/**
 * Returns the current user's notifications, prepared for display.
 *
 * Answers 204 No Content as soon as no app registers a notifier, so
 * clients can stop polling. A notification whose app can no longer
 * prepare it (InvalidArgumentException from the manager) is left out.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return JSONResponse|Response
 */
public function get() {
    // Nothing registered that could produce notifications: tell the
    // client to stop polling.
    if (!$this->manager->hasNotifiers()) {
        $empty = new Response();
        $empty->setStatus(Http::STATUS_NO_CONTENT);
        return $empty;
    }

    $filter = $this->manager->createNotification();
    $filter->setUser($this->user);
    $lang = $this->config->getUserValue($this->user, 'core', 'lang', null);

    $payload = [];
    $ids = [];
    foreach ($this->handler->get($filter) as $id => $raw) {
        try {
            $prepared = $this->manager->prepare($raw, $lang);
        } catch (\InvalidArgumentException $e) {
            // The owning app was disabled; drop this notification
            continue;
        }
        $ids[] = $id;
        $payload[] = $this->notificationToArray($id, $prepared);
    }

    $result = new JSONResponse($payload);
    $result->setETag($this->generateEtag($ids));
    return $result;
}
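/**
 * Shortcut for testing expected headers of a response
 *
 * The parameter order is kept for existing callers, but $expected no
 * longer carries a default value: a default on a parameter that precedes
 * a required one is ignored by PHP and deprecated since 8.0.
 *
 * @param array $expected an array with the expected headers
 * @param Response $response the response which we want to test for headers
 */
protected function assertHeaders(array $expected, Response $response) {
    $headers = $response->getHeaders();
    foreach ($expected as $header) {
        // loose comparison kept on purpose: header values can be ints
        // (e.g. a Content-Length) while callers pass them as strings
        $this->assertTrue(in_array($header, $headers), 'Missing header: ' . $header);
    }
}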
/**
 * A CORS response carrying Access-Control-Allow-Credentials: true has to be
 * rejected by the middleware. The header is added with a mixed-case name,
 * a trailing space in the name and an upper-case value.
 *
 * @CORS
 * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
 */
public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
    $server = ['HTTP_ORIGIN' => 'test'];
    $request = new Request(
        ['server' => $server],
        $this->getMock('\\OCP\\Security\\ISecureRandom'),
        $this->getMock('\\OCP\\IConfig')
    );
    $this->reflector->reflect($this, __FUNCTION__);

    $response = new Response();
    $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');

    $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
    $middleware->afterController($this, __FUNCTION__, $response);
}
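/**
 * A CORS response carrying Access-Control-Allow-Credentials: true has to be
 * rejected by the middleware. The header is added with a mixed-case name,
 * a trailing space in the name and an upper-case value, so the check must
 * normalise before comparing.
 *
 * @CORS
 * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
 */
public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
    $request = new Request(['server' => ['HTTP_ORIGIN' => 'test']]);
    $this->reflector->reflect($this, __FUNCTION__);
    $middleware = new CORSMiddleware($request, $this->reflector);

    $response = new Response();
    $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');

    // expected to throw; the return value is irrelevant here
    $middleware->afterController($this, __FUNCTION__, $response);
}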
/**
 * Post-controller hook: adds the CORS response headers when the request
 * carries an Origin header and the called method is annotated with @API.
 * Middlewares run in reverse order here. Credentials are always answered
 * with "false".
 *
 * @param Controller $controller the controller that is being called
 * @param string $methodName the name of the method that will be called on
 *                           the controller
 * @param Response $response the generated response from the controller
 * @return Response the (possibly decorated) response
 */
public function afterController($controller, $methodName, Response $response) {
    $reader = new MethodAnnotationReader($controller, $methodName);
    $server = $this->request->server;

    if (!isset($server['HTTP_ORIGIN']) || !$reader->hasAnnotation('API')) {
        return $response;
    }

    $response->addHeader('Access-Control-Allow-Origin', $server['HTTP_ORIGIN']);
    $response->addHeader('Access-Control-Allow-Credentials', 'false');
    return $response;
}
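/**
 * Post-controller hook for @CORS methods: rejects responses that would
 * allow credentials (a credentialed cross-origin response combined with a
 * reflected Origin is usable for CSRF) and then reflects the request's
 * Origin in Access-Control-Allow-Origin. Middlewares run in reverse order.
 *
 * @param Controller $controller the controller that is being called
 * @param string $methodName the name of the method that will be called on
 *                           the controller
 * @param Response $response the generated response from the controller
 * @return Response a Response object
 * @throws SecurityException when Access-Control-Allow-Credentials is true
 */
public function afterController($controller, $methodName, Response $response) {
    // only react if its a CORS request and if the request sends origin
    if (!isset($this->request->server['HTTP_ORIGIN'])
        || !$this->reflector->hasAnnotation('CORS')) {
        return $response;
    }

    // The credentials check has to run before the origin is reflected.
    foreach ($response->getHeaders() as $header => $value) {
        // normalise the name as well as the value: header names are
        // case-insensitive and callers may pass stray whitespace
        $isCredentialsHeader = strtolower(trim($header)) === 'access-control-allow-credentials';
        if ($isCredentialsHeader && strtolower(trim($value)) === 'true') {
            $msg = 'Access-Control-Allow-Credentials must not be ' .
                'set to true in order to prevent CSRF';
            throw new SecurityException($msg);
        }
    }

    $response->addHeader('Access-Control-Allow-Origin', $this->request->server['HTTP_ORIGIN']);
    return $response;
}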
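/**
 * All setters on the response return $this and can be chained; the test
 * also pins the formats of the derived Last-Modified and Cache-Control
 * headers.
 */
public function testChainability() {
    // 'now' instead of null: a null $datetime argument is deprecated since
    // PHP 8.1, and the value is replaced by setTimestamp() anyway
    $lastModified = new \DateTime('now', new \DateTimeZone('GMT'));
    $lastModified->setTimestamp(1);

    $this->childResponse->setEtag('hi')
        ->setStatus(Http::STATUS_NOT_FOUND)
        ->setLastModified($lastModified)
        ->cacheFor(33)
        ->addHeader('hello', 'world');
    $headers = $this->childResponse->getHeaders();

    $this->assertEquals('world', $headers['hello']);
    $this->assertEquals(Http::STATUS_NOT_FOUND, $this->childResponse->getStatus());
    $this->assertEquals('hi', $this->childResponse->getEtag());
    $this->assertEquals('Thu, 01 Jan 1970 00:00:01 +0000', $headers['Last-Modified']);
    $this->assertEquals('max-age=33, must-revalidate', $headers['Cache-Control']);
}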
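/**
 * Renders the file body, honouring a single HTTP byte range.
 *
 * Only the first range of a Range header is served (multipart/byteranges
 * is not implemented). A malformed header goes to sendRangeNotSatisfiable(),
 * an unsatisfiable range to sendNotSatisfiable().
 * NOTE(review): two differently named helpers are called for the 416
 * case — confirm both exist on this class.
 *
 * @return string the response body (empty when the status is 404)
 */
public function render() {
    if (parent::getStatus() === Http::STATUS_NOT_FOUND) {
        return '';
    }

    $info = $this->view->getFileInfo($this->path);
    $this->ETag = $info['etag'];
    $content = $this->view->file_get_contents($this->path);
    $data = \OCA\Documents\Filter::read($content, $info['mimetype']);
    $size = strlen($data['content']);

    $rangeHeader = isset($this->request->server['HTTP_RANGE'])
        ? $this->request->server['HTTP_RANGE']
        : null;

    if ($rangeHeader !== null) {
        if (!preg_match('/^bytes=\\d*-\\d*(,\\d*-\\d*)*$/', $rangeHeader)) {
            return $this->sendRangeNotSatisfiable($size);
        }

        // several ranges may be requested; only the first one is served
        $ranges = explode(',', substr($rangeHeader, 6));
        $bounds = $this->resolveRange($ranges[0], $size);
        if ($bounds === null) {
            // previously fell through and served a bogus slice
            return $this->sendNotSatisfiable($size);
        }
        list($start, $end) = $bounds;

        // $end is inclusive (RFC 7233): the slice is one byte longer than
        // the difference, and Content-Length must match the body sent
        $length = $end - $start + 1;
        $buffer = substr($data['content'], $start, $length);

        // a partial body must be announced as 206, otherwise clients treat
        // the slice as the whole file
        $this->setStatus(Http::STATUS_PARTIAL_CONTENT);
        $this->addHeader('Content-Length', $length);
        // Content-MD5 is the base64 of the binary digest (RFC 1864), not hex
        $this->addHeader('Content-md5', base64_encode(md5($buffer, true)));
        $this->addHeader('Accept-Ranges', 'bytes');
        $this->addHeader('Content-Range', 'bytes ' . $start . '-' . $end . '/' . $size);
        $this->addHeader('Connection', 'close');
        $this->addHeader('Content-Type', $data['mimetype']);
        $this->addContentDispositionHeader();
        return $buffer;
    }

    $this->addHeader('Content-Type', $data['mimetype']);
    $this->addContentDispositionHeader();
    $this->addHeader('Content-Length', $size);
    return $data['content'];
}

/**
 * Turns one "first-last" range spec into inclusive, clamped byte offsets.
 *
 * @param string $range a single range spec without the "bytes=" prefix
 * @param int $size total size of the entity
 * @return int[]|null [start, end] or null when the range cannot be satisfied
 */
private function resolveRange($range, $size) {
    $parts = explode('-', $range);
    $first = $parts[0];
    $last = isset($parts[1]) ? $parts[1] : '';

    if ($first === '' && $last === '') {
        return null;
    }

    if ($first === '') {
        // suffix range: the last N bytes, never more than the whole entity
        $start = max(0, $size - (int)$last);
        $end = $size - 1;
    } else {
        $start = (int)$first;
        // an open or oversized end is capped at the last byte
        $end = $last === '' ? $size - 1 : min((int)$last, $size - 1);
    }

    // reversed bounds or a start beyond the entity are unsatisfiable
    if ($start > $end || $start >= $size) {
        return null;
    }

    return [$start, $end];
}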
/**
 * Ready-made response for the CORS preflight (OPTIONS) request; link your
 * route to it. Echoes the request Origin if present, "*" otherwise, and
 * never allows credentials.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @PublicPage
 * @since 7.0.0
 * @return Response
 */
public function preflightedCors() {
    $server = $this->request->server;
    $allowedOrigin = isset($server['HTTP_ORIGIN']) ? $server['HTTP_ORIGIN'] : '*';

    $corsHeaders = [
        'Access-Control-Allow-Origin' => $allowedOrigin,
        'Access-Control-Allow-Methods' => $this->corsMethods,
        'Access-Control-Max-Age' => $this->corsMaxAge,
        'Access-Control-Allow-Headers' => $this->corsAllowedHeaders,
        'Access-Control-Allow-Credentials' => 'false',
    ];

    $response = new Response();
    foreach ($corsHeaders as $name => $value) {
        $response->addHeader($name, $value);
    }
    return $response;
}
/**
 * CORS headers for web apps calling this API from another origin. Echoes
 * the request Origin when present, "*" otherwise; credentials are never
 * allowed.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @PublicPage
 * @return Response
 */
public function cors() {
    // needed for webapps access due to cross origin request policy
    $server = $this->request->server;
    $allowedOrigin = isset($server['HTTP_ORIGIN']) ? $server['HTTP_ORIGIN'] : '*';

    $corsHeaders = [
        'Access-Control-Allow-Origin' => $allowedOrigin,
        'Access-Control-Allow-Methods' => 'PUT, POST, GET, DELETE',
        'Access-Control-Allow-Credentials' => 'false',
        'Access-Control-Max-Age' => '1728000',
        'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
    ];

    $response = new Response();
    foreach ($corsHeaders as $name => $value) {
        $response->addHeader($name, $value);
    }
    return $response;
}
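/**
 * Change the default sort mode
 *
 * @NoAdminRequired
 *
 * @param string $mode one of name, size, mtime
 * @param string $direction asc or desc
 * @return Response 200 on success, 422 when either value is not allowed
 */
public function updateFileSorting($mode, $direction) {
    $allowedMode = ['name', 'size', 'mtime'];
    $allowedDirection = ['asc', 'desc'];

    // strict comparison: a loose in_array() accepts e.g. boolean true for
    // any non-empty string, which would then be persisted as the preference
    if (!in_array($mode, $allowedMode, true) || !in_array($direction, $allowedDirection, true)) {
        $response = new Response();
        $response->setStatus(Http::STATUS_UNPROCESSABLE_ENTITY);
        return $response;
    }

    $uid = $this->userSession->getUser()->getUID();
    $this->config->setUserValue($uid, 'files', 'file_sorting', $mode);
    $this->config->setUserValue($uid, 'files', 'file_sorting_direction', $direction);
    return new Response();
}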
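/**
 * Proxies a remote image (typically a favicon) so the browser does not
 * contact the third-party host itself.
 *
 * The target URL arrives base64-encoded in $hash. Only http(s) URLs are
 * fetched (once by getimagesize(), once by getURL()); anything else, and
 * any download Imagick cannot open, is answered with a built-in
 * placeholder SVG under its own content type.
 *
 * NOTE(review): this is a server-side request to a client-chosen host.
 * The scheme check does not stop requests to internal addresses — confirm
 * getURL() restricts those, or add a resolved-address check.
 * NOTE(review): the body is echoed directly and the returned Response
 * carries status 304 — kept as-is, but a 304 is not meant to carry a body.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @param string $hash base64-encoded absolute URL of the image
 * @return Response
 */
public function imageproxy($hash) {
    $url = base64_decode($hash);
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        // malformed or non-http(s) target: a 400 instead of die()
        $rejected = new Response();
        $rejected->setStatus(400);
        return $rejected;
    }

    $response = new Response();
    $response->setStatus(304);
    $response->cacheFor(60 * 60 * 24 * 90);

    // getimagesize() returns false when the target is not an image
    $fileInfo = getimagesize($url);
    $isImage = $fileInfo !== false
        && preg_match('/image\\/(.*)/', $fileInfo['mime'], $match) === 1;

    if (!$isImage) {
        $response->addHeader('Content-Type', 'image/svg+xml');
        echo $this->placeholderSvg();
        return $response;
    }

    $body = $this->getURL($url);
    $contentType = $match[0];

    if (extension_loaded('imagick') || class_exists("Imagick")) {
        $name = tempnam(sys_get_temp_dir(), "imageProxy");
        file_put_contents($name, $body);
        try {
            // favicons need an explicit "ico:" coder hint
            $isIcon = strpos($url, '.ico') !== false ? 'ico:' : '';
            $image = new \Imagick($isIcon . $name);
            if ($image->valid()) {
                $image->setImageFormat('jpg');
            }
        } catch (\Exception $e) {
            // \Exception with a leading backslash: the former lower-case
            // "exception" resolved inside this namespace and never matched
            $body = $this->placeholderSvg();
            $contentType = 'image/svg+xml';
        }
        // the temp file was only needed for validation
        unlink($name);
    }

    $response->addHeader('Content-Type', $contentType);
    echo $body;
    return $response;
}

/**
 * The 16x16 placeholder SVG served when the remote image cannot be fetched
 * or decoded.
 *
 * @return string SVG document
 */
private function placeholderSvg() {
    return '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
        . '<!DOCTYPE svg PUBLIC \'-//W3C//DTD SVG 1.1//EN\' \'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\'>'
        . '<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" height="16px" width="16px" version="1.1" y="0px" x="0px" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 71 100">'
        . '<path d="m65.5 45v-15c0-16.542-13.458-30-30-30s-30 13.458-30 30v15h-5.5v55h71v-55h-5.5zm-52-15c0-12.131 9.869-22 22-22s22 9.869 22 22v15h-44v-15z"/>'
        . '</svg>';
}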
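/**
 * Serves the cover image of an album, or 404 when no node for the album's
 * cover file id is reachable for the user.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return FileResponse|Response
 */
public function cover() {
    // we no longer need the session to be kept open
    session_write_close();

    $albumId = $this->getIdFromSlug($this->params('albumIdOrSlug'));
    $album = $this->albumBusinessLayer->find($albumId, $this->userId);

    $nodes = $this->userFolder->getById($album->getCoverFileId());
    if (count($nodes) > 0) {
        // get the first valid node
        $node = $nodes[0];
        return new FileResponse([
            'mimetype' => $node->getMimeType(),
            'content' => $node->getContent(),
        ]);
    }

    $notFound = new Response();
    $notFound->setStatus(Http::STATUS_NOT_FOUND);
    return $notFound;
}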
/**
 * Invalid sort parameters must be rejected with 422 and must not touch
 * the user's configuration.
 *
 * @dataProvider invalidSortingModeData
 */
public function testUpdateInvalidFileSorting($mode, $direction) {
    $this->config->expects($this->never())->method('setUserValue');

    $result = $this->apiController->updateFileSorting($mode, $direction);

    $expected = new Http\Response(null);
    $expected->setStatus(Http::STATUS_UNPROCESSABLE_ENTITY);
    $this->assertEquals($expected, $result);
}
/**
 * Placeholder endpoint: updating is not supported and always answers 501.
 *
 * @NoAdminRequired
 * @return Response
 */
public function update() {
    $notImplemented = new Response();
    $notImplemented->setStatus(Http::STATUS_NOT_IMPLEMENTED);
    return $notImplemented;
}
/**
 * Performs the default CSP modifications that may be injected by other
 * applications: the response's own policy (an empty one when none is set)
 * is merged into the manager's default policy, and the result is set back
 * on the response.
 *
 * @param Controller $controller
 * @param string $methodName
 * @param Response $response
 * @return Response
 */
public function afterController($controller, $methodName, Response $response) {
    $ownPolicy = $response->getContentSecurityPolicy();
    if (is_null($ownPolicy)) {
        $ownPolicy = new ContentSecurityPolicy();
    }

    $manager = $this->contentSecurityPolicyManager;
    $merged = $manager->mergePolicies($manager->getDefaultPolicy(), $ownPolicy);

    $response->setContentSecurityPolicy($merged);
    return $response;
}