/**
 * Render the contacts app main page.
 *
 * Registers the page's scripts and styles, guarantees the user owns at least
 * one address book (a default one is created otherwise), and attaches a
 * Content-Security-Policy before returning the template.
 *
 * NOTE(review): img-src and frame-src are both opened to '*'. Any contact
 * field that ends up as an image or iframe URL can therefore pull remote
 * content (tracking pixels / IP disclosure) or frame an arbitrary site.
 * Confirm the wildcard is really needed and narrow it if it is not.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    \OCP\Util::addScript('core', 'tags');

    $styles = [
        'style',
        'jquery.Jcrop',
        '3rdparty/fontello/css/animation',
        '3rdparty/fontello/css/fontello',
        '3rdparty/jquery.webui-popover',
    ];
    foreach ($styles as $styleName) {
        \OCP\Util::addStyle($this->appName, $styleName);
    }

    $appScripts = [
        'app',
        '3rdparty/jquery.webui-popover',
        'settings',
        'loader',
        'jquery.scrollTo.min',
        'jquery.nicescroll.min',
    ];
    foreach ($appScripts as $scriptName) {
        \OCP\Util::addScript($this->appName, $scriptName);
    }
    \OCP\Util::addScript('files', 'jquery.fileupload');
    \OCP\Util::addScript($this->appName, 'jquery.Jcrop');

    $iosSupportSetting = $this->configInfo->getUserValue($this->userId, $this->appName, 'iossupport');
    $uploadLimitBytes = \OCP\Util::maxUploadFilesize('/');

    // Every user gets a default address book on first visit.
    $books = Addressbook::all($this->userId);
    if (count($books) == 0) {
        Addressbook::addDefault($this->userId);
        $books = Addressbook::all($this->userId);
    }

    $templateParams = [
        'uploadMaxFilesize' => $uploadLimitBytes,
        'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($uploadLimitBytes),
        'iossupport' => $iosSupportSetting,
        'addressbooks' => $books,
    ];

    $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
    $policy->addAllowedImageDomain('*');
    $policy->addAllowedFrameDomain('*');

    $page = new TemplateResponse($this->appName, 'index');
    $page->setContentSecurityPolicy($policy);
    $page->setParams($templateParams);
    return $page;
}
/**
 * Render the news app index page.
 *
 * Passes the "cron misconfigured" warning from the status service to the
 * template and relaxes the CSP so feed content may load images, media and
 * XHR targets from anywhere and embed YouTube / Vimeo players.
 *
 * NOTE(review): img-src, media-src and connect-src '*' mean any URL found in
 * a subscribed feed is fetched by the reader's browser (tracking pixels,
 * IP disclosure). That is a product decision, but it should be a conscious one.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $appStatus = $this->statusService->getStatus();
    $templateParams = ['cronWarning' => $appStatus['warnings']['improperlyConfiguredCron']];
    $page = new TemplateResponse($this->appName, 'index', $templateParams);

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedImageDomain('*');
    $policy->addAllowedMediaDomain('*');
    $policy->addAllowedConnectDomain('*');

    // Only the well-known video players may be framed.
    $playerHosts = [
        'https://youtube.com',
        'https://www.youtube.com',
        'https://player.vimeo.com',
        'https://www.player.vimeo.com',
    ];
    foreach ($playerHosts as $host) {
        $policy->addAllowedFrameDomain($host);
    }

    $page->setContentSecurityPolicy($policy);
    return $page;
}
/**
 * Render the ownnote main page.
 *
 * CAUTION: the annotations below switch off the admin and CSRF checks for
 * this route. That is acceptable for a plain GET that renders a page, but do
 * not copy them onto state-changing methods.
 *
 * The CSP is extended with img-src data: so inline (base64) images in notes
 * can be displayed.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $templateParams = array('user' => $this->userId);
    $page = new TemplateResponse('ownnote', 'main', $templateParams);

    $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
    $policy->addAllowedImageDomain('data:');
    $page->setContentSecurityPolicy($policy);

    return $page;
}
/**
 * showPdfViewer() must return the 'viewer' template on the blank layout with a
 * CSP that allows child-src 'self' and data: fonts — nothing more.
 */
public function testShowPdfViewer() {
    $viewerParams = ['urlGenerator' => $this->urlGenerator];

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedChildSrcDomain('\'self\'');
    $policy->addAllowedFontDomain('data:');

    $expected = new TemplateResponse($this->appName, 'viewer', $viewerParams, 'blank');
    $expected->setContentSecurityPolicy($policy);

    $actual = $this->controller->showPdfViewer();
    $this->assertEquals($expected, $actual);
}
/**
 * Render the PDF viewer page (pdf.js) on the blank layout.
 *
 * Public and CSRF-exempt because it is also used from public share links.
 * The viewer needs child-src 'self' (its worker) and data: fonts (embedded
 * fonts are handed to the browser as data URIs).
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function showPdfViewer() {
    $policy = new ContentSecurityPolicy();
    $policy->addAllowedChildSrcDomain('\'self\'');
    $policy->addAllowedFontDomain('data:');

    $viewerParams = ['urlGenerator' => $this->urlGenerator];
    $page = new TemplateResponse($this->appName, 'viewer', $viewerParams, 'blank');
    $page->setContentSecurityPolicy($policy);
    return $page;
}
/**
 * Render the bookmarks main page.
 *
 * Hands the absolute bookmarklet URL to the template and restricts framing to
 * the own origin. ('self' appears to already be the framework default for
 * frame-src, so the explicit call is belt-and-braces — verify against the
 * ContentSecurityPolicy defaults of the targeted core version.)
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $bookmarkletUrl = $this->urlgenerator->getAbsoluteURL('index.php/apps/bookmarks/bookmarklet');
    $templateParams = array('user' => $this->userId, 'bookmarkleturl' => $bookmarkletUrl);

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedFrameDomain("'self'");

    $page = new TemplateResponse('bookmarks', 'main', $templateParams);
    $page->setContentSecurityPolicy($policy);
    return $page;
}
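/**
 * Render the WebRTC page.
 *
 * The page embeds the configured WebRTC application in an iframe, so frame-src
 * is extended with every host returned by Security::getAllowedIframeDomains().
 *
 * Each host is added as its own source expression. The previous code passed
 * implode(' ', ...) of the whole list through a single addAllowedFrameDomain()
 * call, which relied on the policy builder concatenating strings blindly and,
 * for an empty list, appended an empty token to the directive.
 *
 * NOTE(review): entries are still added verbatim; a configured value of '*'
 * (or one containing spaces) widens frame-src exactly as before.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function webRTC() {
    $params = [];
    $response = new TemplateResponse(Settings::APP_ID, 'webrtc', $params);

    // Allow to embed iframes from the configured hosts only.
    $csp = new ContentSecurityPolicy();
    foreach (Security::getAllowedIframeDomains() as $domain) {
        $domain = trim((string) $domain);
        if ($domain === '') {
            continue; // never emit an empty source expression
        }
        $csp->addAllowedFrameDomain($domain);
    }
    $response->setContentSecurityPolicy($csp);
    return $response;
}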
/**
 * Render the app management page (admin only — no @NoAdminRequired here).
 *
 * Tells the template whether experimental app-store apps are enabled and
 * allows app screenshots/icons to be loaded from apps.owncloud.com.
 *
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function viewApps() {
    $templateParams = [
        'experimentalEnabled' => $this->config->getSystemValue('appstore.experimental.enabled', false),
    ];
    $this->navigationManager->setActiveEntry('core_apps');

    $page = new TemplateResponse($this->appName, 'apps', $templateParams, 'user');

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedImageDomain('https://apps.owncloud.com');
    $page->setContentSecurityPolicy($policy);

    return $page;
}
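/**
 * Render the WebRTC page for logged-in users and guests.
 *
 * Guests (no user id) get the 'empty' layout, users the normal 'user' layout;
 * the template is told which case it is via 'is_guest'. The page embeds the
 * WebRTC application in an iframe, so frame-src is extended with every host
 * returned by Security::getAllowedIframeDomains().
 *
 * Each host is added as its own source expression. The previous code passed
 * implode(' ', ...) of the whole list through a single addAllowedFrameDomain()
 * call, which relied on the policy builder concatenating strings blindly and,
 * for an empty list, appended an empty token to the directive.
 *
 * NOTE(review): entries are still added verbatim; a configured value of '*'
 * (or one containing spaces) widens frame-src exactly as before.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @PublicPage
 * @return TemplateResponse
 */
public function webRTC() {
    $isGuest = $this->userid === null;
    $params = ['is_guest' => $isGuest];
    $response = new TemplateResponse(Settings::APP_ID, 'webrtc', $params, $isGuest ? 'empty' : 'user');

    // Allow to embed iframes from the configured hosts only.
    $csp = new ContentSecurityPolicy();
    foreach (Security::getAllowedIframeDomains() as $domain) {
        $domain = trim((string) $domain);
        if ($domain === '') {
            continue; // never emit an empty source expression
        }
        $csp->addAllowedFrameDomain($domain);
    }
    $response->setContentSecurityPolicy($csp);
    return $response;
}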
/**
 * Render the photo-cropping fragment for a contact.
 *
 * Reads the contact id and the temporary upload key from the request and
 * passes both, unchanged, to the 'part.cropphoto' template (no layout).
 * data: images are allowed so the preview can be shown inline.
 *
 * NOTE(review): 'id' and 'tmpkey' are request-controlled and are not
 * validated here; the template must escape them. This method keeps the
 * CSRF check (no @NoCSRFRequired), which is correct for it.
 *
 * @NoAdminRequired
 * @return TemplateResponse
 */
public function cropPhoto() {
    $contactId = $this->params('id');
    $tempKey = $this->params('tmpkey');
    $templateParams = array('tmpkey' => $tempKey, 'id' => $contactId);

    $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
    $policy->addAllowedImageDomain('data:');

    $fragment = new TemplateResponse($this->appName, 'part.cropphoto', $templateParams, '');
    $fragment->setContentSecurityPolicy($policy);
    return $fragment;
}
/**
 * Render the app index page.
 *
 * On cores that ship the ContentSecurityPolicy class (ownCloud >= 8.1) the
 * response gets a policy allowing frame-src 'self'; older cores are left with
 * the default headers.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse renders the index page
 */
public function index() {
    $page = new TemplateResponse($this->appName, 'index', []);

    $coreHasCsp = class_exists('OCP\\AppFramework\\Http\\ContentSecurityPolicy');
    if ($coreHasCsp) {
        $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
        $policy->addAllowedFrameDomain('\'self\'');
        $page->setContentSecurityPolicy($policy);
    }

    return $page;
}
/**
 * index() must return the bare 'index' template, carrying a frame-src 'self'
 * CSP whenever the core provides the ContentSecurityPolicy class.
 */
public function testIndex() {
    $expected = new TemplateResponse($this->appName, 'index', []);

    $coreHasCsp = class_exists('OCP\\AppFramework\\Http\\ContentSecurityPolicy');
    if ($coreHasCsp) {
        $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
        $policy->addAllowedFrameDomain('\'self\'');
        $expected->setContentSecurityPolicy($policy);
    }

    $actual = $this->controller->index();
    $this->assertEquals($expected, $actual);
}
/**
 * Render the ownmnote main page.
 *
 * CAUTION: the annotations below switch off the admin and CSRF checks for
 * this route. That is fine for a GET that only renders a page; do not copy
 * them onto state-changing methods.
 *
 * On ownCloud 8.1 and later a CSP allowing img-src data: is attached so
 * inline (base64) images in notes render; older cores have no CSP class.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $templateParams = array('user' => $this->userId);
    $page = new TemplateResponse('ownmnote', 'main', $templateParams);

    $version = \OCP\Util::getVersion();
    $coreHasCsp = $version[0] > 8 || ($version[0] == 8 && $version[1] >= 1);
    if ($coreHasCsp) {
        $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
        $policy->addAllowedImageDomain('data:');
        $page->setContentSecurityPolicy($policy);
    }

    return $page;
}
/**
 * Render the e-book reader page on the blank layout.
 *
 * Public and CSRF-exempt so it works from share links. The reader renders
 * book content into same-origin frames and builds stylesheets and images
 * from blob: URLs, hence child-src/frame-src 'self' and style-src/img-src blob:.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function showReader() {
    $policy = new ContentSecurityPolicy();
    $policy->addAllowedChildSrcDomain('\'self\'');
    $policy->addAllowedFrameDomain('\'self\'');
    $policy->addAllowedStyleDomain('blob:');
    $policy->addAllowedImageDomain('blob:');

    $readerParams = ['urlGenerator' => $this->urlGenerator];
    $page = new TemplateResponse($this->appName, 'reader', $readerParams, 'blank');
    $page->setContentSecurityPolicy($policy);
    return $page;
}
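/**
 * Render the tasks index page.
 *
 * The app depends on 'calendarplus'. When that app is not enabled for the
 * user a stub page ('no-calendar-app') is rendered instead of the real UI.
 *
 * Fix: the image CSP source was written as ':data', which is not a valid CSP
 * source expression and therefore did not grant anything. The intended value
 * (as in the sibling apps) is 'data:' so inline data-URI images are allowed.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $appManager = \OC::$server->getAppManager();
    if (!$appManager->isEnabledForUser('calendarplus')) {
        \OCP\Util::addStyle($this->appName, 'style');
        return new TemplateResponse($this->appName, 'no-calendar-app');
    }

    $csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
    $csp->addAllowedImageDomain('data:');

    $config = \OC::$server->getConfig();
    $response = new TemplateResponse($this->appName, 'index');
    $response->setParams(array(
        'allowShareWithLink' => $config->getAppValue('core', 'shareapi_allow_links', 'yes'),
        'mailNotificationEnabled' => $config->getAppValue('core', 'shareapi_allow_mail_notification', 'no'),
        'mailPublicNotificationEnabled' => $config->getAppValue('core', 'shareapi_allow_public_notification', 'no'),
        'appname' => TasksApp::$appname,
        'calappname' => CalendarApp::$appname,
    ));
    $response->setContentSecurityPolicy($csp);
    return $response;
}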
/**
 * Render the notes main page.
 *
 * Restores the note the user looked at last (falls back to 0 when that note
 * no longer exists) and hands its id to the template.
 *
 * NOTE(review): img-src is opened to '*', so any image URL inside a note is
 * fetched by the viewer's browser (tracking / IP disclosure). Consider
 * limiting this or proxying images if that matters for the deployment.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function index() {
    $lastNoteId = (int) $this->settings->getUserValue($this->userId, $this->appName, 'notesLastViewedNote');

    // Stale preference: the remembered note may have been deleted since.
    try {
        $this->notesService->get($lastNoteId, $this->userId);
    } catch (NoteDoesNotExistException $ex) {
        $lastNoteId = 0;
    }

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedImageDomain('*');

    $page = new TemplateResponse($this->appName, 'main', ['lastViewedNote' => $lastNoteId]);
    $page->setContentSecurityPolicy($policy);
    return $page;
}
/**
 * Render the passwords main page.
 *
 * Favicons for stored sites are loaded from DuckDuckGo and Google, so those
 * two hosts are added to img-src. ownCloud 8.0.x has no CSP API, so on that
 * version the bare template is returned.
 *
 * NOTE(review): the version test compares the first three characters of the
 * human-readable version with '8.0'; it works for the versions that existed
 * when this was written but is fragile (e.g. it does not special-case
 * anything else and would misfire on a hypothetical '80.x').
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $page = new TemplateResponse('passwords', 'main');

    // OC 8.0.x (and older) cannot carry a CSP object.
    $isLegacyCore = substr(\OC_Util::getHumanVersion(), 0, 3) == '8.0';
    if (!$isLegacyCore) {
        $policy = new ContentSecurityPolicy();
        $policy->addAllowedImageDomain('https://icons.duckduckgo.com');
        $policy->addAllowedImageDomain('https://www.google.com');
        $page->setContentSecurityPolicy($policy);
    }

    return $page;
}
/**
 * Render the documents (collaborative editing) index page.
 *
 * Collects preview/upload/share settings for the template and attaches a CSP
 * for the editor front-end.
 *
 * NOTE(review), several points about the policy built below:
 *  - script-src lists jQuery/mousewheel over plain http://. On an https
 *    install that is mixed content; on any install a network attacker who can
 *    tamper with those CDN responses gets script execution in this origin.
 *    Both CDNs serve https, so the scheme could be upgraded.
 *  - 'unsafe-eval' plus allowInlineScript(true) below removes most of the
 *    XSS protection a CSP provides for this page.
 *  - frame-src receives the very same list (script file URLs and
 *    'unsafe-eval'), which is meaningless for frame-src and looks like a
 *    copy/paste of the script-src line.
 *  - connect-src is derived from $_SERVER['SERVER_NAME']. Depending on the web
 *    server configuration (e.g. Apache with UseCanonicalName Off) that value
 *    can reflect the request's Host header, i.e. be attacker-influenced; a
 *    configured host would be safer. ws:// is also plaintext.
 *  - img-src '*' lets documents load images from anywhere.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    \OC::$server->getNavigationManager()->setActiveEntry('documents_index');
    $maxUploadFilesize = \OCP\Util::maxUploadFilesize("/");
    $response = new TemplateResponse('documents', 'documents', [
        'enable_previews' => $this->settings->getSystemValue('enable_previews', true),
        'useUnstable' => $this->settings->getAppValue('documents', 'unstable', 'false'),
        'savePath' => $this->settings->getUserValue($this->uid, 'documents', 'save_path', '/'),
        'uploadMaxFilesize' => $maxUploadFilesize,
        'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($maxUploadFilesize),
        'allowShareWithLink' => $this->settings->getAppValue('core', 'shareapi_allow_links', 'yes')
    ]);
    $policy = new ContentSecurityPolicy();
    //$policy->addAllowedChildSrcDomain('\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\'');
    // Whole space-separated source list smuggled through one call (see NOTE above: plain http, 'unsafe-eval').
    $policy->addAllowedScriptDomain('\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\'');
    // Same list again for frame-src — script URLs and 'unsafe-eval' have no meaning here.
    $policy->addAllowedFrameDomain('\'self\' http://ajax.googleapis.com/ajax/libs/jquery/2.1.0/jquery.min.js http://cdnjs.cloudflare.com/ajax/libs/jquery-mousewheel/3.1.12/jquery.mousewheel.min.js \'unsafe-eval\'');
    // WebSocket endpoint of the editing backend; host taken from SERVER_NAME (see NOTE above).
    $policy->addAllowedConnectDomain('ws://' . $_SERVER['SERVER_NAME'] . ':9980');
    $policy->addAllowedImageDomain('*');
    // Inline scripts permitted: together with 'unsafe-eval' this largely neutralises the CSP.
    $policy->allowInlineScript(true);
    $policy->addAllowedFontDomain('data:');
    $response->setContentSecurityPolicy($policy);
    return $response;
}
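/**
 * Render the maps main page.
 *
 * CAUTION: the annotations below switch off the admin and CSRF checks for
 * this route. That is acceptable for a GET that renders a page; do not copy
 * them onto state-changing methods.
 *
 * Passes the user's devices to the template and, on cores with a CSP API,
 * allows the tile and marker image hosts plus data: URIs for images.
 *
 * Fix: the data: source was previously added with addAllowedScriptDomain(),
 * i.e. to script-src. Whitelisting data: in script-src lets any injected
 * <script src="data:..."> execute and is a well-known CSP bypass; the
 * accompanying "inline images" comment shows img-src was intended.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $params = array(
        'user' => $this->userId,
        'devices' => $this->deviceMapper->findAll($this->userId),
    );
    $response = new TemplateResponse('maps', 'main', $params);

    if (class_exists('OCP\\AppFramework\\Http\\ContentSecurityPolicy')) {
        $csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
        // map tiles
        // NOTE(review): plain http:// — mixed content on an https install.
        $csp->addAllowedImageDomain('http://*.mqcdn.com');
        // marker icons
        $csp->addAllowedImageDomain('https://api.tiles.mapbox.com');
        // inline (data URI) images
        $csp->addAllowedImageDomain('data:');
        $response->setContentSecurityPolicy($csp);
    }

    return $response; // templates/main.php
}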
/**
 * Render the LibreOffice Online viewer page on the blank layout.
 *
 * NOTE(review): the policy built here allows every fetch directive from '*'
 * (including object-src) and additionally enables inline scripts, inline
 * styles and eval. That is functionally equivalent to sending no CSP at all
 * on a @PublicPage route. If the embedded editor truly needs this, it should
 * at least be restricted to the editor's configured origin.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @return TemplateResponse
 */
public function showLibreOnline() {
    $viewerParams = ['urlGenerator' => $this->urlGenerator];
    $page = new TemplateResponse($this->appName, 'online', $viewerParams, 'blank');

    $policy = new ContentSecurityPolicy();
    // Every source-list directive is opened to the wildcard.
    $policy->addAllowedChildSrcDomain('*');
    $policy->addAllowedScriptDomain('*');
    $policy->addAllowedConnectDomain('*');
    $policy->addAllowedStyleDomain('*');
    $policy->addAllowedMediaDomain('*');
    $policy->addAllowedFontDomain('*');
    $policy->addAllowedImageDomain('*');
    $policy->addAllowedFrameDomain('*');
    $policy->addAllowedObjectDomain('*');
    // ...and the inline/eval escape hatches are switched on as well.
    $policy->allowInlineScript(true);
    $policy->allowInlineStyle(true);
    $policy->allowEvalScript(true);

    $page->setContentSecurityPolicy($policy);
    return $page;
}
/**
 * Render the news app index page (ownCloud 8.0/8.1 compatible variant).
 *
 * Passes the "cron misconfigured" warning to the template. On cores that ship
 * the ContentSecurityPolicy class the policy is relaxed so feed content may
 * load images and media from anywhere and embed YouTube / Vimeo players.
 *
 * NOTE(review): img-src/media-src '*' means any URL in a subscribed feed is
 * fetched by the reader's browser (tracking pixels, IP disclosure).
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $appStatus = $this->statusService->getStatus();
    $page = new TemplateResponse($this->appName, 'index', [
        'cronWarning' => $appStatus['warnings']['improperlyConfiguredCron']
    ]);

    // CSP support exists from ownCloud 8.1 on.
    $coreHasCsp = class_exists('OCP\AppFramework\Http\ContentSecurityPolicy');
    if ($coreHasCsp) {
        $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
        $policy->addAllowedImageDomain('*');
        $policy->addAllowedMediaDomain('*');
        $playerHosts = [
            'https://youtube.com',
            'https://www.youtube.com',
            'https://player.vimeo.com',
            'https://www.player.vimeo.com',
        ];
        foreach ($playerHosts as $host) {
            $policy->addAllowedFrameDomain($host);
        }
        $page->setContentSecurityPolicy($policy);
    }

    return $page;
}
/**
 * Render the contacts app main page.
 *
 * Loads the user's view preferences (iOS support flag, active view, last
 * selected address book), makes sure at least one address book exists
 * (creating the default one otherwise) and attaches a CSP to the response.
 *
 * NOTE(review): img-src and frame-src are both opened to '*'. Any contact
 * field that ends up as an image or iframe URL can pull remote content
 * (tracking / IP disclosure) or frame an arbitrary site. Confirm the wildcard
 * is required and narrow it if it is not.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $userPrefs = $this->configInfo;
    $iosSupportSetting = $userPrefs->getUserValue($this->userId, $this->appName, 'iossupport');
    $viewMode = $userPrefs->getUserValue($this->userId, $this->appName, 'view', 'listview');
    $currentBookId = $userPrefs->getUserValue($this->userId, $this->appName, 'currentbook', 0);
    $uploadLimitBytes = \OCP\Util::maxUploadFilesize('/');

    // Every user gets a default address book on first visit.
    $books = Addressbook::all($this->userId);
    if (count($books) == 0) {
        Addressbook::addDefault($this->userId);
        $books = Addressbook::all($this->userId);
    }

    $templateParams = [
        'uploadMaxFilesize' => $uploadLimitBytes,
        'uploadMaxHumanFilesize' => \OCP\Util::humanFileSize($uploadLimitBytes),
        'iossupport' => $iosSupportSetting,
        'addressbooks' => $books,
        'activeView' => $viewMode,
        'lastSelectedBook' => $currentBookId,
    ];

    $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy();
    $policy->addAllowedImageDomain('*');
    $policy->addAllowedFrameDomain('*');

    $page = new TemplateResponse($this->appName, 'index');
    $page->setContentSecurityPolicy($policy);
    $page->setParams($templateParams);
    return $page;
}
/**
 * Render the passman main page.
 *
 * CAUTION: the annotations below switch off the admin and CSRF checks for
 * this route. That is acceptable for a GET that renders a page; do not copy
 * them onto state-changing methods.
 *
 * On a first run (user preference 'firstpassmanrun/show' still 1) the
 * first-run script is registered and two example items are created through
 * the item API. The preference is not cleared here — presumably the
 * first-run script does that; verify.
 *
 * NOTE(review): a user literally named 'test' is always treated as a first
 * run, so every page load creates two more items for that account. This
 * looks like a test hook that leaked into production code.
 * NOTE(review): object-src 'self' permits plugin content (e.g. Flash) served
 * from this origin; whether user uploads could be reached that way depends
 * on how downloads are served — confirm it is needed.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $firstRunFlag = \OCP\CONFIG::getUserValue(\OCP\User::getUser(), 'firstpassmanrun', 'show', 1);
    $templateParams = array('user' => $this->userId);
    if ($this->userId === 'test') {
        $firstRunFlag = 1;
    }

    if ($firstRunFlag == 1) {
        \OCP\Util::addscript('passman', 'firstrun');
        $exampleItems = [
            ['label' => 'Item 1', 'tags' => [['text' => 'Example tag'], ['text' => 'Example tag 2']]],
            ['label' => 'Item 2', 'tags' => [['text' => 'Example tag 2'], ['text' => 'Example tag 3']]],
        ];
        foreach ($exampleItems as $item) {
            $this->itemAPI->create('', '', '', '', '', $item['label'], '', '', '', '', $item['tags'], array());
        }
    }

    $page = new TemplateResponse('passman', 'main', $templateParams);

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedObjectDomain('\'self\'');
    $policy->addAllowedImageDomain('data:');
    $page->setContentSecurityPolicy($policy);

    return $page; // templates/main.php
}
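/**
 * Render the viewer for a pad file stored in ownCloud.
 *
 * The file only holds a pointer to the pad, a line of the form
 * `URL=<pad url>`. That URL is extracted, re-encoded and handed to the
 * 'viewer' template, which embeds it; frame-src is opened only for the
 * Etherpad / Ethercalc hosts configured for the app (ownCloud >= 8.1).
 *
 * Fixes: the regex match result was never checked, so a file without a
 * `URL=` line raised an "undefined offset 1" notice and passed a null URL to
 * the template; and an unset host option was added to frame-src as an empty
 * source token. Both cases are now handled explicitly.
 *
 * NOTE(review): $dir and $file come from the request; containment to the
 * user's storage relies entirely on \OC\Files\Filesystem. As this is a
 * @PublicPage, confirm how that view is set up for unauthenticated callers.
 * NOTE(review): the extracted URL's scheme is not validated here; the CSP
 * frame-src list is what stands between file content and the frame.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @param string $file file name inside $dir
 * @param string $dir  directory of the file, relative to the user's root
 * @return TemplateResponse
 */
public function showPad($file, $dir) {
    /* Retrieve file content to find pad’s URL */
    $content = \OC\Files\Filesystem::file_get_contents($dir . "/" . $file);

    // Only use the capture when the pattern actually matched.
    $url = '';
    if (is_string($content) && preg_match('/URL=(.*)$/', $content, $matches) === 1) {
        $url = $matches[1];
    }
    $title = $file;

    /* Not totally sure that this is the right way to proceed…
     *
     * First we decode the URL (to avoid double encode), then we
     * replace spaces with underscore (as they are converted as
     * such by Etherpad), then we encode the URL properly (and we
     * avoid to urlencode() the protocol scheme).
     *
     * Magic urlencode() function was stolen from this answer on
     * StackOverflow: <http://stackoverflow.com/a/7974253>.
     */
    $url = urldecode($url);
    $url = str_replace(' ', '_', $url);
    $url = preg_replace_callback('#://([^/]+)/([^?]+)#', function ($match) {
        $segments = array_map('rawurlencode', explode('/', $match[2]));
        return '://' . $match[1] . '/' . join('/', $segments);
    }, $url);

    $params = ['urlGenerator' => $this->urlGenerator, 'url' => $url, 'title' => $title];
    $response = new TemplateResponse($this->appName, 'viewer', $params, 'blank');

    /* Allow the configured Etherpad and Ethercalc hosts in frame-src.
     * This feature was introduced in ownCloud 8.1. */
    $policy = new ContentSecurityPolicy();
    $appConfig = \OC::$server->getAppConfig();
    foreach (['ownpad_etherpad_host', 'ownpad_ethercalc_host'] as $optionKey) {
        $host = $appConfig->getValue('ownpad', $optionKey, '');
        if ($host !== '') {
            $policy->addAllowedFrameDomain($host);
        }
    }
    $response->setContentSecurityPolicy($policy);
    return $response;
}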
/**
 * Render the app management page for one category (admin only — there is no
 * @NoAdminRequired on this route).
 *
 * The "enabled" pseudo-category is normalised to the literal 'enabled'
 * because the category string is echoed into HTML.
 *
 * NOTE(review): for every other category the request-supplied $category is
 * passed to the template unchanged (getCategory() only resolves an id). The
 * template must escape it; verify that it does.
 *
 * @NoCSRFRequired
 * @param string $category
 * @return TemplateResponse
 */
public function viewApps($category = '') {
    $categoryId = $this->getCategory($category);
    if ($categoryId === self::CAT_ENABLED) {
        // Do not use an arbitrary input string, because we put the category in html
        $category = 'enabled';
    }

    $templateParams = [
        'experimentalEnabled' => $this->config->getSystemValue('appstore.experimental.enabled', false),
        'category' => $category,
        'appstoreEnabled' => $this->config->getSystemValue('appstoreenabled', true) === true,
    ];
    $this->navigationManager->setActiveEntry('core_apps');

    $page = new TemplateResponse($this->appName, 'apps', $templateParams, 'user');

    $policy = new ContentSecurityPolicy();
    $policy->addAllowedImageDomain('https://apps.owncloud.com');
    $page->setContentSecurityPolicy($policy);

    return $page;
}
/**
 * showShare() on a password-protected, already-authenticated link share must
 * render the 'public' template with the expected parameters and a frame-src
 * 'self' CSP.
 *
 * The share owner, the shared file and all collaborators (session, preview
 * manager, config, share manager, user manager) are mocked; the session
 * reports the share id (42) as already authenticated.
 */
public function testShowShare() {
    $owner = $this->getMock('OCP\\IUser');
    $owner->method('getDisplayName')->willReturn('ownerDisplay');
    $owner->method('getUID')->willReturn('ownerUID');

    $file = $this->getMock('OCP\\Files\\File');
    $file->method('getName')->willReturn('file1.txt');
    $file->method('getMimetype')->willReturn('text/plain');
    $file->method('getSize')->willReturn(33);
    $file->method('isReadable')->willReturn(true);
    $file->method('isShareable')->willReturn(true);

    $share = \OC::$server->getShareManager()->newShare();
    $share->setId(42);
    $share->setPassword('password')->setShareOwner('ownerUID')->setNode($file)->setTarget('/file1.txt');

    // Session says link 42 has already passed the password check. Note the
    // session value is the string '42' while the id is the int 42 — the
    // controller's comparison is evidently loose; keep in mind if it is tightened.
    $this->session->method('exists')->with('public_link_authenticated')->willReturn(true);
    $this->session->method('get')->with('public_link_authenticated')->willReturn('42');

    $this->previewManager->method('isMimeSupported')->with('text/plain')->willReturn(true);
    $this->config->method('getSystemValue')->willReturnMap([
        ['max_filesize_animated_gifs_public_sharing', 10, 10],
        ['enable_previews', true, true]
    ]);
    // These two assignments are not used by the assertions below (leftover).
    $shareTmpl['maxSizeAnimateGif'] = $this->config->getSystemValue('max_filesize_animated_gifs_public_sharing', 10);
    $shareTmpl['previewEnabled'] = $this->config->getSystemValue('enable_previews', true);

    $this->shareManager->expects($this->once())->method('getShareByToken')->with('token')->willReturn($share);
    $this->userManager->method('get')->with('ownerUID')->willReturn($owner);

    $response = $this->shareController->showShare('token');

    $sharedTmplParams = array(
        'displayName' => 'ownerDisplay',
        'owner' => 'ownerUID',
        'filename' => 'file1.txt',
        'directory_path' => '/file1.txt',
        'mimetype' => 'text/plain',
        'dirToken' => 'token',
        'sharingToken' => 'token',
        'server2serversharing' => true,
        'protected' => 'true',
        'dir' => '',
        'downloadURL' => null,
        'fileSize' => '33 B',
        'nonHumanFileSize' => 33,
        'maxSizeAnimateGif' => 10,
        'previewSupported' => true,
        'previewEnabled' => true
    );
    $csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
    $csp->addAllowedFrameDomain('\'self\'');
    $expectedResponse = new TemplateResponse($this->appName, 'public', $sharedTmplParams, 'base');
    $expectedResponse->setContentSecurityPolicy($csp);
    $this->assertEquals($expectedResponse, $response);
}
/**
 * Exercises showShare() along its three paths, in order:
 *  1. unknown token              -> NotFoundResponse
 *  2. password-protected share,
 *     no authentication in session -> redirect to the authenticate route
 *  3. same share, session marked
 *     as authenticated            -> 'public' template with frame-src 'self' CSP
 *
 * Uses the real Share backend and the real session (the test fixture creates
 * the share behind $this->token elsewhere in the class).
 */
public function testShowShare() {
    $this->container['UserManager']->expects($this->exactly(2))->method('userExists')->with($this->user)->will($this->returnValue(true));

    // Test with a token that does not exist
    $response = $this->shareController->showShare('ThisTokenShouldHopefullyNeverExistSoThatTheUnitTestWillAlwaysPass :)');
    $expectedResponse = new NotFoundResponse();
    $this->assertEquals($expectedResponse, $response);

    // Test with a password protected share and no authentication
    $response = $this->shareController->showShare($this->token);
    $expectedResponse = new RedirectResponse($this->urlGenerator->linkToRoute('files_sharing.sharecontroller.authenticate', array('token' => $this->token)));
    $this->assertEquals($expectedResponse, $response);

    // Test with password protected share and authentication:
    // marking the share id in the session is what the password form does.
    $linkItem = Share::getShareByToken($this->token, false);
    \OC::$server->getSession()->set('public_link_authenticated', $linkItem['id']);
    $response = $this->shareController->showShare($this->token);
    $sharedTmplParams = array(
        'displayName' => $this->user,
        'filename' => 'file1.txt',
        'directory_path' => '/file1.txt',
        'mimetype' => 'text/plain',
        'dirToken' => $this->token,
        'sharingToken' => $this->token,
        'server2serversharing' => true,
        'protected' => 'true',
        'dir' => '',
        'downloadURL' => null,
        'fileSize' => '33 B',
        'nonHumanFileSize' => 33,
        'maxSizeAnimateGif' => 10,
        'previewSupported' => true,
        'previewEnabled' => true
    );
    $csp = new \OCP\AppFramework\Http\ContentSecurityPolicy();
    $csp->addAllowedFrameDomain('\'self\'');
    $expectedResponse = new TemplateResponse($this->container['AppName'], 'public', $sharedTmplParams, 'base');
    $expectedResponse->setContentSecurityPolicy($csp);
    $this->assertEquals($expectedResponse, $response);
}
/**
 * Attach a Content-Security-Policy that allows fonts from "data:" URIs.
 *
 * Despite what the previous comment said, this extends font-src, not img-src.
 * The response object is modified in place (PHP passes objects by handle),
 * so nothing is returned.
 *
 * @param TemplateResponse $response response to decorate
 */
private function addContentSecurityToResponse($response) {
    $policy = new Http\ContentSecurityPolicy();
    $policy->addAllowedFontDomain("data:");
    $response->setContentSecurityPolicy($policy);
}
/**
 * Render the pkdrive main page.
 *
 * CAUTION: the annotations below switch off the admin and CSRF checks for
 * this route. That is acceptable for a GET that renders a page; do not copy
 * them onto state-changing methods.
 *
 * Picks the 'container' template when the session's target type is a project
 * and the 'target' template otherwise.
 *
 * NOTE(review): connect-src '*' allows XHR/fetch/WebSocket to any origin from
 * this page, which is a convenient exfiltration channel should script
 * injection ever occur here. Prefer listing the backend origins actually used.
 * NOTE(review): $_SESSION is read directly instead of through the framework's
 * ISession; server-side session data, so not an integrity issue, but
 * inconsistent with the rest of the app framework.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @return TemplateResponse
 */
public function index() {
    $uploadLimit = Util::uploadLimit();
    $templateParams = ['user' => $this->userId, 'uploadLimit' => $uploadLimit];

    /** @var ContentSecurityPolicy $policy */
    $policy = new ContentSecurityPolicy();
    $policy->addAllowedConnectDomain('*');

    $isProjectTarget = isset($_SESSION['targetType']) && $_SESSION['targetType'] == TargetType::PROJECT;
    $templateName = $isProjectTarget ? 'container' : 'target';

    /** @var TemplateResponse $page */
    $page = new TemplateResponse('pkdrive', $templateName, $templateParams);
    $page->setContentSecurityPolicy($policy);
    return $page;
}
/**
 * Render a public link share (file or folder) identified by its token.
 *
 * Flow: look the share up by token (404 if unknown), enforce the share
 * password when one is set (redirect to the authenticate route otherwise),
 * resolve the requested sub-path inside the share, then build the template
 * parameters — including a pre-rendered file list for folders — and return
 * the 'public' template with a frame-src 'self' CSP.
 *
 * NOTE(review): $path (request-controlled) is concatenated onto the share
 * root *before* normalisation; only the copy kept for display ($getPath) is
 * normalised. Containment to the share therefore relies on the Filesystem
 * view rejecting traversal in isReadable()/the later calls — confirm.
 * NOTE(review): the unqualified `OCP\Files\NotFoundException`,
 * `OCP\Util::humanFileSize` and `OCP\AppFramework\Http\ContentSecurityPolicy`
 * references only resolve if the file imports the OCP namespace (`use OCP;`);
 * otherwise they would be looked up relative to the current namespace.
 *
 * @PublicPage
 * @NoCSRFRequired
 *
 * @param string $token share token from the URL
 * @param string $path  optional sub-path inside a shared folder
 * @return TemplateResponse|RedirectResponse
 * @throws OCP\Files\NotFoundException when the requested path is not readable
 */
public function showShare($token, $path = '') {
    // Public page: do not attribute this request to any logged-in user.
    \OC_User::setIncognitoMode(true);

    // Check whether share exists
    $linkItem = Share::getShareByToken($token, false);
    if ($linkItem === false) {
        return new NotFoundResponse();
    }

    $shareOwner = $linkItem['uid_owner'];
    $originalSharePath = $this->getPath($token);

    // Share is password protected - check whether the user is permitted to access the share
    // (Helper::authenticate() presumably checks the 'public_link_authenticated' session key the
    // tests in this corpus set; verify.)
    if (isset($linkItem['share_with']) && !Helper::authenticate($linkItem)) {
        return new RedirectResponse($this->urlGenerator->linkToRoute('files_sharing.sharecontroller.authenticate', array('token' => $token)));
    }

    // Readability is checked on the raw concatenation; see NOTE(review) above.
    if (Filesystem::isReadable($originalSharePath . $path)) {
        $getPath = Filesystem::normalizePath($path);
        $originalSharePath .= $path;
    } else {
        throw new OCP\Files\NotFoundException();
    }

    $file = basename($originalSharePath);

    $shareTmpl = [];
    $shareTmpl['displayName'] = User::getDisplayName($shareOwner);
    $shareTmpl['filename'] = $file;
    $shareTmpl['directory_path'] = $linkItem['file_target'];
    $shareTmpl['mimetype'] = Filesystem::getMimeType($originalSharePath);
    $shareTmpl['previewSupported'] = \OC::$server->getPreviewManager()->isMimeSupported($shareTmpl['mimetype']);
    $shareTmpl['dirToken'] = $linkItem['token'];
    $shareTmpl['sharingToken'] = $token;
    $shareTmpl['server2serversharing'] = Helper::isOutgoingServer2serverShareEnabled();
    // Template expects the string 'true'/'false', not a boolean.
    $shareTmpl['protected'] = isset($linkItem['share_with']) ? 'true' : 'false';
    $shareTmpl['dir'] = '';
    $nonHumanFileSize = \OC\Files\Filesystem::filesize($originalSharePath);
    $shareTmpl['nonHumanFileSize'] = $nonHumanFileSize;
    $shareTmpl['fileSize'] = \OCP\Util::humanFileSize($nonHumanFileSize);

    // Show file list
    if (Filesystem::is_dir($originalSharePath)) {
        $shareTmpl['dir'] = $getPath;
        $maxUploadFilesize = Util::maxUploadFilesize($originalSharePath);
        $freeSpace = Util::freeSpace($originalSharePath);
        $uploadLimit = Util::uploadLimit();
        // Render the read-only folder listing with the core files template.
        $folder = new Template('files', 'list', '');
        $folder->assign('dir', $getPath);
        $folder->assign('dirToken', $linkItem['token']);
        $folder->assign('permissions', \OCP\Constants::PERMISSION_READ);
        $folder->assign('isPublic', true);
        $folder->assign('publicUploadEnabled', 'no');
        $folder->assign('uploadMaxFilesize', $maxUploadFilesize);
        $folder->assign('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize));
        $folder->assign('freeSpace', $freeSpace);
        $folder->assign('uploadLimit', $uploadLimit); // PHP upload limit
        $folder->assign('usedSpacePercent', 0);
        $folder->assign('trash', false);
        $shareTmpl['folder'] = $folder->fetchPage();
    }

    $shareTmpl['downloadURL'] = $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.downloadShare', array('token' => $token));
    $shareTmpl['maxSizeAnimateGif'] = $this->config->getSystemValue('max_filesize_animated_gifs_public_sharing', 10);

    $csp = new OCP\AppFramework\Http\ContentSecurityPolicy();
    $csp->addAllowedFrameDomain('\'self\'');
    $response = new TemplateResponse($this->appName, 'public', $shareTmpl, 'base');
    $response->setContentSecurityPolicy($csp);
    return $response;
}