/** * handles an api call * @param array $parameters */ public static function call($parameters) { $request = \OC::$server->getRequest(); $method = $request->getMethod(); // Prepare the request variables if ($method === 'PUT') { $parameters['_put'] = $request->getParams(); } else { if ($method === 'DELETE') { $parameters['_delete'] = $request->getParams(); } } $name = $parameters['_route']; // Foreach registered action $responses = array(); foreach (self::$actions[$name] as $action) { // Check authentication and availability if (!self::isAuthorised($action)) { $responses[] = array('app' => $action['app'], 'response' => new OC_OCS_Result(null, API::RESPOND_UNAUTHORISED, 'Unauthorised'), 'shipped' => OC_App::isShipped($action['app'])); continue; } if (!is_callable($action['action'])) { $responses[] = array('app' => $action['app'], 'response' => new OC_OCS_Result(null, API::RESPOND_NOT_FOUND, 'Api method not found'), 'shipped' => OC_App::isShipped($action['app'])); continue; } // Run the action $responses[] = array('app' => $action['app'], 'response' => call_user_func($action['action'], $parameters), 'shipped' => OC_App::isShipped($action['app'])); } $response = self::mergeResponses($responses); $format = self::requestedFormat(); if (self::$logoutRequired) { OC_User::logout(); } self::respond($response, $format); }
if (sizeof($users) !== 1) { // User not found header('HTTP/1.0 404 Not Found'); exit; } // Token found login as that user \OC_User::setUserId(array_shift($users)); $forceUserLogout = true; } // check if the user has the right permissions. \OCP\User::checkLoggedIn(); // rss is of content type text/xml if (isset($_SERVER['HTTP_ACCEPT']) && stristr($_SERVER['HTTP_ACCEPT'], 'application/rss+xml')) { header('Content-Type: application/rss+xml'); } else { header('Content-Type: text/xml; charset=UTF-8'); } // generate and show the rss feed $l = \OCP\Util::getL10N('activity'); $data = new \OCA\Activity\Data(\OC::$server->getActivityManager()); $groupHelper = new \OCA\Activity\GroupHelper(\OC::$server->getActivityManager(), new \OCA\Activity\DataHelper(\OC::$server->getActivityManager(), new \OCA\Activity\ParameterHelper(new \OC\Files\View(''), $l), $l), false); $tmpl = new \OCP\Template('activity', 'rss'); $tmpl->assign('rssLang', \OC_Preferences::getValue(\OCP\User::getUser(), 'core', 'lang')); $tmpl->assign('rssLink', \OCP\Util::linkToAbsolute('activity', 'rss.php')); $tmpl->assign('rssPubDate', date('r')); $tmpl->assign('user', \OCP\User::getUser()); $tmpl->assign('activities', $data->read($groupHelper, 0, 30, 'all')); $tmpl->printPage(); if ($forceUserLogout) { \OC_User::logout(); }
/** * Handle the request */ public static function handleRequest() { \OC::$server->getEventLogger()->start('handle_request', 'Handle request'); $systemConfig = \OC::$server->getSystemConfig(); // load all the classpaths from the enabled apps so they are available // in the routing files of each app OC::loadAppClassPaths(); // Check if ownCloud is installed or in maintenance (update) mode if (!$systemConfig->getValue('installed', false)) { \OC::$server->getSession()->clear(); $setupHelper = new OC\Setup(\OC::$server->getConfig(), \OC::$server->getIniWrapper(), \OC::$server->getL10N('lib'), new \OC_Defaults(), \OC::$server->getLogger(), \OC::$server->getSecureRandom()); $controller = new OC\Core\Setup\Controller($setupHelper); $controller->run($_POST); exit; } $request = \OC::$server->getRequest()->getPathInfo(); if (substr($request, -3) !== '.js') { // we need these files during the upgrade self::checkMaintenanceMode(); self::checkUpgrade(); } // Always load authentication apps OC_App::loadApps(['authentication']); // Load minimum set of apps if (!self::checkUpgrade(false) && !$systemConfig->getValue('maintenance', false) && !\OCP\Util::needUpgrade()) { // For logged-in users: Load everything if (OC_User::isLoggedIn()) { OC_App::loadApps(); } else { // For guests: Load only filesystem and logging OC_App::loadApps(array('filesystem', 'logging')); \OC_User::tryBasicAuthLogin(); } } if (!self::$CLI and (!isset($_GET["logout"]) or $_GET["logout"] !== 'true')) { try { if (!$systemConfig->getValue('maintenance', false) && !\OCP\Util::needUpgrade()) { OC_App::loadApps(array('filesystem', 'logging')); OC_App::loadApps(); } self::checkSingleUserMode(); OC_Util::setupFS(); OC::$server->getRouter()->match(\OC::$server->getRequest()->getRawPathInfo()); return; } catch (Symfony\Component\Routing\Exception\ResourceNotFoundException $e) { //header('HTTP/1.0 404 Not Found'); } catch (Symfony\Component\Routing\Exception\MethodNotAllowedException $e) { OC_Response::setStatus(405); return; } } // Handle redirect URL for logged in users if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) { $location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url'])); // Deny the redirect if the URL contains a @ // This prevents unvalidated redirects like ?redirect_url=:user@domain.com if (strpos($location, '@') === false) { header('Location: ' . $location); return; } } // Handle WebDAV if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') { // not allowed any more to prevent people // mounting this root directly. // Users need to mount remote.php/webdav instead. header('HTTP/1.1 405 Method Not Allowed'); header('Status: 405 Method Not Allowed'); return; } // Redirect to index if the logout link is accessed without valid session // this is needed to prevent "Token expired" messages while login if a session is expired // @see https://github.com/owncloud/core/pull/8443#issuecomment-42425583 if (isset($_GET['logout']) && !OC_User::isLoggedIn()) { header("Location: " . OC::$WEBROOT . (empty(OC::$WEBROOT) ? '/' : '')); return; } // Someone is logged in if (OC_User::isLoggedIn()) { OC_App::loadApps(); OC_User::setupBackends(); OC_Util::setupFS(); if (isset($_GET["logout"]) and $_GET["logout"]) { OC_JSON::callCheck(); if (isset($_COOKIE['oc_token'])) { \OC::$server->getConfig()->deleteUserValue(OC_User::getUser(), 'login_token', $_COOKIE['oc_token']); } OC_User::logout(); // redirect to webroot and add slash if webroot is empty header("Location: " . OC::$WEBROOT . (empty(OC::$WEBROOT) ? '/' : '')); } else { // Redirect to default application OC_Util::redirectToDefaultPage(); } } else { // Not handled and not logged in self::handleLogin(); } }
/** * Logs the user out including all the session data * Logout, destroys session */ public static function logout() { \OC_User::logout(); }
/** * @brief Handle the request */ public static function handleRequest() { // load all the classpaths from the enabled apps so they are available // in the routing files of each app OC::loadAppClassPaths(); // Check if ownCloud is installed or in maintenance (update) mode if (!OC_Config::getValue('installed', false)) { require_once 'core/setup.php'; exit; } $request = OC_Request::getPathInfo(); if (substr($request, -3) !== '.js') { // we need these files during the upgrade self::checkMaintenanceMode(); self::checkUpgrade(); } if (!self::$CLI) { try { if (!OC_Config::getValue('maintenance', false)) { OC_App::loadApps(); } OC::getRouter()->match(OC_Request::getRawPathInfo()); return; } catch (Symfony\Component\Routing\Exception\ResourceNotFoundException $e) { //header('HTTP/1.0 404 Not Found'); } catch (Symfony\Component\Routing\Exception\MethodNotAllowedException $e) { OC_Response::setStatus(405); return; } } $app = OC::$REQUESTEDAPP; $file = OC::$REQUESTEDFILE; $param = array('app' => $app, 'file' => $file); // Handle app css files if (substr($file, -3) == 'css') { self::loadCSSFile($param); return; } // Handle redirect URL for logged in users if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) { $location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url'])); // Deny the redirect if the URL contains a @ // This prevents unvalidated redirects like ?redirect_url=:user@domain.com if (strpos($location, '@') === FALSE) { header('Location: ' . $location); return; } } // Handle WebDAV if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') { header('location: ' . OC_Helper::linkToRemote('webdav')); return; } // Someone is logged in : if (OC_User::isLoggedIn()) { OC_App::loadApps(); OC_User::setupBackends(); if (isset($_GET["logout"]) and $_GET["logout"]) { if (isset($_COOKIE['oc_token'])) { OC_Preferences::deleteKey(OC_User::getUser(), 'login_token', $_COOKIE['oc_token']); } OC_User::logout(); header("Location: " . OC::$WEBROOT . '/'); } else { if (is_null($file)) { $param['file'] = 'index.php'; } $file_ext = substr($param['file'], -3); if ($file_ext != 'php' || !self::loadAppScriptFile($param)) { header('HTTP/1.0 404 Not Found'); } } return; } // Not handled and not logged in self::handleLogin(); }
public static function post_login($parameters) { $uid = $parameters['uid']; $wuid = $uid; $casBackend = new OC_USER_CAS(); $userDB = new OC_User_Database(); /* * Récupération des données du fichier config général /config/config.php */ $serveur_Search = OCP\Config::getSystemValue('serveur_Search', 'error'); $port = OCP\Config::getSystemValue('port', 'error'); $racineAMU = OCP\Config::getSystemValue('racineAMU', 'error'); $racineAMUGRP = OCP\Config::getSystemValue('racineAMUGRP', 'error'); $AMU_nuage_dn = OCP\Config::getSystemValue('AMU_nuage_dn', 'error'); $AMU_nuage_pw = OCP\Config::getSystemValue('AMU_nuage_pw', 'error'); $PQuota = OCP\Config::getSystemValue('PQuota', 'unManaged'); $EQuota = OCP\Config::getSystemValue('EQuota', 'unManaged'); $LDAP = new LDAP_Infos($serveur_Search, $AMU_nuage_dn, $AMU_nuage_pw, $racineAMUGRP, $racineAMUGRP); $restrictGrp = array("cn", "member"); /* * Récupération tableau Groupes * Si le tableau 'groupMapping' est vide pas de contrôle sur les groupes */ $AccesCloud = 0; OCP\Util::writeLog('user_cas', "Authentification (Mapping groups=" . $casBackend->groupMapping . ")", OCP\Util::DEBUG); if ($casBackend->groupMapping) { $wTabGrp = str_replace(array('<br>', '<br />', "\n", "\r"), array('@', '', '@', ''), $casBackend->groupMapping); $tabGRP = explode("@", $wTabGrp); $i = 0; $mesGroupes = array(); foreach ($tabGRP as $key => $value) { $ListeMembre = $LDAP->getMembersOfGroup($value, $restrictGrp); if (in_array($uid, $ListeMembre)) { $AccesCloudAMU = 1; } } } else { $AccesCloud = 1; } /* * Si pas d'acces, alors déconnexion */ if ($AccesCloud == 0) { /* * On vérifie si le compte utilisé est un compte local */ if (!$userDB->userExists($uid)) { OCP\Util::writeLog('user_cas', "Aucun droit d'accès pour l'utilisateur " . $uid, OCP\Util::ERROR); \OC_User::logout(); } else { OCP\Util::writeLog('user_cas', "Authentification locale pour l'utilisateur " . $uid, OCP\Util::DEBUG); OC::$REQUESTEDAPP = ''; OC_Util::redirectToDefaultPage(); exit(0); } } /** * Récupère les groupes liés à l'utilisateur avec la racine définie dans le formulaire 'cas_group_root' * Si 'cas_group_root' n'est pas renseingé => pas de récupération de groupes */ $mesGroupes = array(); OCP\Util::writeLog('user_cas', "Authentification (Racine Groupes LDAP=" . $casBackend->groupRoot . ")", OCP\Util::DEBUG); if ($casBackend->groupRoot) { $i = 0; $ListeGRP = $LDAP->getMemberOf($uid); $a = sizeof($ListeGRP); OCP\Util::writeLog('user_cas', "Taille=" . $a . " UID=" . $uid, OCP\Util::ERROR); OCP\Util::writeLog('user_cas', "Racine Groupe=" . $casBackend->groupRoot, OCP\Util::ERROR); foreach ($ListeGRP as $key => $value) { if (strstr($value, $casBackend->groupRoot)) { $mesGroupes[$i] = strtoupper(str_replace(':', '_', substr($value, 8))); OCP\Util::writeLog('user_cas', "Groupe[{$i}]=" . $mesGroupes[$i], OCP\Util::ERROR); $i++; } } } if (phpCAS::checkAuthentication()) { //$attributes = phpCAS::getAttributes(); $cas_uid = phpCAS::getUser(); if ($cas_uid == $uid) { /* * Récupération des information utilisateur (LDAP) */ $tabLdapUser = $LDAP->getUserInfo($uid); if ($tabLdapUser) { $DisplayName = $tabLdapUser['displayName']; } if (!$userDB->userExists($uid)) { if (preg_match('/[^a-zA-Z0-9 _\\.@\\-]/', $uid)) { OCP\Util::writeLog('cas', 'Utilisateur invalide "' . $uid . '", caracteres autorises "a-zA-Z0-9" and "_.@-" ', OCP\Util::DEBUG); return false; } else { /* * Dans le cas d'une création */ $random_password = \OC_Util::generateRandomBytes(20); $userDB->createUser($uid, $tabLdapUser['userpassword']); $userDB->setDisplayName($uid, $DisplayName); /* * Mise à jour du quota si gestion dans fichier de configuration */ if ($EQuota != "unManaged" && $tabLdapUser['eduPersonPrimaryAffiliation'] == 'student') { update_quota($uid, $EQuota); } if ($PQuota != "unManaged" && $tabLdapUser['eduPersonPrimaryAffiliation'] != 'student') { update_quota($uid, $PQuota); } } } /* * Mise à jour des groupes associés */ if (sizeof($mesGroupes) > 0) { $cas_groups = $mesGroupes; update_groups($uid, $cas_groups, $casBackend->protectedGroups, true); } /* * Mise à jour du mail */ update_mail($uid, $tabLdapUser['Mail']); /* * Mise à jour du display name */ $userDB->setDisplayName($uid, $DisplayName); return true; } } return false; }
public function process() { $ssoUrl = $this->config->getValue("sso_login_url"); $userInfo = RequestManager::getRequest(ISingleSignOnRequest::INFO); $authInfo = AuthInfo::get(); $userInfo->setup(array("action" => "webLogin")); if ($this->unnecessaryAuth($this->request->getRequestUri())) { $uri = substr($this->request->getRequestUri(), -1 * strlen($this->config->getValue("sso_admin_login_uri"))); if ($uri === $this->config->getValue("sso_admin_login_uri") && $this->visitPort != $this->config->getValue("sso_admin_login_port")) { Util::redirect($this->defaultPageUrl); } return; } if (isset($_GET["logout"]) && $_GET["logout"] == "true") { if ($this->config->getValue("sso_global_logout")) { RequestManager::send(ISingleSignOnRequest::INVALIDTOKEN, $authInfo); } \OC_User::logout(); $template = new \OC_Template("singlesignon", "logout", "guest"); $template->printPage(); die; } if (\OC_User::isLoggedIn() && $this->config->getValue("sso_one_time_password")) { return; } if (\OC_User::isLoggedIn() && !$authInfo) { header("HTTP/1.1 " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("Status: " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("WWW-Authenticate: "); header("Retry-After: 120"); $template = new \OC_Template("singlesignon", "unauthorizedActions", "guest"); $template->printPage(); die; } if (\OC_User::isLoggedIn() && (!RequestManager::send(ISingleSignOnRequest::VALIDTOKEN, $authInfo) && !$this->config->getValue("sso_one_time_password"))) { header("HTTP/1.1 " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("Status: " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("WWW-Authenticate: "); header("Retry-After: 120"); $template = new \OC_Template("singlesignon", "tokenExpired", "guest"); $template->printPage(); die; } if (!$authInfo || !RequestManager::send(ISingleSignOnRequest::VALIDTOKEN, $authInfo) && !$this->config->getValue("sso_one_time_password")) { $url = $this->redirectUrl ? $ssoUrl . $this->config->getValue("sso_return_url_key") . $this->redirectUrl : $ssoUrl; Util::redirect($url); } if (\OC_User::isLoggedIn()) { return; } if (empty($ssoUrl) || !$userInfo->send($authInfo) || !$userInfo->hasPermission()) { header("HTTP/1.1 " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("Status: " . \OCP\AppFramework\Http::STATUS_UNAUTHORIZED); header("WWW-Authenticate: "); header("Retry-After: 120"); $template = new \OC_Template("singlesignon", "verificationFailure", "guest"); $template->printPage(); if ($userInfo->hasErrorMsg()) { \OCP\Util::writeLog("Single Sign-On", $userInfo->getErrorMsg(), \OCP\Util::ERROR); } die; } if ($this->config->getValue("sso_multiple_region")) { Util::redirectRegion($userInfo, $this->config->getValue("sso_regions"), $this->config->getValue("sso_owncloud_url")); } if (!\OC_User::userExists($userInfo->getUserId())) { Util::firstLogin($userInfo, $authInfo); if ($this->request->getHeader("ORIGIN")) { return; } Util::redirect($this->defaultPageUrl); } else { Util::login($userInfo, $authInfo); if ($this->request->getHeader("ORIGIN")) { return; } Util::redirect($this->defaultPageUrl); } }
/** * @brief Handle the request */ public static function handleRequest() { if (!OC_Config::getValue('installed', false)) { // Check for autosetup: $autosetup_file = OC::$SERVERROOT . "/config/autoconfig.php"; if (file_exists($autosetup_file)) { OC_Log::write('core', 'Autoconfig file found, setting up owncloud...', OC_Log::INFO); include $autosetup_file; $_POST['install'] = 'true'; $_POST = array_merge($_POST, $AUTOCONFIG); unlink($autosetup_file); } OC_Util::addScript('setup'); require_once 'setup.php'; exit; } // Handle WebDAV if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') { header('location: ' . OC_Helper::linkToRemote('webdav')); return; } // Handle app css files if (substr(OC::$REQUESTEDFILE, -3) == 'css') { self::loadCSSFile(); return; } // Someone is logged in : if (OC_User::isLoggedIn()) { OC_App::loadApps(); OC_User::setupBackends(); if (isset($_GET["logout"]) and $_GET["logout"]) { OC_User::logout(); header("Location: " . OC::$WEBROOT . '/'); } else { $app = OC::$REQUESTEDAPP; $file = OC::$REQUESTEDFILE; if (is_null($file)) { $file = 'index.php'; } $file_ext = substr($file, -3); if ($file_ext != 'php' || !self::loadAppScriptFile($app, $file)) { header('HTTP/1.0 404 Not Found'); } } return; } // Not handled and not logged in self::handleLogin(); }
/** * @brief Handle the request */ public static function handleRequest() { // load all the classpaths from the enabled apps so they are available // in the routing files of each app OC::loadAppClassPaths(); // Check if ownCloud is installed or in maintenance (update) mode if (!OC_Config::getValue('installed', false)) { require_once 'core/setup.php'; exit; } $host = OC_Request::insecureServerHost(); // if the host passed in headers isn't trusted if (!OC::$CLI && OC_Request::getOverwriteHost() === null && !OC_Request::isTrustedDomain($host)) { header('HTTP/1.1 400 Bad Request'); header('Status: 400 Bad Request'); OC_Template::printErrorPage('You are accessing the server from an untrusted domain.', 'Please contact your administrator. If you are an administrator of this instance, configure the "trusted_domain" setting in config/config.php. An example configuration is provided in config/config.sample.php.'); return; } $request = OC_Request::getPathInfo(); if (substr($request, -3) !== '.js') { // we need these files during the upgrade self::checkMaintenanceMode(); self::checkUpgrade(); } // Test it the user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP OC::tryBasicAuthLogin(); if (!self::$CLI and (!isset($_GET["logout"]) or $_GET["logout"] !== 'true')) { try { if (!OC_Config::getValue('maintenance', false)) { OC_App::loadApps(); } self::checkSingleUserMode(); OC::getRouter()->match(OC_Request::getRawPathInfo()); return; } catch (Symfony\Component\Routing\Exception\ResourceNotFoundException $e) { //header('HTTP/1.0 404 Not Found'); } catch (Symfony\Component\Routing\Exception\MethodNotAllowedException $e) { OC_Response::setStatus(405); return; } } $app = OC::$REQUESTEDAPP; $file = OC::$REQUESTEDFILE; $param = array('app' => $app, 'file' => $file); // Handle app css files if (substr($file, -3) == 'css') { self::loadCSSFile($param); return; } // Handle redirect URL for logged in users if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) { $location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url'])); // Deny the redirect if the URL contains a @ // This prevents unvalidated redirects like ?redirect_url=:user@domain.com if (strpos($location, '@') === false) { header('Location: ' . $location); return; } } // Handle WebDAV if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') { // not allowed any more to prevent people // mounting this root directly. // Users need to mount remote.php/webdav instead. header('HTTP/1.1 405 Method Not Allowed'); header('Status: 405 Method Not Allowed'); return; } // Someone is logged in : if (OC_User::isLoggedIn()) { OC_App::loadApps(); OC_User::setupBackends(); if (isset($_GET["logout"]) and $_GET["logout"]) { if (isset($_COOKIE['oc_token'])) { OC_Preferences::deleteKey(OC_User::getUser(), 'login_token', $_COOKIE['oc_token']); } OC_User::logout(); header("Location: " . OC::$WEBROOT . '/'); } else { if (is_null($file)) { $param['file'] = 'index.php'; } $file_ext = substr($param['file'], -3); if ($file_ext != 'php' || !self::loadAppScriptFile($param)) { header('HTTP/1.0 404 Not Found'); } } return; } // Not handled and not logged in self::handleLogin(); }
/** * Handle the request */ public static function handleRequest() { $l = \OC_L10N::get('lib'); // load all the classpaths from the enabled apps so they are available // in the routing files of each app OC::loadAppClassPaths(); // Check if ownCloud is installed or in maintenance (update) mode if (!OC_Config::getValue('installed', false)) { $controller = new OC\Core\Setup\Controller(); $controller->run($_POST); exit; } $host = OC_Request::insecureServerHost(); // if the host passed in headers isn't trusted if (!OC::$CLI && OC_Request::getOverwriteHost() === null && !OC_Request::isTrustedDomain($host)) { header('HTTP/1.1 400 Bad Request'); header('Status: 400 Bad Request'); OC_Template::printErrorPage($l->t('You are accessing the server from an untrusted domain.'), $l->t('Please contact your administrator. If you are an administrator of this instance, configure the "trusted_domain" setting in config/config.php. An example configuration is provided in config/config.sample.php.')); return; } $request = OC_Request::getPathInfo(); if (substr($request, -3) !== '.js') { // we need these files during the upgrade self::checkMaintenanceMode(); self::checkUpgrade(); } if (!OC_User::isLoggedIn()) { // Test it the user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP OC::tryBasicAuthLogin(); } if (!self::$CLI and (!isset($_GET["logout"]) or $_GET["logout"] !== 'true')) { try { if (!OC_Config::getValue('maintenance', false) && !\OCP\Util::needUpgrade()) { OC_App::loadApps(array('authentication')); OC_App::loadApps(array('filesystem', 'logging')); OC_App::loadApps(); } self::checkSingleUserMode(); OC::$server->getRouter()->match(OC_Request::getRawPathInfo()); return; } catch (Symfony\Component\Routing\Exception\ResourceNotFoundException $e) { //header('HTTP/1.0 404 Not Found'); } catch (Symfony\Component\Routing\Exception\MethodNotAllowedException $e) { OC_Response::setStatus(405); return; } } // Load minimum set of apps if (!self::checkUpgrade(false)) { // For logged-in users: Load everything if (OC_User::isLoggedIn()) { OC_App::loadApps(); } else { // For guests: Load only authentication, filesystem and logging OC_App::loadApps(array('authentication')); OC_App::loadApps(array('filesystem', 'logging')); } } // Handle redirect URL for logged in users if (isset($_REQUEST['redirect_url']) && OC_User::isLoggedIn()) { $location = OC_Helper::makeURLAbsolute(urldecode($_REQUEST['redirect_url'])); // Deny the redirect if the URL contains a @ // This prevents unvalidated redirects like ?redirect_url=:user@domain.com if (strpos($location, '@') === false) { header('Location: ' . $location); return; } } // Handle WebDAV if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') { // not allowed any more to prevent people // mounting this root directly. // Users need to mount remote.php/webdav instead. header('HTTP/1.1 405 Method Not Allowed'); header('Status: 405 Method Not Allowed'); return; } // Redirect to index if the logout link is accessed without valid session // this is needed to prevent "Token expired" messages while login if a session is expired // @see https://github.com/owncloud/core/pull/8443#issuecomment-42425583 if (isset($_GET['logout']) && !OC_User::isLoggedIn()) { header("Location: " . OC::$WEBROOT . (empty(OC::$WEBROOT) ? '/' : '')); return; } // Someone is logged in if (OC_User::isLoggedIn()) { OC_App::loadApps(); OC_User::setupBackends(); if (isset($_GET["logout"]) and $_GET["logout"]) { OC_JSON::callCheck(); if (isset($_COOKIE['oc_token'])) { OC_Preferences::deleteKey(OC_User::getUser(), 'login_token', $_COOKIE['oc_token']); } if (isset($_SERVER['PHP_AUTH_USER'])) { if (isset($_COOKIE['oc_ignore_php_auth_user'])) { // Ignore HTTP Authentication for 5 more mintues. setcookie('oc_ignore_php_auth_user', $_SERVER['PHP_AUTH_USER'], time() + 300, OC::$WEBROOT . (empty(OC::$WEBROOT) ? '/' : '')); } elseif ($_SERVER['PHP_AUTH_USER'] === self::$session->get('loginname')) { // Ignore HTTP Authentication to allow a different user to log in. setcookie('oc_ignore_php_auth_user', $_SERVER['PHP_AUTH_USER'], 0, OC::$WEBROOT . (empty(OC::$WEBROOT) ? '/' : '')); } } OC_User::logout(); // redirect to webroot and add slash if webroot is empty header("Location: " . OC::$WEBROOT . (empty(OC::$WEBROOT) ? '/' : '')); } else { // Redirect to default application OC_Util::redirectToDefaultPage(); } } else { // Not handled and not logged in self::handleLogin(); } }
/** * handles an api call * @param array $parameters */ public static function call($parameters) { // Prepare the request variables if ($_SERVER['REQUEST_METHOD'] == 'PUT') { parse_str(file_get_contents("php://input"), $parameters['_put']); } else { if ($_SERVER['REQUEST_METHOD'] == 'DELETE') { parse_str(file_get_contents("php://input"), $parameters['_delete']); } } $name = $parameters['_route']; // Foreach registered action $responses = array(); foreach (self::$actions[$name] as $action) { // Check authentication and availability if (!self::isAuthorised($action)) { $responses[] = array('app' => $action['app'], 'response' => new OC_OCS_Result(null, OC_API::RESPOND_UNAUTHORISED, 'Unauthorised')); continue; } if (!is_callable($action['action'])) { $responses[] = array('app' => $action['app'], 'response' => new OC_OCS_Result(null, OC_API::RESPOND_NOT_FOUND, 'Api method not found')); continue; } // Run the action $responses[] = array('app' => $action['app'], 'response' => call_user_func($action['action'], $parameters)); } $response = self::mergeResponses($responses); $formats = array('json', 'xml'); $format = !empty($_GET['format']) && in_array($_GET['format'], $formats) ? $_GET['format'] : 'xml'; OC_User::logout(); self::respond($response, $format); }
public static function init() { // register autoloader spl_autoload_register(array('OC', 'autoload')); setlocale(LC_ALL, 'en_US.UTF-8'); // set some stuff //ob_start(); error_reporting(E_ALL | E_STRICT); if (defined('DEBUG') && DEBUG) { ini_set('display_errors', 1); } date_default_timezone_set('UTC'); ini_set('arg_separator.output', '&'); // try to switch magic quotes off. if (function_exists('set_magic_quotes_runtime')) { @set_magic_quotes_runtime(false); } //try to configure php to enable big file uploads. //this doesn´t work always depending on the webserver and php configuration. //Let´s try to overwrite some defaults anyways //try to set the maximum execution time to 60min @set_time_limit(3600); @ini_set('max_execution_time', 3600); @ini_set('max_input_time', 3600); //try to set the maximum filesize to 10G @ini_set('upload_max_filesize', '10G'); @ini_set('post_max_size', '10G'); @ini_set('file_uploads', '50'); //try to set the session lifetime to 60min @ini_set('gc_maxlifetime', '3600'); //set http auth headers for apache+php-cgi work around if (isset($_SERVER['HTTP_AUTHORIZATION']) && preg_match('/Basic\\s+(.*)$/i', $_SERVER['HTTP_AUTHORIZATION'], $matches)) { list($name, $password) = explode(':', base64_decode($matches[1]), 2); $_SERVER['PHP_AUTH_USER'] = strip_tags($name); $_SERVER['PHP_AUTH_PW'] = strip_tags($password); } //set http auth headers for apache+php-cgi work around if variable gets renamed by apache if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) && preg_match('/Basic\\s+(.*)$/i', $_SERVER['REDIRECT_HTTP_AUTHORIZATION'], $matches)) { list($name, $password) = explode(':', base64_decode($matches[1]), 2); $_SERVER['PHP_AUTH_USER'] = strip_tags($name); $_SERVER['PHP_AUTH_PW'] = strip_tags($password); } self::initPaths(); // register the stream wrappers require_once 'streamwrappers.php'; stream_wrapper_register("fakedir", "OC_FakeDirStream"); stream_wrapper_register('static', 'OC_StaticStreamWrapper'); stream_wrapper_register('close', 'OC_CloseStreamWrapper'); self::checkInstalled(); self::checkSSL(); // CSRF protection if (isset($_SERVER['HTTP_REFERER'])) { $referer = $_SERVER['HTTP_REFERER']; } else { $referer = ''; } $refererhost = parse_url($referer); if (isset($refererhost['host'])) { $refererhost = $refererhost['host']; } else { $refererhost = ''; } $server = OC_Helper::serverHost(); $serverhost = explode(':', $server); $serverhost = $serverhost['0']; if ($_SERVER['REQUEST_METHOD'] == 'POST' and $refererhost != $serverhost) { $url = OC_Helper::serverProtocol() . '://' . $server . OC::$WEBROOT . '/index.php'; header("Location: {$url}"); exit; } self::initSession(); self::initTemplateEngine(); self::checkUpgrade(); $errors = OC_Util::checkServer(); if (count($errors) > 0) { OC_Template::printGuestPage('', 'error', array('errors' => $errors)); exit; } // TODO: we should get rid of this one, too // WARNING: to make everything even more confusing, // DATADIRECTORY is a var that changes and DATADIRECTORY_ROOT // stays the same, but is set by "datadirectory". // Any questions? OC::$CONFIG_DATADIRECTORY = OC_Config::getValue("datadirectory", OC::$SERVERROOT . "/data"); // User and Groups if (!OC_Config::getValue("installed", false)) { $_SESSION['user_id'] = ''; } OC_User::useBackend(OC_Config::getValue("userbackend", "database")); OC_Group::useBackend(new OC_Group_Database()); if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SESSION['user_id']) && $_SERVER['PHP_AUTH_USER'] != $_SESSION['user_id']) { OC_User::logout(); } // Set up file system unless forbidden global $RUNTIME_NOSETUPFS; if (!$RUNTIME_NOSETUPFS) { OC_Util::setupFS(); } // Load Apps // This includes plugins for users and filesystems as well global $RUNTIME_NOAPPS; global $RUNTIME_APPTYPES; if (!$RUNTIME_NOAPPS) { if ($RUNTIME_APPTYPES) { OC_App::loadApps($RUNTIME_APPTYPES); } else { OC_App::loadApps(); } } // Check for blacklisted files OC_Hook::connect('OC_Filesystem', 'write', 'OC_Filesystem', 'isBlacklisted'); OC_Hook::connect('OC_Filesystem', 'rename', 'OC_Filesystem', 'isBlacklisted'); //make sure temporary files are cleaned up register_shutdown_function(array('OC_Helper', 'cleanTmp')); //parse the given parameters self::$REQUESTEDAPP = isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app']) ? str_replace(array('\\0', '/', '\\', '..'), '', strip_tags($_GET['app'])) : OC_Config::getValue('defaultapp', 'files'); if (substr_count(self::$REQUESTEDAPP, '?') != 0) { $app = substr(self::$REQUESTEDAPP, 0, strpos(self::$REQUESTEDAPP, '?')); $param = substr(self::$REQUESTEDAPP, strpos(self::$REQUESTEDAPP, '?') + 1); parse_str($param, $get); $_GET = array_merge($_GET, $get); self::$REQUESTEDAPP = $app; $_GET['app'] = $app; } self::$REQUESTEDFILE = isset($_GET['getfile']) ? $_GET['getfile'] : null; if (substr_count(self::$REQUESTEDFILE, '?') != 0) { $file = substr(self::$REQUESTEDFILE, 0, strpos(self::$REQUESTEDFILE, '?')); $param = substr(self::$REQUESTEDFILE, strpos(self::$REQUESTEDFILE, '?') + 1); parse_str($param, $get); $_GET = array_merge($_GET, $get); self::$REQUESTEDFILE = $file; $_GET['getfile'] = $file; } if (!is_null(self::$REQUESTEDFILE)) { $subdir = OC::$APPSROOT . '/apps/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE; $parent = OC::$APPSROOT . '/apps/' . self::$REQUESTEDAPP; if (!OC_Helper::issubdirectory($subdir, $parent)) { self::$REQUESTEDFILE = null; header('HTTP/1.0 404 Not Found'); exit; } } }
/** * @brief Handle the request */ public static function handleRequest() { if (!OC_Config::getValue('installed', false)) { require_once 'core/setup.php'; exit; } // Handle WebDAV if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') { header('location: ' . OC_Helper::linkToRemote('webdav')); return; } try { OC_App::loadApps(); OC::getRouter()->match(OC_Request::getPathInfo()); return; } catch (Symfony\Component\Routing\Exception\ResourceNotFoundException $e) { //header('HTTP/1.0 404 Not Found'); } catch (Symfony\Component\Routing\Exception\MethodNotAllowedException $e) { OC_Response::setStatus(405); return; } $app = OC::$REQUESTEDAPP; $file = OC::$REQUESTEDFILE; $param = array('app' => $app, 'file' => $file); // Handle app css files if (substr($file, -3) == 'css') { self::loadCSSFile($param); return; } // Someone is logged in : if (OC_User::isLoggedIn()) { OC_App::loadApps(); OC_User::setupBackends(); if (isset($_GET["logout"]) and $_GET["logout"]) { OC_Preferences::deleteKey(OC_User::getUser(), 'login_token', $_COOKIE['oc_token']); OC_User::logout(); header("Location: " . OC::$WEBROOT . '/'); } else { if (is_null($file)) { $param['file'] = 'index.php'; } $file_ext = substr($param['file'], -3); if ($file_ext != 'php' || !self::loadAppScriptFile($param)) { header('HTTP/1.0 404 Not Found'); } } return; } // Not handled and not logged in self::handleLogin(); }