Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
30129 Commits
567 Branches
1162 Tags
4.1 GiB
Tree: f9aa5d2971
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f9aa5d2971'
${ noResults }
nextcloud-server/core/js/setupchecks.js

296 lines
11 KiB
Raw Normal View History

Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Allow setupchecks to specify a warning level
11 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
All setup messages are now properly types
11 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Add config switch to disable the .well-known URL check
10 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Add config switch to disable the .well-known URL check
10 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Add config switch to disable the .well-known URL check
10 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Show the well-known URL check as info instead of error * ref https://github.com/owncloud/core/pull/21562#issuecomment-170344549
10 years ago
Add check for .well-known URL in the root of the webservers URL * fixes #20012
10 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Check for working .htaccess via AJAX Fixes https://github.com/owncloud/core/issues/12650
11 years ago
All setup messages are now properly types
11 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Allow setupchecks to specify a warning level
11 years ago
add _blank to href
10 years ago
All setup messages are now properly types
11 years ago
Allow setupchecks to specify a warning level
11 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Add check for availability of /dev/urandom Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour. One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention.
11 years ago
All setup messages are now properly types
11 years ago
add _blank to href
10 years ago
All setup messages are now properly types
11 years ago
Add check for availability of /dev/urandom Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour. One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention.
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
All setup messages are now properly types
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Display warning in security & setup warnings if php version is EOL
11 years ago
Move remaining setupchecks to new fomat
10 years ago
add _blank to href
10 years ago
Move remaining setupchecks to new fomat
10 years ago
Display warning in security & setup warnings if php version is EOL
11 years ago
Add setup check for reverse proxy header configuration
11 years ago
Move remaining setupchecks to new fomat
10 years ago
add _blank to href
10 years ago
Move remaining setupchecks to new fomat
10 years ago
Add setup check for reverse proxy header configuration
11 years ago
[admin] check for correct PHP memcached module
10 years ago
add _blank to href
10 years ago
[admin] check for correct PHP memcached module
10 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
add _blank to href
10 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
All setup messages are now properly types
11 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Move data protection check to javascript fixes #20199
10 years ago
Add check for content The response may be a redirect which is always followed by jQuery. Thus leading to false positives depending on the server configuration (e.g. when it issues a 302) To prevent that there is also a check performed on the response content.
10 years ago
Move data protection check to javascript fixes #20199
10 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Add X-Download-Options and X-Permitted-Cross-Domain-Policies Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
10 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Add some generic default headers as well via PHP
11 years ago
All setup messages are now properly types
11 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
All setup messages are now properly types
11 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Align recommended settings This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well. Fixes https://github.com/owncloud/core/issues/16673
11 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Align recommended settings This aligns the recommended setting with the max-age of `15768000` as described in our documentation. Furthermore it fixes some logical problems with the code, unit tests has been added as well. Fixes https://github.com/owncloud/core/issues/16673
11 years ago
All setup messages are now properly types
11 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
All setup messages are now properly types
11 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
All setup messages are now properly types
11 years ago
Let users configure security headers in their Webserver Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
11 years ago
Moved WebDAV and internet checks to client side JS - Added setup checks in JavaScript - Moved isWebDAVWorking to JS using SetupChecks - Moved internet connection checks to an ajax call that goes through the server
12 years ago
  1. /*
  2. * Copyright (c) 2014
  3. *
  4. * This file is licensed under the Affero General Public License version 3
  5. * or later.
  6. *
  7. * See the COPYING-README file.
  8. *
  9. */
  11. (function() {
  12. OC.SetupChecks = {
  14. /* Message types */
  15. MESSAGE_TYPE_INFO:0,
  16. MESSAGE_TYPE_WARNING:1,
  17. MESSAGE_TYPE_ERROR:2,
  18. /**
  19. * Check whether the WebDAV connection works.
  20. *
  21. * @return $.Deferred object resolved with an array of error messages
  22. */
  23. checkWebDAV: function() {
  24. var deferred = $.Deferred();
  25. var afterCall = function(xhr) {
  26. var messages = [];
  27. if (xhr.status !== 207 && xhr.status !== 401) {
  28. messages.push({
  29. msg: t('core', 'Your web server is not yet set up properly to allow file synchronization because the WebDAV interface seems to be broken.'),
  30. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  31. });
  32. }
  33. deferred.resolve(messages);
  34. };
  36. $.ajax({
  37. type: 'PROPFIND',
  38. url: OC.linkToRemoteBase('webdav'),
  39. data: '<?xml version="1.0"?>' +
  40. '<d:propfind xmlns:d="DAV:">' +
  41. '<d:prop><d:resourcetype/></d:prop>' +
  42. '</d:propfind>',
  43. complete: afterCall
  44. });
  45. return deferred.promise();
  46. },
  48. /**
  49. * Check whether the .well-known URLs works.
  50. *
  51. * @param url the URL to test
  52. * @param placeholderUrl the placeholder URL - can be found at oc_defaults.docPlaceholderUrl
  53. * @param {boolean} runCheck if this is set to false the check is skipped and no error is returned
  54. * @return $.Deferred object resolved with an array of error messages
  55. */
  56. checkWellKnownUrl: function(url, placeholderUrl, runCheck) {
  57. var deferred = $.Deferred();
  59. if(runCheck === false) {
  60. deferred.resolve([]);
  61. return deferred.promise();
  62. }
  63. var afterCall = function(xhr) {
  64. var messages = [];
  65. if (xhr.status !== 207) {
  66. var docUrl = placeholderUrl.replace('PLACEHOLDER', 'admin-setup-well-known-URL');
  67. messages.push({
  68. msg: t('core', 'Your web server is not set up properly to resolve "{url}". Further information can be found in our <a target="_blank" href="{docLink}">documentation</a>.', { docLink: docUrl, url: url }),
  69. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  70. });
  71. }
  72. deferred.resolve(messages);
  73. };
  75. $.ajax({
  76. type: 'PROPFIND',
  77. url: url,
  78. complete: afterCall
  79. });
  80. return deferred.promise();
  81. },
  83. /**
  84. * Runs setup checks on the server side
  85. *
  86. * @return $.Deferred object resolved with an array of error messages
  87. */
  88. checkSetup: function() {
  89. var deferred = $.Deferred();
  90. var afterCall = function(data, statusText, xhr) {
  91. var messages = [];
  92. if (xhr.status === 200 && data) {
  93. if (!data.serverHasInternetConnection) {
  94. messages.push({
  95. msg: t('core', 'This server has no working Internet connection. This means that some of the features like mounting external storage, notifications about updates or installation of third-party apps will not work. Accessing files remotely and sending of notification emails might not work, either. We suggest to enable Internet connection for this server if you want to have all features.'),
  96. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  97. });
  98. }
  99. if(!data.isMemcacheConfigured) {
  100. messages.push({
  101. msg: t('core', 'No memory cache has been configured. To enhance your performance please configure a memcache if available. Further information can be found in our <a target="_blank" href="{docLink}">documentation</a>.', {docLink: data.memcacheDocs}),
  102. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  103. });
  104. }
  105. if(!data.isUrandomAvailable) {
  106. messages.push({
  107. msg: t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a target="_blank" href="{docLink}">documentation</a>.', {docLink: data.securityDocs}),
  108. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  109. });
  110. }
  111. if(data.isUsedTlsLibOutdated) {
  112. messages.push({
  113. msg: data.isUsedTlsLibOutdated,
  114. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  115. });
  116. }
  117. if(data.phpSupported && data.phpSupported.eol) {
  118. messages.push({
  119. msg: t('core', 'Your PHP version ({version}) is no longer <a target="_blank" href="{phpLink}">supported by PHP</a>. We encourage you to upgrade your PHP version to take advantage of performance and security updates provided by PHP.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}),
  120. type: OC.SetupChecks.MESSAGE_TYPE_INFO
  121. });
  122. }
  123. if(!data.forwardedForHeadersWorking) {
  124. messages.push({
  125. msg: t('core', 'The reverse proxy headers configuration is incorrect, or you are accessing ownCloud from a trusted proxy. If you are not accessing ownCloud from a trusted proxy, this is a security issue and can allow an attacker to spoof their IP address as visible to ownCloud. Further information can be found in our <a target="_blank" href="{docLink}">documentation</a>.', {docLink: data.reverseProxyDocs}),
  126. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  127. });
  128. }
  129. if(!data.isCorrectMemcachedPHPModuleInstalled) {
  130. messages.push({
  131. msg: t('core', 'Memcached is configured as distributed cache, but the wrong PHP module "memcache" is installed. \\OC\\Memcache\\Memcached only supports "memcached" and not "memcache". See the <a target="_blank" href="{wikiLink}">memcached wiki about both modules</a>.', {wikiLink: 'https://code.google.com/p/memcached/wiki/PHPClientComparison'}),
  132. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  133. });
  134. }
  135. if(!data.hasPassedCodeIntegrityCheck) {
  136. messages.push({
  137. msg: t(
  138. 'core',
  139. 'Some files have not passed the integrity check. Further information on how to resolve this issue can be found in our <a target="_blank" href="{docLink}">documentation</a>. (<a href="{codeIntegrityDownloadEndpoint}">List of invalid files…</a> / <a href="{rescanEndpoint}">Rescan…</a>)',
  140. {
  141. docLink: data.codeIntegrityCheckerDocumentation,
  142. codeIntegrityDownloadEndpoint: OC.generateUrl('/settings/integrity/failed'),
  143. rescanEndpoint: OC.generateUrl('/settings/integrity/rescan?requesttoken={requesttoken}', {'requesttoken': OC.requestToken})
  144. }
  145. ),
  146. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  147. });
  148. }
  149. } else {
  150. messages.push({
  151. msg: t('core', 'Error occurred while checking server setup'),
  152. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  153. });
  154. }
  155. deferred.resolve(messages);
  156. };
  158. $.ajax({
  159. type: 'GET',
  160. url: OC.generateUrl('settings/ajax/checksetup')
  161. }).then(afterCall, afterCall);
  162. return deferred.promise();
  163. },
  165. /**
  166. * Runs generic checks on the server side, the difference to dedicated
  167. * methods is that we use the same XHR object for all checks to save
  168. * requests.
  169. *
  170. * @return $.Deferred object resolved with an array of error messages
  171. */
  172. checkGeneric: function() {
  173. var self = this;
  174. var deferred = $.Deferred();
  175. var afterCall = function(data, statusText, xhr) {
  176. var messages = [];
  177. messages = messages.concat(self._checkSecurityHeaders(xhr));
  178. messages = messages.concat(self._checkSSL(xhr));
  179. deferred.resolve(messages);
  180. };
  182. $.ajax({
  183. type: 'GET',
  184. url: OC.generateUrl('heartbeat')
  185. }).then(afterCall, afterCall);
  187. return deferred.promise();
  188. },
  190. checkDataProtected: function() {
  191. var deferred = $.Deferred();
  192. if(oc_dataURL === false){
  193. return deferred.resolve([]);
  194. }
  195. var afterCall = function(xhr) {
  196. var messages = [];
  197. if (xhr.status !== 403 && xhr.status !== 307 && xhr.status !== 301 && xhr.responseText === '') {
  198. messages.push({
  199. msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'),
  200. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  201. });
  202. }
  203. deferred.resolve(messages);
  204. };
  206. $.ajax({
  207. type: 'GET',
  208. url: OC.linkTo('', oc_dataURL+'/.ocdata'),
  209. complete: afterCall
  210. });
  211. return deferred.promise();
  212. },
  214. /**
  215. * Runs check for some generic security headers on the server side
  216. *
  217. * @param {Object} xhr
  218. * @return {Array} Array with error messages
  219. */
  220. _checkSecurityHeaders: function(xhr) {
  221. var messages = [];
  223. if (xhr.status === 200) {
  224. var securityHeaders = {
  225. 'X-XSS-Protection': '1; mode=block',
  226. 'X-Content-Type-Options': 'nosniff',
  227. 'X-Robots-Tag': 'none',
  228. 'X-Frame-Options': 'SAMEORIGIN',
  229. 'X-Download-Options': 'noopen',
  230. 'X-Permitted-Cross-Domain-Policies': 'none',
  231. };
  233. for (var header in securityHeaders) {
  234. if(!xhr.getResponseHeader(header) || xhr.getResponseHeader(header).toLowerCase() !== securityHeaders[header].toLowerCase()) {
  235. messages.push({
  236. msg: t('core', 'The "{header}" HTTP header is not configured to equal to "{expected}". This is a potential security or privacy risk and we recommend adjusting this setting.', {header: header, expected: securityHeaders[header]}),
  237. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  238. });
  239. }
  240. }
  241. } else {
  242. messages.push({
  243. msg: t('core', 'Error occurred while checking server setup'),
  244. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  245. });
  246. }
  248. return messages;
  249. },
  251. /**
  252. * Runs check for some SSL configuration issues on the server side
  253. *
  254. * @param {Object} xhr
  255. * @return {Array} Array with error messages
  256. */
  257. _checkSSL: function(xhr) {
  258. var messages = [];
  260. if (xhr.status === 200) {
  261. if(OC.getProtocol() === 'https') {
  262. // Extract the value of 'Strict-Transport-Security'
  263. var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
  264. if(transportSecurityValidity !== null && transportSecurityValidity.length > 8) {
  265. var firstComma = transportSecurityValidity.indexOf(";");
  266. if(firstComma !== -1) {
  267. transportSecurityValidity = transportSecurityValidity.substring(8, firstComma);
  268. } else {
  269. transportSecurityValidity = transportSecurityValidity.substring(8);
  270. }
  271. }
  273. var minimumSeconds = 15768000;
  274. if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
  275. messages.push({
  276. msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}">security tips</a>.', {'seconds': minimumSeconds, docUrl: '#admin-tips'}),
  277. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  278. });
  279. }
  280. } else {
  281. messages.push({
  282. msg: t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.', {docUrl: '#admin-tips'}),
  283. type: OC.SetupChecks.MESSAGE_TYPE_WARNING
  284. });
  285. }
  286. } else {
  287. messages.push({
  288. msg: t('core', 'Error occurred while checking server setup'),
  289. type: OC.SetupChecks.MESSAGE_TYPE_ERROR
  290. });
  291. }
  293. return messages;
  294. }
  295. };
  296. })();