Example #1
0
 public function testGetCsp()
 {
     $policy = new Http\ContentSecurityPolicy();
     $policy->allowInlineScript(true);
     $this->childResponse->setContentSecurityPolicy($policy);
     $this->assertEquals($policy, $this->childResponse->getContentSecurityPolicy());
 }
Example #2
0
 /**
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function index()
 {
     $status = $this->statusService->getStatus();
     $response = new TemplateResponse($this->appName, 'index', ['cronWarning' => $status['warnings']['improperlyConfiguredCron']]);
     $csp = new ContentSecurityPolicy();
     $csp->addAllowedImageDomain('*')->addAllowedMediaDomain('*')->addAllowedConnectDomain('*')->addAllowedFrameDomain('https://youtube.com')->addAllowedFrameDomain('https://www.youtube.com')->addAllowedFrameDomain('https://player.vimeo.com')->addAllowedFrameDomain('https://www.player.vimeo.com');
     $response->setContentSecurityPolicy($csp);
     return $response;
 }
Example #3
0
 /**
  * CAUTION: the @Stuff turn off security checks, for this page no admin is
  *          required and no CSRF check. If you don't know what CSRF is, read
  *          it up in the docs or you might create a security hole. This is
  *          basically the only required method to add this exemption, don't
  *          add it to any other method if you don't exactly know what it does
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function index()
 {
     $params = array('user' => $this->userId);
     $csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
     $csp->addAllowedImageDomain('data:');
     $response = new TemplateResponse('ownnote', 'main', $params);
     $response->setContentSecurityPolicy($csp);
     return $response;
 }
 /**
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function index()
 {
     $bookmarkleturl = $this->urlgenerator->getAbsoluteURL('index.php/apps/bookmarks/bookmarklet');
     $params = array('user' => $this->userId, 'bookmarkleturl' => $bookmarkleturl);
     $policy = new ContentSecurityPolicy();
     $policy->addAllowedFrameDomain("'self'");
     $response = new TemplateResponse('bookmarks', 'main', $params);
     $response->setContentSecurityPolicy($policy);
     return $response;
 }
 public function testShowPdfViewer()
 {
     $params = ['urlGenerator' => $this->urlGenerator];
     $expectedResponse = new TemplateResponse($this->appName, 'viewer', $params, 'blank');
     $policy = new ContentSecurityPolicy();
     $policy->addAllowedChildSrcDomain('\'self\'');
     $policy->addAllowedFontDomain('data:');
     $expectedResponse->setContentSecurityPolicy($policy);
     $this->assertEquals($expectedResponse, $this->controller->showPdfViewer());
 }
Example #6
0
 /**
  * @PublicPage
  * @NoCSRFRequired
  *
  * @return TemplateResponse
  */
 public function showPdfViewer()
 {
     $params = ['urlGenerator' => $this->urlGenerator];
     $response = new TemplateResponse($this->appName, 'viewer', $params, 'blank');
     $policy = new ContentSecurityPolicy();
     $policy->addAllowedChildSrcDomain('\'self\'');
     $policy->addAllowedFontDomain('data:');
     $response->setContentSecurityPolicy($policy);
     return $response;
 }
 /**
  * @NoCSRFRequired
  * @return TemplateResponse
  */
 public function viewApps()
 {
     $params = [];
     $params['experimentalEnabled'] = $this->config->getSystemValue('appstore.experimental.enabled', false);
     $this->navigationManager->setActiveEntry('core_apps');
     $templateResponse = new TemplateResponse($this->appName, 'apps', $params, 'user');
     $policy = new ContentSecurityPolicy();
     $policy->addAllowedImageDomain('https://apps.owncloud.com');
     $templateResponse->setContentSecurityPolicy($policy);
     return $templateResponse;
 }
 /**
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function webRTC()
 {
     $params = [];
     $response = new TemplateResponse(Settings::APP_ID, 'webrtc', $params);
     // Allow to embed iframes
     $csp = new ContentSecurityPolicy();
     //$csp->addAllowedFrameDomain('*');
     $csp->addAllowedFrameDomain(implode(' ', Security::getAllowedIframeDomains()));
     $response->setContentSecurityPolicy($csp);
     return $response;
 }
 /**
  * @NoAdminRequired
  * @NoCSRFRequired
  * @PublicPage
  */
 public function webRTC()
 {
     $params = ['is_guest' => $this->userid === null];
     $response = new TemplateResponse(Settings::APP_ID, 'webrtc', $params, $this->userid === null ? 'empty' : 'user');
     // Allow to embed iframes
     $csp = new ContentSecurityPolicy();
     //$csp->addAllowedFrameDomain('*');
     $csp->addAllowedFrameDomain(implode(' ', Security::getAllowedIframeDomains()));
     $response->setContentSecurityPolicy($csp);
     return $response;
 }
Example #10
0
 /**
  * CAUTION: the @Stuff turn off security checks, for this page no admin is
  *          required and no CSRF check. If you don't know what CSRF is, read
  *          it up in the docs or you might create a security hole. This is
  *          basically the only required method to add this exemption, don't
  *          add it to any other method if you don't exactly know what it does
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function index()
 {
     $params = array('user' => $this->userId);
     $response = new TemplateResponse('ownmnote', 'main', $params);
     $ocVersion = \OCP\Util::getVersion();
     if ($ocVersion[0] > 8 || $ocVersion[0] == 8 && $ocVersion[1] >= 1) {
         $csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
         $csp->addAllowedImageDomain('data:');
         $response->setContentSecurityPolicy($csp);
     }
     return $response;
 }
 /**
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function index()
 {
     if (substr(\OC_Util::getHumanVersion(), 0, 3) != '8.0') {
         // OC >= 8.1
         $response = new TemplateResponse('passwords', 'main');
         $csp = new ContentSecurityPolicy();
         $csp->addAllowedImageDomain('https://icons.duckduckgo.com');
         $csp->addAllowedImageDomain('https://www.google.com');
         $response->setContentSecurityPolicy($csp);
         return $response;
     } else {
         // OC =< 8.0.4
         return new TemplateResponse('passwords', 'main');
     }
 }
Example #12
0
 /**
  * @NoAdminRequired
  * @NoCSRFRequired
  *
  * @return TemplateResponse
  */
 public function index()
 {
     $lastViewedNote = (int) $this->settings->getUserValue($this->userId, $this->appName, 'notesLastViewedNote');
     // check if note exists
     try {
         $this->notesService->get($lastViewedNote, $this->userId);
     } catch (NoteDoesNotExistException $ex) {
         $lastViewedNote = 0;
     }
     $response = new TemplateResponse($this->appName, 'main', ['lastViewedNote' => $lastViewedNote]);
     $csp = new ContentSecurityPolicy();
     $csp->addAllowedImageDomain('*');
     $response->setContentSecurityPolicy($csp);
     return $response;
 }
 public function testGetPolicyDisallowChildSrcDomainMultipleStakes()
 {
     $expectedPolicy = "default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'";
     $this->contentSecurityPolicy->addAllowedChildSrcDomain('www.owncloud.com');
     $this->contentSecurityPolicy->disallowChildSrcDomain('www.owncloud.org')->disallowChildSrcDomain('www.owncloud.com');
     $this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
 }
Example #14
0
 /**
  * CAUTION: the @Stuff turn off security checks, for this page no admin is
  *          required and no CSRF check. If you don't know what CSRF is, read
  *          it up in the docs or you might create a security hole. This is
  *          basically the only required method to add this exemption, don't
  *          add it to any other method if you don't exactly know what it does
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function index()
 {
     $conf = \OCP\CONFIG::getUserValue(\OCP\User::getUser(), 'firstpassmanrun', 'show', 1);
     $params = array('user' => $this->userId);
     $conf = $this->userId === 'test' ? 1 : $conf;
     if ($conf == 1) {
         \OCP\Util::addscript('passman', 'firstrun');
         $exampleItems = array();
         $exampleItems[0] = array('label' => 'Item 1', 'tags' => array(array('text' => 'Example tag'), array('text' => 'Example tag 2')));
         $exampleItems[1] = array('label' => 'Item 2', 'tags' => array(array('text' => 'Example tag 2'), array('text' => 'Example tag 3')));
         foreach ($exampleItems as $key => $val) {
             $this->itemAPI->create('', '', '', '', '', $val['label'], '', '', '', '', $val['tags'], array());
         }
     }
     $response = new TemplateResponse('passman', 'main', $params);
     $csp = new ContentSecurityPolicy();
     $csp->addAllowedObjectDomain('\'self\'');
     $csp->addAllowedImageDomain('data:');
     $response->setContentSecurityPolicy($csp);
     return $response;
     // templates/main.php
 }
 /**
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function index()
 {
     \OC::$server->getNavigationManager()->setActiveEntry('documents_index');
     $maxUploadFilesize = \OCP\Util::maxUploadFilesize("/");
     $response = new TemplateResponse('documents', 'documents', ['enable_previews' => $this->settings->getSystemValue('enable_previews', true), 'useUnstable' => $this->settings->getAppValue('documents', 'unstable', 'false'), 'savePath' => $this->settings->getUserValue($this->uid, 'documents', 'save_path', '/'), 'uploadMaxFilesize' => $maxUploadFilesize, 'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($maxUploadFilesize), 'allowShareWithLink' => $this->settings->getAppValue('core', 'shareapi_allow_links', 'yes')]);
     $policy = new ContentSecurityPolicy();
     //$policy->addAllowedChildSrcDomain('\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\'');
     $policy->addAllowedScriptDomain('\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\'');
     $policy->addAllowedFrameDomain('\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\'');
     $policy->addAllowedConnectDomain('ws://' . $_SERVER['SERVER_NAME'] . ':9980');
     $policy->addAllowedImageDomain('*');
     $policy->allowInlineScript(true);
     $policy->addAllowedFontDomain('data:');
     $response->setContentSecurityPolicy($policy);
     return $response;
 }
Example #16
0
 /**
  * @PublicPage
  * @NoCSRFRequired
  *
  * @return TemplateResponse
  */
 public function showPad($file, $dir)
 {
     /* Retrieve file content to find pad’s URL */
     $content = \OC\Files\Filesystem::file_get_contents($dir . "/" . $file);
     preg_match('/URL=(.*)$/', $content, $matches);
     $url = $matches[1];
     $title = $file;
     /* Not totally sure that this is the right way to proceed…
      *
      * First we decode the URL (to avoid double encode), then we
      * replace spaces with underscore (as they are converted as
      * such by Etherpad), then we encode the URL properly (and we
      * avoid to urlencode() the protocol scheme).
      *
      * Magic urlencode() function was stolen from this answer on
      * StackOverflow: <http://stackoverflow.com/a/7974253>.
      */
     $url = urldecode($url);
     $url = str_replace(' ', '_', $url);
     $url = preg_replace_callback('#://([^/]+)/([^?]+)#', function ($match) {
         return '://' . $match[1] . '/' . join('/', array_map('rawurlencode', explode('/', $match[2])));
     }, $url);
     $params = ['urlGenerator' => $this->urlGenerator, 'url' => $url, 'title' => $title];
     $response = new TemplateResponse($this->appName, 'viewer', $params, 'blank');
     /* Allow Etherpad and Ethercalc domains to the
      * Content-Security-frame- list.
      *
      * This feature was introduced in ownCloud 8.1.
      */
     $policy = new ContentSecurityPolicy();
     $appConfig = \OC::$server->getAppConfig();
     $policy->addAllowedFrameDomain($appConfig->getValue('ownpad', 'ownpad_etherpad_host', ''));
     $policy->addAllowedFrameDomain($appConfig->getValue('ownpad', 'ownpad_ethercalc_host', ''));
     $response->setContentSecurityPolicy($policy);
     return $response;
 }
	public function testConfigureStacked() {
		$expectedPolicy = "default-src 'none';script-src 'self' script.owncloud.org;style-src 'self' style.owncloud.org;img-src 'self' img.owncloud.org;font-src 'self' font.owncloud.org;connect-src 'self' connect.owncloud.org;media-src 'self' media.owncloud.org;object-src objects.owncloud.org;frame-src frame.owncloud.org;child-src child.owncloud.org";

		$this->contentSecurityPolicy->allowInlineStyle(false)
			->allowEvalScript(false)
			->addAllowedScriptDomain('script.owncloud.org')
			->addAllowedStyleDomain('style.owncloud.org')
			->addAllowedFontDomain('font.owncloud.org')
			->addAllowedImageDomain('img.owncloud.org')
			->addAllowedConnectDomain('connect.owncloud.org')
			->addAllowedMediaDomain('media.owncloud.org')
			->addAllowedObjectDomain('objects.owncloud.org')
			->addAllowedChildSrcDomain('child.owncloud.org')
			->addAllowedFrameDomain('frame.owncloud.org');
		$this->assertSame($expectedPolicy, $this->contentSecurityPolicy->buildPolicy());
	}
 /**
  * @PublicPage
  * @NoCSRFRequired
  *
  * @return TemplateResponse
  */
 public function showReader()
 {
     $params = ['urlGenerator' => $this->urlGenerator];
     $response = new TemplateResponse($this->appName, 'reader', $params, 'blank');
     $csp = new ContentSecurityPolicy();
     $csp->addAllowedChildSrcDomain('\'self\'');
     $csp->addAllowedFrameDomain('\'self\'');
     $csp->addAllowedStyleDomain('blob:');
     $csp->addAllowedImageDomain('blob:');
     $response->setContentSecurityPolicy($csp);
     return $response;
 }
Example #19
0
 /**
  * @NoAdminRequired
  * @NoCSRFRequired
  *
  * @param int $accountId
  * @param string $folderId
  * @param string $messageId
  * @return \OCA\Mail\Http\HtmlResponse
  */
 public function getHtmlBody($accountId, $folderId, $messageId)
 {
     try {
         $mailBox = $this->getFolder($accountId, $folderId);
         $m = $mailBox->getMessage($messageId, true);
         $html = $m->getHtmlBody($accountId, $folderId, $messageId, function ($cid) use($m) {
             $match = array_filter($m->attachments, function ($a) use($cid) {
                 return $a['cid'] === $cid;
             });
             $match = array_shift($match);
             if (is_null($match)) {
                 return null;
             }
             return $match['id'];
         });
         $htmlResponse = new HtmlResponse($html);
         // Harden the default security policy
         // FIXME: Remove once ownCloud 8.1 is a requirement for the mail app
         if (class_exists('\\OCP\\AppFramework\\Http\\ContentSecurityPolicy')) {
             $policy = new ContentSecurityPolicy();
             $policy->allowEvalScript(false);
             $policy->disallowScriptDomain('\'self\'');
             $policy->disallowConnectDomain('\'self\'');
             $policy->disallowFontDomain('\'self\'');
             $policy->disallowMediaDomain('\'self\'');
             $htmlResponse->setContentSecurityPolicy($policy);
         }
         // Enable caching
         $htmlResponse->cacheFor(60 * 60);
         $htmlResponse->addHeader('Pragma', 'cache');
         return $htmlResponse;
     } catch (\Exception $ex) {
         return new TemplateResponse($this->appName, 'error', ['message' => $ex->getMessage()], 'none');
     }
 }
 /**
  * Adds the domain "data:" to the allowed image domains
  * this function is called by reference
  *
  * @param TemplateResponse $response
  */
 private function addContentSecurityToResponse($response)
 {
     $csp = new Http\ContentSecurityPolicy();
     $csp->addAllowedFontDomain("data:");
     $response->setContentSecurityPolicy($csp);
 }
Example #21
0
 /**
  * CAUTION: the @Stuff turns off security checks; for this page no admin is
  *          required and no CSRF check. If you don't know what CSRF is, read
  *          it up in the docs or you might create a security hole. This is
  *          basically the only required method to add this exemption, don't
  *          add it to any other method if you don't exactly know what it does
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function index()
 {
     $uploadLimit = Util::uploadLimit();
     $params = ['user' => $this->userId, 'uploadLimit' => $uploadLimit];
     /** @var ContentSecurityPolicy $csp */
     $csp = new ContentSecurityPolicy();
     $csp->addAllowedConnectDomain('*');
     /** @var TemplateResponse $response */
     if (isset($_SESSION['targetType']) && $_SESSION['targetType'] == TargetType::PROJECT) {
         $response = new TemplateResponse('pkdrive', 'container', $params);
     } else {
         $response = new TemplateResponse('pkdrive', 'target', $params);
     }
     $response->setContentSecurityPolicy($csp);
     return $response;
 }
 /**
  * @NoAdminRequired
  * @NoCSRFRequired
  */
 public function index()
 {
     $wopiRemote = $this->appConfig->getAppValue('wopi_url');
     if (($parts = parse_url($wopiRemote)) && isset($parts['scheme']) && isset($parts['host'])) {
         $webSocketProtocol = "ws://";
         if ($parts['scheme'] == "https") {
             $webSocketProtocol = "wss://";
         }
         $webSocket = sprintf("%s%s%s", $webSocketProtocol, $parts['host'], isset($parts['port']) ? ":" . $parts['port'] : "");
     } else {
         return $this->responseError($this->l10n->t('Collabora Online: Invalid URL "%s".', array($wopiRemote)), $this->l10n->t('Please ask your administrator to check the Collabora Online server setting.'));
     }
     \OC::$server->getNavigationManager()->setActiveEntry('richdocuments_index');
     $maxUploadFilesize = \OCP\Util::maxUploadFilesize("/");
     $response = new TemplateResponse('richdocuments', 'documents', ['enable_previews' => $this->settings->getSystemValue('enable_previews', true), 'uploadMaxFilesize' => $maxUploadFilesize, 'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($maxUploadFilesize), 'allowShareWithLink' => $this->settings->getAppValue('core', 'shareapi_allow_links', 'yes'), 'wopi_url' => $webSocket]);
     $policy = new ContentSecurityPolicy();
     $policy->addAllowedScriptDomain('\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\' ' . $wopiRemote);
     /* frame-src is deprecated on Firefox, but Safari wants it! */
     $policy->addAllowedFrameDomain('\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\' ' . $wopiRemote);
     $policy->addAllowedChildSrcDomain('\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\' ' . $wopiRemote);
     $policy->addAllowedConnectDomain($webSocket);
     $policy->addAllowedImageDomain('*');
     $policy->allowInlineScript(true);
     $policy->addAllowedFontDomain('data:');
     $response->setContentSecurityPolicy($policy);
     return $response;
 }
 /**
  * @PublicPage
  * @NoCSRFRequired
  *
  * @param string $token
  * @param string $path
  * @return TemplateResponse|RedirectResponse
  */
 public function showShare($token, $path = '')
 {
     \OC_User::setIncognitoMode(true);
     // Check whether share exists
     $linkItem = Share::getShareByToken($token, false);
     if ($linkItem === false) {
         return new NotFoundResponse();
     }
     $shareOwner = $linkItem['uid_owner'];
     $originalSharePath = $this->getPath($token);
     // Share is password protected - check whether the user is permitted to access the share
     if (isset($linkItem['share_with']) && !Helper::authenticate($linkItem)) {
         return new RedirectResponse($this->urlGenerator->linkToRoute('files_sharing.sharecontroller.authenticate', array('token' => $token)));
     }
     if (Filesystem::isReadable($originalSharePath . $path)) {
         $getPath = Filesystem::normalizePath($path);
         $originalSharePath .= $path;
     } else {
         throw new OCP\Files\NotFoundException();
     }
     $file = basename($originalSharePath);
     $shareTmpl = [];
     $shareTmpl['displayName'] = User::getDisplayName($shareOwner);
     $shareTmpl['filename'] = $file;
     $shareTmpl['directory_path'] = $linkItem['file_target'];
     $shareTmpl['mimetype'] = Filesystem::getMimeType($originalSharePath);
     $shareTmpl['previewSupported'] = \OC::$server->getPreviewManager()->isMimeSupported($shareTmpl['mimetype']);
     $shareTmpl['dirToken'] = $linkItem['token'];
     $shareTmpl['sharingToken'] = $token;
     $shareTmpl['server2serversharing'] = Helper::isOutgoingServer2serverShareEnabled();
     $shareTmpl['protected'] = isset($linkItem['share_with']) ? 'true' : 'false';
     $shareTmpl['dir'] = '';
     $nonHumanFileSize = \OC\Files\Filesystem::filesize($originalSharePath);
     $shareTmpl['nonHumanFileSize'] = $nonHumanFileSize;
     $shareTmpl['fileSize'] = \OCP\Util::humanFileSize($nonHumanFileSize);
     // Show file list
     if (Filesystem::is_dir($originalSharePath)) {
         $shareTmpl['dir'] = $getPath;
         $maxUploadFilesize = Util::maxUploadFilesize($originalSharePath);
         $freeSpace = Util::freeSpace($originalSharePath);
         $uploadLimit = Util::uploadLimit();
         $folder = new Template('files', 'list', '');
         $folder->assign('dir', $getPath);
         $folder->assign('dirToken', $linkItem['token']);
         $folder->assign('permissions', \OCP\Constants::PERMISSION_READ);
         $folder->assign('isPublic', true);
         $folder->assign('publicUploadEnabled', 'no');
         $folder->assign('uploadMaxFilesize', $maxUploadFilesize);
         $folder->assign('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize));
         $folder->assign('freeSpace', $freeSpace);
         $folder->assign('uploadLimit', $uploadLimit);
         // PHP upload limit
         $folder->assign('usedSpacePercent', 0);
         $folder->assign('trash', false);
         $shareTmpl['folder'] = $folder->fetchPage();
     }
     $shareTmpl['downloadURL'] = $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.downloadShare', array('token' => $token));
     $shareTmpl['maxSizeAnimateGif'] = $this->config->getSystemValue('max_filesize_animated_gifs_public_sharing', 10);
     $csp = new OCP\AppFramework\Http\ContentSecurityPolicy();
     $csp->addAllowedFrameDomain('\'self\'');
     $response = new TemplateResponse($this->appName, 'public', $shareTmpl, 'base');
     $response->setContentSecurityPolicy($csp);
     return $response;
 }
 /**
  * @PublicPage
  * @NoCSRFRequired
  *
  * @return TemplateResponse
  */
 public function showLibreOnline()
 {
     $params = ['urlGenerator' => $this->urlGenerator];
     $response = new TemplateResponse($this->appName, 'online', $params, 'blank');
     $policy = new ContentSecurityPolicy();
     $policy->addAllowedChildSrcDomain('*');
     $policy->addAllowedScriptDomain("*");
     $policy->addAllowedConnectDomain("*");
     $policy->addAllowedStyleDomain("*");
     $policy->addAllowedMediaDomain("*");
     $policy->addAllowedFontDomain('*');
     $policy->addAllowedImageDomain('*');
     $policy->addAllowedFrameDomain('*');
     $policy->addAllowedObjectDomain('*');
     $policy->allowInlineScript(True);
     $policy->allowInlineStyle(True);
     $policy->allowEvalScript(True);
     $response->setContentSecurityPolicy($policy);
     return $response;
 }
Example #25
0
 public function testIndexWithRegularBrowser()
 {
     $this->request->expects($this->once())->method('isUserAgent')->with(['/MSIE 8.0/'])->will($this->returnValue(false));
     $this->viewController->expects($this->once())->method('getStorageInfo')->will($this->returnValue(['relative' => 123, 'owner' => 'MyName', 'ownerDisplayName' => 'MyDisplayName']));
     $this->config->expects($this->any())->method('getAppValue')->will($this->returnArgument(2));
     $nav = new Template('files', 'appnavigation');
     $nav->assign('navigationItems', [0 => ['id' => 'files', 'appname' => 'files', 'script' => 'list.php', 'order' => 0, 'name' => new \OC_L10N_String(new \OC_L10N('files'), 'All files', []), 'active' => false, 'icon' => ''], 1 => ['id' => 'favorites', 'appname' => 'files', 'script' => 'simplelist.php', 'order' => 5, 'name' => null, 'active' => false, 'icon' => ''], 2 => ['id' => 'sharingin', 'appname' => 'files_sharing', 'script' => 'list.php', 'order' => 10, 'name' => new \OC_L10N_String(new \OC_L10N('files_sharing'), 'Shared with you', []), 'active' => false, 'icon' => ''], 3 => ['id' => 'sharingout', 'appname' => 'files_sharing', 'script' => 'list.php', 'order' => 15, 'name' => new \OC_L10N_String(new \OC_L10N('files_sharing'), 'Shared with others', []), 'active' => false, 'icon' => ''], 4 => ['id' => 'sharinglinks', 'appname' => 'files_sharing', 'script' => 'list.php', 'order' => 20, 'name' => new \OC_L10N_String(new \OC_L10N('files_sharing'), 'Shared by link', []), 'active' => false, 'icon' => ''], 5 => ['id' => 'trashbin', 'appname' => 'files_trashbin', 'script' => 'list.php', 'order' => 50, 'name' => new \OC_L10N_String(new \OC_L10N('files_trashbin'), 'Deleted files', []), 'active' => false, 'icon' => '']]);
     $expected = new Http\TemplateResponse('files', 'index', ['usedSpacePercent' => 123, 'owner' => 'MyName', 'ownerDisplayName' => 'MyDisplayName', 'isPublic' => false, 'mailNotificationEnabled' => 'no', 'mailPublicNotificationEnabled' => 'no', 'allowShareWithLink' => 'yes', 'appNavigation' => $nav, 'appContents' => [0 => ['id' => 'files', 'content' => null], 1 => ['id' => 'favorites', 'content' => null], 2 => ['id' => 'sharingin', 'content' => null], 3 => ['id' => 'sharingout', 'content' => null], 4 => ['id' => 'sharinglinks', 'content' => null], 5 => ['id' => 'trashbin', 'content' => null]]]);
     $policy = new Http\ContentSecurityPolicy();
     $policy->addAllowedFrameDomain('\'self\'');
     $expected->setContentSecurityPolicy($policy);
     $this->assertEquals($expected, $this->viewController->index('MyDir', 'MyView'));
 }
Example #26
0
 /**
  * @NoCSRFRequired
  * @NoAdminRequired
  *
  * @param string $dir
  * @param string $view
  * @return TemplateResponse
  * @throws \OCP\Files\NotFoundException
  */
 public function index($dir = '', $view = '')
 {
     $nav = new \OCP\Template('files', 'appnavigation', '');
     // Load the files we need
     \OCP\Util::addStyle('files', 'files');
     \OCP\Util::addStyle('files', 'upload');
     \OCP\Util::addStyle('files', 'mobile');
     \OCP\Util::addscript('files', 'app');
     \OCP\Util::addscript('files', 'file-upload');
     \OCP\Util::addscript('files', 'newfilemenu');
     \OCP\Util::addscript('files', 'jquery.iframe-transport');
     \OCP\Util::addscript('files', 'jquery.fileupload');
     \OCP\Util::addscript('files', 'jquery-visibility');
     \OCP\Util::addscript('files', 'fileinfomodel');
     \OCP\Util::addscript('files', 'filesummary');
     \OCP\Util::addscript('files', 'breadcrumb');
     \OCP\Util::addscript('files', 'filelist');
     \OCP\Util::addscript('files', 'search');
     \OCP\Util::addScript('files', 'favoritesfilelist');
     \OCP\Util::addScript('files', 'tagsplugin');
     \OCP\Util::addScript('files', 'favoritesplugin');
     \OCP\Util::addScript('files', 'detailfileinfoview');
     \OCP\Util::addScript('files', 'detailtabview');
     \OCP\Util::addScript('files', 'mainfileinfodetailview');
     \OCP\Util::addScript('files', 'detailsview');
     \OCP\Util::addStyle('files', 'detailsView');
     \OC_Util::addVendorScript('core', 'handlebars/handlebars');
     \OCP\Util::addscript('files', 'fileactions');
     \OCP\Util::addscript('files', 'fileactionsmenu');
     \OCP\Util::addscript('files', 'files');
     \OCP\Util::addscript('files', 'keyboardshortcuts');
     \OCP\Util::addscript('files', 'navigation');
     // if IE8 and "?dir=path&view=someview" was specified, reformat the URL to use a hash like "#?dir=path&view=someview"
     $isIE8 = $this->request->isUserAgent([Request::USER_AGENT_IE_8]);
     if ($isIE8 && ($dir !== '' || $view !== '')) {
         $dir = !empty($dir) ? $dir : '/';
         $view = !empty($view) ? $view : 'files';
         $hash = '#?dir=' . \OCP\Util::encodePath($dir);
         if ($view !== 'files') {
             $hash .= '&view=' . urlencode($view);
         }
         return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index') . $hash);
     }
     // mostly for the home storage's free space
     // FIXME: Make non static
     $storageInfo = $this->getStorageInfo();
     \OCA\Files\App::getNavigationManager()->add(['id' => 'favorites', 'appname' => 'files', 'script' => 'simplelist.php', 'order' => 5, 'name' => $this->l10n->t('Favorites')]);
     $navItems = \OCA\Files\App::getNavigationManager()->getAll();
     usort($navItems, function ($item1, $item2) {
         return $item1['order'] - $item2['order'];
     });
     $nav->assign('navigationItems', $navItems);
     $contentItems = [];
     // render the container content for every navigation item
     foreach ($navItems as $item) {
         $content = '';
         if (isset($item['script'])) {
             $content = $this->renderScript($item['appname'], $item['script']);
         }
         $contentItem = [];
         $contentItem['id'] = $item['id'];
         $contentItem['content'] = $content;
         $contentItems[] = $contentItem;
     }
     $this->eventDispatcher->dispatch('OCA\\Files::loadAdditionalScripts');
     $params = [];
     $params['usedSpacePercent'] = (int) $storageInfo['relative'];
     $params['owner'] = $storageInfo['owner'];
     $params['ownerDisplayName'] = $storageInfo['ownerDisplayName'];
     $params['isPublic'] = false;
     $params['mailNotificationEnabled'] = $this->config->getAppValue('core', 'shareapi_allow_mail_notification', 'no');
     $params['mailPublicNotificationEnabled'] = $this->config->getAppValue('core', 'shareapi_allow_public_notification', 'no');
     $params['allowShareWithLink'] = $this->config->getAppValue('core', 'shareapi_allow_links', 'yes');
     $params['appNavigation'] = $nav;
     $params['appContents'] = $contentItems;
     $this->navigationManager->setActiveEntry('files_index');
     $response = new TemplateResponse($this->appName, 'index', $params);
     $policy = new ContentSecurityPolicy();
     $policy->addAllowedFrameDomain('\'self\'');
     $response->setContentSecurityPolicy($policy);
     return $response;
 }
Example #27
0
 /**
  * @PublicPage
  * @NoCSRFRequired
  *
  * @param string $token
  * @param string $path
  * @return TemplateResponse|RedirectResponse
  * @throws NotFoundException
  */
 public function showShare($token, $path = '')
 {
     \OC_User::setIncognitoMode(true);
     // Check whether share exists
     try {
         $share = $this->shareManager->getShareByToken($token);
     } catch (\OC\Share20\Exception\ShareNotFound $e) {
         return new NotFoundResponse();
     }
     // Share is password protected - check whether the user is permitted to access the share
     if ($share->getPassword() !== null && !$this->linkShareAuth($share)) {
         return new RedirectResponse($this->urlGenerator->linkToRoute('files_sharing.sharecontroller.authenticate', array('token' => $token)));
     }
     // We can't get the path of a file share
     if ($share->getNode() instanceof \OCP\Files\File && $path !== '') {
         throw new NotFoundException();
     }
     $rootFolder = null;
     if ($share->getNode() instanceof \OCP\Files\Folder) {
         /** @var \OCP\Files\Folder $rootFolder */
         $rootFolder = $share->getNode();
         try {
             $path = $rootFolder->get($path);
         } catch (\OCP\Files\NotFoundException $e) {
             throw new NotFoundException();
         }
     }
     $shareTmpl = [];
     $shareTmpl['displayName'] = $share->getShareOwner()->getDisplayName();
     $shareTmpl['owner'] = $share->getShareOwner()->getUID();
     $shareTmpl['filename'] = $share->getNode()->getName();
     $shareTmpl['directory_path'] = $share->getTarget();
     $shareTmpl['mimetype'] = $share->getNode()->getMimetype();
     $shareTmpl['previewSupported'] = $this->previewManager->isMimeSupported($share->getNode()->getMimetype());
     $shareTmpl['dirToken'] = $token;
     $shareTmpl['sharingToken'] = $token;
     $shareTmpl['server2serversharing'] = Helper::isOutgoingServer2serverShareEnabled();
     $shareTmpl['protected'] = $share->getPassword() !== null ? 'true' : 'false';
     $shareTmpl['dir'] = '';
     $shareTmpl['nonHumanFileSize'] = $share->getNode()->getSize();
     $shareTmpl['fileSize'] = \OCP\Util::humanFileSize($share->getNode()->getSize());
     // Show file list
     if ($share->getNode() instanceof \OCP\Files\Folder) {
         $shareTmpl['dir'] = $rootFolder->getRelativePath($path->getPath());
         /*
          * The OC_Util methods require a view. This just uses the node API
          */
         $freeSpace = $share->getNode()->getStorage()->free_space($share->getNode()->getInternalPath());
         if ($freeSpace !== \OCP\Files\FileInfo::SPACE_UNKNOWN) {
             $freeSpace = max($freeSpace, 0);
         } else {
             $freeSpace = INF > 0 ? INF : PHP_INT_MAX;
             // work around https://bugs.php.net/bug.php?id=69188
         }
         $uploadLimit = Util::uploadLimit();
         $maxUploadFilesize = min($freeSpace, $uploadLimit);
         $folder = new Template('files', 'list', '');
         $folder->assign('dir', $rootFolder->getRelativePath($path->getPath()));
         $folder->assign('dirToken', $token);
         $folder->assign('permissions', \OCP\Constants::PERMISSION_READ);
         $folder->assign('isPublic', true);
         $folder->assign('publicUploadEnabled', 'no');
         $folder->assign('uploadMaxFilesize', $maxUploadFilesize);
         $folder->assign('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize));
         $folder->assign('freeSpace', $freeSpace);
         $folder->assign('uploadLimit', $uploadLimit);
         // PHP upload limit
         $folder->assign('usedSpacePercent', 0);
         $folder->assign('trash', false);
         $shareTmpl['folder'] = $folder->fetchPage();
     }
     $shareTmpl['downloadURL'] = $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.downloadShare', array('token' => $token));
     $shareTmpl['maxSizeAnimateGif'] = $this->config->getSystemValue('max_filesize_animated_gifs_public_sharing', 10);
     $shareTmpl['previewEnabled'] = $this->config->getSystemValue('enable_previews', true);
     $csp = new OCP\AppFramework\Http\ContentSecurityPolicy();
     $csp->addAllowedFrameDomain('\'self\'');
     $response = new TemplateResponse($this->appName, 'public', $shareTmpl, 'base');
     $response->setContentSecurityPolicy($csp);
     return $response;
 }
 /**
  * @NoCSRFRequired
  * @param string $category
  * @return TemplateResponse
  */
 public function viewApps($category = '')
 {
     $categoryId = $this->getCategory($category);
     if ($categoryId === self::CAT_ENABLED) {
         // Do not use an arbitrary input string, because we put the category in html
         $category = 'enabled';
     }
     $params = [];
     $params['experimentalEnabled'] = $this->config->getSystemValue('appstore.experimental.enabled', false);
     $params['category'] = $category;
     $params['appstoreEnabled'] = $this->config->getSystemValue('appstoreenabled', true) === true;
     $this->navigationManager->setActiveEntry('core_apps');
     $templateResponse = new TemplateResponse($this->appName, 'apps', $params, 'user');
     $policy = new ContentSecurityPolicy();
     $policy->addAllowedImageDomain('https://apps.owncloud.com');
     $templateResponse->setContentSecurityPolicy($policy);
     return $templateResponse;
 }
	public function testViewApps() {
		$this->config
			->expects($this->once())
			->method('getSystemValue')
			->with('appstore.experimental.enabled', false);
		$this->navigationManager
			->expects($this->once())
			->method('setActiveEntry')
			->with('core_apps');

		$policy = new ContentSecurityPolicy();
		$policy->addAllowedImageDomain('https://apps.owncloud.com');

		$expected = new TemplateResponse('settings', 'apps', ['experimentalEnabled' => false], 'user');
		$expected->setContentSecurityPolicy($policy);

		$this->assertEquals($expected, $this->appSettingsController->viewApps());
	}