
+
+        return $prefix . $name;
+    }
+
+    /**
+     * Checks if the strict cookie has been sent with the request if the request
+     * is including any cookies.
+     *
+     * @return bool
+     * @since 9.1.0
+     */
+    public function passesStrictCookieCheck(): bool {
+        if (!$this->cookieCheckRequired()) {
+            return true;
+        }
+
+        $cookieName = $this->getProtectedCookieName('nc_sameSiteCookiestrict');
+        if ($this->getCookie($cookieName) === 'true'
+            && $this->passesLaxCookieCheck()) {
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Checks if the lax cookie has been sent with the request if the request
+     * is including any cookies.
+     *
+     * @return bool
+     * @since 9.1.0
+     */
+    public function passesLaxCookieCheck(): bool {
+        if (!$this->cookieCheckRequired()) {
+            return true;
+        }
+
+        $cookieName = $this->getProtectedCookieName('nc_sameSiteCookielax');
+        if ($this->getCookie($cookieName) === 'true') {
+            return true;
+        }
+        return false;
+    }
+
+
+    /**
+     * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging
+     * If `mod_unique_id` is installed this value will be taken.
+     * @return string
+     */
+    public function getId(): string {
+        return $this->requestId->getId();
+    }
+
+    /**
+     * Checks if given $remoteAddress matches any entry in the given array $trustedProxies.
+     * For details regarding what "match" means, refer to `matchesTrustedProxy`.
+     * @return boolean true if $remoteAddress matches any entry in $trustedProxies, false otherwise
+     */
+    protected function isTrustedProxy($trustedProxies, $remoteAddress) {
+        try {
+            return IpUtils::checkIp($remoteAddress, $trustedProxies);
+        } catch (\Throwable) {
+            // We can not log to our log here as the logger is using `getRemoteAddress` which uses the function, so we would have a cyclic dependency
+            // Reaching this line means `trustedProxies` is in invalid format.
+            error_log('Nextcloud trustedProxies has malformed entries');
+            return false;
+        }
+    }
+
+    /**
+     * Returns the remote address, if the connection came from a trusted proxy
+     * and `forwarded_for_headers` has been configured then the IP address
+     * specified in this header will be returned instead.
+     * Do always use this instead of $_SERVER['REMOTE_ADDR']
+     * @return string IP address
+     */
+    public function getRemoteAddress(): string {
+        $remoteAddress = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
+        $trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
+
+        if (\is_array($trustedProxies) && $this->isTrustedProxy($trustedProxies, $remoteAddress)) {
+            $forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [
+                'HTTP_X_FORWARDED_FOR'
+                // only have one default, so we cannot ship an insecure product out of the box
+            ]);
+
+            // Read the x-forwarded-for headers and values in reverse order as per
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#selecting_an_ip_address
+            foreach (array_reverse($forwardedForHeaders) as $header) {
+                if (isset($this->server[$header])) {
+                    foreach (array_reverse(explode(',', $this->server[$header])) as $IP) {
+                        $IP = trim($IP);
+                        $colons = substr_count($IP, ':');
+                        if ($colons > 1) {
+                            // Extract IP from string with brackets and optional port
+                            if (preg_match('/^\[(.+?)\](?::\d+)?$/', $IP, $matches) && isset($matches[1])) {
+                                $IP = $matches[1];
+                            }
+                        } elseif ($colons === 1) {
+                            // IPv4 with port
+                            $IP = substr($IP, 0, strpos($IP, ':'));
+                        }
+
+                        if ($this->isTrustedProxy($trustedProxies, $IP)) {
+                            continue;
+                        }
+
+                        if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
+                            return $IP;
+                        }
+                    }
+                }
+            }
+        }
+
+        return $remoteAddress;
+    }
+
+    /**
+     * Check overwrite condition
+     * @return bool
+     */
+    private function isOverwriteCondition(): bool {
+        $regex = '/' . $this->config->getSystemValueString('overwritecondaddr', '') . '/';
+        $remoteAddr = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
+        return $regex === '//' || preg_match($regex, $remoteAddr) === 1;
+    }
+
+    /**
+     * Returns the server protocol. It respects one or more reverse proxies servers
+     * and load balancers. Precedence:
+     *   1. `overwriteprotocol` config value
+     *   2. `X-Forwarded-Proto` header value
+     *   3. $_SERVER['HTTPS'] value
+     * If an invalid protocol is provided, defaults to http, continues, but logs as an error.
+     *
+     * @return string Server protocol (http or https)
+     */
+    public function getServerProtocol(): string {
+        $proto = 'http';
+
+        if ($this->config->getSystemValueString('overwriteprotocol') !== ''
+            && $this->isOverwriteCondition()
+        ) {
+            $proto = strtolower($this->config->getSystemValueString('overwriteprotocol'));
+        } elseif ($this->fromTrustedProxy()
+            && isset($this->server['HTTP_X_FORWARDED_PROTO'])
+        ) {
+            if (str_contains($this->server['HTTP_X_FORWARDED_PROTO'], ',')) {
+                $parts = explode(',', $this->server['HTTP_X_FORWARDED_PROTO']);
+                $proto = strtolower(trim($parts[0]));
+            } else {
+                $proto = strtolower($this->server['HTTP_X_FORWARDED_PROTO']);
+            }
+        } elseif (!empty($this->server['HTTPS'])
+            && $this->server['HTTPS'] !== 'off'
+        ) {
+            $proto = 'https';
+        }
+
+        if ($proto !== 'https' && $proto !== 'http') {
+            // log unrecognized value so admin has a chance to fix it
+            \OCP\Server::get(LoggerInterface::class)->critical(
+                'Server protocol is malformed [falling back to http] (check overwriteprotocol and/or X-Forwarded-Proto to remedy): ' . $proto,
+                ['app' => 'core']
+            );
+        }
+
+        // default to http if provided an invalid value
+        return $proto === 'https' ? 'https' : 'http';
+    }
+
+    /**
+     * Returns the used HTTP protocol.
+     *
+     * @return string HTTP protocol. HTTP/2, HTTP/1.1 or HTTP/1.0.
+     */
+    public function getHttpProtocol(): string {
+        $claimedProtocol = $this->server['SERVER_PROTOCOL'];
+
+        if (\is_string($claimedProtocol)) {
+            $claimedProtocol = strtoupper($claimedProtocol);
+        }
+
+        $validProtocols = [
+            'HTTP/1.0',
+            'HTTP/1.1',
+            'HTTP/2',
+        ];
+
+        if (\in_array($claimedProtocol, $validProtocols, true)) {
+            return $claimedProtocol;
+        }
+
+        return 'HTTP/1.1';
+    }
+
+    /**
+     * Returns the request uri, even if the website uses one or more
+     * reverse proxies
+     * @return string
+     */
+    public function getRequestUri(): string {
+        $uri = isset($this->server['REQUEST_URI']) ? $this->server['REQUEST_URI'] : '';
+        if ($this->config->getSystemValueString('overwritewebroot') !== '' && $this->isOverwriteCondition()) {
+            $uri = $this->getScriptName() . substr($uri, \strlen($this->server['SCRIPT_NAME']));
+        }
+        return $uri;
+    }
+
+    /**
+     * Get raw PathInfo from request (not urldecoded)
+     * @throws \Exception
+     * @return string Path info
+     */
+    public function getRawPathInfo(): string {
+        $requestUri = isset($this->server['REQUEST_URI']) ? $this->server['REQUEST_URI'] : '';
+        // remove too many slashes - can be caused by reverse proxy configuration
+        $requestUri = preg_replace('%/{2,}%', '/', $requestUri);
+
+        // Remove the query string from REQUEST_URI
+        if ($pos = strpos($requestUri, '?')) {
+            $requestUri = substr($requestUri, 0, $pos);
+        }
+
+        $scriptName = $this->server['SCRIPT_NAME'];
+        $pathInfo = $requestUri;
+
+        // strip off the script name's dir and file name
+        // FIXME: Sabre does not really belong here
+        [$path, $name] = \Sabre\Uri\split($scriptName);
+        if (!empty($path)) {
+            if ($path === $pathInfo || str_starts_with($pathInfo, $path . '/')) {
+                $pathInfo = substr($pathInfo, \strlen($path));
+            } else {
+                throw new \Exception("The requested uri($requestUri) cannot be processed by the script '$scriptName')");
+            }
+        }
+        if ($name === null) {
+            $name = '';
+        }
+
+        if (str_starts_with($pathInfo, '/' . $name)) {
+            $pathInfo = substr($pathInfo, \strlen($name) + 1);
+        }
+        if ($name !== '' && str_starts_with($pathInfo, $name)) {
+            $pathInfo = substr($pathInfo, \strlen($name));
+        }
+        if ($pathInfo === false || $pathInfo === '/') {
+            return '';
+        } else {
+            return $pathInfo;
+        }
+    }
+
+    /**
+     * Get PathInfo from request (rawurldecoded)
+     * @throws \Exception
+     * @return string|false Path info or false when not found
+     */
+    public function getPathInfo(): string|false {
+        $pathInfo = $this->getRawPathInfo();
+        return \Sabre\HTTP\decodePath($pathInfo);
+    }
+
+    /**
+     * Returns the script name, even if the website uses one or more
+     * reverse proxies
+     * @return string the script name
+     */
+    public function getScriptName(): string {
+        $name = $this->server['SCRIPT_NAME'];
+        $overwriteWebRoot = $this->config->getSystemValueString('overwritewebroot');
+        if ($overwriteWebRoot !== '' && $this->isOverwriteCondition()) {
+            // FIXME: This code is untestable due to __DIR__, also that hardcoded path is really dangerous
+            $serverRoot = str_replace('\\', '/', substr(__DIR__, 0, -\strlen('lib/private/appframework/http/')));
+            $suburi = str_replace('\\', '/', substr(realpath($this->server['SCRIPT_FILENAME']), \strlen($serverRoot)));
+            $name = '/' . ltrim($overwriteWebRoot . $suburi, '/');
+        }
+        return $name;
+    }
+
+    /**
+     * Checks whether the user agent matches a given regex
+     * @param array $agent array of agent names
+     * @return bool true if at least one of the given agent matches, false otherwise
+     */
+    public function isUserAgent(array $agent): bool {
+        if (!isset($this->server['HTTP_USER_AGENT'])) {
+            return false;
+        }
+        foreach ($agent as $regex) {
+            if (preg_match($regex, $this->server['HTTP_USER_AGENT'])) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Returns the unverified server host from the headers without checking
+     * whether it is a trusted domain
+     * @return string Server host
+     */
+    public function getInsecureServerHost(): string {
+        if ($this->fromTrustedProxy() && $this->getOverwriteHost() !== null) {
+            return $this->getOverwriteHost();
+        }
+
+        $host = 'localhost';
+        if ($this->fromTrustedProxy() && isset($this->server['HTTP_X_FORWARDED_HOST'])) {
+            if (str_contains($this->server['HTTP_X_FORWARDED_HOST'], ',')) {
+                $parts = explode(',', $this->server['HTTP_X_FORWARDED_HOST']);
+                $host = trim(current($parts));
+            } else {
+                $host = $this->server['HTTP_X_FORWARDED_HOST'];
+            }
+        } else {
+            if (isset($this->server['HTTP_HOST'])) {
+                $host = $this->server['HTTP_HOST'];
+            } elseif (isset($this->server['SERVER_NAME'])) {
+                $host = $this->server['SERVER_NAME'];
+            }
+        }
+
+        return $host;
+    }
+
+
+    /**
+     * Returns the server host from the headers, or the first configured
+     * trusted domain if the host isn't in the trusted list
+     * @return string Server host
+     */
+    public function getServerHost(): string {
+        // overwritehost is always trusted
+        $host = $this->getOverwriteHost();
+        if ($host !== null) {
+            return $host;
+        }
+
+        // get the host from the headers
+        $host = $this->getInsecureServerHost();
+
+        // Verify that the host is a trusted domain if the trusted domains
+        // are defined
+        // If no trusted domain is provided the first trusted domain is returned
+        $trustedDomainHelper = new TrustedDomainHelper($this->config);
+        if ($trustedDomainHelper->isTrustedDomain($host)) {
+            return $host;
+        }
+
+        $trustedList = (array)$this->config->getSystemValue('trusted_domains', []);
+        if (count($trustedList) > 0) {
+            return reset($trustedList);
+        }
+
+        return '';
+    }
+
+    /**
+     * Returns the overwritehost setting from the config if set and
+     * if the overwrite condition is met
+     * @return string|null overwritehost value or null if not defined or the defined condition
+     *                     isn't met
+     */
+    private function getOverwriteHost() {
+        if ($this->config->getSystemValueString('overwritehost') !== '' && $this->isOverwriteCondition()) {
+            return $this->config->getSystemValueString('overwritehost');
+        }
+        return null;
+    }
+
+    private function fromTrustedProxy(): bool {
+        $remoteAddress = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
+        $trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
+
+        return \is_array($trustedProxies) && $this->isTrustedProxy($trustedProxies, $remoteAddress);
+    }
+
+    public function getFormat(): ?string {
+        $format = $this->getParam('format');
+        if ($format !== null) {
+            return $format;
+        }
+
+        $prefix = 'application/';
+        $headers = explode(',', $this->getHeader('Accept'));
+        foreach ($headers as $header) {
+            $header = strtolower(trim($header));
+
+            if (str_starts_with($header, $prefix)) {
+                return substr($header, strlen($prefix));
+            }
+        }
+
+        return null;
+    }
 }

lib/private/AppFramework/Http/Dispatcher.php

Indentation +213 added lines, -213 removed lines

@@ -26,217 +26,217 @@
  * Class to dispatch the request to the middleware dispatcher
  */
 class Dispatcher {
-	/** @var MiddlewareDispatcher */
-	private $middlewareDispatcher;
-
-	/** @var Http */
-	private $protocol;
-
-	/** @var ControllerMethodReflector */
-	private $reflector;
-
-	/** @var IRequest */
-	private $request;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var ConnectionAdapter */
-	private $connection;
-
-	/** @var LoggerInterface */
-	private $logger;
-
-	/** @var IEventLogger */
-	private $eventLogger;
-
-	private ContainerInterface $appContainer;
-
-	/**
-	 * @param Http $protocol the http protocol with contains all status headers
-	 * @param MiddlewareDispatcher $middlewareDispatcher the dispatcher which
-	 *                                                   runs the middleware
-	 * @param ControllerMethodReflector $reflector the reflector that is used to inject
-	 *                                             the arguments for the controller
-	 * @param IRequest $request the incoming request
-	 * @param IConfig $config
-	 * @param ConnectionAdapter $connection
-	 * @param LoggerInterface $logger
-	 * @param IEventLogger $eventLogger
-	 */
-	public function __construct(
-		Http $protocol,
-		MiddlewareDispatcher $middlewareDispatcher,
-		ControllerMethodReflector $reflector,
-		IRequest $request,
-		IConfig $config,
-		ConnectionAdapter $connection,
-		LoggerInterface $logger,
-		IEventLogger $eventLogger,
-		ContainerInterface $appContainer,
-	) {
-		$this->protocol = $protocol;
-		$this->middlewareDispatcher = $middlewareDispatcher;
-		$this->reflector = $reflector;
-		$this->request = $request;
-		$this->config = $config;
-		$this->connection = $connection;
-		$this->logger = $logger;
-		$this->eventLogger = $eventLogger;
-		$this->appContainer = $appContainer;
-	}
-
-
-	/**
-	 * Handles a request and calls the dispatcher on the controller
-	 * @param Controller $controller the controller which will be called
-	 * @param string $methodName the method name which will be called on
-	 *                           the controller
-	 * @return array $array[0] contains the http status header as a string,
-	 *               $array[1] contains response headers as an array,
-	 *               $array[2] contains response cookies as an array,
-	 *               $array[3] contains the response output as a string,
-	 *               $array[4] contains the response object
-	 * @throws \Exception
-	 */
-	public function dispatch(Controller $controller, string $methodName): array {
-		$out = [null, [], null];
-
-		try {
-			// prefill reflector with everything that's needed for the
-			// middlewares
-			$this->reflector->reflect($controller, $methodName);
-
-			$this->middlewareDispatcher->beforeController($controller,
-				$methodName);
-
-			$databaseStatsBefore = [];
-			if ($this->config->getSystemValueBool('debug', false)) {
-				$databaseStatsBefore = $this->connection->getInner()->getStats();
-			}
-
-			$response = $this->executeController($controller, $methodName);
-
-			if (!empty($databaseStatsBefore)) {
-				$databaseStatsAfter = $this->connection->getInner()->getStats();
-				$numBuilt = $databaseStatsAfter['built'] - $databaseStatsBefore['built'];
-				$numExecuted = $databaseStatsAfter['executed'] - $databaseStatsBefore['executed'];
-
-				if ($numBuilt > 50) {
-					$this->logger->debug('Controller {class}::{method} created {count} QueryBuilder objects, please check if they are created inside a loop by accident.', [
-						'class' => get_class($controller),
-						'method' => $methodName,
-						'count' => $numBuilt,
-					]);
-				}
-
-				if ($numExecuted > 100) {
-					$this->logger->warning('Controller {class}::{method} executed {count} queries.', [
-						'class' => get_class($controller),
-						'method' => $methodName,
-						'count' => $numExecuted,
-					]);
-				}
-			}
-
-			// if an exception appears, the middleware checks if it can handle the
-			// exception and creates a response. If no response is created, it is
-			// assumed that there's no middleware who can handle it and the error is
-			// thrown again
-		} catch (\Exception $exception) {
-			$response = $this->middlewareDispatcher->afterException(
-				$controller, $methodName, $exception);
-		} catch (\Throwable $throwable) {
-			$exception = new \Exception($throwable->getMessage() . ' in file \'' . $throwable->getFile() . '\' line ' . $throwable->getLine(), $throwable->getCode(), $throwable);
-			$response = $this->middlewareDispatcher->afterException(
-				$controller, $methodName, $exception);
-		}
-
-		$response = $this->middlewareDispatcher->afterController(
-			$controller, $methodName, $response);
-
-		// depending on the cache object the headers need to be changed
-		$out[0] = $this->protocol->getStatusHeader($response->getStatus());
-		$out[1] = array_merge($response->getHeaders());
-		$out[2] = $response->getCookies();
-		$out[3] = $this->middlewareDispatcher->beforeOutput(
-			$controller, $methodName, $response->render()
-		);
-		$out[4] = $response;
-
-		return $out;
-	}
-
-
-	/**
-	 * Uses the reflected parameters, types and request parameters to execute
-	 * the controller
-	 * @param Controller $controller the controller to be executed
-	 * @param string $methodName the method on the controller that should be executed
-	 * @return Response
-	 */
-	private function executeController(Controller $controller, string $methodName): Response {
-		$arguments = [];
-
-		// valid types that will be cast
-		$types = ['int', 'integer', 'bool', 'boolean', 'float', 'double'];
-
-		foreach ($this->reflector->getParameters() as $param => $default) {
-			// try to get the parameter from the request object and cast
-			// it to the type annotated in the @param annotation
-			$value = $this->request->getParam($param, $default);
-			$type = $this->reflector->getType($param);
-
-			// Converted the string `'false'` to false when the controller wants a boolean
-			if ($value === 'false' && ($type === 'bool' || $type === 'boolean')) {
-				$value = false;
-			} elseif ($value !== null && \in_array($type, $types, true)) {
-				settype($value, $type);
-				$this->ensureParameterValueSatisfiesRange($param, $value);
-			} elseif ($value === null && $type !== null && $this->appContainer->has($type)) {
-				$value = $this->appContainer->get($type);
-			}
-
-			$arguments[] = $value;
-		}
-
-		$this->eventLogger->start('controller:' . get_class($controller) . '::' . $methodName, 'App framework controller execution');
-		$response = \call_user_func_array([$controller, $methodName], $arguments);
-		$this->eventLogger->end('controller:' . get_class($controller) . '::' . $methodName);
-
-		if (!($response instanceof Response)) {
-			$this->logger->debug($controller::class . '::' . $methodName . ' returned raw data. Please wrap it in a Response or one of it\'s inheritors.');
-		}
-
-		// format response
-		if ($response instanceof DataResponse || !($response instanceof Response)) {
-			$format = $this->request->getFormat();
-
-			if ($format !== null) {
-				$response = $controller->buildResponse($response, $format);
-			} else {
-				$response = $controller->buildResponse($response);
-			}
-		}
-
-		return $response;
-	}
-
-	/**
-	 * @psalm-param mixed $value
-	 * @throws ParameterOutOfRangeException
-	 */
-	private function ensureParameterValueSatisfiesRange(string $param, $value): void {
-		$rangeInfo = $this->reflector->getRange($param);
-		if ($rangeInfo) {
-			if ($value < $rangeInfo['min'] || $value > $rangeInfo['max']) {
-				throw new ParameterOutOfRangeException(
-					$param,
-					$value,
-					$rangeInfo['min'],
-					$rangeInfo['max'],
-				);
-			}
-		}
-	}
+    /** @var MiddlewareDispatcher */
+    private $middlewareDispatcher;
+
+    /** @var Http */
+    private $protocol;
+
+    /** @var ControllerMethodReflector */
+    private $reflector;
+
+    /** @var IRequest */
+    private $request;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var ConnectionAdapter */
+    private $connection;
+
+    /** @var LoggerInterface */
+    private $logger;
+
+    /** @var IEventLogger */
+    private $eventLogger;
+
+    private ContainerInterface $appContainer;
+
+    /**
+     * @param Http $protocol the http protocol with contains all status headers
+     * @param MiddlewareDispatcher $middlewareDispatcher the dispatcher which
+     *                                                   runs the middleware
+     * @param ControllerMethodReflector $reflector the reflector that is used to inject
+     *                                             the arguments for the controller
+     * @param IRequest $request the incoming request
+     * @param IConfig $config
+     * @param ConnectionAdapter $connection
+     * @param LoggerInterface $logger
+     * @param IEventLogger $eventLogger
+     */
+    public function __construct(
+        Http $protocol,
+        MiddlewareDispatcher $middlewareDispatcher,
+        ControllerMethodReflector $reflector,
+        IRequest $request,
+        IConfig $config,
+        ConnectionAdapter $connection,
+        LoggerInterface $logger,
+        IEventLogger $eventLogger,
+        ContainerInterface $appContainer,
+    ) {
+        $this->protocol = $protocol;
+        $this->middlewareDispatcher = $middlewareDispatcher;
+        $this->reflector = $reflector;
+        $this->request = $request;
+        $this->config = $config;
+        $this->connection = $connection;
+        $this->logger = $logger;
+        $this->eventLogger = $eventLogger;
+        $this->appContainer = $appContainer;
+    }
+
+
+    /**
+     * Handles a request and calls the dispatcher on the controller
+     * @param Controller $controller the controller which will be called
+     * @param string $methodName the method name which will be called on
+     *                           the controller
+     * @return array $array[0] contains the http status header as a string,
+     *               $array[1] contains response headers as an array,
+     *               $array[2] contains response cookies as an array,
+     *               $array[3] contains the response output as a string,
+     *               $array[4] contains the response object
+     * @throws \Exception
+     */
+    public function dispatch(Controller $controller, string $methodName): array {
+        $out = [null, [], null];
+
+        try {
+            // prefill reflector with everything that's needed for the
+            // middlewares
+            $this->reflector->reflect($controller, $methodName);
+
+            $this->middlewareDispatcher->beforeController($controller,
+                $methodName);
+
+            $databaseStatsBefore = [];
+            if ($this->config->getSystemValueBool('debug', false)) {
+                $databaseStatsBefore = $this->connection->getInner()->getStats();
+            }
+
+            $response = $this->executeController($controller, $methodName);
+
+            if (!empty($databaseStatsBefore)) {
+                $databaseStatsAfter = $this->connection->getInner()->getStats();
+                $numBuilt = $databaseStatsAfter['built'] - $databaseStatsBefore['built'];
+                $numExecuted = $databaseStatsAfter['executed'] - $databaseStatsBefore['executed'];
+
+                if ($numBuilt > 50) {
+                    $this->logger->debug('Controller {class}::{method} created {count} QueryBuilder objects, please check if they are created inside a loop by accident.', [
+                        'class' => get_class($controller),
+                        'method' => $methodName,
+                        'count' => $numBuilt,
+                    ]);
+                }
+
+                if ($numExecuted > 100) {
+                    $this->logger->warning('Controller {class}::{method} executed {count} queries.', [
+                        'class' => get_class($controller),
+                        'method' => $methodName,
+                        'count' => $numExecuted,
+                    ]);
+                }
+            }
+
+            // if an exception appears, the middleware checks if it can handle the
+            // exception and creates a response. If no response is created, it is
+            // assumed that there's no middleware who can handle it and the error is
+            // thrown again
+        } catch (\Exception $exception) {
+            $response = $this->middlewareDispatcher->afterException(
+                $controller, $methodName, $exception);
+        } catch (\Throwable $throwable) {
+            $exception = new \Exception($throwable->getMessage() . ' in file \'' . $throwable->getFile() . '\' line ' . $throwable->getLine(), $throwable->getCode(), $throwable);
+            $response = $this->middlewareDispatcher->afterException(
+                $controller, $methodName, $exception);
+        }
+
+        $response = $this->middlewareDispatcher->afterController(
+            $controller, $methodName, $response);
+
+        // depending on the cache object the headers need to be changed
+        $out[0] = $this->protocol->getStatusHeader($response->getStatus());
+        $out[1] = array_merge($response->getHeaders());
+        $out[2] = $response->getCookies();
+        $out[3] = $this->middlewareDispatcher->beforeOutput(
+            $controller, $methodName, $response->render()
+        );
+        $out[4] = $response;
+
+        return $out;
+    }
+
+
+    /**
+     * Uses the reflected parameters, types and request parameters to execute
+     * the controller
+     * @param Controller $controller the controller to be executed
+     * @param string $methodName the method on the controller that should be executed
+     * @return Response
+     */
+    private function executeController(Controller $controller, string $methodName): Response {
+        $arguments = [];
+
+        // valid types that will be cast
+        $types = ['int', 'integer', 'bool', 'boolean', 'float', 'double'];
+
+        foreach ($this->reflector->getParameters() as $param => $default) {
+            // try to get the parameter from the request object and cast
+            // it to the type annotated in the @param annotation
+            $value = $this->request->getParam($param, $default);
+            $type = $this->reflector->getType($param);
+
+            // Converted the string `'false'` to false when the controller wants a boolean
+            if ($value === 'false' && ($type === 'bool' || $type === 'boolean')) {
+                $value = false;
+            } elseif ($value !== null && \in_array($type, $types, true)) {
+                settype($value, $type);
+                $this->ensureParameterValueSatisfiesRange($param, $value);
+            } elseif ($value === null && $type !== null && $this->appContainer->has($type)) {
+                $value = $this->appContainer->get($type);
+            }
+
+            $arguments[] = $value;
+        }
+
+        $this->eventLogger->start('controller:' . get_class($controller) . '::' . $methodName, 'App framework controller execution');
+        $response = \call_user_func_array([$controller, $methodName], $arguments);
+        $this->eventLogger->end('controller:' . get_class($controller) . '::' . $methodName);
+
+        if (!($response instanceof Response)) {
+            $this->logger->debug($controller::class . '::' . $methodName . ' returned raw data. Please wrap it in a Response or one of it\'s inheritors.');
+        }
+
+        // format response
+        if ($response instanceof DataResponse || !($response instanceof Response)) {
+            $format = $this->request->getFormat();
+
+            if ($format !== null) {
+                $response = $controller->buildResponse($response, $format);
+            } else {
+                $response = $controller->buildResponse($response);
+            }
+        }
+
+        return $response;
+    }
+
+    /**
+     * @psalm-param mixed $value
+     * @throws ParameterOutOfRangeException
+     */
+    private function ensureParameterValueSatisfiesRange(string $param, $value): void {
+        $rangeInfo = $this->reflector->getRange($param);
+        if ($rangeInfo) {
+            if ($value < $rangeInfo['min'] || $value > $rangeInfo['max']) {
+                throw new ParameterOutOfRangeException(
+                    $param,
+                    $value,
+                    $rangeInfo['min'],
+                    $rangeInfo['max'],
+                );
+            }
+        }
+    }
 }

lib/private/AppFramework/Middleware/OCSMiddleware.php

Indentation +99 added lines, -99 removed lines

@@ -20,106 +20,106 @@
 use OCP\IRequest;
 
 class OCSMiddleware extends Middleware {
-	/** @var IRequest */
-	private $request;
-
-	/** @var int */
-	private $ocsVersion;
-
-	/**
-	 * @param IRequest $request
-	 */
-	public function __construct(IRequest $request) {
-		$this->request = $request;
-	}
-
-	/**
-	 * @param Controller $controller
-	 * @param string $methodName
-	 */
-	public function beforeController($controller, $methodName) {
-		if ($controller instanceof OCSController) {
-			if (substr_compare($this->request->getScriptName(), '/ocs/v2.php', -strlen('/ocs/v2.php')) === 0) {
-				$this->ocsVersion = 2;
-			} else {
-				$this->ocsVersion = 1;
-			}
-			$controller->setOCSVersion($this->ocsVersion);
-		}
-	}
-
-	/**
-	 * @param Controller $controller
-	 * @param string $methodName
-	 * @param \Exception $exception
-	 * @throws \Exception
-	 * @return BaseResponse
-	 */
-	public function afterException($controller, $methodName, \Exception $exception) {
-		if ($controller instanceof OCSController && $exception instanceof OCSException) {
-			$code = $exception->getCode();
-			if ($code === 0) {
-				$code = \OCP\AppFramework\OCSController::RESPOND_UNKNOWN_ERROR;
-			}
-
-			return $this->buildNewResponse($controller, $code, $exception->getMessage());
-		}
-
-		throw $exception;
-	}
-
-	/**
-	 * @param Controller $controller
-	 * @param string $methodName
-	 * @param Response $response
-	 * @return \OCP\AppFramework\Http\Response
-	 */
-	public function afterController($controller, $methodName, Response $response) {
-		/*
+    /** @var IRequest */
+    private $request;
+
+    /** @var int */
+    private $ocsVersion;
+
+    /**
+     * @param IRequest $request
+     */
+    public function __construct(IRequest $request) {
+        $this->request = $request;
+    }
+
+    /**
+     * @param Controller $controller
+     * @param string $methodName
+     */
+    public function beforeController($controller, $methodName) {
+        if ($controller instanceof OCSController) {
+            if (substr_compare($this->request->getScriptName(), '/ocs/v2.php', -strlen('/ocs/v2.php')) === 0) {
+                $this->ocsVersion = 2;
+            } else {
+                $this->ocsVersion = 1;
+            }
+            $controller->setOCSVersion($this->ocsVersion);
+        }
+    }
+
+    /**
+     * @param Controller $controller
+     * @param string $methodName
+     * @param \Exception $exception
+     * @throws \Exception
+     * @return BaseResponse
+     */
+    public function afterException($controller, $methodName, \Exception $exception) {
+        if ($controller instanceof OCSController && $exception instanceof OCSException) {
+            $code = $exception->getCode();
+            if ($code === 0) {
+                $code = \OCP\AppFramework\OCSController::RESPOND_UNKNOWN_ERROR;
+            }
+
+            return $this->buildNewResponse($controller, $code, $exception->getMessage());
+        }
+
+        throw $exception;
+    }
+
+    /**
+     * @param Controller $controller
+     * @param string $methodName
+     * @param Response $response
+     * @return \OCP\AppFramework\Http\Response
+     */
+    public function afterController($controller, $methodName, Response $response) {
+        /*
 		 * If a different middleware has detected that a request unauthorized or forbidden
 		 * we need to catch the response and convert it to a proper OCS response.
 		 */
-		if ($controller instanceof OCSController && !($response instanceof BaseResponse)) {
-			if ($response->getStatus() === Http::STATUS_UNAUTHORIZED) {
-				$message = '';
-				if ($response instanceof JSONResponse) {
-					/** @var DataResponse $response */
-					$message = $response->getData()['message'];
-				}
-
-				return $this->buildNewResponse($controller, OCSController::RESPOND_UNAUTHORISED, $message);
-			}
-			if ($response->getStatus() === Http::STATUS_FORBIDDEN) {
-				$message = '';
-				if ($response instanceof JSONResponse) {
-					/** @var DataResponse $response */
-					$message = $response->getData()['message'];
-				}
-
-				return $this->buildNewResponse($controller, Http::STATUS_FORBIDDEN, $message);
-			}
-		}
-
-		return $response;
-	}
-
-	/**
-	 * @param Controller $controller
-	 * @param int $code
-	 * @param string $message
-	 * @return V1Response|V2Response
-	 */
-	private function buildNewResponse(Controller $controller, $code, $message) {
-		$format = $this->request->getFormat() ?? 'xml';
-
-		$data = new DataResponse();
-		$data->setStatus($code);
-		if ($this->ocsVersion === 1) {
-			$response = new V1Response($data, $format, $message);
-		} else {
-			$response = new V2Response($data, $format, $message);
-		}
-
-		return $response;
-	}
+        if ($controller instanceof OCSController && !($response instanceof BaseResponse)) {
+            if ($response->getStatus() === Http::STATUS_UNAUTHORIZED) {
+                $message = '';
+                if ($response instanceof JSONResponse) {
+                    /** @var DataResponse $response */
+                    $message = $response->getData()['message'];
+                }
+
+                return $this->buildNewResponse($controller, OCSController::RESPOND_UNAUTHORISED, $message);
+            }
+            if ($response->getStatus() === Http::STATUS_FORBIDDEN) {
+                $message = '';
+                if ($response instanceof JSONResponse) {
+                    /** @var DataResponse $response */
+                    $message = $response->getData()['message'];
+                }
+
+                return $this->buildNewResponse($controller, Http::STATUS_FORBIDDEN, $message);
+            }
+        }
+
+        return $response;
+    }
+
+    /**
+     * @param Controller $controller
+     * @param int $code
+     * @param string $message
+     * @return V1Response|V2Response
+     */
+    private function buildNewResponse(Controller $controller, $code, $message) {
+        $format = $this->request->getFormat() ?? 'xml';
+
+        $data = new DataResponse();
+        $data->setStatus($code);
+        if ($this->ocsVersion === 1) {
+            $response = new V1Response($data, $format, $message);
+        } else {
+            $response = new V2Response($data, $format, $message);
+        }
+
+        return $response;
+    }
 }

lib/public/IRequest.php

Indentation +287 added lines, -287 removed lines

@@ -38,291 +38,291 @@
  * @since 6.0.0
  */
 interface IRequest {
-	/**
-	 * @since 9.1.0
-	 * @since 28.0.0 The regex has a group matching the version number
-	 */
-	public const USER_AGENT_CLIENT_ANDROID = '/^Mozilla\/5\.0 \(Android\) (?:ownCloud|Nextcloud)\-android\/([^ ]*).*$/';
-
-	/**
-	 * @since 13.0.0
-	 * @since 28.0.0 The regex has a group matching the version number
-	 */
-	public const USER_AGENT_TALK_ANDROID = '/^Mozilla\/5\.0 \(Android\) Nextcloud\-Talk v([^ ]*).*$/';
-
-	/**
-	 * @since 9.1.0
-	 * @since 28.0.0 The regex has a group matching the version number
-	 */
-	public const USER_AGENT_CLIENT_DESKTOP = '/^Mozilla\/5\.0 \([A-Za-z ]+\) (?:mirall|csyncoC)\/([^ ]*).*$/';
-
-	/**
-	 * @since 26.0.0
-	 * @since 28.0.0 The regex has a group matching the version number
-	 */
-	public const USER_AGENT_TALK_DESKTOP = '/^Mozilla\/5\.0 \((?!Android|iOS)[A-Za-z ]+\) Nextcloud\-Talk v([^ ]*).*$/';
-
-	/**
-	 * @since 9.1.0
-	 * @since 28.0.0 The regex has a group matching the version number
-	 */
-	public const USER_AGENT_CLIENT_IOS = '/^Mozilla\/5\.0 \(iOS\) (?:ownCloud|Nextcloud)\-iOS\/([^ ]*).*$/';
-
-	/**
-	 * @since 13.0.0
-	 * @since 28.0.0 The regex has a group matching the version number
-	 */
-	public const USER_AGENT_TALK_IOS = '/^Mozilla\/5\.0 \(iOS\) Nextcloud\-Talk v([^ ]*).*$/';
-
-	/**
-	 * @since 13.0.1
-	 * @since 28.0.0 The regex has a group matching the version number
-	 */
-	public const USER_AGENT_OUTLOOK_ADDON = '/^Mozilla\/5\.0 \([A-Za-z ]+\) Nextcloud\-Outlook v([^ ]*).*$/';
-
-	/**
-	 * @since 13.0.1
-	 * @since 28.0.0 The regex has a group matching the version number
-	 */
-	public const USER_AGENT_THUNDERBIRD_ADDON = '/^Filelink for \*cloud\/([1-9]\d*\.\d+\.\d+)$/';
-
-	/**
-	 * @since 26.0.0
-	 */
-	public const JSON_CONTENT_TYPE_REGEX = '/^application\/(?:[a-z0-9.-]+\+)?json\b/';
-
-	/**
-	 * @param string $name
-	 *
-	 * @psalm-taint-source input
-	 *
-	 * @return string
-	 * @since 6.0.0
-	 */
-	public function getHeader(string $name): string;
-
-	/**
-	 * Lets you access post and get parameters by the index
-	 * In case of json requests the encoded json body is accessed
-	 *
-	 * @psalm-taint-source input
-	 *
-	 * @param string $key the key which you want to access in the URL Parameter
-	 *                    placeholder, $_POST or $_GET array.
-	 *                    The priority how they're returned is the following:
-	 *                    1. URL parameters
-	 *                    2. POST parameters
-	 *                    3. GET parameters
-	 * @param mixed $default If the key is not found, this value will be returned
-	 * @return mixed the content of the array
-	 * @since 6.0.0
-	 */
-	public function getParam(string $key, $default = null);
-
-
-	/**
-	 * Returns all params that were received, be it from the request
-	 *
-	 * (as GET or POST) or through the URL by the route
-	 *
-	 * @psalm-taint-source input
-	 *
-	 * @return array the array with all parameters
-	 * @since 6.0.0
-	 */
-	public function getParams(): array;
-
-	/**
-	 * Returns the method of the request
-	 *
-	 * @return string the method of the request (POST, GET, etc)
-	 * @since 6.0.0
-	 */
-	public function getMethod(): string;
-
-	/**
-	 * Shortcut for accessing an uploaded file through the $_FILES array
-	 *
-	 * @param string $key the key that will be taken from the $_FILES array
-	 * @return array the file in the $_FILES element
-	 * @since 6.0.0
-	 */
-	public function getUploadedFile(string $key);
-
-
-	/**
-	 * Shortcut for getting env variables
-	 *
-	 * @param string $key the key that will be taken from the $_ENV array
-	 * @return array the value in the $_ENV element
-	 * @since 6.0.0
-	 */
-	public function getEnv(string $key);
-
-
-	/**
-	 * Shortcut for getting cookie variables
-	 *
-	 * @psalm-taint-source input
-	 *
-	 * @param string $key the key that will be taken from the $_COOKIE array
-	 * @return string|null the value in the $_COOKIE element
-	 * @since 6.0.0
-	 */
-	public function getCookie(string $key);
-
-
-	/**
-	 * Checks if the CSRF check was correct
-	 *
-	 * @return bool true if CSRF check passed
-	 * @since 6.0.0
-	 */
-	public function passesCSRFCheck(): bool;
-
-	/**
-	 * Checks if the strict cookie has been sent with the request if the request
-	 * is including any cookies.
-	 *
-	 * @return bool
-	 * @since 9.0.0
-	 */
-	public function passesStrictCookieCheck(): bool;
-
-	/**
-	 * Checks if the lax cookie has been sent with the request if the request
-	 * is including any cookies.
-	 *
-	 * @return bool
-	 * @since 9.0.0
-	 */
-	public function passesLaxCookieCheck(): bool;
-
-	/**
-	 * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging
-	 * If `mod_unique_id` is installed this value will be taken.
-	 *
-	 * @return string
-	 * @since 8.1.0
-	 */
-	public function getId(): string;
-
-	/**
-	 * Returns the remote address, if the connection came from a trusted proxy
-	 * and `forwarded_for_headers` has been configured then the IP address
-	 * specified in this header will be returned instead.
-	 * Do always use this instead of $_SERVER['REMOTE_ADDR']
-	 *
-	 * @return string IP address
-	 * @since 8.1.0
-	 */
-	public function getRemoteAddress(): string;
-
-	/**
-	 * Returns the server protocol. It respects reverse proxy servers and load
-	 * balancers.
-	 *
-	 * @return string Server protocol (http or https)
-	 * @since 8.1.0
-	 */
-	public function getServerProtocol(): string;
-
-	/**
-	 * Returns the used HTTP protocol.
-	 *
-	 * @return string HTTP protocol. HTTP/2, HTTP/1.1 or HTTP/1.0.
-	 * @since 8.2.0
-	 */
-	public function getHttpProtocol(): string;
-
-	/**
-	 * Returns the request uri, even if the website uses one or more
-	 * reverse proxies
-	 *
-	 * @psalm-taint-source input
-	 *
-	 * @return string
-	 * @since 8.1.0
-	 */
-	public function getRequestUri(): string;
-
-	/**
-	 * Get raw PathInfo from request (not urldecoded)
-	 *
-	 * @psalm-taint-source input
-	 *
-	 * @throws \Exception
-	 * @return string Path info
-	 * @since 8.1.0
-	 */
-	public function getRawPathInfo(): string;
-
-	/**
-	 * Get PathInfo from request
-	 *
-	 * @psalm-taint-source input
-	 *
-	 * @throws \Exception
-	 * @return string|false Path info or false when not found
-	 * @since 8.1.0
-	 */
-	public function getPathInfo();
-
-	/**
-	 * Returns the script name, even if the website uses one or more
-	 * reverse proxies
-	 *
-	 * @return string the script name
-	 * @since 8.1.0
-	 */
-	public function getScriptName(): string;
-
-	/**
-	 * Checks whether the user agent matches a given regex
-	 *
-	 * @param array $agent array of agent names
-	 * @return bool true if at least one of the given agent matches, false otherwise
-	 * @since 8.1.0
-	 */
-	public function isUserAgent(array $agent): bool;
-
-	/**
-	 * Returns the unverified server host from the headers without checking
-	 * whether it is a trusted domain
-	 *
-	 * @psalm-taint-source input
-	 *
-	 * @return string Server host
-	 * @since 8.1.0
-	 */
-	public function getInsecureServerHost(): string;
-
-	/**
-	 * Returns the server host from the headers, or the first configured
-	 * trusted domain if the host isn't in the trusted list
-	 *
-	 * @return string Server host
-	 * @since 8.1.0
-	 */
-	public function getServerHost(): string;
-
-	/**
-	 * If decoding the request content failed, throw an exception.
-	 * Currently only \JsonException for json decoding errors,
-	 * but in the future may throw other exceptions for other decoding issues.
-	 *
-	 * @throws \Exception
-	 * @since 32.0.0
-	 */
-	public function throwDecodingExceptionIfAny(): void;
-
-	/**
-	 * Returns the format of the response to this request.
-	 *
-	 * The `Accept` header and the `format` query parameter control the format.
-	 *
-	 * @return string|null
-	 * @since 33.0.0
-	 */
-	public function getFormat(): ?string;
+    /**
+     * @since 9.1.0
+     * @since 28.0.0 The regex has a group matching the version number
+     */
+    public const USER_AGENT_CLIENT_ANDROID = '/^Mozilla\/5\.0 \(Android\) (?:ownCloud|Nextcloud)\-android\/([^ ]*).*$/';
+
+    /**
+     * @since 13.0.0
+     * @since 28.0.0 The regex has a group matching the version number
+     */
+    public const USER_AGENT_TALK_ANDROID = '/^Mozilla\/5\.0 \(Android\) Nextcloud\-Talk v([^ ]*).*$/';
+
+    /**
+     * @since 9.1.0
+     * @since 28.0.0 The regex has a group matching the version number
+     */
+    public const USER_AGENT_CLIENT_DESKTOP = '/^Mozilla\/5\.0 \([A-Za-z ]+\) (?:mirall|csyncoC)\/([^ ]*).*$/';
+
+    /**
+     * @since 26.0.0
+     * @since 28.0.0 The regex has a group matching the version number
+     */
+    public const USER_AGENT_TALK_DESKTOP = '/^Mozilla\/5\.0 \((?!Android|iOS)[A-Za-z ]+\) Nextcloud\-Talk v([^ ]*).*$/';
+
+    /**
+     * @since 9.1.0
+     * @since 28.0.0 The regex has a group matching the version number
+     */
+    public const USER_AGENT_CLIENT_IOS = '/^Mozilla\/5\.0 \(iOS\) (?:ownCloud|Nextcloud)\-iOS\/([^ ]*).*$/';
+
+    /**
+     * @since 13.0.0
+     * @since 28.0.0 The regex has a group matching the version number
+     */
+    public const USER_AGENT_TALK_IOS = '/^Mozilla\/5\.0 \(iOS\) Nextcloud\-Talk v([^ ]*).*$/';
+
+    /**
+     * @since 13.0.1
+     * @since 28.0.0 The regex has a group matching the version number
+     */
+    public const USER_AGENT_OUTLOOK_ADDON = '/^Mozilla\/5\.0 \([A-Za-z ]+\) Nextcloud\-Outlook v([^ ]*).*$/';
+
+    /**
+     * @since 13.0.1
+     * @since 28.0.0 The regex has a group matching the version number
+     */
+    public const USER_AGENT_THUNDERBIRD_ADDON = '/^Filelink for \*cloud\/([1-9]\d*\.\d+\.\d+)$/';
+
+    /**
+     * @since 26.0.0
+     */
+    public const JSON_CONTENT_TYPE_REGEX = '/^application\/(?:[a-z0-9.-]+\+)?json\b/';
+
+    /**
+     * @param string $name
+     *
+     * @psalm-taint-source input
+     *
+     * @return string
+     * @since 6.0.0
+     */
+    public function getHeader(string $name): string;
+
+    /**
+     * Lets you access post and get parameters by the index
+     * In case of json requests the encoded json body is accessed
+     *
+     * @psalm-taint-source input
+     *
+     * @param string $key the key which you want to access in the URL Parameter
+     *                    placeholder, $_POST or $_GET array.
+     *                    The priority how they're returned is the following:
+     *                    1. URL parameters
+     *                    2. POST parameters
+     *                    3. GET parameters
+     * @param mixed $default If the key is not found, this value will be returned
+     * @return mixed the content of the array
+     * @since 6.0.0
+     */
+    public function getParam(string $key, $default = null);
+
+
+    /**
+     * Returns all params that were received, be it from the request
+     *
+     * (as GET or POST) or through the URL by the route
+     *
+     * @psalm-taint-source input
+     *
+     * @return array the array with all parameters
+     * @since 6.0.0
+     */
+    public function getParams(): array;
+
+    /**
+     * Returns the method of the request
+     *
+     * @return string the method of the request (POST, GET, etc)
+     * @since 6.0.0
+     */
+    public function getMethod(): string;
+
+    /**
+     * Shortcut for accessing an uploaded file through the $_FILES array
+     *
+     * @param string $key the key that will be taken from the $_FILES array
+     * @return array the file in the $_FILES element
+     * @since 6.0.0
+     */
+    public function getUploadedFile(string $key);
+
+
+    /**
+     * Shortcut for getting env variables
+     *
+     * @param string $key the key that will be taken from the $_ENV array
+     * @return array the value in the $_ENV element
+     * @since 6.0.0
+     */
+    public function getEnv(string $key);
+
+
+    /**
+     * Shortcut for getting cookie variables
+     *
+     * @psalm-taint-source input
+     *
+     * @param string $key the key that will be taken from the $_COOKIE array
+     * @return string|null the value in the $_COOKIE element
+     * @since 6.0.0
+     */
+    public function getCookie(string $key);
+
+
+    /**
+     * Checks if the CSRF check was correct
+     *
+     * @return bool true if CSRF check passed
+     * @since 6.0.0
+     */
+    public function passesCSRFCheck(): bool;
+
+    /**
+     * Checks if the strict cookie has been sent with the request if the request
+     * is including any cookies.
+     *
+     * @return bool
+     * @since 9.0.0
+     */
+    public function passesStrictCookieCheck(): bool;
+
+    /**
+     * Checks if the lax cookie has been sent with the request if the request
+     * is including any cookies.
+     *
+     * @return bool
+     * @since 9.0.0
+     */
+    public function passesLaxCookieCheck(): bool;
+
+    /**
+     * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging
+     * If `mod_unique_id` is installed this value will be taken.
+     *
+     * @return string
+     * @since 8.1.0
+     */
+    public function getId(): string;
+
+    /**
+     * Returns the remote address, if the connection came from a trusted proxy
+     * and `forwarded_for_headers` has been configured then the IP address
+     * specified in this header will be returned instead.
+     * Do always use this instead of $_SERVER['REMOTE_ADDR']
+     *
+     * @return string IP address
+     * @since 8.1.0
+     */
+    public function getRemoteAddress(): string;
+
+    /**
+     * Returns the server protocol. It respects reverse proxy servers and load
+     * balancers.
+     *
+     * @return string Server protocol (http or https)
+     * @since 8.1.0
+     */
+    public function getServerProtocol(): string;
+
+    /**
+     * Returns the used HTTP protocol.
+     *
+     * @return string HTTP protocol. HTTP/2, HTTP/1.1 or HTTP/1.0.
+     * @since 8.2.0
+     */
+    public function getHttpProtocol(): string;
+
+    /**
+     * Returns the request uri, even if the website uses one or more
+     * reverse proxies
+     *
+     * @psalm-taint-source input
+     *
+     * @return string
+     * @since 8.1.0
+     */
+    public function getRequestUri(): string;
+
+    /**
+     * Get raw PathInfo from request (not urldecoded)
+     *
+     * @psalm-taint-source input
+     *
+     * @throws \Exception
+     * @return string Path info
+     * @since 8.1.0
+     */
+    public function getRawPathInfo(): string;
+
+    /**
+     * Get PathInfo from request
+     *
+     * @psalm-taint-source input
+     *
+     * @throws \Exception
+     * @return string|false Path info or false when not found
+     * @since 8.1.0
+     */
+    public function getPathInfo();
+
+    /**
+     * Returns the script name, even if the website uses one or more
+     * reverse proxies
+     *
+     * @return string the script name
+     * @since 8.1.0
+     */
+    public function getScriptName(): string;
+
+    /**
+     * Checks whether the user agent matches a given regex
+     *
+     * @param array $agent array of agent names
+     * @return bool true if at least one of the given agent matches, false otherwise
+     * @since 8.1.0
+     */
+    public function isUserAgent(array $agent): bool;
+
+    /**
+     * Returns the unverified server host from the headers without checking
+     * whether it is a trusted domain
+     *
+     * @psalm-taint-source input
+     *
+     * @return string Server host
+     * @since 8.1.0
+     */
+    public function getInsecureServerHost(): string;
+
+    /**
+     * Returns the server host from the headers, or the first configured
+     * trusted domain if the host isn't in the trusted list
+     *
+     * @return string Server host
+     * @since 8.1.0
+     */
+    public function getServerHost(): string;
+
+    /**
+     * If decoding the request content failed, throw an exception.
+     * Currently only \JsonException for json decoding errors,
+     * but in the future may throw other exceptions for other decoding issues.
+     *
+     * @throws \Exception
+     * @since 32.0.0
+     */
+    public function throwDecodingExceptionIfAny(): void;
+
+    /**
+     * Returns the format of the response to this request.
+     *
+     * The `Accept` header and the `format` query parameter control the format.
+     *
+     * @return string|null
+     * @since 33.0.0
+     */
+    public function getFormat(): ?string;
 }

lib/public/AppFramework/Controller.php

Indentation +122 added lines, -122 removed lines

@@ -17,126 +17,126 @@
  * @since 6.0.0
  */
 abstract class Controller {
-	/**
-	 * app name
-	 * @var string
-	 * @since 7.0.0
-	 */
-	protected $appName;
-
-	/**
-	 * current request
-	 * @var \OCP\IRequest
-	 * @since 6.0.0
-	 */
-	protected $request;
-
-	/**
-	 * @var array
-	 * @since 7.0.0
-	 */
-	private $responders;
-
-	/**
-	 * constructor of the controller
-	 * @param string $appName the name of the app
-	 * @param IRequest $request an instance of the request
-	 * @since 6.0.0 - parameter $appName was added in 7.0.0 - parameter $app was removed in 7.0.0
-	 */
-	public function __construct($appName,
-		IRequest $request) {
-		$this->appName = $appName;
-		$this->request = $request;
-
-		// default responders
-		$this->responders = [
-			'json' => function ($data) {
-				if ($data instanceof DataResponse) {
-					$response = new JSONResponse(
-						$data->getData(),
-						$data->getStatus()
-					);
-					$dataHeaders = $data->getHeaders();
-					$headers = $response->getHeaders();
-					// do not overwrite Content-Type if it already exists
-					if (isset($dataHeaders['Content-Type'])) {
-						unset($headers['Content-Type']);
-					}
-					$response->setHeaders(array_merge($dataHeaders, $headers));
-
-					if ($data->getETag() !== null) {
-						$response->setETag($data->getETag());
-					}
-					if ($data->getLastModified() !== null) {
-						$response->setLastModified($data->getLastModified());
-					}
-					if ($data->isThrottled()) {
-						$response->throttle($data->getThrottleMetadata());
-					}
-
-					return $response;
-				}
-				return new JSONResponse($data);
-			}
-		];
-	}
-
-
-	/**
-	 * Parses an HTTP accept header and returns the supported responder type
-	 * @param string $acceptHeader
-	 * @param string $default
-	 * @return string the responder type
-	 * @since 7.0.0
-	 * @since 9.1.0 Added default parameter
-	 * @deprecated 33.0.0 Use {@see \OCP\IRequest::getFormat} instead
-	 */
-	public function getResponderByHTTPHeader($acceptHeader, $default = 'json') {
-		$headers = explode(',', $acceptHeader);
-
-		// return the first matching responder
-		foreach ($headers as $header) {
-			$header = strtolower(trim($header));
-
-			$responder = str_replace('application/', '', $header);
-
-			if (array_key_exists($responder, $this->responders)) {
-				return $responder;
-			}
-		}
-
-		// no matching header return default
-		return $default;
-	}
-
-
-	/**
-	 * Registers a formatter for a type
-	 * @param string $format
-	 * @param \Closure $responder
-	 * @since 7.0.0
-	 */
-	protected function registerResponder($format, \Closure $responder) {
-		$this->responders[$format] = $responder;
-	}
-
-
-	/**
-	 * Serializes and formats a response
-	 * @param mixed $response the value that was returned from a controller and
-	 *                        is not a Response instance
-	 * @param string $format the format for which a formatter has been registered
-	 * @throws \DomainException if format does not match a registered formatter
-	 * @return Response
-	 * @since 7.0.0
-	 */
-	public function buildResponse($response, $format = 'json') {
-		if (array_key_exists($format, $this->responders)) {
-			$responder = $this->responders[$format];
-
-			return $responder($response);
-		}
-		throw new \DomainException('No responder registered for format '
-			. $format . '!');
-	}
+    /**
+     * app name
+     * @var string
+     * @since 7.0.0
+     */
+    protected $appName;
+
+    /**
+     * current request
+     * @var \OCP\IRequest
+     * @since 6.0.0
+     */
+    protected $request;
+
+    /**
+     * @var array
+     * @since 7.0.0
+     */
+    private $responders;
+
+    /**
+     * constructor of the controller
+     * @param string $appName the name of the app
+     * @param IRequest $request an instance of the request
+     * @since 6.0.0 - parameter $appName was added in 7.0.0 - parameter $app was removed in 7.0.0
+     */
+    public function __construct($appName,
+        IRequest $request) {
+        $this->appName = $appName;
+        $this->request = $request;
+
+        // default responders
+        $this->responders = [
+            'json' => function ($data) {
+                if ($data instanceof DataResponse) {
+                    $response = new JSONResponse(
+                        $data->getData(),
+                        $data->getStatus()
+                    );
+                    $dataHeaders = $data->getHeaders();
+                    $headers = $response->getHeaders();
+                    // do not overwrite Content-Type if it already exists
+                    if (isset($dataHeaders['Content-Type'])) {
+                        unset($headers['Content-Type']);
+                    }
+                    $response->setHeaders(array_merge($dataHeaders, $headers));
+
+                    if ($data->getETag() !== null) {
+                        $response->setETag($data->getETag());
+                    }
+                    if ($data->getLastModified() !== null) {
+                        $response->setLastModified($data->getLastModified());
+                    }
+                    if ($data->isThrottled()) {
+                        $response->throttle($data->getThrottleMetadata());
+                    }
+
+                    return $response;
+                }
+                return new JSONResponse($data);
+            }
+        ];
+    }
+
+
+    /**
+     * Parses an HTTP accept header and returns the supported responder type
+     * @param string $acceptHeader
+     * @param string $default
+     * @return string the responder type
+     * @since 7.0.0
+     * @since 9.1.0 Added default parameter
+     * @deprecated 33.0.0 Use {@see \OCP\IRequest::getFormat} instead
+     */
+    public function getResponderByHTTPHeader($acceptHeader, $default = 'json') {
+        $headers = explode(',', $acceptHeader);
+
+        // return the first matching responder
+        foreach ($headers as $header) {
+            $header = strtolower(trim($header));
+
+            $responder = str_replace('application/', '', $header);
+
+            if (array_key_exists($responder, $this->responders)) {
+                return $responder;
+            }
+        }
+
+        // no matching header return default
+        return $default;
+    }
+
+
+    /**
+     * Registers a formatter for a type
+     * @param string $format
+     * @param \Closure $responder
+     * @since 7.0.0
+     */
+    protected function registerResponder($format, \Closure $responder) {
+        $this->responders[$format] = $responder;
+    }
+
+
+    /**
+     * Serializes and formats a response
+     * @param mixed $response the value that was returned from a controller and
+     *                        is not a Response instance
+     * @param string $format the format for which a formatter has been registered
+     * @throws \DomainException if format does not match a registered formatter
+     * @return Response
+     * @since 7.0.0
+     */
+    public function buildResponse($response, $format = 'json') {
+        if (array_key_exists($format, $this->responders)) {
+            $responder = $this->responders[$format];
+
+            return $responder($response);
+        }
+        throw new \DomainException('No responder registered for format '
+            . $format . '!');
+    }
 }