Merge pull request #42866 from nextcloud/backport/42862/stable26

[stable26] fix(manifest): Check if app exists instead of accessing null as an array
nextcloud · Jan 17, 2024 · 711ee5e · 711ee5e
2 parents fdf3e62 + ea8553f
commit 711ee5e
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 15 deletions.
diff --git a/apps/theming/lib/Controller/IconController.php b/apps/theming/lib/Controller/IconController.php
@@ -31,6 +31,7 @@
 use OCA\Theming\IconBuilder;
 use OCA\Theming\ImageManager;
 use OCA\Theming\ThemingDefaults;
+use OCP\App\IAppManager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataDisplayResponse;
@@ -49,31 +50,25 @@ class IconController extends Controller {
 	private $imageManager;
 	/** @var FileAccessHelper */
 	private $fileAccessHelper;
+	/** @var IAppManager */
+	private $appManager;
 
-	/**
-	 * IconController constructor.
-	 *
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param ThemingDefaults $themingDefaults
-	 * @param IconBuilder $iconBuilder
-	 * @param ImageManager $imageManager
-	 * @param FileAccessHelper $fileAccessHelper
-	 */
 	public function __construct(
 		$appName,
 		IRequest $request,
 		ThemingDefaults $themingDefaults,
 		IconBuilder $iconBuilder,
 		ImageManager $imageManager,
-		FileAccessHelper $fileAccessHelper
+		FileAccessHelper $fileAccessHelper,
+		IAppManager $appManager
 	) {
 		parent::__construct($appName, $request);
 
 		$this->themingDefaults = $themingDefaults;
 		$this->iconBuilder = $iconBuilder;
 		$this->imageManager = $imageManager;
 		$this->fileAccessHelper = $fileAccessHelper;
+		$this->appManager = $appManager;
 	}
 
 	/**
@@ -86,6 +81,11 @@ public function __construct(
 	 * @throws \Exception
 	 */
 	public function getThemedIcon(string $app, string $image): Response {
+		if ($app !== 'core' && !$this->appManager->isEnabledForUser($app)) {
+			$app = 'core';
+			$image = 'favicon.png';
+		}
+
 		$color = $this->themingDefaults->getColorPrimary();
 		try {
 			$iconFileName = $this->imageManager->getCachedImage('icon-' . $app . '-' . $color . str_replace('/', '_', $image));
@@ -112,6 +112,10 @@ public function getThemedIcon(string $app, string $image): Response {
 	 * @throws \Exception
 	 */
 	public function getFavicon(string $app = 'core'): Response {
+		if ($app !== 'core' && !$this->appManager->isEnabledForUser($app)) {
+			$app = 'core';
+		}
+
 		$response = null;
 		$iconFile = null;
 		try {
@@ -151,6 +155,10 @@ public function getFavicon(string $app = 'core'): Response {
 	 * @throws \Exception
 	 */
 	public function getTouchIcon(string $app = 'core'): Response {
+		if ($app !== 'core' && !$this->appManager->isEnabledForUser($app)) {
+			$app = 'core';
+		}
+
 		$response = null;
 		try {
 			$iconFile = $this->imageManager->getImage('favicon');

diff --git a/apps/theming/lib/Controller/ThemingController.php b/apps/theming/lib/Controller/ThemingController.php
@@ -386,6 +386,7 @@ public function getThemeStylesheet(string $themeId, bool $plain = false, bool $w
 	/**
 	 * @NoCSRFRequired
 	 * @PublicPage
+	 * @BruteForceProtection(action=manifest)
 	 *
 	 * @return Http\JSONResponse
 	 */
@@ -397,6 +398,12 @@ public function getManifest($app) {
 			$startUrl = $this->urlGenerator->getBaseUrl();
 			$description = $this->themingDefaults->getSlogan();
 		} else {
+			if (!$this->appManager->isEnabledForUser($app)) {
+				$response = new Http\JSONResponse([], Http::STATUS_NOT_FOUND);
+				$response->throttle(['action' => 'manifest', 'app' => $app]);
+				return $response;
+			}
+
 			$info = $this->appManager->getAppInfo($app, false, $this->l10n->getLanguageCode());
 			$name = $info['name'] . ' - ' . $this->themingDefaults->getName();
 			$shortName = $info['name'];

diff --git a/apps/theming/tests/Controller/IconControllerTest.php b/apps/theming/tests/Controller/IconControllerTest.php
@@ -33,6 +33,7 @@
 use OCA\Theming\IconBuilder;
 use OCA\Theming\ImageManager;
 use OCA\Theming\ThemingDefaults;
+use OCP\App\IAppManager;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataDisplayResponse;
 use OCP\AppFramework\Http\FileDisplayResponse;
@@ -57,6 +58,8 @@ class IconControllerTest extends TestCase {
 	private $iconBuilder;
 	/** @var FileAccessHelper|\PHPUnit\Framework\MockObject\MockObject */
 	private $fileAccessHelper;
+	/** @var IAppManager|\PHPUnit\Framework\MockObject\MockObject */
+	private $appManager;
 	/** @var ImageManager */
 	private $imageManager;
 
@@ -66,6 +69,7 @@ protected function setUp(): void {
 		$this->iconBuilder = $this->createMock(IconBuilder::class);
 		$this->imageManager = $this->createMock(ImageManager::class);
 		$this->fileAccessHelper = $this->createMock(FileAccessHelper::class);
+		$this->appManager = $this->createMock(IAppManager::class);
 
 		$this->timeFactory = $this->createMock(ITimeFactory::class);
 		$this->timeFactory->expects($this->any())
@@ -80,7 +84,8 @@ protected function setUp(): void {
 			$this->themingDefaults,
 			$this->iconBuilder,
 			$this->imageManager,
-			$this->fileAccessHelper
+			$this->fileAccessHelper,
+			$this->appManager,
 		);
 
 		parent::setUp();

diff --git a/core/templates/layout.guest.php b/core/templates/layout.guest.php
@@ -20,7 +20,7 @@
 		<link rel="icon" href="<?php print_unescaped(image_path('core', 'favicon.ico')); /* IE11+ supports png */ ?>">
 		<link rel="apple-touch-icon" href="<?php print_unescaped(image_path('core', 'favicon-touch.png')); ?>">
 		<link rel="mask-icon" sizes="any" href="<?php print_unescaped(image_path('core', 'favicon-mask.svg')); ?>" color="<?php p($theme->getColorPrimary()); ?>">
-		<link rel="manifest" href="<?php print_unescaped(image_path('core', 'manifest.json')); ?>">
+		<link rel="manifest" href="<?php print_unescaped(image_path('core', 'manifest.json')); ?>" crossorigin="use-credentials">
 		<?php emit_css_loading_tags($_); ?>
 		<?php emit_script_loading_tags($_); ?>
 		<?php print_unescaped($_['headers']); ?>

diff --git a/core/templates/layout.public.php b/core/templates/layout.public.php
@@ -21,7 +21,7 @@
 	<link rel="apple-touch-icon" href="<?php print_unescaped(image_path($_['appid'], 'favicon-touch.png')); ?>">
 	<link rel="apple-touch-icon-precomposed" href="<?php print_unescaped(image_path($_['appid'], 'favicon-touch.png')); ?>">
 	<link rel="mask-icon" sizes="any" href="<?php print_unescaped(image_path($_['appid'], 'favicon-mask.svg')); ?>" color="<?php p($theme->getColorPrimary()); ?>">
-	<link rel="manifest" href="<?php print_unescaped(image_path($_['appid'], 'manifest.json')); ?>">
+	<link rel="manifest" href="<?php print_unescaped(image_path($_['appid'], 'manifest.json')); ?>" crossorigin="use-credentials">
 	<?php emit_css_loading_tags($_); ?>
 	<?php emit_script_loading_tags($_); ?>
 	<?php print_unescaped($_['headers']); ?>

diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
@@ -37,7 +37,7 @@
 		<link rel="apple-touch-icon" href="<?php print_unescaped(image_path($_['appid'], 'favicon-touch.png')); ?>">
 		<link rel="apple-touch-icon-precomposed" href="<?php print_unescaped(image_path($_['appid'], 'favicon-touch.png')); ?>">
 		<link rel="mask-icon" sizes="any" href="<?php print_unescaped(image_path($_['appid'], 'favicon-mask.svg')); ?>" color="<?php p($theme->getColorPrimary()); ?>">
-		<link rel="manifest" href="<?php print_unescaped(image_path($_['appid'], 'manifest.json')); ?>">
+		<link rel="manifest" href="<?php print_unescaped(image_path($_['appid'], 'manifest.json')); ?>" crossorigin="use-credentials">
 		<?php emit_css_loading_tags($_); ?>
 		<?php emit_script_loading_tags($_); ?>
 		<?php print_unescaped($_['headers']); ?>