Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
57112 Commits
598 Branches
1160 Tags
4.1 GiB
Tree: 44b567d0a1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '44b567d0a1'
${ noResults }
nextcloud-server/core/js/setupchecks.js

734 lines
32 KiB
Raw Normal View History

Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Allow setupchecks to specify a warning level
10 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
All setup messages are now properly types
10 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
All setup messages are now properly types
10 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Set content type for propfind request Without the request is sent as application/x-www-form-urlencoded; charset=UTF-8 and might be blocked by some application firewalls because content and content type do not match. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
6 years ago
Add handler for global ajax errors
10 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Move OC.theme to the bundle and deprecate oc_defaults Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
Add config switch to disable the .well-known URL check
10 years ago
Make setup check also pass with a 501 status Signed-off-by: Julius Härtl <jus@bitgrid.net>
7 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Add well known handlers API Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
5 years ago
Make possible to set the expected status of the well known URL check The check is based on the HTTP status returned by the URL, and different URLs may return different status (for example, DAV returns 207, while a service like WebFinger would return 200), so the expected status needs to be set depending on the URL. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
7 years ago
Make setup check also pass with a 501 status Signed-off-by: Julius Härtl <jus@bitgrid.net>
7 years ago
Make possible to set the expected status of the well known URL check The check is based on the HTTP status returned by the URL, and different URLs may return different status (for example, DAV returns 207, while a service like WebFinger would return 200), so the expected status needs to be set depending on the URL. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
7 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Add config switch to disable the .well-known URL check
10 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Add well known handlers API Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
5 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Show the well-known URL check as info instead of error * ref https://github.com/owncloud/core/pull/21562#issuecomment-170344549
10 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Add well known handlers API Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
5 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Don't reload page in case of auth errors during setup checks If an error occurs during setup checks, do not let the global ajax error handler reload the page.
10 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
add setup check for ocm-provider route Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
7 years ago
Move OC.theme to the bundle and deprecate oc_defaults Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
add setup check for ocm-provider route Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
7 years ago
Add unit tests and provide better message Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
add setup check for ocm-provider route Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
7 years ago
Add unit tests and provide better message Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
add setup check for ocm-provider route Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
7 years ago
Add check for missing .woff2 rule in Nginx via setup check Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Move OC.theme to the bundle and deprecate oc_defaults Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
Add check for missing .woff2 rule in Nginx via setup check Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Move OC.theme to the bundle and deprecate oc_defaults Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Move OC.theme to the bundle and deprecate oc_defaults Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add a config for default region of phone numbers Signed-off-by: Joas Schilling <coding@schilljs.com>
5 years ago
Improve hints for default_phone_region Signed-off-by: Joas Schilling <coding@schilljs.com>
5 years ago
Add a config for default region of phone numbers Signed-off-by: Joas Schilling <coding@schilljs.com>
5 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Do not show a internet connectivity warning if internet access is disabled Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
All setup messages are now properly types
10 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
All setup messages are now properly types
10 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Allow setupchecks to specify a warning level
10 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
All setup messages are now properly types
10 years ago
Allow setupchecks to specify a warning level
10 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Change check if secure randomness is possible. Signed-off-by: Timo Förster <tfoerster@webfoersterei.de>
7 years ago
All setup messages are now properly types
10 years ago
Change check if secure randomness is possible. Signed-off-by: Timo Förster <tfoerster@webfoersterei.de>
7 years ago
All setup messages are now properly types
10 years ago
Add check for availability of /dev/urandom Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour. One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention.
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
10 years ago
All setup messages are now properly types
10 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
10 years ago
Update check for outdated php version. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
6 years ago
Move remaining setupchecks to new fomat
10 years ago
Update check for outdated php version. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
6 years ago
Move remaining setupchecks to new fomat
10 years ago
Update check for outdated php version. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
6 years ago
Display warning in security & setup warnings if php version is EOL
10 years ago
Update check for outdated php version. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
6 years ago
Show hint that PHP 5.6 will not be supported in Nextcloud 14 anymore Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Clarify PHP warning in admin settings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
5 years ago
Show hint that PHP 5.6 will not be supported in Nextcloud 14 anymore Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Update check for outdated php version. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
6 years ago
Show hint that PHP 5.6 will not be supported in Nextcloud 14 anymore Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add setup check for reverse proxy header configuration
10 years ago
Move remaining setupchecks to new fomat
10 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Move remaining setupchecks to new fomat
10 years ago
Add setup check for reverse proxy header configuration
10 years ago
[admin] check for correct PHP memcached module
10 years ago
Prevent XSS in links which open a new browser window
8 years ago
[admin] check for correct PHP memcached module
10 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
opcache module check Improved the speed of isOpcacheProperlySetup() (instant return instead of continuing when we're already failed), added a check for the opcache extension itself. Potentially fixes #9410 Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Show info in admin settings about PHP opcache if disabled Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Show info in admin settings about PHP opcache if disabled Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Remove recommendation for opcache on CLI Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Show info in admin settings about PHP opcache if disabled Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Add warning on admin screen when set_time_limit is unavailable
9 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add warning on admin screen when set_time_limit is unavailable
9 years ago
Add warning regarding freetype support Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Spelling: FreeType
8 years ago
Add warning regarding freetype support Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add a hint that some indexes are not added yet * gives the admin a chance to discover the missing indexes and improve the performance of the instance without digging through the manual * nicely integrated in the setup checks where this kind of hints belong to * also adds an option to integrate this from an app based on events * fix style of setting warnings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add a hint that some indexes are not added yet * gives the admin a chance to discover the missing indexes and improve the performance of the instance without digging through the manual * nicely integrated in the setup checks where this kind of hints belong to * also adds an option to integrate this from an app based on events * fix style of setting warnings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Create primary keys on all tables and add a command to create the afterwards Signed-off-by: Joas Schilling <coding@schilljs.com>
5 years ago
Add optional column oc_comments.reference_id Signed-off-by: Joas Schilling <coding@schilljs.com>
6 years ago
Add setup check for recommended PHP modules (i.e. Imagick, intl) Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Add SVG support check to setup check Signed-off-by: nhirokinet <nhirokinet@nhiroki.net>
5 years ago
Update core/js/setupchecks.js Co-authored-by: John Molakvoæ <skjnldsv@users.noreply.github.com>
5 years ago
Add SVG support check to setup check Signed-off-by: nhirokinet <nhirokinet@nhiroki.net>
5 years ago
Add setup check for pending bigint conversion Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Move OC.theme to the bundle and deprecate oc_defaults Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
Add setup check for pending bigint conversion Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Merge tips & tricks section into setup checks Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Adds a memory limit warning for console commands if the limit is below the recommended value Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
7 years ago
Adds a setup check for the memory limit Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
7 years ago
promoted bad memory_limit setting to error as it may break updater Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
5 years ago
Adds a setup check for the memory limit Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
7 years ago
Adds a setup check for app directory permissions. Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
7 years ago
Adds license to files. Updates the branch. Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
7 years ago
Adds a setup check for app directory permissions. Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
7 years ago
Add setup check for missing UTF8MB4 on mysql Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Move OC.theme to the bundle and deprecate oc_defaults Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
Add setup check for missing UTF8MB4 on mysql Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Show a setup warning in case S3 object storage is used as primary storage * checks for at least 50 GB of free space Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Fix unneeded doc link to unrelated resource Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Show a setup warning in case S3 object storage is used as primary storage * checks for at least 50 GB of free space Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Add basic reverseproxy misconfig detection to setupchecks Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
6 years ago
Show a setup warning in case S3 object storage is used as primary storage * checks for at least 50 GB of free space Signed-off-by: Morris Jobke <hey@morrisjobke.de>
7 years ago
Adds a setup check for app directory permissions. Signed-off-by: Michael Weimann <mail@michael-weimann.eu>
7 years ago
Add setup checks for php default charset and output buffering. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Add setup check that links to the migration documentation Signed-off-by: Morris Jobke <hey@morrisjobke.de>
5 years ago
Add a background job that checks for potential user imported SSL certificates and shows a warning in the admin settings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
5 years ago
Bump doctrine/dbal from 2.12.0 to 3.0.0 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
5 years ago
Add setup checks for php default charset and output buffering. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
All setup messages are now properly types
10 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Add handler for global ajax errors
10 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Add setup checks for php default charset and output buffering. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Add setup check that links to the migration documentation Signed-off-by: Morris Jobke <hey@morrisjobke.de>
5 years ago
Add setup checks for php default charset and output buffering. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Change const/let to var for PhantomJS Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Add setup checks for php default charset and output buffering. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Add setup check that links to the migration documentation Signed-off-by: Morris Jobke <hey@morrisjobke.de>
5 years ago
Add a background job that checks for potential user imported SSL certificates and shows a warning in the admin settings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
5 years ago
Add setup check that links to the migration documentation Signed-off-by: Morris Jobke <hey@morrisjobke.de>
5 years ago
Add setup checks for php default charset and output buffering. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Add setup check that links to the migration documentation Signed-off-by: Morris Jobke <hey@morrisjobke.de>
5 years ago
Add setup checks for php default charset and output buffering. Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
5 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Add handler for global ajax errors
10 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Move data protection check to javascript fixes #20199
10 years ago
Properly check the data dir * fixes #1364 Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Move data protection check to javascript fixes #20199
10 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Move data protection check to javascript fixes #20199
10 years ago
Properly check the data dir * fixes #1364 Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Don't reload page in case of auth errors during setup checks If an error occurs during setup checks, do not let the global ajax error handler reload the page.
10 years ago
Move data protection check to javascript fixes #20199
10 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Improve warning for X-Frame-Options header DENY (#3808) Signed-off-by: Oliver Hanraths <olli@coderkun.de>
9 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Improve warning for X-Frame-Options header DENY (#3808) Signed-off-by: Oliver Hanraths <olli@coderkun.de>
9 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Improve warning for X-Frame-Options header DENY (#3808) Signed-off-by: Oliver Hanraths <olli@coderkun.de>
9 years ago
No "to equal to" "We" or "Our", properly Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Improve warning for X-Frame-Options header DENY (#3808) Signed-off-by: Oliver Hanraths <olli@coderkun.de>
9 years ago
All setup messages are now properly types
10 years ago
Improve warning for X-Frame-Options header DENY (#3808) Signed-off-by: Oliver Hanraths <olli@coderkun.de>
9 years ago
All setup messages are now properly types
10 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Add referrer policy setup check Fixes #9122 Based on https://www.w3.org/TR/referrer-policy/ and https://scotthelme.co.uk/a-new-security-header-referrer-policy/ Setting a sane Referrer-Policy will tell the browser if/when to send referrer headers when accessing a link from Nextcloud. When configured properly this results in less tracking and less leaking of (possibly) sensitive urls * Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Remove arrow function Signed-off-by: Daniel Peukert <dan.peukert@gmail.com>
7 years ago
Check if the X-XSS-Protection header contains the required fields Signed-off-by: Daniel Peukert <dan.peukert@gmail.com>
7 years ago
Don't show referrer policy warning if fallback policy set. Test-Set: no-referrer-when-downgrade no-referrer strict-origin-when-cross-origin same-origin no-referrer, strict-origin-when-cross-origin strict-origin- unsafe-raw, same-origin strict-origin-when-downgrade Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
6 years ago
Add referrer policy setup check Fixes #9122 Based on https://www.w3.org/TR/referrer-policy/ and https://scotthelme.co.uk/a-new-security-header-referrer-policy/ Setting a sane Referrer-Policy will tell the browser if/when to send referrer headers when accessing a link from Nextcloud. When configured properly this results in less tracking and less leaking of (possibly) sensitive urls * Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Allow "same-origin" as "Referrer-Policy" Fixes #11531 Although "same-origin" is more strict than e.g. strict-origin it showed up a warning in setupcheck Based on https://scotthelme.co.uk/a-new-security-header-referrer-policy/ Signed-off-by: Moritz Beck <git@birkenstab.de>
7 years ago
Add referrer policy setup check Fixes #9122 Based on https://www.w3.org/TR/referrer-policy/ and https://scotthelme.co.uk/a-new-security-header-referrer-policy/ Setting a sane Referrer-Policy will tell the browser if/when to send referrer headers when accessing a link from Nextcloud. When configured properly this results in less tracking and less leaking of (possibly) sensitive urls * Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Allow "same-origin" as "Referrer-Policy" Fixes #11531 Although "same-origin" is more strict than e.g. strict-origin it showed up a warning in setupcheck Based on https://scotthelme.co.uk/a-new-security-header-referrer-policy/ Signed-off-by: Moritz Beck <git@birkenstab.de>
7 years ago
Add referrer policy setup check Fixes #9122 Based on https://www.w3.org/TR/referrer-policy/ and https://scotthelme.co.uk/a-new-security-header-referrer-policy/ Setting a sane Referrer-Policy will tell the browser if/when to send referrer headers when accessing a link from Nextcloud. When configured properly this results in less tracking and less leaking of (possibly) sensitive urls * Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Don't show referrer policy warning if fallback policy set. Test-Set: no-referrer-when-downgrade no-referrer strict-origin-when-cross-origin same-origin no-referrer, strict-origin-when-cross-origin strict-origin- unsafe-raw, same-origin strict-origin-when-downgrade Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
6 years ago
Add referrer policy setup check Fixes #9122 Based on https://www.w3.org/TR/referrer-policy/ and https://scotthelme.co.uk/a-new-security-header-referrer-policy/ Setting a sane Referrer-Policy will tell the browser if/when to send referrer headers when accessing a link from Nextcloud. When configured properly this results in less tracking and less leaking of (possibly) sensitive urls * Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
All setup messages are now properly types
10 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Move OC.theme to the bundle and deprecate oc_defaults Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Align recommended settings This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well. Fixes https://github.com/owncloud/core/issues/16673
11 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Use 6 months as SSL STS header threshold * this uses 6 months (6 * 30 * 24 * 60 * 60 = 15552000) * old value was half a year (365 / 2 * 24 * 60 * 60 = 15768000) * fixes #23957
10 years ago
Align recommended settings This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well. Fixes https://github.com/owncloud/core/issues/16673
11 years ago
All setup messages are now properly types
10 years ago
Merge tips & tricks section into setup checks Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
All setup messages are now properly types
10 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
All setup messages are now properly types
10 years ago
adviced should be advised Signed-off-by: Victor Goff <keeperotphones@gmail.com>
6 years ago
All setup messages are now properly types
10 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
All setup messages are now properly types
10 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
  1. /*
  2. * Copyright (c) 2014
  3. *
  4. * This file is licensed under the Affero General Public License version 3
  5. * or later.
  6. *
  7. * See the COPYING-README file.
  8. *
  9. */
  11. (function() {
  12. OC.SetupChecks = {
  14. /* Message types */
  15. MESSAGE_TYPE_INFO:0,
  16. MESSAGE_TYPE_WARNING:1,
  17. MESSAGE_TYPE_ERROR:2,
  18. /**
  19. * Check whether the WebDAV connection works.
  20. *
  21. * @return $.Deferred object resolved with an array of error messages
  22. */
  23. checkWebDAV: function() {
  24. var deferred = $.Deferred();
  25. var afterCall = function(xhr) {
  26. var messages = [];
  27. if (xhr.status !== 207 && xhr.status !== 401) {
  28. messages.push({
  29. msg: t('core', 'Your web server is not yet properly set up to allow file synchronization, because the WebDAV interface seems to be broken.'),
  30. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  31. });
  32. }
  33. deferred.resolve(messages);
  34. };
  36. $.ajax({
  37. type: 'PROPFIND',
  38. url: OC.linkToRemoteBase('webdav'),
  39. data: '<?xml version="1.0"?>' +
  40. '<d:propfind xmlns:d="DAV:">' +
  41. '<d:prop><d:resourcetype/></d:prop>' +
  42. '</d:propfind>',
  43. contentType: 'application/xml; charset=utf-8',
  44. complete: afterCall,
  45. allowAuthErrors: true
  46. });
  47. return deferred.promise();
  48. },
  50. /**
  51. * Check whether the .well-known URLs works.
  52. *
  53. * @param url the URL to test
  54. * @param placeholderUrl the placeholder URL - can be found at OC.theme.docPlaceholderUrl
  55. * @param {boolean} runCheck if this is set to false the check is skipped and no error is returned
  56. * @param {int|int[]} expectedStatus the expected HTTP status to be returned by the URL, 207 by default
  57. * @return $.Deferred object resolved with an array of error messages
  58. */
  59. checkWellKnownUrl: function(verb, url, placeholderUrl, runCheck, expectedStatus, checkCustomHeader) {
  60. if (expectedStatus === undefined) {
  61. expectedStatus = [207];
  62. }
  64. if (!Array.isArray(expectedStatus)) {
  65. expectedStatus = [expectedStatus];
  66. }
  68. var deferred = $.Deferred();
  70. if(runCheck === false) {
  71. deferred.resolve([]);
  72. return deferred.promise();
  73. }
  74. var afterCall = function(xhr) {
  75. var messages = [];
  76. var customWellKnown = xhr.getResponseHeader('X-NEXTCLOUD-WELL-KNOWN')
  77. if (expectedStatus.indexOf(xhr.status) === -1 || (checkCustomHeader && !customWellKnown)) {
  78. var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-setup-well-known-URL');
  79. messages.push({
  80. msg: t('core', 'Your web server is not properly set up to resolve "{url}". Further information can be found in the <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', { docLink: docUrl, url: url }),
  81. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  82. });
  83. }
  84. deferred.resolve(messages);
  85. };
  87. $.ajax({
  88. type: verb,
  89. url: url,
  90. complete: afterCall,
  91. allowAuthErrors: true
  92. });
  93. return deferred.promise();
  94. },
  97. /**
  98. * Check whether the .well-known URLs works.
  99. *
  100. * @param url the URL to test
  101. * @param placeholderUrl the placeholder URL - can be found at OC.theme.docPlaceholderUrl
  102. * @param {boolean} runCheck if this is set to false the check is skipped and no error is returned
  103. *
  104. * @return $.Deferred object resolved with an array of error messages
  105. */
  106. checkProviderUrl: function(url, placeholderUrl, runCheck) {
  107. var expectedStatus = [200];
  108. var deferred = $.Deferred();
  110. if(runCheck === false) {
  111. deferred.resolve([]);
  112. return deferred.promise();
  113. }
  114. var afterCall = function(xhr) {
  115. var messages = [];
  116. if (expectedStatus.indexOf(xhr.status) === -1) {
  117. var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-nginx');
  118. messages.push({
  119. msg: t('core', 'Your web server is not properly set up to resolve "{url}". This is most likely related to a web server configuration that was not updated to deliver this folder directly. Please compare your configuration against the shipped rewrite rules in ".htaccess" for Apache or the provided one in the documentation for Nginx at it\'s <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation page</a>. On Nginx those are typically the lines starting with "location ~" that need an update.', { docLink: docUrl, url: url }),
  120. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  121. });
  122. }
  123. deferred.resolve(messages);
  124. };
  126. $.ajax({
  127. type: 'GET',
  128. url: url,
  129. complete: afterCall,
  130. allowAuthErrors: true
  131. });
  132. return deferred.promise();
  133. },
  136. /**
  137. * Check whether the WOFF2 URLs works.
  138. *
  139. * @param url the URL to test
  140. * @param placeholderUrl the placeholder URL - can be found at OC.theme.docPlaceholderUrl
  141. * @return $.Deferred object resolved with an array of error messages
  142. */
  143. checkWOFF2Loading: function(url, placeholderUrl) {
  144. var deferred = $.Deferred();
  146. var afterCall = function(xhr) {
  147. var messages = [];
  148. if (xhr.status !== 200) {
  149. var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-nginx');
  150. messages.push({
  151. msg: t('core', 'Your web server is not properly set up to deliver .woff2 files. This is typically an issue with the Nginx configuration. For Nextcloud 15 it needs an adjustement to also deliver .woff2 files. Compare your Nginx configuration to the recommended configuration in our <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', { docLink: docUrl, url: url }),
  152. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  153. });
  154. }
  155. deferred.resolve(messages);
  156. };
  158. $.ajax({
  159. type: 'GET',
  160. url: url,
  161. complete: afterCall,
  162. allowAuthErrors: true
  163. });
  164. return deferred.promise();
  165. },
  167. /**
  168. * Runs setup checks on the server side
  169. *
  170. * @return $.Deferred object resolved with an array of error messages
  171. */
  172. checkSetup: function() {
  173. var deferred = $.Deferred();
  174. var afterCall = function(data, statusText, xhr) {
  175. var messages = [];
  176. if (xhr.status === 200 && data) {
  177. if (!data.isGetenvServerWorking) {
  178. messages.push({
  179. msg: t('core', 'PHP does not seem to be setup properly to query system environment variables. The test with getenv("PATH") only returns an empty response.') + ' ' +
  180. t(
  181. 'core',
  182. 'Please check the <a target="_blank" rel="noreferrer noopener" href="{docLink}">installation documentation ↗</a> for PHP configuration notes and the PHP configuration of your server, especially when using php-fpm.',
  183. {
  184. docLink: OC.theme.docPlaceholderUrl.replace('PLACEHOLDER', 'admin-php-fpm')
  185. }
  186. ),
  187. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  188. });
  189. }
  190. if (data.isReadOnlyConfig) {
  191. messages.push({
  192. msg: t('core', 'The read-only config has been enabled. This prevents setting some configurations via the web-interface. Furthermore, the file needs to be made writable manually for every update.'),
  193. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  194. });
  195. }
  196. if (!data.hasValidTransactionIsolationLevel) {
  197. messages.push({
  198. msg: t('core', 'Your database does not run with "READ COMMITTED" transaction isolation level. This can cause problems when multiple actions are executed in parallel.'),
  199. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  200. });
  201. }
  202. if(!data.hasFileinfoInstalled) {
  203. messages.push({
  204. msg: t('core', 'The PHP module "fileinfo" is missing. It is strongly recommended to enable this module to get the best results with MIME type detection.'),
  205. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  206. });
  207. }
  208. if(!data.hasWorkingFileLocking) {
  209. messages.push({
  210. msg: t('core', 'Transactional file locking is disabled, this might lead to issues with race conditions. Enable "filelocking.enabled" in config.php to avoid these problems. See the <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation ↗</a> for more information.', {docLink: OC.theme.docPlaceholderUrl.replace('PLACEHOLDER', 'admin-transactional-locking')}),
  211. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  212. });
  213. }
  214. if (data.suggestedOverwriteCliURL !== '') {
  215. messages.push({
  216. msg: t('core', 'If your installation is not installed at the root of the domain and uses system cron, there can be issues with the URL generation. To avoid these problems, please set the "overwrite.cli.url" option in your config.php file to the webroot path of your installation (suggestion: "{suggestedOverwriteCliURL}")', {suggestedOverwriteCliURL: data.suggestedOverwriteCliURL}),
  217. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  218. });
  219. }
  220. if (!data.isDefaultPhoneRegionSet) {
  221. messages.push({
  222. msg: t('core', 'Your installation has no default phone region set. This is required to validate phone numbers in the profile settings without a country code. To allow numbers without a country code, please add "default_phone_region" with the respective {linkstart}ISO 3166-1 code ↗{linkend} of the region to your config file.')
  223. .replace('{linkstart}', '<a target="_blank" rel="noreferrer noopener" class="external" href="https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements">')
  224. .replace('{linkend}', '</a>'),
  225. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  226. });
  227. }
  228. if (data.cronErrors.length > 0) {
  229. var listOfCronErrors = "";
  230. data.cronErrors.forEach(function(element){
  231. listOfCronErrors += "<li>";
  232. listOfCronErrors += element.error;
  233. listOfCronErrors += ' ';
  234. listOfCronErrors += element.hint;
  235. listOfCronErrors += "</li>";
  236. });
  237. messages.push({
  238. msg: t(
  239. 'core',
  240. 'It was not possible to execute the cron job via CLI. The following technical errors have appeared:'
  241. ) + "<ul>" + listOfCronErrors + "</ul>",
  242. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  243. })
  244. }
  245. if (data.cronInfo.diffInSeconds > 3600) {
  246. messages.push({
  247. msg: t('core', 'Last background job execution ran {relativeTime}. Something seems wrong.', {relativeTime: data.cronInfo.relativeTime}) +
  248. ' <a href="' + data.cronInfo.backgroundJobsUrl + '">' + t('core', 'Check the background job settings') + '</a>',
  249. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  250. });
  251. }
  252. if (data.serverHasInternetConnectionProblems) {
  253. messages.push({
  254. msg: t('core', 'This server has no working Internet connection: Multiple endpoints could not be reached. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. Establish a connection from this server to the Internet to enjoy all features.'),
  255. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  256. });
  257. }
  258. if(!data.isMemcacheConfigured) {
  259. messages.push({
  260. msg: t('core', 'No memory cache has been configured. To enhance performance, please configure a memcache, if available. Further information can be found in the <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', {docLink: data.memcacheDocs}),
  261. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  262. });
  263. }
  264. if(!data.isRandomnessSecure) {
  265. messages.push({
  266. msg: t('core', 'No suitable source for randomness found by PHP which is highly discouraged for security reasons. Further information can be found in the <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', {docLink: data.securityDocs}),
  267. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  268. });
  269. }
  270. if(data.isUsedTlsLibOutdated) {
  271. messages.push({
  272. msg: data.isUsedTlsLibOutdated,
  273. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  274. });
  275. }
  276. if (data.phpSupported && data.phpSupported.eol) {
  277. messages.push({
  278. msg: t('core', 'You are currently running PHP {version}. Upgrade your PHP version to take advantage of <a target="_blank" rel="noreferrer noopener" href="{phpLink}">performance and security updates provided by the PHP Group</a> as soon as your distribution supports it.', { version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php' }),
  279. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  280. })
  281. }
  282. if (data.phpSupported && data.phpSupported.version.substr(0, 3) === '7.2') {
  283. messages.push({
  284. msg: t('core', 'Nextcloud 20 is the last release supporting PHP 7.2. Nextcloud 21 requires at least PHP 7.3.'),
  285. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  286. })
  287. }
  288. if(!data.forwardedForHeadersWorking) {
  289. messages.push({
  290. msg: t('core', 'The reverse proxy header configuration is incorrect, or you are accessing Nextcloud from a trusted proxy. If not, this is a security issue and can allow an attacker to spoof their IP address as visible to the Nextcloud. Further information can be found in the <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', {docLink: data.reverseProxyDocs}),
  291. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  292. });
  293. }
  294. if(!data.isCorrectMemcachedPHPModuleInstalled) {
  295. messages.push({
  296. msg: t('core', 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the <a target="_blank" rel="noreferrer noopener" href="{wikiLink}">memcached wiki about both modules</a>.', {wikiLink: 'https://code.google.com/p/memcached/wiki/PHPClientComparison'}),
  297. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  298. });
  299. }
  300. if(!data.hasPassedCodeIntegrityCheck) {
  301. messages.push({
  302. msg: t(
  303. 'core',
  304. 'Some files have not passed the integrity check. Further information on how to resolve this issue can be found in the <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>. (<a href="{codeIntegrityDownloadEndpoint}">List of invalid files…</a> / <a href="{rescanEndpoint}">Rescan…</a>)',
  305. {
  306. docLink: data.codeIntegrityCheckerDocumentation,
  307. codeIntegrityDownloadEndpoint: OC.generateUrl('/settings/integrity/failed'),
  308. rescanEndpoint: OC.generateUrl('/settings/integrity/rescan?requesttoken={requesttoken}', {'requesttoken': OC.requestToken})
  309. }
  310. ),
  311. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  312. });
  313. }
  314. if(!data.hasOpcacheLoaded) {
  315. messages.push({
  316. msg: t(
  317. 'core',
  318. 'The PHP OPcache module is not loaded. <a target="_blank" rel="noreferrer noopener" href="{docLink}">For better performance it is recommended</a> to load it into your PHP installation.',
  319. {
  320. docLink: data.phpOpcacheDocumentation,
  321. }
  322. ),
  323. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  324. });
  325. } else if(!data.isOpcacheProperlySetup) {
  326. messages.push({
  327. msg: t(
  328. 'core',
  329. 'The PHP OPcache is not properly configured. <a target="_blank" rel="noreferrer noopener" href="{docLink}">For better performance it is recommended</a> to use the following settings in the <code>php.ini</code>:',
  330. {
  331. docLink: data.phpOpcacheDocumentation,
  332. }
  333. ) + "<pre><code>opcache.enable=1\nopcache.interned_strings_buffer=8\nopcache.max_accelerated_files=10000\nopcache.memory_consumption=128\nopcache.save_comments=1\nopcache.revalidate_freq=1</code></pre>",
  334. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  335. });
  336. }
  337. if(!data.isSettimelimitAvailable) {
  338. messages.push({
  339. msg: t(
  340. 'core',
  341. 'The PHP function "set_time_limit" is not available. This could result in scripts being halted mid-execution, breaking your installation. Enabling this function is strongly recommended.'),
  342. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  343. });
  344. }
  345. if (!data.hasFreeTypeSupport) {
  346. messages.push({
  347. msg: t(
  348. 'core',
  349. 'Your PHP does not have FreeType support, resulting in breakage of profile pictures and the settings interface.'
  350. ),
  351. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  352. })
  353. }
  354. if (data.missingIndexes.length > 0) {
  355. var listOfMissingIndexes = "";
  356. data.missingIndexes.forEach(function(element){
  357. listOfMissingIndexes += "<li>";
  358. listOfMissingIndexes += t('core', 'Missing index "{indexName}" in table "{tableName}".', element);
  359. listOfMissingIndexes += "</li>";
  360. });
  361. messages.push({
  362. msg: t(
  363. 'core',
  364. 'The database is missing some indexes. Due to the fact that adding indexes on big tables could take some time they were not added automatically. By running "occ db:add-missing-indices" those missing indexes could be added manually while the instance keeps running. Once the indexes are added queries to those tables are usually much faster.'
  365. ) + "<ul>" + listOfMissingIndexes + "</ul>",
  366. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  367. })
  368. }
  369. if (data.missingPrimaryKeys.length > 0) {
  370. var listOfMissingPrimaryKeys = "";
  371. data.missingPrimaryKeys.forEach(function(element){
  372. listOfMissingPrimaryKeys += "<li>";
  373. listOfMissingPrimaryKeys += t('core', 'Missing primary key on table "{tableName}".', element);
  374. listOfMissingPrimaryKeys += "</li>";
  375. });
  376. messages.push({
  377. msg: t(
  378. 'core',
  379. 'The database is missing some primary keys. Due to the fact that adding primary keys on big tables could take some time they were not added automatically. By running "occ db:add-missing-primary-keys" those missing primary keys could be added manually while the instance keeps running.'
  380. ) + "<ul>" + listOfMissingPrimaryKeys + "</ul>",
  381. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  382. })
  383. }
  384. if (data.missingColumns.length > 0) {
  385. var listOfMissingColumns = "";
  386. data.missingColumns.forEach(function(element){
  387. listOfMissingColumns += "<li>";
  388. listOfMissingColumns += t('core', 'Missing optional column "{columnName}" in table "{tableName}".', element);
  389. listOfMissingColumns += "</li>";
  390. });
  391. messages.push({
  392. msg: t(
  393. 'core',
  394. 'The database is missing some optional columns. Due to the fact that adding columns on big tables could take some time they were not added automatically when they can be optional. By running "occ db:add-missing-columns" those missing columns could be added manually while the instance keeps running. Once the columns are added some features might improve responsiveness or usability.'
  395. ) + "<ul>" + listOfMissingColumns + "</ul>",
  396. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  397. })
  398. }
  399. if (data.recommendedPHPModules.length > 0) {
  400. var listOfRecommendedPHPModules = "";
  401. data.recommendedPHPModules.forEach(function(element){
  402. listOfRecommendedPHPModules += "<li>" + element + "</li>";
  403. });
  404. messages.push({
  405. msg: t(
  406. 'core',
  407. 'This instance is missing some recommended PHP modules. For improved performance and better compatibility it is highly recommended to install them.'
  408. ) + "<ul><code>" + listOfRecommendedPHPModules + "</code></ul>",
  409. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  410. })
  411. }
  412. if (data.imageMagickLacksSVGSupport) {
  413. messages.push({
  414. msg: t(
  415. 'core',
  416. 'Module php-imagick in this instance has no SVG support. For better compatibility it is recommended to install it.'
  417. ),
  418. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  419. })
  420. }
  421. if (data.pendingBigIntConversionColumns.length > 0) {
  422. var listOfPendingBigIntConversionColumns = "";
  423. data.pendingBigIntConversionColumns.forEach(function(element){
  424. listOfPendingBigIntConversionColumns += "<li>" + element + "</li>";
  425. });
  426. messages.push({
  427. msg: t(
  428. 'core',
  429. 'Some columns in the database are missing a conversion to big int. Due to the fact that changing column types on big tables could take some time they were not changed automatically. By running \'occ db:convert-filecache-bigint\' those pending changes could be applied manually. This operation needs to be made while the instance is offline. For further details read <a target="_blank" rel="noreferrer noopener" href="{docLink}">the documentation page about this</a>.',
  430. {
  431. docLink: OC.theme.docPlaceholderUrl.replace('PLACEHOLDER', 'admin-bigint-conversion'),
  432. }
  433. ) + "<ul>" + listOfPendingBigIntConversionColumns + "</ul>",
  434. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  435. })
  436. }
  437. if (data.isSqliteUsed) {
  438. messages.push({
  439. msg: t(
  440. 'core',
  441. 'SQLite is currently being used as the backend database. For larger installations we recommend that you switch to a different database backend.'
  442. ) + ' ' + t('core', 'This is particularly recommended when using the desktop client for file synchronisation.') + ' ' +
  443. t(
  444. 'core',
  445. 'To migrate to another database use the command line tool: \'occ db:convert-type\', or see the <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation ↗</a>.',
  446. {
  447. docLink: data.databaseConversionDocumentation,
  448. }
  449. ),
  450. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  451. })
  452. }
  453. if (!data.isMemoryLimitSufficient) {
  454. messages.push({
  455. msg: t(
  456. 'core',
  457. 'The PHP memory limit is below the recommended value of 512MB.'
  458. ),
  459. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  460. })
  461. }
  463. if(data.appDirsWithDifferentOwner && data.appDirsWithDifferentOwner.length > 0) {
  464. var appDirsWithDifferentOwner = data.appDirsWithDifferentOwner.reduce(
  465. function(appDirsWithDifferentOwner, directory) {
  466. return appDirsWithDifferentOwner + '<li>' + directory + '</li>';
  467. },
  468. ''
  469. );
  470. messages.push({
  471. msg: t('core', 'Some app directories are owned by a different user than the web server one. ' +
  472. 'This may be the case if apps have been installed manually. ' +
  473. 'Check the permissions of the following app directories:')
  474. + '<ul>' + appDirsWithDifferentOwner + '</ul>',
  475. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  476. });
  477. }
  478. if (data.isMysqlUsedWithoutUTF8MB4) {
  479. messages.push({
  480. msg: t(
  481. 'core',
  482. 'MySQL is used as database but does not support 4-byte characters. To be able to handle 4-byte characters (like emojis) without issues in filenames or comments for example it is recommended to enable the 4-byte support in MySQL. For further details read <a target="_blank" rel="noreferrer noopener" href="{docLink}">the documentation page about this</a>.',
  483. {
  484. docLink: OC.theme.docPlaceholderUrl.replace('PLACEHOLDER', 'admin-mysql-utf8mb4'),
  485. }
  486. ),
  487. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  488. })
  489. }
  490. if (!data.isEnoughTempSpaceAvailableIfS3PrimaryStorageIsUsed) {
  491. messages.push({
  492. msg: t(
  493. 'core',
  494. 'This instance uses an S3 based object store as primary storage. The uploaded files are stored temporarily on the server and thus it is recommended to have 50 GB of free space available in the temp directory of PHP. Check the logs for full details about the path and the available space. To improve this please change the temporary directory in the php.ini or make more space available in that path.'
  495. ),
  496. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  497. })
  498. }
  499. if (window.location.protocol === 'http:' && data.reverseProxyGeneratedURL.split('/')[0] !== 'https:') {
  500. messages.push({
  501. msg: t(
  502. 'core',
  503. 'You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly. Please read <a target="_blank" rel="noreferrer noopener" href="{docLink}">the documentation page about this</a>.',
  504. {
  505. docLink: data.reverseProxyDocs
  506. }
  507. ),
  508. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  509. })
  510. }
  512. OC.SetupChecks.addGenericSetupCheck(data, 'OCA\\Settings\\SetupChecks\\PhpDefaultCharset', messages)
  513. OC.SetupChecks.addGenericSetupCheck(data, 'OCA\\Settings\\SetupChecks\\PhpOutputBuffering', messages)
  514. OC.SetupChecks.addGenericSetupCheck(data, 'OCA\\Settings\\SetupChecks\\LegacySSEKeyFormat', messages)
  515. OC.SetupChecks.addGenericSetupCheck(data, 'OCA\\Settings\\SetupChecks\\CheckUserCertificates', messages)
  516. OC.SetupChecks.addGenericSetupCheck(data, 'OCA\\Settings\\SetupChecks\\SupportedDatabase', messages)
  518. } else {
  519. messages.push({
  520. msg: t('core', 'Error occurred while checking server setup'),
  521. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  522. });
  523. }
  524. deferred.resolve(messages);
  525. };
  527. $.ajax({
  528. type: 'GET',
  529. url: OC.generateUrl('settings/ajax/checksetup'),
  530. allowAuthErrors: true
  531. }).then(afterCall, afterCall);
  532. return deferred.promise();
  533. },
  535. addGenericSetupCheck: function(data, check, messages) {
  536. var setupCheck = data[check] || { pass: true, description: '', severity: 'info', linkToDocumentation: null}
  538. var type = OC.SetupChecks.MESSAGE_TYPE_INFO
  539. if (setupCheck.severity === 'warning') {
  540. type = OC.SetupChecks.MESSAGE_TYPE_WARNING
  541. } else if (setupCheck.severity === 'error') {
  542. type = OC.SetupChecks.MESSAGE_TYPE_ERROR
  543. }
  545. var message = setupCheck.description;
  546. if (setupCheck.linkToDocumentation) {
  547. message += ' ' + t('core', 'For more details see the <a target="_blank" rel="noreferrer noopener" href="{docLink}">documentation</a>.', {docLink: setupCheck.linkToDocumentation});
  548. }
  549. if (setupCheck.elements) {
  550. message += '<br><ul>'
  551. setupCheck.elements.forEach(function(element){
  552. message += '<li>';
  553. message += element
  554. message += '</li>';
  555. });
  556. message += '</ul>'
  557. }
  559. if (!setupCheck.pass) {
  560. messages.push({
  561. msg: message,
  562. type: type,
  563. })
  564. }
  565. },
  567. /**
  568. * Runs generic checks on the server side, the difference to dedicated
  569. * methods is that we use the same XHR object for all checks to save
  570. * requests.
  571. *
  572. * @return $.Deferred object resolved with an array of error messages
  573. */
  574. checkGeneric: function() {
  575. var self = this;
  576. var deferred = $.Deferred();
  577. var afterCall = function(data, statusText, xhr) {
  578. var messages = [];
  579. messages = messages.concat(self._checkSecurityHeaders(xhr));
  580. messages = messages.concat(self._checkSSL(xhr));
  581. deferred.resolve(messages);
  582. };
  584. $.ajax({
  585. type: 'GET',
  586. url: OC.generateUrl('heartbeat'),
  587. allowAuthErrors: true
  588. }).then(afterCall, afterCall);
  590. return deferred.promise();
  591. },
  593. checkDataProtected: function() {
  594. var deferred = $.Deferred();
  595. if(oc_dataURL === false){
  596. return deferred.resolve([]);
  597. }
  598. var afterCall = function(xhr) {
  599. var messages = [];
  600. // .ocdata is an empty file in the data directory - if this is readable then the data dir is not protected
  601. if (xhr.status === 200 && xhr.responseText === '') {
  602. messages.push({
  603. msg: t('core', 'Your data directory and files are probably accessible from the Internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.'),
  604. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  605. });
  606. }
  607. deferred.resolve(messages);
  608. };
  610. $.ajax({
  611. type: 'GET',
  612. url: OC.linkTo('', oc_dataURL+'/.ocdata?t=' + (new Date()).getTime()),
  613. complete: afterCall,
  614. allowAuthErrors: true
  615. });
  616. return deferred.promise();
  617. },
  619. /**
  620. * Runs check for some generic security headers on the server side
  621. *
  622. * @param {Object} xhr
  623. * @return {Array} Array with error messages
  624. */
  625. _checkSecurityHeaders: function(xhr) {
  626. var messages = [];
  628. if (xhr.status === 200) {
  629. var securityHeaders = {
  630. 'X-Content-Type-Options': ['nosniff'],
  631. 'X-Robots-Tag': ['none'],
  632. 'X-Frame-Options': ['SAMEORIGIN', 'DENY'],
  633. 'X-Download-Options': ['noopen'],
  634. 'X-Permitted-Cross-Domain-Policies': ['none'],
  635. };
  636. for (var header in securityHeaders) {
  637. var option = securityHeaders[header][0];
  638. if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== option.toLowerCase()) {
  639. var msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
  640. if(xhr.getResponseHeader(header) && securityHeaders[header].length > 1 && xhr.getResponseHeader(header).toLowerCase() === securityHeaders[header][1].toLowerCase()) {
  641. msg = t('core', 'The "{header}" HTTP header is not set to "{expected}". Some features might not work correctly, as it is recommended to adjust this setting accordingly.', {header: header, expected: option});
  642. }
  643. messages.push({
  644. msg: msg,
  645. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  646. });
  647. }
  648. }
  650. var xssfields = xhr.getResponseHeader('X-XSS-Protection') ? xhr.getResponseHeader('X-XSS-Protection').split(';').map(function(item) { return item.trim(); }) : [];
  651. if (xssfields.length === 0 || xssfields.indexOf('1') === -1 || xssfields.indexOf('mode=block') === -1) {
  652. messages.push({
  653. msg: t('core', 'The "{header}" HTTP header doesn\'t contain "{expected}". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.',
  654. {
  655. header: 'X-XSS-Protection',
  656. expected: '1; mode=block'
  657. }),
  658. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  659. });
  660. }
  662. const referrerPolicy = xhr.getResponseHeader('Referrer-Policy')
  663. if (referrerPolicy === null || !/(no-referrer(-when-downgrade)?|strict-origin(-when-cross-origin)?|same-origin)(,|$)/.test(referrerPolicy)) {
  664. messages.push({
  665. msg: t('core', 'The "{header}" HTTP header is not set to "{val1}", "{val2}", "{val3}", "{val4}" or "{val5}". This can leak referer information. See the <a target="_blank" rel="noreferrer noopener" href="{link}">W3C Recommendation ↗</a>.',
  666. {
  667. header: 'Referrer-Policy',
  668. val1: 'no-referrer',
  669. val2: 'no-referrer-when-downgrade',
  670. val3: 'strict-origin',
  671. val4: 'strict-origin-when-cross-origin',
  672. val5: 'same-origin',
  673. link: 'https://www.w3.org/TR/referrer-policy/'
  674. }),
  675. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  676. })
  677. }
  678. } else {
  679. messages.push({
  680. msg: t('core', 'Error occurred while checking server setup'),
  681. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  682. });
  683. }
  685. return messages;
  686. },
  688. /**
  689. * Runs check for some SSL configuration issues on the server side
  690. *
  691. * @param {Object} xhr
  692. * @return {Array} Array with error messages
  693. */
  694. _checkSSL: function(xhr) {
  695. var messages = [];
  697. if (xhr.status === 200) {
  698. var tipsUrl = OC.theme.docPlaceholderUrl.replace('PLACEHOLDER', 'admin-security');
  699. if(OC.getProtocol() === 'https') {
  700. // Extract the value of 'Strict-Transport-Security'
  701. var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
  702. if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
  703. var firstComma = transportSecurityValidity.indexOf(";");
  704. if(firstComma !== -1) {
  705. transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);
  706. } else {
  707. transportSecurityValidity = transportSecurityValidity.substring(8);
  708. }
  709. }
  711. var minimumSeconds = 15552000;
  712. if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
  713. messages.push({
  714. msg: t('core', 'The "Strict-Transport-Security" HTTP header is not set to at least "{seconds}" seconds. For enhanced security, it is recommended to enable HSTS as described in the <a href="{docUrl}" rel="noreferrer noopener">security tips ↗</a>.', {'seconds': minimumSeconds, docUrl: tipsUrl}),
  715. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  716. });
  717. }
  718. } else {
  719. messages.push({
  720. msg: t('core', 'Accessing site insecurely via HTTP. You are strongly advised to set up your server to require HTTPS instead, as described in the <a href="{docUrl}">security tips ↗</a>.', {docUrl: tipsUrl}),
  721. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  722. });
  723. }
  724. } else {
  725. messages.push({
  726. msg: t('core', 'Error occurred while checking server setup'),
  727. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  728. });
  729. }
  731. return messages;
  732. }
  733. };
  734. })();