diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000000000..b18b31297838c
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,49 @@
+localhost {
+ php_server {
+ worker index.php
+ }
+
+ log {
+ level ERROR
+ output stderr
+ }
+
+ encode gzip
+
+ redir /.well-known/carddav /remote.php/dav 301
+ redir /.well-known/caldav /remote.php/dav 301
+
+ # Rule: Maps most RFC 8615 compliant well-known URIs to our main frontend controller (/index.php) by default
+ @wellKnown {
+ path "/.well-known/"
+ not {
+ path /.well-known/acme-challenge
+ path /.well-known/pki-validation
+ }
+ }
+ rewrite @wellKnown /index.php
+
+ rewrite /ocm-provider/ /index.php
+
+ @forbidden {
+ path /.htaccess
+ path /data/*
+ path /config/*
+ path /db_structure
+ path /.xml
+ path /README
+ path /3rdparty/*
+ path /lib/*
+ path /templates/*
+ path /occ
+ path /build
+ path /tests
+ path /console.php
+ path /autotest
+ path /issue
+ path /indi
+ path /db_
+ path /console
+ }
+ respond @forbidden 404
+}
diff --git a/apps/testing/appinfo/info.xml b/apps/testing/appinfo/info.xml
index 12cf4c51e22e2..cb7d0a31c8e89 100644
--- a/apps/testing/appinfo/info.xml
+++ b/apps/testing/appinfo/info.xml
@@ -16,6 +16,11 @@
+
+
+ OCA\Testing\Command\StaticHunt
+
+
monitoring
https://github.com/nextcloud/server/issues
diff --git a/apps/testing/composer/composer/autoload_classmap.php b/apps/testing/composer/composer/autoload_classmap.php
index ad50a15224a02..ee7424a0ea809 100644
--- a/apps/testing/composer/composer/autoload_classmap.php
+++ b/apps/testing/composer/composer/autoload_classmap.php
@@ -9,6 +9,7 @@
'Composer\\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php',
'OCA\\Testing\\AlternativeHomeUserBackend' => $baseDir . '/../lib/AlternativeHomeUserBackend.php',
'OCA\\Testing\\AppInfo\\Application' => $baseDir . '/../lib/AppInfo/Application.php',
+ 'OCA\\Testing\\Command\\StaticHunt' => $baseDir . '/../lib/Command/StaticHunt.php',
'OCA\\Testing\\Controller\\ConfigController' => $baseDir . '/../lib/Controller/ConfigController.php',
'OCA\\Testing\\Controller\\LockingController' => $baseDir . '/../lib/Controller/LockingController.php',
'OCA\\Testing\\Controller\\RateLimitTestController' => $baseDir . '/../lib/Controller/RateLimitTestController.php',
diff --git a/apps/testing/composer/composer/autoload_static.php b/apps/testing/composer/composer/autoload_static.php
index d3e37546416a3..9ea8e6dc0a8f0 100644
--- a/apps/testing/composer/composer/autoload_static.php
+++ b/apps/testing/composer/composer/autoload_static.php
@@ -24,6 +24,7 @@ class ComposerStaticInitTesting
'Composer\\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
'OCA\\Testing\\AlternativeHomeUserBackend' => __DIR__ . '/..' . '/../lib/AlternativeHomeUserBackend.php',
'OCA\\Testing\\AppInfo\\Application' => __DIR__ . '/..' . '/../lib/AppInfo/Application.php',
+ 'OCA\\Testing\\Command\\StaticHunt' => __DIR__ . '/..' . '/../lib/Command/StaticHunt.php',
'OCA\\Testing\\Controller\\ConfigController' => __DIR__ . '/..' . '/../lib/Controller/ConfigController.php',
'OCA\\Testing\\Controller\\LockingController' => __DIR__ . '/..' . '/../lib/Controller/LockingController.php',
'OCA\\Testing\\Controller\\RateLimitTestController' => __DIR__ . '/..' . '/../lib/Controller/RateLimitTestController.php',
diff --git a/apps/testing/lib/Command/StaticHunt.php b/apps/testing/lib/Command/StaticHunt.php
new file mode 100644
index 0000000000000..2ee6f9b5d9fbe
--- /dev/null
+++ b/apps/testing/lib/Command/StaticHunt.php
@@ -0,0 +1,110 @@
+setName('testing:static-hunt')
+ ->setDescription('Hunt for static properties in classes');
+ }
+
+
+ protected function execute(InputInterface $input, OutputInterface $output): int {
+ $folders = [
+ '' => __DIR__ . '/../../../../lib/private/legacy',
+ '\\OC' => __DIR__ . '/../../../../lib/private',
+ '\\OC\\Core' => __DIR__ . '/../../../../core',
+ ];
+ $apps = $this->appManager->getAllAppsInAppsFolders();
+ foreach ($apps as $app) {
+ $info = $this->appManager->getAppInfo($app);
+ if (!isset($info['namespace'])) {
+ continue;
+ }
+ $folders['\\OCA\\' . $info['namespace']] = $this->appManager->getAppPath($app) . '/lib';
+ }
+ $stats = [
+ 'classes' => 0,
+ 'properties' => 0,
+ ];
+ foreach ($folders as $namespace => $folder) {
+ $this->scanFolder($folder, $namespace, $output, $stats);
+ }
+
+ $output->writeln('Found ' . $stats['properties'] . ' static properties spread among ' . $stats['classes'] . ' classes');
+
+ return 0;
+ }
+
+ private function scanFolder(string $folder, string $namespace, OutputInterface $output, array &$stats): void {
+ $folder = realpath($folder);
+ $output->writeln('Folder ' . $folder, OutputInterface::VERBOSITY_VERBOSE);
+ foreach ($this->recursiveGlob($folder) as $filename) {
+ try {
+ $filename = realpath($filename);
+ if (($namespace === '\\OC') && str_contains($filename, 'lib/private/legacy')) {
+ // Skip legacy in OC as it’s scanned with an empty namespace separately
+ continue;
+ }
+ foreach (self::SKIP_REGEX as $skipRegex) {
+ if (preg_match($skipRegex, $filename)) {
+ continue 2;
+ }
+ }
+ $classname = $namespace . substr(str_replace('/', '\\', substr($filename, strlen($folder))), 0, -4);
+ $output->writeln('Class ' . $classname, OutputInterface::VERBOSITY_VERBOSE);
+ if (!class_exists($classname)) {
+ continue;
+ }
+ $rClass = new \ReflectionClass($classname);
+ $staticProperties = $rClass->getStaticProperties();
+ if (empty($staticProperties)) {
+ continue;
+ }
+ $stats['classes']++;
+ $output->writeln('# ' . str_replace(\OC::$SERVERROOT, '', $filename) . " $classname");
+ foreach ($staticProperties as $property => $value) {
+ $propertyObject = $rClass->getProperty($property);
+ $stats['properties']++;
+ $output->write("$propertyObject");
+ }
+ $output->writeln('');
+ } catch (\Throwable $t) {
+ $output->writeln("$t");
+ }
+ }
+ }
+
+ private function recursiveGlob(string $path, int $depth = 1): \Generator {
+ $pattern = $path . str_repeat('/*', $depth);
+ yield from glob($pattern . '.php');
+ if (!empty(glob($pattern, GLOB_ONLYDIR))) {
+ yield from $this->recursiveGlob($path, $depth + 1);
+ }
+ }
+}
diff --git a/index.php b/index.php
index b368462371d40..9c9fb7bc9823e 100644
--- a/index.php
+++ b/index.php
@@ -10,6 +10,7 @@
require_once __DIR__ . '/lib/versioncheck.php';
+use OC\Files\Filesystem;
use OC\ServiceUnavailableException;
use OC\User\LoginException;
use OCP\HintException;
@@ -19,90 +20,124 @@
use OCP\Template\ITemplateManager;
use Psr\Log\LoggerInterface;
-try {
- require_once __DIR__ . '/lib/base.php';
+require_once __DIR__ . '/lib/OC.php';
- OC::handleRequest();
-} catch (ServiceUnavailableException $ex) {
- Server::get(LoggerInterface::class)->error($ex->getMessage(), [
- 'app' => 'index',
- 'exception' => $ex,
- ]);
+\OC::boot();
- //show the user a detailed error page
- Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 503);
-} catch (HintException $ex) {
+function cleanupStaticCrap(): void {
+ // FIXME needed because these use a static var
+ \OC_Hook::clear();
+ \OC_Util::$styles = [];
+ \OC_Util::$headers = [];
+ \OC_User::setIncognitoMode(false);
+ \OC_User::$_setupedBackends = [];
+ \OC_App::reset();
+ \OC_Helper::reset();
+ Filesystem::reset();
+}
+
+$handler = static function () {
try {
- Server::get(ITemplateManager::class)->printErrorPage($ex->getMessage(), $ex->getHint(), 503);
- } catch (Exception $ex2) {
+ cleanupStaticCrap();
+ OC::init();
+ OC::handleRequest();
+ } catch (ServiceUnavailableException $ex) {
+ Server::get(LoggerInterface::class)->error($ex->getMessage(), [
+ 'app' => 'index',
+ 'exception' => $ex,
+ ]);
+
+ //show the user a detailed error page
+ Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 503);
+ } catch (HintException $ex) {
+ try {
+ Server::get(ITemplateManager::class)->printErrorPage($ex->getMessage(), $ex->getHint(), 503);
+ } catch (Exception $ex2) {
+ try {
+ Server::get(LoggerInterface::class)->error($ex->getMessage(), [
+ 'app' => 'index',
+ 'exception' => $ex,
+ ]);
+ Server::get(LoggerInterface::class)->error($ex2->getMessage(), [
+ 'app' => 'index',
+ 'exception' => $ex2,
+ ]);
+ } catch (Throwable $e) {
+ // no way to log it properly - but to avoid a white page of death we try harder and ignore this one here
+ }
+
+ //show the user a detailed error page
+ Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 500);
+ }
+ } catch (LoginException $ex) {
+ $request = Server::get(IRequest::class);
+ /**
+ * Routes with the @CORS annotation and other API endpoints should
+ * not return a webpage, so we only print the error page when html is accepted,
+ * otherwise we reply with a JSON array like the SecurityMiddleware would do.
+ */
+ if (stripos($request->getHeader('Accept'), 'html') === false) {
+ http_response_code(401);
+ header('Content-Type: application/json; charset=utf-8');
+ echo json_encode(['message' => $ex->getMessage()]);
+ exit();
+ }
+ Server::get(ITemplateManager::class)->printErrorPage($ex->getMessage(), $ex->getMessage(), 401);
+ } catch (MaxDelayReached $ex) {
+ $request = Server::get(IRequest::class);
+ /**
+ * Routes with the @CORS annotation and other API endpoints should
+ * not return a webpage, so we only print the error page when html is accepted,
+ * otherwise we reply with a JSON array like the BruteForceMiddleware would do.
+ */
+ if (stripos($request->getHeader('Accept'), 'html') === false) {
+ http_response_code(429);
+ header('Content-Type: application/json; charset=utf-8');
+ echo json_encode(['message' => $ex->getMessage()]);
+ exit();
+ }
+ http_response_code(429);
+ Server::get(ITemplateManager::class)->printGuestPage('core', '429');
+ } catch (Exception $ex) {
+ Server::get(LoggerInterface::class)->error($ex->getMessage(), [
+ 'app' => 'index',
+ 'exception' => $ex,
+ ]);
+
+ //show the user a detailed error page
+ Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 500);
+ } catch (Error $ex) {
try {
Server::get(LoggerInterface::class)->error($ex->getMessage(), [
'app' => 'index',
'exception' => $ex,
]);
- Server::get(LoggerInterface::class)->error($ex2->getMessage(), [
- 'app' => 'index',
- 'exception' => $ex2,
- ]);
- } catch (Throwable $e) {
- // no way to log it properly - but to avoid a white page of death we try harder and ignore this one here
- }
+ } catch (Error $e) {
+ http_response_code(500);
+ header('Content-Type: text/plain; charset=utf-8');
+ print("Internal Server Error\n\n");
+ print("The server encountered an internal error and was unable to complete your request.\n");
+ print("Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.\n");
+ print("More details can be found in the webserver log.\n");
- //show the user a detailed error page
+ throw $ex;
+ }
Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 500);
}
-} catch (LoginException $ex) {
- $request = Server::get(IRequest::class);
- /**
- * Routes with the @CORS annotation and other API endpoints should
- * not return a webpage, so we only print the error page when html is accepted,
- * otherwise we reply with a JSON array like the SecurityMiddleware would do.
- */
- if (stripos($request->getHeader('Accept'), 'html') === false) {
- http_response_code(401);
- header('Content-Type: application/json; charset=utf-8');
- echo json_encode(['message' => $ex->getMessage()]);
- exit();
- }
- Server::get(ITemplateManager::class)->printErrorPage($ex->getMessage(), $ex->getMessage(), 401);
-} catch (MaxDelayReached $ex) {
- $request = Server::get(IRequest::class);
- /**
- * Routes with the @CORS annotation and other API endpoints should
- * not return a webpage, so we only print the error page when html is accepted,
- * otherwise we reply with a JSON array like the BruteForceMiddleware would do.
- */
- if (stripos($request->getHeader('Accept'), 'html') === false) {
- http_response_code(429);
- header('Content-Type: application/json; charset=utf-8');
- echo json_encode(['message' => $ex->getMessage()]);
- exit();
- }
- http_response_code(429);
- Server::get(ITemplateManager::class)->printGuestPage('core', '429');
-} catch (Exception $ex) {
- Server::get(LoggerInterface::class)->error($ex->getMessage(), [
- 'app' => 'index',
- 'exception' => $ex,
- ]);
+};
- //show the user a detailed error page
- Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 500);
-} catch (Error $ex) {
- try {
- Server::get(LoggerInterface::class)->error($ex->getMessage(), [
- 'app' => 'index',
- 'exception' => $ex,
- ]);
- } catch (Error $e) {
- http_response_code(500);
- header('Content-Type: text/plain; charset=utf-8');
- print("Internal Server Error\n\n");
- print("The server encountered an internal error and was unable to complete your request.\n");
- print("Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.\n");
- print("More details can be found in the webserver log.\n");
+if (function_exists('frankenphp_handle_request') && isset($_SERVER['FRANKENPHP_WORKER']) && $_SERVER['FRANKENPHP_WORKER'] === '1') {
+ $maxRequests = (int)($_SERVER['MAX_REQUESTS'] ?? 0);
+ for ($nbRequests = 0; !$maxRequests || $nbRequests < $maxRequests; ++$nbRequests) {
+ $keepRunning = \frankenphp_handle_request($handler);
- throw $ex;
+ // Call the garbage collector to reduce the chances of it being triggered in the middle of a page generation
+ gc_collect_cycles();
+
+ if (!$keepRunning) {
+ break;
+ }
}
- Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 500);
+} else {
+ $handler();
}
diff --git a/lib/OC.php b/lib/OC.php
new file mode 100644
index 0000000000000..273ba0b3b49df
--- /dev/null
+++ b/lib/OC.php
@@ -0,0 +1,1326 @@
+ [
+ 'SCRIPT_NAME' => $_SERVER['SCRIPT_NAME'] ?? null,
+ 'SCRIPT_FILENAME' => $_SERVER['SCRIPT_FILENAME'] ?? null,
+ ],
+ ];
+ if (isset($_SERVER['REMOTE_ADDR'])) {
+ $params['server']['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
+ }
+ $fakeRequest = new \OC\AppFramework\Http\Request(
+ $params,
+ new \OC\AppFramework\Http\RequestId($_SERVER['UNIQUE_ID'] ?? '', new \OC\Security\SecureRandom()),
+ new \OC\AllConfig(new \OC\SystemConfig(self::$config))
+ );
+ $scriptName = $fakeRequest->getScriptName();
+ if (substr($scriptName, -1) == '/') {
+ $scriptName .= 'index.php';
+ //make sure suburi follows the same rules as scriptName
+ if (substr(OC::$SUBURI, -9) !== 'index.php') {
+ if (substr(OC::$SUBURI, -1) !== '/') {
+ OC::$SUBURI = OC::$SUBURI . '/';
+ }
+ OC::$SUBURI = OC::$SUBURI . 'index.php';
+ }
+ }
+
+ if (OC::$CLI) {
+ OC::$WEBROOT = self::$config->getValue('overwritewebroot', '');
+ } else {
+ if (substr($scriptName, 0 - strlen(OC::$SUBURI)) === OC::$SUBURI) {
+ OC::$WEBROOT = substr($scriptName, 0, 0 - strlen(OC::$SUBURI));
+
+ if (OC::$WEBROOT !== '' && OC::$WEBROOT[0] !== '/') {
+ OC::$WEBROOT = '/' . OC::$WEBROOT;
+ }
+ } else {
+ // The scriptName is not ending with OC::$SUBURI
+ // This most likely means that we are calling from CLI.
+ // However some cron jobs still need to generate
+ // a web URL, so we use overwritewebroot as a fallback.
+ OC::$WEBROOT = self::$config->getValue('overwritewebroot', '');
+ }
+
+ // Resolve /nextcloud to /nextcloud/ to ensure to always have a trailing
+ // slash which is required by URL generation.
+ if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] === \OC::$WEBROOT
+ && substr($_SERVER['REQUEST_URI'], -1) !== '/') {
+ header('Location: ' . \OC::$WEBROOT . '/');
+ exit();
+ }
+ }
+
+ // search the apps folder
+ $config_paths = self::$config->getValue('apps_paths', []);
+ if (!empty($config_paths)) {
+ foreach ($config_paths as $paths) {
+ if (isset($paths['url']) && isset($paths['path'])) {
+ $paths['url'] = rtrim($paths['url'], '/');
+ $paths['path'] = rtrim($paths['path'], '/');
+ OC::$APPSROOTS[] = $paths;
+ }
+ }
+ } elseif (file_exists(OC::$SERVERROOT . '/apps')) {
+ OC::$APPSROOTS[] = ['path' => OC::$SERVERROOT . '/apps', 'url' => '/apps', 'writable' => true];
+ }
+
+ if (empty(OC::$APPSROOTS)) {
+ throw new \RuntimeException('apps directory not found! Please put the Nextcloud apps folder in the Nextcloud folder'
+ . '. You can also configure the location in the config.php file.');
+ }
+ $paths = [];
+ foreach (OC::$APPSROOTS as $path) {
+ $paths[] = $path['path'];
+ if (!is_dir($path['path'])) {
+ throw new \RuntimeException(sprintf('App directory "%s" not found! Please put the Nextcloud apps folder in the'
+ . ' Nextcloud folder. You can also configure the location in the config.php file.', $path['path']));
+ }
+ }
+
+ // set the right include path
+ set_include_path(
+ implode(PATH_SEPARATOR, $paths)
+ );
+ }
+
+ public static function checkConfig(): void {
+ // Create config if it does not already exist
+ $configFilePath = self::$configDir . '/config.php';
+ if (!file_exists($configFilePath)) {
+ @touch($configFilePath);
+ }
+
+ // Check if config is writable
+ $configFileWritable = is_writable($configFilePath);
+ $configReadOnly = Server::get(IConfig::class)->getSystemValueBool('config_is_read_only');
+ if (!$configFileWritable && !$configReadOnly
+ || !$configFileWritable && \OCP\Util::needUpgrade()) {
+ $urlGenerator = Server::get(IURLGenerator::class);
+ $l = Server::get(\OCP\L10N\IFactory::class)->get('lib');
+
+ if (self::$CLI) {
+ echo $l->t('Cannot write into "config" directory!') . "\n";
+ echo $l->t('This can usually be fixed by giving the web server write access to the config directory.') . "\n";
+ echo "\n";
+ echo $l->t('But, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.') . "\n";
+ echo $l->t('See %s', [ $urlGenerator->linkToDocs('admin-config') ]) . "\n";
+ exit;
+ } else {
+ Server::get(ITemplateManager::class)->printErrorPage(
+ $l->t('Cannot write into "config" directory!'),
+ $l->t('This can usually be fixed by giving the web server write access to the config directory.') . ' '
+ . $l->t('But, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.') . ' '
+ . $l->t('See %s', [ $urlGenerator->linkToDocs('admin-config') ]),
+ 503
+ );
+ }
+ }
+ }
+
+ public static function checkInstalled(\OC\SystemConfig $systemConfig): void {
+ if (defined('OC_CONSOLE')) {
+ return;
+ }
+ // Redirect to installer if not installed
+ if (!$systemConfig->getValue('installed', false) && OC::$SUBURI !== '/index.php' && OC::$SUBURI !== '/status.php') {
+ if (OC::$CLI) {
+ throw new Exception('Not installed');
+ } else {
+ $url = OC::$WEBROOT . '/index.php';
+ header('Location: ' . $url);
+ }
+ exit();
+ }
+ }
+
+ public static function checkMaintenanceMode(\OC\SystemConfig $systemConfig): void {
+ // Allow ajax update script to execute without being stopped
+ if (((bool)$systemConfig->getValue('maintenance', false)) && OC::$SUBURI !== '/core/ajax/update.php') {
+ // send http status 503
+ http_response_code(503);
+ header('X-Nextcloud-Maintenance-Mode: 1');
+ header('Retry-After: 120');
+
+ // render error page
+ $template = Server::get(ITemplateManager::class)->getTemplate('', 'update.user', 'guest');
+ \OCP\Util::addScript('core', 'maintenance');
+ \OCP\Util::addScript('core', 'common');
+ \OCP\Util::addStyle('core', 'guest');
+ $template->printPage();
+ die();
+ }
+ }
+
+ /**
+ * Prints the upgrade page
+ */
+ private static function printUpgradePage(\OC\SystemConfig $systemConfig): void {
+ $cliUpgradeLink = $systemConfig->getValue('upgrade.cli-upgrade-link', '');
+ $disableWebUpdater = $systemConfig->getValue('upgrade.disable-web', false);
+ $tooBig = false;
+ if (!$disableWebUpdater) {
+ $apps = Server::get(\OCP\App\IAppManager::class);
+ if ($apps->isEnabledForAnyone('user_ldap')) {
+ $qb = Server::get(\OCP\IDBConnection::class)->getQueryBuilder();
+
+ $result = $qb->select($qb->func()->count('*', 'user_count'))
+ ->from('ldap_user_mapping')
+ ->executeQuery();
+ $row = $result->fetch();
+ $result->closeCursor();
+
+ $tooBig = ($row['user_count'] > 50);
+ }
+ if (!$tooBig && $apps->isEnabledForAnyone('user_saml')) {
+ $qb = Server::get(\OCP\IDBConnection::class)->getQueryBuilder();
+
+ $result = $qb->select($qb->func()->count('*', 'user_count'))
+ ->from('user_saml_users')
+ ->executeQuery();
+ $row = $result->fetch();
+ $result->closeCursor();
+
+ $tooBig = ($row['user_count'] > 50);
+ }
+ if (!$tooBig) {
+ // count users
+ $totalUsers = Server::get(\OCP\IUserManager::class)->countUsersTotal(51);
+ $tooBig = ($totalUsers > 50);
+ }
+ }
+ $ignoreTooBigWarning = isset($_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup'])
+ && $_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup'] === 'IAmSuperSureToDoThis';
+
+ Util::addTranslations('core');
+ Util::addScript('core', 'common');
+ Util::addScript('core', 'main');
+ Util::addScript('core', 'update');
+
+ $initialState = Server::get(IInitialStateService::class);
+ $serverVersion = Server::get(\OCP\ServerVersion::class);
+ if ($disableWebUpdater || ($tooBig && !$ignoreTooBigWarning)) {
+ // send http status 503
+ http_response_code(503);
+ header('Retry-After: 120');
+
+ $urlGenerator = Server::get(IURLGenerator::class);
+ $initialState->provideInitialState('core', 'updaterView', 'adminCli');
+ $initialState->provideInitialState('core', 'updateInfo', [
+ 'cliUpgradeLink' => $cliUpgradeLink ?: $urlGenerator->linkToDocs('admin-cli-upgrade'),
+ 'productName' => self::getProductName(),
+ 'version' => $serverVersion->getVersionString(),
+ 'tooBig' => $tooBig,
+ ]);
+
+ // render error page
+ Server::get(ITemplateManager::class)
+ ->getTemplate('', 'update', 'guest')
+ ->printPage();
+ die();
+ }
+
+ // check whether this is a core update or apps update
+ $installedVersion = $systemConfig->getValue('version', '0.0.0');
+ $currentVersion = implode('.', $serverVersion->getVersion());
+
+ // if not a core upgrade, then it's apps upgrade
+ $isAppsOnlyUpgrade = version_compare($currentVersion, $installedVersion, '=');
+
+ $oldTheme = $systemConfig->getValue('theme');
+ $systemConfig->setValue('theme', '');
+
+ /** @var \OC\App\AppManager $appManager */
+ $appManager = Server::get(\OCP\App\IAppManager::class);
+
+ // get third party apps
+ $ocVersion = $serverVersion->getVersion();
+ $ocVersion = implode('.', $ocVersion);
+ $incompatibleApps = $appManager->getIncompatibleApps($ocVersion);
+ $incompatibleOverwrites = $systemConfig->getValue('app_install_overwrite', []);
+ $incompatibleShippedApps = [];
+ $incompatibleDisabledApps = [];
+ foreach ($incompatibleApps as $appInfo) {
+ if ($appManager->isShipped($appInfo['id'])) {
+ $incompatibleShippedApps[] = $appInfo['name'] . ' (' . $appInfo['id'] . ')';
+ }
+ if (!in_array($appInfo['id'], $incompatibleOverwrites)) {
+ $incompatibleDisabledApps[] = $appInfo;
+ }
+ }
+
+ if (!empty($incompatibleShippedApps)) {
+ $l = Server::get(\OCP\L10N\IFactory::class)->get('core');
+ $hint = $l->t('Application %1$s is not present or has a non-compatible version with this server. Please check the apps directory.', [implode(', ', $incompatibleShippedApps)]);
+ throw new \OCP\HintException('Application ' . implode(', ', $incompatibleShippedApps) . ' is not present or has a non-compatible version with this server. Please check the apps directory.', $hint);
+ }
+
+ $appConfig = Server::get(IAppConfig::class);
+ $appsToUpgrade = array_map(function ($app) use (&$appConfig) {
+ return [
+ 'id' => $app['id'],
+ 'name' => $app['name'],
+ 'version' => $app['version'],
+ 'oldVersion' => $appConfig->getValueString($app['id'], 'installed_version'),
+ ];
+ }, $appManager->getAppsNeedingUpgrade($ocVersion));
+
+ $params = [
+ 'appsToUpgrade' => $appsToUpgrade,
+ 'incompatibleAppsList' => $incompatibleDisabledApps,
+ 'isAppsOnlyUpgrade' => $isAppsOnlyUpgrade,
+ 'oldTheme' => $oldTheme,
+ 'productName' => self::getProductName(),
+ 'version' => $serverVersion->getVersionString(),
+ ];
+
+ $initialState->provideInitialState('core', 'updaterView', 'admin');
+ $initialState->provideInitialState('core', 'updateInfo', $params);
+ Server::get(ITemplateManager::class)
+ ->getTemplate('', 'update', 'guest')
+ ->printPage();
+ }
+
+ private static function getProductName(): string {
+ $productName = 'Nextcloud';
+ try {
+ $defaults = new \OC_Defaults();
+ $productName = $defaults->getName();
+ } catch (Throwable $error) {
+ // ignore
+ }
+ return $productName;
+ }
+
+ public static function initSession(): void {
+ $request = Server::get(IRequest::class);
+
+ // TODO: Temporary disabled again to solve issues with CalDAV/CardDAV clients like DAVx5 that use cookies
+ // TODO: See https://github.com/nextcloud/server/issues/37277#issuecomment-1476366147 and the other comments
+ // TODO: for further information.
+ // $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0;
+ // if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest && !isset($_COOKIE['nc_session_id'])) {
+ // setcookie('cookie_test', 'test', time() + 3600);
+ // // Do not initialize the session if a request is authenticated directly
+ // // unless there is a session cookie already sent along
+ // return;
+ // }
+
+ if ($request->getServerProtocol() === 'https') {
+ ini_set('session.cookie_secure', 'true');
+ }
+
+ // prevents javascript from accessing php session cookies
+ ini_set('session.cookie_httponly', 'true');
+
+ // set the cookie path to the Nextcloud directory
+ $cookie_path = OC::$WEBROOT ? : '/';
+ ini_set('session.cookie_path', $cookie_path);
+
+ // set the cookie domain to the Nextcloud domain
+ $cookie_domain = self::$config->getValue('cookie_domain', '');
+ if ($cookie_domain) {
+ ini_set('session.cookie_domain', $cookie_domain);
+ }
+
+ // Do not initialize sessions for 'status.php' requests
+ // Monitoring endpoints can quickly flood session handlers
+ // and 'status.php' doesn't require sessions anyway
+ // We still need to run the ini_set above so that same-site cookies use the correct configuration.
+ if (str_ends_with($request->getScriptName(), '/status.php')) {
+ return;
+ }
+
+ // Let the session name be changed in the initSession Hook
+ $sessionName = OC_Util::getInstanceId();
+
+ try {
+ $logger = null;
+ if (Server::get(\OC\SystemConfig::class)->getValue('installed', false)) {
+ $logger = logger('core');
+ }
+
+ // set the session name to the instance id - which is unique
+ $session = new \OC\Session\Internal(
+ $sessionName,
+ $logger,
+ );
+
+ $cryptoWrapper = Server::get(\OC\Session\CryptoWrapper::class);
+ $session = $cryptoWrapper->wrapSession($session);
+ self::$server->setSession($session);
+
+ // if session can't be started break with http 500 error
+ } catch (Exception $e) {
+ Server::get(LoggerInterface::class)->error($e->getMessage(), ['app' => 'base','exception' => $e]);
+ //show the user a detailed error page
+ Server::get(ITemplateManager::class)->printExceptionErrorPage($e, 500);
+ die();
+ }
+
+ //try to set the session lifetime
+ $sessionLifeTime = self::getSessionLifeTime();
+
+ // session timeout
+ if ($session->exists('LAST_ACTIVITY') && (time() - $session->get('LAST_ACTIVITY') > $sessionLifeTime)) {
+ if (isset($_COOKIE[session_name()])) {
+ setcookie(session_name(), '', -1, self::$WEBROOT ? : '/');
+ }
+ Server::get(IUserSession::class)->logout();
+ }
+
+ if (!self::hasSessionRelaxedExpiry()) {
+ $session->set('LAST_ACTIVITY', time());
+ }
+ $session->close();
+ }
+
+ private static function getSessionLifeTime(): int {
+ return Server::get(IConfig::class)->getSystemValueInt('session_lifetime', 60 * 60 * 24);
+ }
+
+ /**
+ * @return bool true if the session expiry should only be done by gc instead of an explicit timeout
+ */
+ public static function hasSessionRelaxedExpiry(): bool {
+ return Server::get(IConfig::class)->getSystemValueBool('session_relaxed_expiry', false);
+ }
+
+ /**
+ * Try to set some values to the required Nextcloud default
+ */
+ public static function setRequiredIniValues(): void {
+ // Don't display errors and log them
+ @ini_set('display_errors', '0');
+ @ini_set('log_errors', '1');
+
+ // Try to configure php to enable big file uploads.
+ // This doesn't work always depending on the webserver and php configuration.
+ // Let's try to overwrite some defaults if they are smaller than 1 hour
+
+ if (intval(@ini_get('max_execution_time') ?: 0) < 3600) {
+ @ini_set('max_execution_time', strval(3600));
+ }
+
+ if (intval(@ini_get('max_input_time') ?: 0) < 3600) {
+ @ini_set('max_input_time', strval(3600));
+ }
+
+ // Try to set the maximum execution time to the largest time limit we have
+ if (strpos(@ini_get('disable_functions'), 'set_time_limit') === false) {
+ @set_time_limit(max(intval(@ini_get('max_execution_time')), intval(@ini_get('max_input_time'))));
+ }
+
+ @ini_set('default_charset', 'UTF-8');
+ @ini_set('gd.jpeg_ignore_warning', '1');
+ }
+
+ /**
+ * Send the same site cookies
+ */
+ private static function sendSameSiteCookies(): void {
+ $cookieParams = session_get_cookie_params();
+ $secureCookie = ($cookieParams['secure'] === true) ? 'secure; ' : '';
+ $policies = [
+ 'lax',
+ 'strict',
+ ];
+
+ // Append __Host to the cookie if it meets the requirements
+ $cookiePrefix = '';
+ if ($cookieParams['secure'] === true && $cookieParams['path'] === '/') {
+ $cookiePrefix = '__Host-';
+ }
+
+ foreach ($policies as $policy) {
+ header(
+ sprintf(
+ 'Set-Cookie: %snc_sameSiteCookie%s=true; path=%s; httponly;' . $secureCookie . 'expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=%s',
+ $cookiePrefix,
+ $policy,
+ $cookieParams['path'],
+ $policy
+ ),
+ false
+ );
+ }
+ }
+
+ /**
+ * Same Site cookie to further mitigate CSRF attacks. This cookie has to
+ * be set in every request if cookies are sent to add a second level of
+ * defense against CSRF.
+ *
+ * If the cookie is not sent this will set the cookie and reload the page.
+ * We use an additional cookie since we want to protect logout CSRF and
+ * also we can't directly interfere with PHP's session mechanism.
+ */
+ private static function performSameSiteCookieProtection(IConfig $config): void {
+ $request = Server::get(IRequest::class);
+
+ // Some user agents are notorious and don't really properly follow HTTP
+ // specifications. For those, have an automated opt-out. Since the protection
+ // for remote.php is applied in base.php as starting point we need to opt out
+ // here.
+ $incompatibleUserAgents = $config->getSystemValue('csrf.optout');
+
+ // Fallback, if csrf.optout is unset
+ if (!is_array($incompatibleUserAgents)) {
+ $incompatibleUserAgents = [
+ // OS X Finder
+ '/^WebDAVFS/',
+ // Windows webdav drive
+ '/^Microsoft-WebDAV-MiniRedir/',
+ ];
+ }
+
+ if ($request->isUserAgent($incompatibleUserAgents)) {
+ return;
+ }
+
+ if (count($_COOKIE) > 0) {
+ $requestUri = $request->getScriptName();
+ $processingScript = explode('/', $requestUri);
+ $processingScript = $processingScript[count($processingScript) - 1];
+
+ if ($processingScript === 'index.php' // index.php routes are handled in the middleware
+ || $processingScript === 'cron.php' // and cron.php does not need any authentication at all
+ || $processingScript === 'public.php' // For public.php, auth for password protected shares is done in the PublicAuth plugin
+ ) {
+ return;
+ }
+
+ // All other endpoints require the lax and the strict cookie
+ if (!$request->passesStrictCookieCheck()) {
+ logger('core')->warning('Request does not pass strict cookie check');
+ self::sendSameSiteCookies();
+ // Debug mode gets access to the resources without strict cookie
+ // due to the fact that the SabreDAV browser also lives there.
+ if (!$config->getSystemValueBool('debug', false)) {
+ http_response_code(\OCP\AppFramework\Http::STATUS_PRECONDITION_FAILED);
+ header('Content-Type: application/json');
+ echo json_encode(['error' => 'Strict Cookie has not been found in request']);
+ exit();
+ }
+ }
+ } elseif (!isset($_COOKIE['nc_sameSiteCookielax']) || !isset($_COOKIE['nc_sameSiteCookiestrict'])) {
+ self::sendSameSiteCookies();
+ }
+ }
+
+ /**
+ * This function adds some security related headers to all requests served via base.php
+ * The implementation of this function has to happen here to ensure that all third-party
+ * components (e.g. SabreDAV) also benefit from this headers.
+ */
+ private static function addSecurityHeaders(): void {
+ /**
+ * FIXME: Content Security Policy for legacy components. This
+ * can be removed once \OCP\AppFramework\Http\Response from the AppFramework
+ * is used everywhere.
+ * @see \OCP\AppFramework\Http\Response::getHeaders
+ */
+ $policy = 'default-src \'self\'; '
+ . 'script-src \'self\' \'nonce-' . Server::get(ContentSecurityPolicyNonceManager::class)->getNonce() . '\'; '
+ . 'style-src \'self\' \'unsafe-inline\'; '
+ . 'frame-src *; '
+ . 'img-src * data: blob:; '
+ . 'font-src \'self\' data:; '
+ . 'media-src *; '
+ . 'connect-src *; '
+ . 'object-src \'none\'; '
+ . 'base-uri \'self\'; ';
+ header('Content-Security-Policy:' . $policy);
+
+ // Send fallback headers for installations that don't have the possibility to send
+ // custom headers on the webserver side
+ if (getenv('modHeadersAvailable') !== 'true') {
+ header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/
+ header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+ header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
+ header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
+ header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
+ }
+ }
+
+ public static function boot(): void {
+ // prevent any XML processing from loading external entities
+ libxml_set_external_entity_loader(static function () {
+ return null;
+ });
+
+ // Set default timezone before the Server object is booted
+ if (!date_default_timezone_set('UTC')) {
+ throw new \RuntimeException('Could not set timezone to UTC');
+ }
+
+ // calculate the root directories
+ OC::$SERVERROOT = str_replace('\\', '/', substr(__DIR__, 0, -4));
+
+ // register autoloader
+ self::$loaderStart = microtime(true);
+
+ self::$CLI = (php_sapi_name() == 'cli');
+
+ // Add default composer PSR-4 autoloader, ensure apcu to be disabled
+ self::$composerAutoloader = require_once OC::$SERVERROOT . '/lib/composer/autoload.php';
+ self::$composerAutoloader->setApcuPrefix(null);
+
+ // setup 3rdparty autoloader
+ $vendorAutoLoad = OC::$SERVERROOT . '/3rdparty/autoload.php';
+ if (!file_exists($vendorAutoLoad)) {
+ throw new \RuntimeException('Composer autoloader not found, unable to continue. Check the folder "3rdparty". Running "git submodule update --init" will initialize the git submodule that handles the subfolder "3rdparty".');
+ }
+ require_once $vendorAutoLoad;
+
+ self::$loaderEnd = microtime(true);
+
+ // load configs
+ if (defined('PHPUNIT_CONFIG_DIR')) {
+ self::$configDir = OC::$SERVERROOT . '/' . PHPUNIT_CONFIG_DIR . '/';
+ } elseif (defined('PHPUNIT_RUN') && PHPUNIT_RUN && is_dir(OC::$SERVERROOT . '/tests/config/')) {
+ self::$configDir = OC::$SERVERROOT . '/tests/config/';
+ } elseif ($dir = getenv('NEXTCLOUD_CONFIG_DIR')) {
+ self::$configDir = rtrim($dir, '/') . '/';
+ } else {
+ self::$configDir = OC::$SERVERROOT . '/config/';
+ }
+ self::$config = new \OC\Config(self::$configDir);
+
+ // Enable lazy loading if activated
+ \OC\AppFramework\Utility\SimpleContainer::$useLazyObjects = (bool)self::$config->getValue('enable_lazy_objects', true);
+
+ try {
+ self::initPaths();
+ } catch (\RuntimeException $e) {
+ if (!self::$CLI) {
+ http_response_code(503);
+ }
+ // we can't use the template error page here, because this needs the
+ // DI container which isn't available yet
+ print($e->getMessage());
+ exit();
+ }
+ }
+
+ public static function init(): void {
+ // First handle PHP configuration and copy auth headers to the expected
+ // $_SERVER variable before doing anything Server object related
+ self::setRequiredIniValues();
+ self::handleAuthHeaders();
+
+ // setup the basic server
+ self::$server = new \OC\Server(\OC::$WEBROOT, self::$config);
+ self::$server->boot();
+
+ $loaderStart = microtime(true);
+
+ try {
+ $profiler = new BuiltInProfiler(
+ Server::get(IConfig::class),
+ Server::get(IRequest::class),
+ );
+ $profiler->start();
+ } catch (\Throwable $e) {
+ logger('core')->error('Failed to start profiler: ' . $e->getMessage(), ['app' => 'base']);
+ }
+
+ if (self::$CLI && in_array('--' . \OCP\Console\ReservedOptions::DEBUG_LOG, $_SERVER['argv'])) {
+ \OC\Core\Listener\BeforeMessageLoggedEventListener::setup();
+ }
+
+ $eventLogger = Server::get(\OCP\Diagnostics\IEventLogger::class);
+ $eventLogger->log('autoloader', 'Autoloader', self::$loaderStart, self::$loaderEnd); // set during boot
+ $eventLogger->start('boot', 'Initialize');
+
+ // Override php.ini and log everything if we're troubleshooting
+ if (self::$config->getValue('loglevel') === ILogger::DEBUG) {
+ error_reporting(E_ALL);
+ }
+
+ // initialize intl fallback if necessary
+ OC_Util::isSetLocaleWorking();
+
+ $config = Server::get(IConfig::class);
+ if (!defined('PHPUNIT_RUN')) {
+ $errorHandler = new OC\Log\ErrorHandler(
+ Server::get(\Psr\Log\LoggerInterface::class),
+ );
+ $exceptionHandler = [$errorHandler, 'onException'];
+ if ($config->getSystemValueBool('debug', false)) {
+ set_error_handler([$errorHandler, 'onAll'], E_ALL);
+ if (\OC::$CLI) {
+ $exceptionHandler = [Server::get(ITemplateManager::class), 'printExceptionErrorPage'];
+ }
+ } else {
+ set_error_handler([$errorHandler, 'onError']);
+ }
+ register_shutdown_function([$errorHandler, 'onShutdown']);
+ set_exception_handler($exceptionHandler);
+ }
+
+ /** @var \OC\AppFramework\Bootstrap\Coordinator $bootstrapCoordinator */
+ $bootstrapCoordinator = Server::get(\OC\AppFramework\Bootstrap\Coordinator::class);
+ $bootstrapCoordinator->runInitialRegistration();
+
+ $eventLogger->start('init_session', 'Initialize session');
+
+ // Check for PHP SimpleXML extension earlier since we need it before our other checks and want to provide a useful hint for web users
+ // see https://github.com/nextcloud/server/pull/2619
+ if (!function_exists('simplexml_load_file')) {
+ throw new \OCP\HintException('The PHP SimpleXML/PHP-XML extension is not installed.', 'Install the extension or make sure it is enabled.');
+ }
+
+ $systemConfig = Server::get(\OC\SystemConfig::class);
+ $appManager = Server::get(\OCP\App\IAppManager::class);
+ if ($systemConfig->getValue('installed', false)) {
+ $appManager->loadApps(['session']);
+ }
+ if (!self::$CLI) {
+ self::initSession();
+ }
+ $eventLogger->end('init_session');
+ self::checkConfig();
+ self::checkInstalled($systemConfig);
+
+ if (!self::$CLI) {
+ self::addSecurityHeaders();
+ self::performSameSiteCookieProtection($config);
+ }
+
+ if (!defined('OC_CONSOLE')) {
+ $eventLogger->start('check_server', 'Run a few configuration checks');
+ $errors = OC_Util::checkServer($systemConfig);
+ if (count($errors) > 0) {
+ if (!self::$CLI) {
+ http_response_code(503);
+ Util::addStyle('guest');
+ try {
+ Server::get(ITemplateManager::class)->printGuestPage('', 'error', ['errors' => $errors]);
+ exit;
+ } catch (\Exception $e) {
+ // In case any error happens when showing the error page, we simply fall back to posting the text.
+ // This might be the case when e.g. the data directory is broken and we can not load/write SCSS to/from it.
+ }
+ }
+
+ // Convert l10n string into regular string for usage in database
+ $staticErrors = [];
+ foreach ($errors as $error) {
+ echo $error['error'] . "\n";
+ echo $error['hint'] . "\n\n";
+ $staticErrors[] = [
+ 'error' => (string)$error['error'],
+ 'hint' => (string)$error['hint'],
+ ];
+ }
+
+ try {
+ $config->setAppValue('core', 'cronErrors', json_encode($staticErrors));
+ } catch (\Exception $e) {
+ echo('Writing to database failed');
+ }
+ exit(1);
+ } elseif (self::$CLI && $config->getSystemValueBool('installed', false)) {
+ $config->deleteAppValue('core', 'cronErrors');
+ }
+ $eventLogger->end('check_server');
+ }
+
+ // User and Groups
+ if (!$systemConfig->getValue('installed', false)) {
+ Server::get(ISession::class)->set('user_id', '');
+ }
+
+ $eventLogger->start('setup_backends', 'Setup group and user backends');
+ Server::get(\OCP\IUserManager::class)->registerBackend(new \OC\User\Database());
+ Server::get(\OCP\IGroupManager::class)->addBackend(new \OC\Group\Database());
+
+ // Subscribe to the hook
+ \OCP\Util::connectHook(
+ '\OCA\Files_Sharing\API\Server2Server',
+ 'preLoginNameUsedAsUserName',
+ '\OC\User\Database',
+ 'preLoginNameUsedAsUserName'
+ );
+
+ //setup extra user backends
+ if (!\OCP\Util::needUpgrade()) {
+ OC_User::setupBackends();
+ } else {
+ // Run upgrades in incognito mode
+ OC_User::setIncognitoMode(true);
+ }
+ $eventLogger->end('setup_backends');
+
+ self::registerCleanupHooks($systemConfig);
+ self::registerShareHooks($systemConfig);
+ self::registerEncryptionWrapperAndHooks();
+ self::registerAccountHooks();
+ self::registerResourceCollectionHooks();
+ self::registerFileReferenceEventListener();
+ self::registerRenderReferenceEventListener();
+ self::registerAppRestrictionsHooks();
+
+ // Make sure that the application class is not loaded before the database is setup
+ if ($systemConfig->getValue('installed', false)) {
+ $appManager->loadApp('settings');
+ }
+
+ //make sure temporary files are cleaned up
+ $tmpManager = Server::get(\OCP\ITempManager::class);
+ register_shutdown_function([$tmpManager, 'clean']);
+ $lockProvider = Server::get(\OCP\Lock\ILockingProvider::class);
+ register_shutdown_function([$lockProvider, 'releaseAll']);
+
+ // Check whether the sample configuration has been copied
+ if ($systemConfig->getValue('copied_sample_config', false)) {
+ $l = Server::get(\OCP\L10N\IFactory::class)->get('lib');
+ Server::get(ITemplateManager::class)->printErrorPage(
+ $l->t('Sample configuration detected'),
+ $l->t('It has been detected that the sample configuration has been copied. This can break your installation and is unsupported. Please read the documentation before performing changes on config.php'),
+ 503
+ );
+ return;
+ }
+
+ $request = Server::get(IRequest::class);
+ $host = $request->getInsecureServerHost();
+ /**
+ * if the host passed in headers isn't trusted
+ * FIXME: Should not be in here at all :see_no_evil:
+ */
+ if (!OC::$CLI
+ && !Server::get(\OC\Security\TrustedDomainHelper::class)->isTrustedDomain($host)
+ && $config->getSystemValueBool('installed', false)
+ ) {
+ // Allow access to CSS resources
+ $isScssRequest = false;
+ if (strpos($request->getPathInfo() ?: '', '/css/') === 0) {
+ $isScssRequest = true;
+ }
+
+ if (substr($request->getRequestUri(), -11) === '/status.php') {
+ http_response_code(400);
+ header('Content-Type: application/json');
+ echo '{"error": "Trusted domain error.", "code": 15}';
+ exit();
+ }
+
+ if (!$isScssRequest) {
+ http_response_code(400);
+ Server::get(LoggerInterface::class)->info(
+ 'Trusted domain error. "{remoteAddress}" tried to access using "{host}" as host.',
+ [
+ 'app' => 'core',
+ 'remoteAddress' => $request->getRemoteAddress(),
+ 'host' => $host,
+ ]
+ );
+
+ $tmpl = Server::get(ITemplateManager::class)->getTemplate('core', 'untrustedDomain', 'guest');
+ $tmpl->assign('docUrl', Server::get(IURLGenerator::class)->linkToDocs('admin-trusted-domains'));
+ $tmpl->printPage();
+
+ exit();
+ }
+ }
+ $eventLogger->end('boot');
+ $eventLogger->log('init', 'OC::init', $loaderStart, microtime(true));
+ $eventLogger->start('runtime', 'Runtime');
+ $eventLogger->start('request', 'Full request after boot');
+ register_shutdown_function(function () use ($eventLogger) {
+ $eventLogger->end('request');
+ });
+
+ register_shutdown_function(function () use ($config) {
+ $memoryPeak = memory_get_peak_usage();
+ $debugModeEnabled = $config->getSystemValueBool('debug', false);
+ $memoryLimit = null;
+
+ if (!$debugModeEnabled) {
+ // Use the memory helper to get the real memory limit in bytes if debug mode is disabled
+ try {
+ $memoryInfo = new \OC\MemoryInfo();
+ $memoryLimit = $memoryInfo->getMemoryLimit();
+ } catch (Throwable $e) {
+ // Ignore any errors and fall back to hardcoded thresholds
+ }
+ }
+
+ // Check if a memory limit is configured and can be retrieved and determine log level if debug mode is disabled
+ if (!$debugModeEnabled && $memoryLimit !== null && $memoryLimit !== -1) {
+ $logLevel = match (true) {
+ $memoryPeak > $memoryLimit * 0.9 => ILogger::FATAL,
+ $memoryPeak > $memoryLimit * 0.75 => ILogger::ERROR,
+ $memoryPeak > $memoryLimit * 0.5 => ILogger::WARN,
+ default => null,
+ };
+
+ $memoryLimitIni = @ini_get('memory_limit');
+ $message = 'Request used ' . Util::humanFileSize($memoryPeak) . ' of memory. Memory limit: ' . ($memoryLimitIni ?: 'unknown');
+ } else {
+ // Fall back to hardcoded thresholds if memory_limit cannot be determined or if debug mode is enabled
+ $logLevel = match (true) {
+ $memoryPeak > 500_000_000 => ILogger::FATAL,
+ $memoryPeak > 400_000_000 => ILogger::ERROR,
+ $memoryPeak > 300_000_000 => ILogger::WARN,
+ default => null,
+ };
+
+ $message = 'Request used more than 300 MB of RAM: ' . Util::humanFileSize($memoryPeak);
+ }
+
+ // Log the message
+ if ($logLevel !== null) {
+ $logger = Server::get(LoggerInterface::class);
+ $logger->log($logLevel, $message, ['app' => 'core']);
+ }
+ });
+ }
+
+ /**
+ * register hooks for the cleanup of cache and bruteforce protection
+ */
+ public static function registerCleanupHooks(\OC\SystemConfig $systemConfig): void {
+ //don't try to do this before we are properly setup
+ if ($systemConfig->getValue('installed', false) && !\OCP\Util::needUpgrade()) {
+ // NOTE: This will be replaced to use OCP
+ $userSession = Server::get(\OC\User\Session::class);
+ $userSession->listen('\OC\User', 'postLogin', function () use ($userSession) {
+ if (!defined('PHPUNIT_RUN') && $userSession->isLoggedIn()) {
+ // reset brute force delay for this IP address and username
+ $uid = $userSession->getUser()->getUID();
+ $request = Server::get(IRequest::class);
+ $throttler = Server::get(IThrottler::class);
+ $throttler->resetDelay($request->getRemoteAddress(), 'login', ['user' => $uid]);
+ }
+
+ try {
+ $cache = new \OC\Cache\File();
+ $cache->gc();
+ } catch (\OC\ServerNotAvailableException $e) {
+ // not a GC exception, pass it on
+ throw $e;
+ } catch (\OC\ForbiddenException $e) {
+ // filesystem blocked for this request, ignore
+ } catch (\Exception $e) {
+ // a GC exception should not prevent users from using OC,
+ // so log the exception
+ Server::get(LoggerInterface::class)->warning('Exception when running cache gc.', [
+ 'app' => 'core',
+ 'exception' => $e,
+ ]);
+ }
+ });
+ }
+ }
+
+ private static function registerEncryptionWrapperAndHooks(): void {
+ /** @var \OC\Encryption\Manager */
+ $manager = Server::get(\OCP\Encryption\IManager::class);
+ Server::get(IEventDispatcher::class)->addListener(
+ BeforeFileSystemSetupEvent::class,
+ $manager->setupStorage(...),
+ );
+
+ $enabled = $manager->isEnabled();
+ if ($enabled) {
+ \OC\Encryption\EncryptionEventListener::register(Server::get(IEventDispatcher::class));
+ }
+ }
+
+ private static function registerAccountHooks(): void {
+ /** @var IEventDispatcher $dispatcher */
+ $dispatcher = Server::get(IEventDispatcher::class);
+ $dispatcher->addServiceListener(UserChangedEvent::class, \OC\Accounts\Hooks::class);
+ }
+
+ private static function registerAppRestrictionsHooks(): void {
+ /** @var \OC\Group\Manager $groupManager */
+ $groupManager = Server::get(\OCP\IGroupManager::class);
+ $groupManager->listen('\OC\Group', 'postDelete', function (\OCP\IGroup $group) {
+ $appManager = Server::get(\OCP\App\IAppManager::class);
+ $apps = $appManager->getEnabledAppsForGroup($group);
+ foreach ($apps as $appId) {
+ $restrictions = $appManager->getAppRestriction($appId);
+ if (empty($restrictions)) {
+ continue;
+ }
+ $key = array_search($group->getGID(), $restrictions, true);
+ unset($restrictions[$key]);
+ $restrictions = array_values($restrictions);
+ if (empty($restrictions)) {
+ $appManager->disableApp($appId);
+ } else {
+ $appManager->enableAppForGroups($appId, $restrictions);
+ }
+ }
+ });
+ }
+
+ private static function registerResourceCollectionHooks(): void {
+ \OC\Collaboration\Resources\Listener::register(Server::get(IEventDispatcher::class));
+ }
+
+ private static function registerFileReferenceEventListener(): void {
+ \OC\Collaboration\Reference\File\FileReferenceEventListener::register(Server::get(IEventDispatcher::class));
+ }
+
+ private static function registerRenderReferenceEventListener() {
+ \OC\Collaboration\Reference\RenderReferenceEventListener::register(Server::get(IEventDispatcher::class));
+ }
+
+ /**
+ * register hooks for sharing
+ */
+ public static function registerShareHooks(\OC\SystemConfig $systemConfig): void {
+ if ($systemConfig->getValue('installed')) {
+
+ $dispatcher = Server::get(IEventDispatcher::class);
+ $dispatcher->addServiceListener(UserRemovedEvent::class, UserRemovedListener::class);
+ $dispatcher->addServiceListener(GroupDeletedEvent::class, GroupDeletedListener::class);
+ $dispatcher->addServiceListener(UserDeletedEvent::class, UserDeletedListener::class);
+ }
+ }
+
+ /**
+ * Handle the request
+ */
+ public static function handleRequest(): void {
+ Server::get(\OCP\Diagnostics\IEventLogger::class)->start('handle_request', 'Handle request');
+ $systemConfig = Server::get(\OC\SystemConfig::class);
+
+ // Check if Nextcloud is installed or in maintenance (update) mode
+ if (!$systemConfig->getValue('installed', false)) {
+ Server::get(ISession::class)->clear();
+ $controller = Server::get(\OC\Core\Controller\SetupController::class);
+ $controller->run($_POST);
+ exit();
+ }
+
+ $request = Server::get(IRequest::class);
+ $request->throwDecodingExceptionIfAny();
+ $requestPath = $request->getRawPathInfo();
+ if ($requestPath === '/heartbeat') {
+ return;
+ }
+ if (substr($requestPath, -3) !== '.js') { // we need these files during the upgrade
+ self::checkMaintenanceMode($systemConfig);
+
+ if (\OCP\Util::needUpgrade()) {
+ if (function_exists('opcache_reset')) {
+ opcache_reset();
+ }
+ if (!((bool)$systemConfig->getValue('maintenance', false))) {
+ self::printUpgradePage($systemConfig);
+ exit();
+ }
+ }
+ }
+
+ $appManager = Server::get(\OCP\App\IAppManager::class);
+
+ // Always load authentication apps
+ $appManager->loadApps(['authentication']);
+ $appManager->loadApps(['extended_authentication']);
+
+ // Load minimum set of apps
+ if (!\OCP\Util::needUpgrade()
+ && !((bool)$systemConfig->getValue('maintenance', false))) {
+ // For logged-in users: Load everything
+ if (Server::get(IUserSession::class)->isLoggedIn()) {
+ $appManager->loadApps();
+ } else {
+ // For guests: Load only filesystem and logging
+ $appManager->loadApps(['filesystem', 'logging']);
+
+ // Don't try to login when a client is trying to get a OAuth token.
+ // OAuth needs to support basic auth too, so the login is not valid
+ // inside Nextcloud and the Login exception would ruin it.
+ if ($request->getRawPathInfo() !== '/apps/oauth2/api/v1/token') {
+ try {
+ self::handleLogin($request);
+ } catch (DisabledUserException $e) {
+ // Disabled users would not be seen as logged in and
+ // trying to log them in would fail, so the login
+ // exception is ignored for the themed stylesheets and
+ // images.
+ if ($request->getRawPathInfo() !== '/apps/theming/theme/default.css'
+ && $request->getRawPathInfo() !== '/apps/theming/theme/light.css'
+ && $request->getRawPathInfo() !== '/apps/theming/theme/dark.css'
+ && $request->getRawPathInfo() !== '/apps/theming/theme/light-highcontrast.css'
+ && $request->getRawPathInfo() !== '/apps/theming/theme/dark-highcontrast.css'
+ && $request->getRawPathInfo() !== '/apps/theming/theme/opendyslexic.css'
+ && $request->getRawPathInfo() !== '/apps/theming/image/background'
+ && $request->getRawPathInfo() !== '/apps/theming/image/logo'
+ && $request->getRawPathInfo() !== '/apps/theming/image/logoheader'
+ && !str_starts_with($request->getRawPathInfo(), '/apps/theming/favicon')
+ && !str_starts_with($request->getRawPathInfo(), '/apps/theming/icon')) {
+ throw $e;
+ }
+ }
+ }
+ }
+ }
+
+ if (!self::$CLI) {
+ try {
+ if (!\OCP\Util::needUpgrade()) {
+ $appManager->loadApps(['filesystem', 'logging']);
+ $appManager->loadApps();
+ }
+ Server::get(\OC\Route\Router::class)->match($request->getRawPathInfo());
+ return;
+ } catch (Symfony\Component\Routing\Exception\ResourceNotFoundException $e) {
+ //header('HTTP/1.0 404 Not Found');
+ } catch (Symfony\Component\Routing\Exception\MethodNotAllowedException $e) {
+ http_response_code(405);
+ return;
+ }
+ }
+
+ // Handle WebDAV
+ if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PROPFIND') {
+ // not allowed any more to prevent people
+ // mounting this root directly.
+ // Users need to mount remote.php/webdav instead.
+ http_response_code(405);
+ return;
+ }
+
+ // Handle requests for JSON or XML
+ $acceptHeader = $request->getHeader('Accept');
+ if (in_array($acceptHeader, ['application/json', 'application/xml'], true)) {
+ http_response_code(404);
+ return;
+ }
+
+ // Handle resources that can't be found
+ // This prevents browsers from redirecting to the default page and then
+ // attempting to parse HTML as CSS and similar.
+ $destinationHeader = $request->getHeader('Sec-Fetch-Dest');
+ if (in_array($destinationHeader, ['font', 'script', 'style'])) {
+ http_response_code(404);
+ return;
+ }
+
+ // Redirect to the default app or login only as an entry point
+ if ($requestPath === '') {
+ // Someone is logged in
+ $userSession = Server::get(IUserSession::class);
+ if ($userSession->isLoggedIn()) {
+ header('X-User-Id: ' . $userSession->getUser()?->getUID());
+ header('Location: ' . Server::get(IURLGenerator::class)->linkToDefaultPageUrl());
+ } else {
+ // Not handled and not logged in
+ header('Location: ' . Server::get(IURLGenerator::class)->linkToRouteAbsolute('core.login.showLoginForm'));
+ }
+ return;
+ }
+
+ try {
+ Server::get(\OC\Route\Router::class)->match('/error/404');
+ } catch (\Exception $e) {
+ if (!$e instanceof MethodNotAllowedException) {
+ logger('core')->emergency($e->getMessage(), ['exception' => $e]);
+ }
+ $l = Server::get(\OCP\L10N\IFactory::class)->get('lib');
+ Server::get(ITemplateManager::class)->printErrorPage(
+ '404',
+ $l->t('The page could not be found on the server.'),
+ 404
+ );
+ }
+ }
+
+ /**
+ * Check login: apache auth, auth token, basic auth
+ */
+ public static function handleLogin(OCP\IRequest $request): bool {
+ if ($request->getHeader('X-Nextcloud-Federation')) {
+ return false;
+ }
+ $userSession = Server::get(\OC\User\Session::class);
+ if (OC_User::handleApacheAuth()) {
+ return true;
+ }
+ if (self::tryAppAPILogin($request)) {
+ return true;
+ }
+ if ($userSession->tryTokenLogin($request)) {
+ return true;
+ }
+ if (isset($_COOKIE['nc_username'])
+ && isset($_COOKIE['nc_token'])
+ && isset($_COOKIE['nc_session_id'])
+ && $userSession->loginWithCookie($_COOKIE['nc_username'], $_COOKIE['nc_token'], $_COOKIE['nc_session_id'])) {
+ return true;
+ }
+ if ($userSession->tryBasicAuthLogin($request, Server::get(IThrottler::class))) {
+ return true;
+ }
+ return false;
+ }
+
+ protected static function handleAuthHeaders(): void {
+ //copy http auth headers for apache+php-fcgid work around
+ if (isset($_SERVER['HTTP_XAUTHORIZATION']) && !isset($_SERVER['HTTP_AUTHORIZATION'])) {
+ $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['HTTP_XAUTHORIZATION'];
+ }
+
+ // Extract PHP_AUTH_USER/PHP_AUTH_PW from other headers if necessary.
+ $vars = [
+ 'HTTP_AUTHORIZATION', // apache+php-cgi work around
+ 'REDIRECT_HTTP_AUTHORIZATION', // apache+php-cgi alternative
+ ];
+ foreach ($vars as $var) {
+ if (isset($_SERVER[$var]) && is_string($_SERVER[$var]) && preg_match('/Basic\s+(.*)$/i', $_SERVER[$var], $matches)) {
+ $credentials = explode(':', base64_decode($matches[1]), 2);
+ if (count($credentials) === 2) {
+ $_SERVER['PHP_AUTH_USER'] = $credentials[0];
+ $_SERVER['PHP_AUTH_PW'] = $credentials[1];
+ break;
+ }
+ }
+ }
+ }
+
+ protected static function tryAppAPILogin(OCP\IRequest $request): bool {
+ if (!$request->getHeader('AUTHORIZATION-APP-API')) {
+ return false;
+ }
+ $appManager = Server::get(OCP\App\IAppManager::class);
+ if (!$appManager->isEnabledForAnyone('app_api')) {
+ return false;
+ }
+ try {
+ $appAPIService = Server::get(OCA\AppAPI\Service\AppAPIService::class);
+ return $appAPIService->validateExAppRequestToNC($request);
+ } catch (\Psr\Container\NotFoundExceptionInterface|\Psr\Container\ContainerExceptionInterface $e) {
+ return false;
+ }
+ }
+}
diff --git a/lib/base.php b/lib/base.php
index 10f86c59bc596..d38e1fe259080 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -2,1308 +2,11 @@
declare(strict_types=1);
/**
- * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-FileCopyrightText: 2013-2016 ownCloud, Inc.
- * SPDX-License-Identifier: AGPL-3.0-only
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
*/
-use OC\Profiler\BuiltInProfiler;
-use OC\Security\CSP\ContentSecurityPolicyNonceManager;
-use OC\Share20\GroupDeletedListener;
-use OC\Share20\Hooks;
-use OC\Share20\UserDeletedListener;
-use OC\Share20\UserRemovedListener;
-use OC\User\DisabledUserException;
-use OCP\EventDispatcher\IEventDispatcher;
-use OCP\Files\Events\BeforeFileSystemSetupEvent;
-use OCP\Group\Events\GroupDeletedEvent;
-use OCP\Group\Events\UserRemovedEvent;
-use OCP\IAppConfig;
-use OCP\IConfig;
-use OCP\IInitialStateService;
-use OCP\ILogger;
-use OCP\IRequest;
-use OCP\ISession;
-use OCP\IURLGenerator;
-use OCP\IUserSession;
-use OCP\Security\Bruteforce\IThrottler;
-use OCP\Server;
-use OCP\Template\ITemplateManager;
-use OCP\User\Events\UserChangedEvent;
-use OCP\User\Events\UserDeletedEvent;
-use OCP\Util;
-use Psr\Log\LoggerInterface;
-use Symfony\Component\Routing\Exception\MethodNotAllowedException;
-use function OCP\Log\logger;
+require_once __DIR__ . '/OC.php';
-require_once 'public/Constants.php';
-
-/**
- * Class that is a namespace for all global OC variables
- * No, we can not put this class in its own file because it is used by
- * OC_autoload!
- */
-class OC {
- /**
- * The installation path for Nextcloud on the server (e.g. /srv/http/nextcloud)
- * @internal Use auto-loaded $serverRoot with DI instead.
- * @psalm-suppress ImpureStaticProperty
- */
- public static string $SERVERROOT = '';
- /**
- * the current request path relative to the Nextcloud root (e.g. files/index.php)
- * @psalm-suppress ImpureStaticProperty
- */
- private static string $SUBURI = '';
- /**
- * the Nextcloud root path for http requests (e.g. /nextcloud)
- * @psalm-suppress ImpureStaticProperty
- */
- public static string $WEBROOT = '';
- /**
- * The installation path array of the apps folder on the server (e.g. /srv/http/nextcloud) 'path' and
- * web path in 'url'
- * @psalm-suppress ImpureStaticProperty
- */
- public static array $APPSROOTS = [];
-
- /**
- * @psalm-suppress ImpureStaticProperty
- */
- public static string $configDir;
-
- /**
- * requested app
- * @psalm-suppress ImpureStaticProperty
- */
- public static string $REQUESTEDAPP = '';
-
- /**
- * check if Nextcloud runs in cli mode
- * @psalm-suppress ImpureStaticProperty
- */
- public static bool $CLI = false;
-
- /**
- * @psalm-suppress ImpureStaticProperty
- */
- public static \Composer\Autoload\ClassLoader $composerAutoloader;
-
- /**
- * @psalm-suppress ImpureStaticProperty
- */
- public static \OC\Server $server;
-
- /**
- * @psalm-suppress ImpureStaticProperty
- */
- private static \OC\Config $config;
-
- /**
- * @throws \RuntimeException when the 3rdparty directory is missing or
- * the app path list is empty or contains an invalid path
- */
- public static function initPaths(): void {
- if (defined('PHPUNIT_CONFIG_DIR')) {
- self::$configDir = OC::$SERVERROOT . '/' . PHPUNIT_CONFIG_DIR . '/';
- } elseif (defined('PHPUNIT_RUN') && PHPUNIT_RUN && is_dir(OC::$SERVERROOT . '/tests/config/')) {
- self::$configDir = OC::$SERVERROOT . '/tests/config/';
- } elseif ($dir = getenv('NEXTCLOUD_CONFIG_DIR')) {
- self::$configDir = rtrim($dir, '/') . '/';
- } else {
- self::$configDir = OC::$SERVERROOT . '/config/';
- }
- self::$config = new \OC\Config(self::$configDir);
-
- OC::$SUBURI = str_replace('\\', '/', substr(realpath($_SERVER['SCRIPT_FILENAME'] ?? ''), strlen(OC::$SERVERROOT)));
- /**
- * FIXME: The following lines are required because we can't yet instantiate
- * Server::get(\OCP\IRequest::class) since \OC::$server does not yet exist.
- */
- $params = [
- 'server' => [
- 'SCRIPT_NAME' => $_SERVER['SCRIPT_NAME'] ?? null,
- 'SCRIPT_FILENAME' => $_SERVER['SCRIPT_FILENAME'] ?? null,
- ],
- ];
- if (isset($_SERVER['REMOTE_ADDR'])) {
- $params['server']['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
- }
- $fakeRequest = new \OC\AppFramework\Http\Request(
- $params,
- new \OC\AppFramework\Http\RequestId($_SERVER['UNIQUE_ID'] ?? '', new \OC\Security\SecureRandom()),
- new \OC\AllConfig(new \OC\SystemConfig(self::$config))
- );
- $scriptName = $fakeRequest->getScriptName();
- if (substr($scriptName, -1) == '/') {
- $scriptName .= 'index.php';
- //make sure suburi follows the same rules as scriptName
- if (substr(OC::$SUBURI, -9) !== 'index.php') {
- if (substr(OC::$SUBURI, -1) !== '/') {
- OC::$SUBURI = OC::$SUBURI . '/';
- }
- OC::$SUBURI = OC::$SUBURI . 'index.php';
- }
- }
-
- if (OC::$CLI) {
- OC::$WEBROOT = self::$config->getValue('overwritewebroot', '');
- } else {
- if (substr($scriptName, 0 - strlen(OC::$SUBURI)) === OC::$SUBURI) {
- OC::$WEBROOT = substr($scriptName, 0, 0 - strlen(OC::$SUBURI));
-
- if (OC::$WEBROOT !== '' && OC::$WEBROOT[0] !== '/') {
- OC::$WEBROOT = '/' . OC::$WEBROOT;
- }
- } else {
- // The scriptName is not ending with OC::$SUBURI
- // This most likely means that we are calling from CLI.
- // However some cron jobs still need to generate
- // a web URL, so we use overwritewebroot as a fallback.
- OC::$WEBROOT = self::$config->getValue('overwritewebroot', '');
- }
-
- // Resolve /nextcloud to /nextcloud/ to ensure to always have a trailing
- // slash which is required by URL generation.
- if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] === \OC::$WEBROOT
- && substr($_SERVER['REQUEST_URI'], -1) !== '/') {
- header('Location: ' . \OC::$WEBROOT . '/');
- exit();
- }
- }
-
- // search the apps folder
- $config_paths = self::$config->getValue('apps_paths', []);
- if (!empty($config_paths)) {
- foreach ($config_paths as $paths) {
- if (isset($paths['url']) && isset($paths['path'])) {
- $paths['url'] = rtrim($paths['url'], '/');
- $paths['path'] = rtrim($paths['path'], '/');
- OC::$APPSROOTS[] = $paths;
- }
- }
- } elseif (file_exists(OC::$SERVERROOT . '/apps')) {
- OC::$APPSROOTS[] = ['path' => OC::$SERVERROOT . '/apps', 'url' => '/apps', 'writable' => true];
- }
-
- if (empty(OC::$APPSROOTS)) {
- throw new \RuntimeException('apps directory not found! Please put the Nextcloud apps folder in the Nextcloud folder'
- . '. You can also configure the location in the config.php file.');
- }
- $paths = [];
- foreach (OC::$APPSROOTS as $path) {
- $paths[] = $path['path'];
- if (!is_dir($path['path'])) {
- throw new \RuntimeException(sprintf('App directory "%s" not found! Please put the Nextcloud apps folder in the'
- . ' Nextcloud folder. You can also configure the location in the config.php file.', $path['path']));
- }
- }
-
- // set the right include path
- set_include_path(
- implode(PATH_SEPARATOR, $paths)
- );
- }
-
- public static function checkConfig(): void {
- // Create config if it does not already exist
- $configFilePath = self::$configDir . '/config.php';
- if (!file_exists($configFilePath)) {
- @touch($configFilePath);
- }
-
- // Check if config is writable
- $configFileWritable = is_writable($configFilePath);
- $configReadOnly = Server::get(IConfig::class)->getSystemValueBool('config_is_read_only');
- if (!$configFileWritable && !$configReadOnly
- || !$configFileWritable && \OCP\Util::needUpgrade()) {
- $urlGenerator = Server::get(IURLGenerator::class);
- $l = Server::get(\OCP\L10N\IFactory::class)->get('lib');
-
- if (self::$CLI) {
- echo $l->t('Cannot write into "config" directory!') . "\n";
- echo $l->t('This can usually be fixed by giving the web server write access to the config directory.') . "\n";
- echo "\n";
- echo $l->t('But, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.') . "\n";
- echo $l->t('See %s', [ $urlGenerator->linkToDocs('admin-config') ]) . "\n";
- exit;
- } else {
- Server::get(ITemplateManager::class)->printErrorPage(
- $l->t('Cannot write into "config" directory!'),
- $l->t('This can usually be fixed by giving the web server write access to the config directory.') . ' '
- . $l->t('But, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.') . ' '
- . $l->t('See %s', [ $urlGenerator->linkToDocs('admin-config') ]),
- 503
- );
- }
- }
- }
-
- public static function checkInstalled(\OC\SystemConfig $systemConfig): void {
- if (defined('OC_CONSOLE')) {
- return;
- }
- // Redirect to installer if not installed
- if (!$systemConfig->getValue('installed', false) && OC::$SUBURI !== '/index.php' && OC::$SUBURI !== '/status.php') {
- if (OC::$CLI) {
- throw new Exception('Not installed');
- } else {
- $url = OC::$WEBROOT . '/index.php';
- header('Location: ' . $url);
- }
- exit();
- }
- }
-
- public static function checkMaintenanceMode(\OC\SystemConfig $systemConfig): void {
- // Allow ajax update script to execute without being stopped
- if (((bool)$systemConfig->getValue('maintenance', false)) && OC::$SUBURI !== '/core/ajax/update.php') {
- // send http status 503
- http_response_code(503);
- header('X-Nextcloud-Maintenance-Mode: 1');
- header('Retry-After: 120');
-
- // render error page
- $template = Server::get(ITemplateManager::class)->getTemplate('', 'update.user', 'guest');
- \OCP\Util::addScript('core', 'maintenance');
- \OCP\Util::addScript('core', 'common');
- \OCP\Util::addStyle('core', 'guest');
- $template->printPage();
- die();
- }
- }
-
- /**
- * Prints the upgrade page
- */
- private static function printUpgradePage(\OC\SystemConfig $systemConfig): void {
- $cliUpgradeLink = $systemConfig->getValue('upgrade.cli-upgrade-link', '');
- $disableWebUpdater = $systemConfig->getValue('upgrade.disable-web', false);
- $tooBig = false;
- if (!$disableWebUpdater) {
- $apps = Server::get(\OCP\App\IAppManager::class);
- if ($apps->isEnabledForAnyone('user_ldap')) {
- $qb = Server::get(\OCP\IDBConnection::class)->getQueryBuilder();
-
- $result = $qb->select($qb->func()->count('*', 'user_count'))
- ->from('ldap_user_mapping')
- ->executeQuery();
- $row = $result->fetch();
- $result->closeCursor();
-
- $tooBig = ($row['user_count'] > 50);
- }
- if (!$tooBig && $apps->isEnabledForAnyone('user_saml')) {
- $qb = Server::get(\OCP\IDBConnection::class)->getQueryBuilder();
-
- $result = $qb->select($qb->func()->count('*', 'user_count'))
- ->from('user_saml_users')
- ->executeQuery();
- $row = $result->fetch();
- $result->closeCursor();
-
- $tooBig = ($row['user_count'] > 50);
- }
- if (!$tooBig) {
- // count users
- $totalUsers = Server::get(\OCP\IUserManager::class)->countUsersTotal(51);
- $tooBig = ($totalUsers > 50);
- }
- }
- $ignoreTooBigWarning = isset($_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup'])
- && $_GET['IKnowThatThisIsABigInstanceAndTheUpdateRequestCouldRunIntoATimeoutAndHowToRestoreABackup'] === 'IAmSuperSureToDoThis';
-
- Util::addTranslations('core');
- Util::addScript('core', 'common');
- Util::addScript('core', 'main');
- Util::addScript('core', 'update');
-
- $initialState = Server::get(IInitialStateService::class);
- $serverVersion = Server::get(\OCP\ServerVersion::class);
- if ($disableWebUpdater || ($tooBig && !$ignoreTooBigWarning)) {
- // send http status 503
- http_response_code(503);
- header('Retry-After: 120');
-
- $urlGenerator = Server::get(IURLGenerator::class);
- $initialState->provideInitialState('core', 'updaterView', 'adminCli');
- $initialState->provideInitialState('core', 'updateInfo', [
- 'cliUpgradeLink' => $cliUpgradeLink ?: $urlGenerator->linkToDocs('admin-cli-upgrade'),
- 'productName' => self::getProductName(),
- 'version' => $serverVersion->getVersionString(),
- 'tooBig' => $tooBig,
- ]);
-
- // render error page
- Server::get(ITemplateManager::class)
- ->getTemplate('', 'update', 'guest')
- ->printPage();
- die();
- }
-
- // check whether this is a core update or apps update
- $installedVersion = $systemConfig->getValue('version', '0.0.0');
- $currentVersion = implode('.', $serverVersion->getVersion());
-
- // if not a core upgrade, then it's apps upgrade
- $isAppsOnlyUpgrade = version_compare($currentVersion, $installedVersion, '=');
-
- $oldTheme = $systemConfig->getValue('theme');
- $systemConfig->setValue('theme', '');
-
- /** @var \OC\App\AppManager $appManager */
- $appManager = Server::get(\OCP\App\IAppManager::class);
-
- // get third party apps
- $ocVersion = $serverVersion->getVersion();
- $ocVersion = implode('.', $ocVersion);
- $incompatibleApps = $appManager->getIncompatibleApps($ocVersion);
- $incompatibleOverwrites = $systemConfig->getValue('app_install_overwrite', []);
- $incompatibleShippedApps = [];
- $incompatibleDisabledApps = [];
- foreach ($incompatibleApps as $appInfo) {
- if ($appManager->isShipped($appInfo['id'])) {
- $incompatibleShippedApps[] = $appInfo['name'] . ' (' . $appInfo['id'] . ')';
- }
- if (!in_array($appInfo['id'], $incompatibleOverwrites)) {
- $incompatibleDisabledApps[] = $appInfo;
- }
- }
-
- if (!empty($incompatibleShippedApps)) {
- $l = Server::get(\OCP\L10N\IFactory::class)->get('core');
- $hint = $l->t('Application %1$s is not present or has a non-compatible version with this server. Please check the apps directory.', [implode(', ', $incompatibleShippedApps)]);
- throw new \OCP\HintException('Application ' . implode(', ', $incompatibleShippedApps) . ' is not present or has a non-compatible version with this server. Please check the apps directory.', $hint);
- }
-
- $appConfig = Server::get(IAppConfig::class);
- $appsToUpgrade = array_map(function ($app) use (&$appConfig) {
- return [
- 'id' => $app['id'],
- 'name' => $app['name'],
- 'version' => $app['version'],
- 'oldVersion' => $appConfig->getValueString($app['id'], 'installed_version'),
- ];
- }, $appManager->getAppsNeedingUpgrade($ocVersion));
-
- $params = [
- 'appsToUpgrade' => $appsToUpgrade,
- 'incompatibleAppsList' => $incompatibleDisabledApps,
- 'isAppsOnlyUpgrade' => $isAppsOnlyUpgrade,
- 'oldTheme' => $oldTheme,
- 'productName' => self::getProductName(),
- 'version' => $serverVersion->getVersionString(),
- ];
-
- $initialState->provideInitialState('core', 'updaterView', 'admin');
- $initialState->provideInitialState('core', 'updateInfo', $params);
- Server::get(ITemplateManager::class)
- ->getTemplate('', 'update', 'guest')
- ->printPage();
- }
-
- private static function getProductName(): string {
- $productName = 'Nextcloud';
- try {
- $defaults = new \OC_Defaults();
- $productName = $defaults->getName();
- } catch (Throwable $error) {
- // ignore
- }
- return $productName;
- }
-
- public static function initSession(): void {
- $request = Server::get(IRequest::class);
-
- // TODO: Temporary disabled again to solve issues with CalDAV/CardDAV clients like DAVx5 that use cookies
- // TODO: See https://github.com/nextcloud/server/issues/37277#issuecomment-1476366147 and the other comments
- // TODO: for further information.
- // $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0;
- // if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest && !isset($_COOKIE['nc_session_id'])) {
- // setcookie('cookie_test', 'test', time() + 3600);
- // // Do not initialize the session if a request is authenticated directly
- // // unless there is a session cookie already sent along
- // return;
- // }
-
- if ($request->getServerProtocol() === 'https') {
- ini_set('session.cookie_secure', 'true');
- }
-
- // prevents javascript from accessing php session cookies
- ini_set('session.cookie_httponly', 'true');
-
- // set the cookie path to the Nextcloud directory
- $cookie_path = OC::$WEBROOT ? : '/';
- ini_set('session.cookie_path', $cookie_path);
-
- // set the cookie domain to the Nextcloud domain
- $cookie_domain = self::$config->getValue('cookie_domain', '');
- if ($cookie_domain) {
- ini_set('session.cookie_domain', $cookie_domain);
- }
-
- // Do not initialize sessions for 'status.php' requests
- // Monitoring endpoints can quickly flood session handlers
- // and 'status.php' doesn't require sessions anyway
- // We still need to run the ini_set above so that same-site cookies use the correct configuration.
- if (str_ends_with($request->getScriptName(), '/status.php')) {
- return;
- }
-
- // Let the session name be changed in the initSession Hook
- $sessionName = OC_Util::getInstanceId();
-
- try {
- $logger = null;
- if (Server::get(\OC\SystemConfig::class)->getValue('installed', false)) {
- $logger = logger('core');
- }
-
- // set the session name to the instance id - which is unique
- $session = new \OC\Session\Internal(
- $sessionName,
- $logger,
- );
-
- $cryptoWrapper = Server::get(\OC\Session\CryptoWrapper::class);
- $session = $cryptoWrapper->wrapSession($session);
- self::$server->setSession($session);
-
- // if session can't be started break with http 500 error
- } catch (Exception $e) {
- Server::get(LoggerInterface::class)->error($e->getMessage(), ['app' => 'base','exception' => $e]);
- //show the user a detailed error page
- Server::get(ITemplateManager::class)->printExceptionErrorPage($e, 500);
- die();
- }
-
- //try to set the session lifetime
- $sessionLifeTime = self::getSessionLifeTime();
-
- // session timeout
- if ($session->exists('LAST_ACTIVITY') && (time() - $session->get('LAST_ACTIVITY') > $sessionLifeTime)) {
- if (isset($_COOKIE[session_name()])) {
- setcookie(session_name(), '', -1, self::$WEBROOT ? : '/');
- }
- Server::get(IUserSession::class)->logout();
- }
-
- if (!self::hasSessionRelaxedExpiry()) {
- $session->set('LAST_ACTIVITY', time());
- }
- $session->close();
- }
-
- private static function getSessionLifeTime(): int {
- return Server::get(IConfig::class)->getSystemValueInt('session_lifetime', 60 * 60 * 24);
- }
-
- /**
- * @return bool true if the session expiry should only be done by gc instead of an explicit timeout
- */
- public static function hasSessionRelaxedExpiry(): bool {
- return Server::get(IConfig::class)->getSystemValueBool('session_relaxed_expiry', false);
- }
-
- /**
- * Try to set some values to the required Nextcloud default
- */
- public static function setRequiredIniValues(): void {
- // Don't display errors and log them
- @ini_set('display_errors', '0');
- @ini_set('log_errors', '1');
-
- // Try to configure php to enable big file uploads.
- // This doesn't work always depending on the webserver and php configuration.
- // Let's try to overwrite some defaults if they are smaller than 1 hour
-
- if (intval(@ini_get('max_execution_time') ?: 0) < 3600) {
- @ini_set('max_execution_time', strval(3600));
- }
-
- if (intval(@ini_get('max_input_time') ?: 0) < 3600) {
- @ini_set('max_input_time', strval(3600));
- }
-
- // Try to set the maximum execution time to the largest time limit we have
- if (strpos(@ini_get('disable_functions'), 'set_time_limit') === false) {
- @set_time_limit(max(intval(@ini_get('max_execution_time')), intval(@ini_get('max_input_time'))));
- }
-
- @ini_set('default_charset', 'UTF-8');
- @ini_set('gd.jpeg_ignore_warning', '1');
- }
-
- /**
- * Send the same site cookies
- */
- private static function sendSameSiteCookies(): void {
- $cookieParams = session_get_cookie_params();
- $secureCookie = ($cookieParams['secure'] === true) ? 'secure; ' : '';
- $policies = [
- 'lax',
- 'strict',
- ];
-
- // Append __Host to the cookie if it meets the requirements
- $cookiePrefix = '';
- if ($cookieParams['secure'] === true && $cookieParams['path'] === '/') {
- $cookiePrefix = '__Host-';
- }
-
- foreach ($policies as $policy) {
- header(
- sprintf(
- 'Set-Cookie: %snc_sameSiteCookie%s=true; path=%s; httponly;' . $secureCookie . 'expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=%s',
- $cookiePrefix,
- $policy,
- $cookieParams['path'],
- $policy
- ),
- false
- );
- }
- }
-
- /**
- * Same Site cookie to further mitigate CSRF attacks. This cookie has to
- * be set in every request if cookies are sent to add a second level of
- * defense against CSRF.
- *
- * If the cookie is not sent this will set the cookie and reload the page.
- * We use an additional cookie since we want to protect logout CSRF and
- * also we can't directly interfere with PHP's session mechanism.
- */
- private static function performSameSiteCookieProtection(IConfig $config): void {
- $request = Server::get(IRequest::class);
-
- // Some user agents are notorious and don't really properly follow HTTP
- // specifications. For those, have an automated opt-out. Since the protection
- // for remote.php is applied in base.php as starting point we need to opt out
- // here.
- $incompatibleUserAgents = $config->getSystemValue('csrf.optout');
-
- // Fallback, if csrf.optout is unset
- if (!is_array($incompatibleUserAgents)) {
- $incompatibleUserAgents = [
- // OS X Finder
- '/^WebDAVFS/',
- // Windows webdav drive
- '/^Microsoft-WebDAV-MiniRedir/',
- ];
- }
-
- if ($request->isUserAgent($incompatibleUserAgents)) {
- return;
- }
-
- if (count($_COOKIE) > 0) {
- $requestUri = $request->getScriptName();
- $processingScript = explode('/', $requestUri);
- $processingScript = $processingScript[count($processingScript) - 1];
-
- if ($processingScript === 'index.php' // index.php routes are handled in the middleware
- || $processingScript === 'cron.php' // and cron.php does not need any authentication at all
- || $processingScript === 'public.php' // For public.php, auth for password protected shares is done in the PublicAuth plugin
- ) {
- return;
- }
-
- // All other endpoints require the lax and the strict cookie
- if (!$request->passesStrictCookieCheck()) {
- logger('core')->warning('Request does not pass strict cookie check');
- self::sendSameSiteCookies();
- // Debug mode gets access to the resources without strict cookie
- // due to the fact that the SabreDAV browser also lives there.
- if (!$config->getSystemValueBool('debug', false)) {
- http_response_code(\OCP\AppFramework\Http::STATUS_PRECONDITION_FAILED);
- header('Content-Type: application/json');
- echo json_encode(['error' => 'Strict Cookie has not been found in request']);
- exit();
- }
- }
- } elseif (!isset($_COOKIE['nc_sameSiteCookielax']) || !isset($_COOKIE['nc_sameSiteCookiestrict'])) {
- self::sendSameSiteCookies();
- }
- }
-
- /**
- * This function adds some security related headers to all requests served via base.php
- * The implementation of this function has to happen here to ensure that all third-party
- * components (e.g. SabreDAV) also benefit from this headers.
- */
- private static function addSecurityHeaders(): void {
- /**
- * FIXME: Content Security Policy for legacy components. This
- * can be removed once \OCP\AppFramework\Http\Response from the AppFramework
- * is used everywhere.
- * @see \OCP\AppFramework\Http\Response::getHeaders
- */
- $policy = 'default-src \'self\'; '
- . 'script-src \'self\' \'nonce-' . Server::get(ContentSecurityPolicyNonceManager::class)->getNonce() . '\'; '
- . 'style-src \'self\' \'unsafe-inline\'; '
- . 'frame-src *; '
- . 'img-src * data: blob:; '
- . 'font-src \'self\' data:; '
- . 'media-src *; '
- . 'connect-src *; '
- . 'object-src \'none\'; '
- . 'base-uri \'self\'; ';
- header('Content-Security-Policy:' . $policy);
-
- // Send fallback headers for installations that don't have the possibility to send
- // custom headers on the webserver side
- if (getenv('modHeadersAvailable') !== 'true') {
- header('Referrer-Policy: no-referrer'); // https://www.w3.org/TR/referrer-policy/
- header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
- header('X-Frame-Options: SAMEORIGIN'); // Disallow iFraming from other domains
- header('X-Permitted-Cross-Domain-Policies: none'); // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
- header('X-Robots-Tag: noindex, nofollow'); // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
- }
- }
-
- public static function init(): void {
- // First handle PHP configuration and copy auth headers to the expected
- // $_SERVER variable before doing anything Server object related
- self::setRequiredIniValues();
- self::handleAuthHeaders();
-
- // prevent any XML processing from loading external entities
- libxml_set_external_entity_loader(static function () {
- return null;
- });
-
- // Set default timezone before the Server object is booted
- if (!date_default_timezone_set('UTC')) {
- throw new \RuntimeException('Could not set timezone to UTC');
- }
-
- // calculate the root directories
- OC::$SERVERROOT = str_replace('\\', '/', substr(__DIR__, 0, -4));
-
- // register autoloader
- $loaderStart = microtime(true);
-
- self::$CLI = (php_sapi_name() == 'cli');
-
- // Add default composer PSR-4 autoloader, ensure apcu to be disabled
- self::$composerAutoloader = require_once OC::$SERVERROOT . '/lib/composer/autoload.php';
- self::$composerAutoloader->setApcuPrefix(null);
-
- try {
- self::initPaths();
- // setup 3rdparty autoloader
- $vendorAutoLoad = OC::$SERVERROOT . '/3rdparty/autoload.php';
- if (!file_exists($vendorAutoLoad)) {
- throw new \RuntimeException('Composer autoloader not found, unable to continue. Check the folder "3rdparty". Running "git submodule update --init" will initialize the git submodule that handles the subfolder "3rdparty".');
- }
- require_once $vendorAutoLoad;
- } catch (\RuntimeException $e) {
- if (!self::$CLI) {
- http_response_code(503);
- }
- // we can't use the template error page here, because this needs the
- // DI container which isn't available yet
- print($e->getMessage());
- exit();
- }
- $loaderEnd = microtime(true);
-
- // Enable lazy loading if activated
- \OC\AppFramework\Utility\SimpleContainer::$useLazyObjects = (bool)self::$config->getValue('enable_lazy_objects', true);
-
- // setup the basic server
- self::$server = new \OC\Server(\OC::$WEBROOT, self::$config);
- self::$server->boot();
-
- try {
- $profiler = new BuiltInProfiler(
- Server::get(IConfig::class),
- Server::get(IRequest::class),
- );
- $profiler->start();
- } catch (\Throwable $e) {
- logger('core')->error('Failed to start profiler: ' . $e->getMessage(), ['app' => 'base']);
- }
-
- if (self::$CLI && in_array('--' . \OCP\Console\ReservedOptions::DEBUG_LOG, $_SERVER['argv'])) {
- \OC\Core\Listener\BeforeMessageLoggedEventListener::setup();
- }
-
- $eventLogger = Server::get(\OCP\Diagnostics\IEventLogger::class);
- $eventLogger->log('autoloader', 'Autoloader', $loaderStart, $loaderEnd);
- $eventLogger->start('boot', 'Initialize');
-
- // Override php.ini and log everything if we're troubleshooting
- if (self::$config->getValue('loglevel') === ILogger::DEBUG) {
- error_reporting(E_ALL);
- }
-
- // initialize intl fallback if necessary
- OC_Util::isSetLocaleWorking();
-
- $config = Server::get(IConfig::class);
- if (!defined('PHPUNIT_RUN')) {
- $errorHandler = new OC\Log\ErrorHandler(
- Server::get(\Psr\Log\LoggerInterface::class),
- );
- $exceptionHandler = [$errorHandler, 'onException'];
- if ($config->getSystemValueBool('debug', false)) {
- set_error_handler([$errorHandler, 'onAll'], E_ALL);
- if (\OC::$CLI) {
- $exceptionHandler = [Server::get(ITemplateManager::class), 'printExceptionErrorPage'];
- }
- } else {
- set_error_handler([$errorHandler, 'onError']);
- }
- register_shutdown_function([$errorHandler, 'onShutdown']);
- set_exception_handler($exceptionHandler);
- }
-
- /** @var \OC\AppFramework\Bootstrap\Coordinator $bootstrapCoordinator */
- $bootstrapCoordinator = Server::get(\OC\AppFramework\Bootstrap\Coordinator::class);
- $bootstrapCoordinator->runInitialRegistration();
-
- $eventLogger->start('init_session', 'Initialize session');
-
- // Check for PHP SimpleXML extension earlier since we need it before our other checks and want to provide a useful hint for web users
- // see https://github.com/nextcloud/server/pull/2619
- if (!function_exists('simplexml_load_file')) {
- throw new \OCP\HintException('The PHP SimpleXML/PHP-XML extension is not installed.', 'Install the extension or make sure it is enabled.');
- }
-
- $systemConfig = Server::get(\OC\SystemConfig::class);
- $appManager = Server::get(\OCP\App\IAppManager::class);
- if ($systemConfig->getValue('installed', false)) {
- $appManager->loadApps(['session']);
- }
- if (!self::$CLI) {
- self::initSession();
- }
- $eventLogger->end('init_session');
- self::checkConfig();
- self::checkInstalled($systemConfig);
-
- if (!self::$CLI) {
- self::addSecurityHeaders();
- self::performSameSiteCookieProtection($config);
- }
-
- if (!defined('OC_CONSOLE')) {
- $eventLogger->start('check_server', 'Run a few configuration checks');
- $errors = OC_Util::checkServer($systemConfig);
- if (count($errors) > 0) {
- if (!self::$CLI) {
- http_response_code(503);
- Util::addStyle('guest');
- try {
- Server::get(ITemplateManager::class)->printGuestPage('', 'error', ['errors' => $errors]);
- exit;
- } catch (\Exception $e) {
- // In case any error happens when showing the error page, we simply fall back to posting the text.
- // This might be the case when e.g. the data directory is broken and we can not load/write SCSS to/from it.
- }
- }
-
- // Convert l10n string into regular string for usage in database
- $staticErrors = [];
- foreach ($errors as $error) {
- echo $error['error'] . "\n";
- echo $error['hint'] . "\n\n";
- $staticErrors[] = [
- 'error' => (string)$error['error'],
- 'hint' => (string)$error['hint'],
- ];
- }
-
- try {
- $config->setAppValue('core', 'cronErrors', json_encode($staticErrors));
- } catch (\Exception $e) {
- echo('Writing to database failed');
- }
- exit(1);
- } elseif (self::$CLI && $config->getSystemValueBool('installed', false)) {
- $config->deleteAppValue('core', 'cronErrors');
- }
- $eventLogger->end('check_server');
- }
-
- // User and Groups
- if (!$systemConfig->getValue('installed', false)) {
- Server::get(ISession::class)->set('user_id', '');
- }
-
- $eventLogger->start('setup_backends', 'Setup group and user backends');
- Server::get(\OCP\IUserManager::class)->registerBackend(new \OC\User\Database());
- Server::get(\OCP\IGroupManager::class)->addBackend(new \OC\Group\Database());
-
- // Subscribe to the hook
- \OCP\Util::connectHook(
- '\OCA\Files_Sharing\API\Server2Server',
- 'preLoginNameUsedAsUserName',
- '\OC\User\Database',
- 'preLoginNameUsedAsUserName'
- );
-
- //setup extra user backends
- if (!\OCP\Util::needUpgrade()) {
- OC_User::setupBackends();
- } else {
- // Run upgrades in incognito mode
- OC_User::setIncognitoMode(true);
- }
- $eventLogger->end('setup_backends');
-
- self::registerCleanupHooks($systemConfig);
- self::registerShareHooks($systemConfig);
- self::registerEncryptionWrapperAndHooks();
- self::registerAccountHooks();
- self::registerResourceCollectionHooks();
- self::registerFileReferenceEventListener();
- self::registerRenderReferenceEventListener();
- self::registerAppRestrictionsHooks();
-
- // Make sure that the application class is not loaded before the database is setup
- if ($systemConfig->getValue('installed', false)) {
- $appManager->loadApp('settings');
- }
-
- //make sure temporary files are cleaned up
- $tmpManager = Server::get(\OCP\ITempManager::class);
- register_shutdown_function([$tmpManager, 'clean']);
- $lockProvider = Server::get(\OCP\Lock\ILockingProvider::class);
- register_shutdown_function([$lockProvider, 'releaseAll']);
-
- // Check whether the sample configuration has been copied
- if ($systemConfig->getValue('copied_sample_config', false)) {
- $l = Server::get(\OCP\L10N\IFactory::class)->get('lib');
- Server::get(ITemplateManager::class)->printErrorPage(
- $l->t('Sample configuration detected'),
- $l->t('It has been detected that the sample configuration has been copied. This can break your installation and is unsupported. Please read the documentation before performing changes on config.php'),
- 503
- );
- return;
- }
-
- $request = Server::get(IRequest::class);
- $host = $request->getInsecureServerHost();
- /**
- * if the host passed in headers isn't trusted
- * FIXME: Should not be in here at all :see_no_evil:
- */
- if (!OC::$CLI
- && !Server::get(\OC\Security\TrustedDomainHelper::class)->isTrustedDomain($host)
- && $config->getSystemValueBool('installed', false)
- ) {
- // Allow access to CSS resources
- $isScssRequest = false;
- if (strpos($request->getPathInfo() ?: '', '/css/') === 0) {
- $isScssRequest = true;
- }
-
- if (substr($request->getRequestUri(), -11) === '/status.php') {
- http_response_code(400);
- header('Content-Type: application/json');
- echo '{"error": "Trusted domain error.", "code": 15}';
- exit();
- }
-
- if (!$isScssRequest) {
- http_response_code(400);
- Server::get(LoggerInterface::class)->info(
- 'Trusted domain error. "{remoteAddress}" tried to access using "{host}" as host.',
- [
- 'app' => 'core',
- 'remoteAddress' => $request->getRemoteAddress(),
- 'host' => $host,
- ]
- );
-
- $tmpl = Server::get(ITemplateManager::class)->getTemplate('core', 'untrustedDomain', 'guest');
- $tmpl->assign('docUrl', Server::get(IURLGenerator::class)->linkToDocs('admin-trusted-domains'));
- $tmpl->printPage();
-
- exit();
- }
- }
- $eventLogger->end('boot');
- $eventLogger->log('init', 'OC::init', $loaderStart, microtime(true));
- $eventLogger->start('runtime', 'Runtime');
- $eventLogger->start('request', 'Full request after boot');
- register_shutdown_function(function () use ($eventLogger) {
- $eventLogger->end('request');
- });
-
- register_shutdown_function(function () use ($config) {
- $memoryPeak = memory_get_peak_usage();
- $debugModeEnabled = $config->getSystemValueBool('debug', false);
- $memoryLimit = null;
-
- if (!$debugModeEnabled) {
- // Use the memory helper to get the real memory limit in bytes if debug mode is disabled
- try {
- $memoryInfo = new \OC\MemoryInfo();
- $memoryLimit = $memoryInfo->getMemoryLimit();
- } catch (Throwable $e) {
- // Ignore any errors and fall back to hardcoded thresholds
- }
- }
-
- // Check if a memory limit is configured and can be retrieved and determine log level if debug mode is disabled
- if (!$debugModeEnabled && $memoryLimit !== null && $memoryLimit !== -1) {
- $logLevel = match (true) {
- $memoryPeak > $memoryLimit * 0.9 => ILogger::FATAL,
- $memoryPeak > $memoryLimit * 0.75 => ILogger::ERROR,
- $memoryPeak > $memoryLimit * 0.5 => ILogger::WARN,
- default => null,
- };
-
- $memoryLimitIni = @ini_get('memory_limit');
- $message = 'Request used ' . Util::humanFileSize($memoryPeak) . ' of memory. Memory limit: ' . ($memoryLimitIni ?: 'unknown');
- } else {
- // Fall back to hardcoded thresholds if memory_limit cannot be determined or if debug mode is enabled
- $logLevel = match (true) {
- $memoryPeak > 500_000_000 => ILogger::FATAL,
- $memoryPeak > 400_000_000 => ILogger::ERROR,
- $memoryPeak > 300_000_000 => ILogger::WARN,
- default => null,
- };
-
- $message = 'Request used more than 300 MB of RAM: ' . Util::humanFileSize($memoryPeak);
- }
-
- // Log the message
- if ($logLevel !== null) {
- $logger = Server::get(LoggerInterface::class);
- $logger->log($logLevel, $message, ['app' => 'core']);
- }
- });
- }
-
- /**
- * register hooks for the cleanup of cache and bruteforce protection
- */
- public static function registerCleanupHooks(\OC\SystemConfig $systemConfig): void {
- //don't try to do this before we are properly setup
- if ($systemConfig->getValue('installed', false) && !\OCP\Util::needUpgrade()) {
- // NOTE: This will be replaced to use OCP
- $userSession = Server::get(\OC\User\Session::class);
- $userSession->listen('\OC\User', 'postLogin', function () use ($userSession) {
- if (!defined('PHPUNIT_RUN') && $userSession->isLoggedIn()) {
- // reset brute force delay for this IP address and username
- $uid = $userSession->getUser()->getUID();
- $request = Server::get(IRequest::class);
- $throttler = Server::get(IThrottler::class);
- $throttler->resetDelay($request->getRemoteAddress(), 'login', ['user' => $uid]);
- }
-
- try {
- $cache = new \OC\Cache\File();
- $cache->gc();
- } catch (\OC\ServerNotAvailableException $e) {
- // not a GC exception, pass it on
- throw $e;
- } catch (\OC\ForbiddenException $e) {
- // filesystem blocked for this request, ignore
- } catch (\Exception $e) {
- // a GC exception should not prevent users from using OC,
- // so log the exception
- Server::get(LoggerInterface::class)->warning('Exception when running cache gc.', [
- 'app' => 'core',
- 'exception' => $e,
- ]);
- }
- });
- }
- }
-
- private static function registerEncryptionWrapperAndHooks(): void {
- /** @var \OC\Encryption\Manager */
- $manager = Server::get(\OCP\Encryption\IManager::class);
- Server::get(IEventDispatcher::class)->addListener(
- BeforeFileSystemSetupEvent::class,
- $manager->setupStorage(...),
- );
-
- $enabled = $manager->isEnabled();
- if ($enabled) {
- \OC\Encryption\EncryptionEventListener::register(Server::get(IEventDispatcher::class));
- }
- }
-
- private static function registerAccountHooks(): void {
- /** @var IEventDispatcher $dispatcher */
- $dispatcher = Server::get(IEventDispatcher::class);
- $dispatcher->addServiceListener(UserChangedEvent::class, \OC\Accounts\Hooks::class);
- }
-
- private static function registerAppRestrictionsHooks(): void {
- /** @var \OC\Group\Manager $groupManager */
- $groupManager = Server::get(\OCP\IGroupManager::class);
- $groupManager->listen('\OC\Group', 'postDelete', function (\OCP\IGroup $group) {
- $appManager = Server::get(\OCP\App\IAppManager::class);
- $apps = $appManager->getEnabledAppsForGroup($group);
- foreach ($apps as $appId) {
- $restrictions = $appManager->getAppRestriction($appId);
- if (empty($restrictions)) {
- continue;
- }
- $key = array_search($group->getGID(), $restrictions, true);
- unset($restrictions[$key]);
- $restrictions = array_values($restrictions);
- if (empty($restrictions)) {
- $appManager->disableApp($appId);
- } else {
- $appManager->enableAppForGroups($appId, $restrictions);
- }
- }
- });
- }
-
- private static function registerResourceCollectionHooks(): void {
- \OC\Collaboration\Resources\Listener::register(Server::get(IEventDispatcher::class));
- }
-
- private static function registerFileReferenceEventListener(): void {
- \OC\Collaboration\Reference\File\FileReferenceEventListener::register(Server::get(IEventDispatcher::class));
- }
-
- private static function registerRenderReferenceEventListener() {
- \OC\Collaboration\Reference\RenderReferenceEventListener::register(Server::get(IEventDispatcher::class));
- }
-
- /**
- * register hooks for sharing
- */
- public static function registerShareHooks(\OC\SystemConfig $systemConfig): void {
- if ($systemConfig->getValue('installed')) {
-
- $dispatcher = Server::get(IEventDispatcher::class);
- $dispatcher->addServiceListener(UserRemovedEvent::class, UserRemovedListener::class);
- $dispatcher->addServiceListener(GroupDeletedEvent::class, GroupDeletedListener::class);
- $dispatcher->addServiceListener(UserDeletedEvent::class, UserDeletedListener::class);
- }
- }
-
- /**
- * Handle the request
- */
- public static function handleRequest(): void {
- Server::get(\OCP\Diagnostics\IEventLogger::class)->start('handle_request', 'Handle request');
- $systemConfig = Server::get(\OC\SystemConfig::class);
-
- // Check if Nextcloud is installed or in maintenance (update) mode
- if (!$systemConfig->getValue('installed', false)) {
- Server::get(ISession::class)->clear();
- $controller = Server::get(\OC\Core\Controller\SetupController::class);
- $controller->run($_POST);
- exit();
- }
-
- $request = Server::get(IRequest::class);
- $request->throwDecodingExceptionIfAny();
- $requestPath = $request->getRawPathInfo();
- if ($requestPath === '/heartbeat') {
- return;
- }
- if (substr($requestPath, -3) !== '.js') { // we need these files during the upgrade
- self::checkMaintenanceMode($systemConfig);
-
- if (\OCP\Util::needUpgrade()) {
- if (function_exists('opcache_reset')) {
- opcache_reset();
- }
- if (!((bool)$systemConfig->getValue('maintenance', false))) {
- self::printUpgradePage($systemConfig);
- exit();
- }
- }
- }
-
- $appManager = Server::get(\OCP\App\IAppManager::class);
-
- // Always load authentication apps
- $appManager->loadApps(['authentication']);
- $appManager->loadApps(['extended_authentication']);
-
- // Load minimum set of apps
- if (!\OCP\Util::needUpgrade()
- && !((bool)$systemConfig->getValue('maintenance', false))) {
- // For logged-in users: Load everything
- if (Server::get(IUserSession::class)->isLoggedIn()) {
- $appManager->loadApps();
- } else {
- // For guests: Load only filesystem and logging
- $appManager->loadApps(['filesystem', 'logging']);
-
- // Don't try to login when a client is trying to get a OAuth token.
- // OAuth needs to support basic auth too, so the login is not valid
- // inside Nextcloud and the Login exception would ruin it.
- if ($request->getRawPathInfo() !== '/apps/oauth2/api/v1/token') {
- try {
- self::handleLogin($request);
- } catch (DisabledUserException $e) {
- // Disabled users would not be seen as logged in and
- // trying to log them in would fail, so the login
- // exception is ignored for the themed stylesheets and
- // images.
- if ($request->getRawPathInfo() !== '/apps/theming/theme/default.css'
- && $request->getRawPathInfo() !== '/apps/theming/theme/light.css'
- && $request->getRawPathInfo() !== '/apps/theming/theme/dark.css'
- && $request->getRawPathInfo() !== '/apps/theming/theme/light-highcontrast.css'
- && $request->getRawPathInfo() !== '/apps/theming/theme/dark-highcontrast.css'
- && $request->getRawPathInfo() !== '/apps/theming/theme/opendyslexic.css'
- && $request->getRawPathInfo() !== '/apps/theming/image/background'
- && $request->getRawPathInfo() !== '/apps/theming/image/logo'
- && $request->getRawPathInfo() !== '/apps/theming/image/logoheader'
- && !str_starts_with($request->getRawPathInfo(), '/apps/theming/favicon')
- && !str_starts_with($request->getRawPathInfo(), '/apps/theming/icon')) {
- throw $e;
- }
- }
- }
- }
- }
-
- if (!self::$CLI) {
- try {
- if (!\OCP\Util::needUpgrade()) {
- $appManager->loadApps(['filesystem', 'logging']);
- $appManager->loadApps();
- }
- Server::get(\OC\Route\Router::class)->match($request->getRawPathInfo());
- return;
- } catch (Symfony\Component\Routing\Exception\ResourceNotFoundException $e) {
- //header('HTTP/1.0 404 Not Found');
- } catch (Symfony\Component\Routing\Exception\MethodNotAllowedException $e) {
- http_response_code(405);
- return;
- }
- }
-
- // Handle WebDAV
- if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PROPFIND') {
- // not allowed any more to prevent people
- // mounting this root directly.
- // Users need to mount remote.php/webdav instead.
- http_response_code(405);
- return;
- }
-
- // Handle requests for JSON or XML
- $acceptHeader = $request->getHeader('Accept');
- if (in_array($acceptHeader, ['application/json', 'application/xml'], true)) {
- http_response_code(404);
- return;
- }
-
- // Handle resources that can't be found
- // This prevents browsers from redirecting to the default page and then
- // attempting to parse HTML as CSS and similar.
- $destinationHeader = $request->getHeader('Sec-Fetch-Dest');
- if (in_array($destinationHeader, ['font', 'script', 'style'])) {
- http_response_code(404);
- return;
- }
-
- // Redirect to the default app or login only as an entry point
- if ($requestPath === '') {
- // Someone is logged in
- $userSession = Server::get(IUserSession::class);
- if ($userSession->isLoggedIn()) {
- header('X-User-Id: ' . $userSession->getUser()?->getUID());
- header('Location: ' . Server::get(IURLGenerator::class)->linkToDefaultPageUrl());
- } else {
- // Not handled and not logged in
- header('Location: ' . Server::get(IURLGenerator::class)->linkToRouteAbsolute('core.login.showLoginForm'));
- }
- return;
- }
-
- try {
- Server::get(\OC\Route\Router::class)->match('/error/404');
- } catch (\Exception $e) {
- if (!$e instanceof MethodNotAllowedException) {
- logger('core')->emergency($e->getMessage(), ['exception' => $e]);
- }
- $l = Server::get(\OCP\L10N\IFactory::class)->get('lib');
- Server::get(ITemplateManager::class)->printErrorPage(
- '404',
- $l->t('The page could not be found on the server.'),
- 404
- );
- }
- }
-
- /**
- * Check login: apache auth, auth token, basic auth
- */
- public static function handleLogin(OCP\IRequest $request): bool {
- if ($request->getHeader('X-Nextcloud-Federation')) {
- return false;
- }
- $userSession = Server::get(\OC\User\Session::class);
- if (OC_User::handleApacheAuth()) {
- return true;
- }
- if (self::tryAppAPILogin($request)) {
- return true;
- }
- if ($userSession->tryTokenLogin($request)) {
- return true;
- }
- if (isset($_COOKIE['nc_username'])
- && isset($_COOKIE['nc_token'])
- && isset($_COOKIE['nc_session_id'])
- && $userSession->loginWithCookie($_COOKIE['nc_username'], $_COOKIE['nc_token'], $_COOKIE['nc_session_id'])) {
- return true;
- }
- if ($userSession->tryBasicAuthLogin($request, Server::get(IThrottler::class))) {
- return true;
- }
- return false;
- }
-
- protected static function handleAuthHeaders(): void {
- //copy http auth headers for apache+php-fcgid work around
- if (isset($_SERVER['HTTP_XAUTHORIZATION']) && !isset($_SERVER['HTTP_AUTHORIZATION'])) {
- $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['HTTP_XAUTHORIZATION'];
- }
-
- // Extract PHP_AUTH_USER/PHP_AUTH_PW from other headers if necessary.
- $vars = [
- 'HTTP_AUTHORIZATION', // apache+php-cgi work around
- 'REDIRECT_HTTP_AUTHORIZATION', // apache+php-cgi alternative
- ];
- foreach ($vars as $var) {
- if (isset($_SERVER[$var]) && is_string($_SERVER[$var]) && preg_match('/Basic\s+(.*)$/i', $_SERVER[$var], $matches)) {
- $credentials = explode(':', base64_decode($matches[1]), 2);
- if (count($credentials) === 2) {
- $_SERVER['PHP_AUTH_USER'] = $credentials[0];
- $_SERVER['PHP_AUTH_PW'] = $credentials[1];
- break;
- }
- }
- }
- }
-
- protected static function tryAppAPILogin(OCP\IRequest $request): bool {
- if (!$request->getHeader('AUTHORIZATION-APP-API')) {
- return false;
- }
- $appManager = Server::get(OCP\App\IAppManager::class);
- if (!$appManager->isEnabledForAnyone('app_api')) {
- return false;
- }
- try {
- $appAPIService = Server::get(OCA\AppAPI\Service\AppAPIService::class);
- return $appAPIService->validateExAppRequestToNC($request);
- } catch (\Psr\Container\NotFoundExceptionInterface|\Psr\Container\ContainerExceptionInterface $e) {
- return false;
- }
- }
-}
-
-OC::init();
+\OC::boot();
+\OC::init();
diff --git a/lib/private/Files/Filesystem.php b/lib/private/Files/Filesystem.php
index 5d8824c67e1cb..7cd143094c01a 100644
--- a/lib/private/Files/Filesystem.php
+++ b/lib/private/Files/Filesystem.php
@@ -28,32 +28,32 @@
class Filesystem {
/**
- * @psalm-suppress ImpureStaticProperty
+ * @psalm-suppress ImpureStaticProperty This class has a reset method
*/
private static ?Mount\Manager $mounts = null;
/**
- * @psalm-suppress ImpureStaticProperty
+ * @psalm-suppress ImpureStaticProperty This class has a reset method
*/
public static bool $loaded = false;
/**
- * @psalm-suppress ImpureStaticProperty
+ * @psalm-suppress ImpureStaticProperty This class has a reset method
*/
private static ?View $defaultInstance = null;
/**
- * @psalm-suppress ImpureStaticProperty
+ * @psalm-suppress ImpureStaticProperty This class has a reset method
*/
private static ?FilenameValidator $validator = null;
/**
- * @psalm-suppress ImpureStaticProperty
+ * @psalm-suppress ImpureStaticProperty This class has a reset method
*/
private static ?StorageFactory $loader = null;
/**
- * @psalm-suppress ImpureStaticProperty
+ * @psalm-suppress ImpureStaticProperty This class has a reset method
*/
private static bool $logWarningWhenAddingStorageWrapper = true;
@@ -721,4 +721,12 @@ public static function getOwner($path) {
public static function getETag(string $path): string|false {
return self::$defaultInstance->getETag($path);
}
+
+ public static function reset(): void {
+ self::$defaultInstance = null;
+ self::$loader = null;
+ self::$loaded = false;
+ self::$mounts = null;
+ self::$validator = null;
+ }
}
diff --git a/lib/private/legacy/OC_App.php b/lib/private/legacy/OC_App.php
index 40e27e642ae6d..d240b996bcf77 100644
--- a/lib/private/legacy/OC_App.php
+++ b/lib/private/legacy/OC_App.php
@@ -44,6 +44,14 @@ class OC_App {
public const supportedApp = 300;
public const officialApp = 200;
+ /**
+ * @internal
+ */
+ public static function reset(): void {
+ self::$altLogin = [];
+ self::$alreadyRegistered = [];
+ }
+
/**
* clean the appId
*
diff --git a/lib/private/legacy/OC_Helper.php b/lib/private/legacy/OC_Helper.php
index ad736b8218bfd..8e9135b185707 100644
--- a/lib/private/legacy/OC_Helper.php
+++ b/lib/private/legacy/OC_Helper.php
@@ -46,6 +46,14 @@ class OC_Helper {
private static ?ICacheFactory $cacheFactory = null;
private static ?bool $quotaIncludeExternalStorage = null;
+ /**
+ * @internal
+ */
+ public static function reset(): void {
+ self::$cacheFactory = null;
+ self::$quotaIncludeExternalStorage = null;
+ }
+
/**
* Recursive copying of folders
* @param string $src source folder
diff --git a/lib/private/legacy/OC_Hook.php b/lib/private/legacy/OC_Hook.php
index 888057a7aca23..0def846b7cfd8 100644
--- a/lib/private/legacy/OC_Hook.php
+++ b/lib/private/legacy/OC_Hook.php
@@ -114,6 +114,7 @@ public static function clear($signalClass = '', $signalName = '') {
}
} else {
self::$registered = [];
+ self::$thrownExceptions = [];
}
}
diff --git a/lib/private/legacy/OC_User.php b/lib/private/legacy/OC_User.php
index 910253490b7fc..1cc3b343832b1 100644
--- a/lib/private/legacy/OC_User.php
+++ b/lib/private/legacy/OC_User.php
@@ -52,7 +52,7 @@
* logout()
*/
class OC_User {
- private static $_setupedBackends = [];
+ public static $_setupedBackends = [];
// bool, stores if a user want to access a resource anonymously, e.g if they open a public link
private static $incognitoMode = false;