Merge pull request #705 from nextcloud/backport-408-psr4-for-theming

[stable10] Theming input validation

apps/theming/appinfo/app.php

@@ -31,7 +31,7 @@
 		'v' => \OC::$server->getConfig()->getAppValue('theming', 'cachebuster', '0'),
 	]
 );
-\OC_Util::addHeader(
+\OCP\Util::addHeader(
 	'link',
 	[
 		'rel' => 'stylesheet',

apps/theming/appinfo/routes.php

@@ -24,9 +24,7 @@
  *
  */
 
-namespace OCA\Theming\AppInfo;
-
-(new \OCP\AppFramework\App('theming'))->registerRoutes($this, array('routes' => array(
+return ['routes' => [
 	[
 		'name' => 'Theming#updateStylesheet',
 		'url' => '/ajax/updateStylesheet',
@@ -57,5 +55,5 @@
 		'url' => '/loginbackground',
 		'verb' => 'GET',
 	],
-)));
+]];
 

apps/theming/lib/controller/themingcontroller.php → apps/theming/lib/Controller/ThemingController.php

@@ -30,7 +30,10 @@
 use OCA\Theming\Template;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\DataDownloadResponse;
 use OCP\AppFramework\Http\DataResponse;
+use OCP\AppFramework\Http\StreamResponse;
+use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Files\IRootFolder;
 use OCP\IConfig;
 use OCP\IL10N;
@@ -47,6 +50,10 @@
 class ThemingController extends Controller {
 	/** @var Template */
 	private $template;
+	/** @var Util */
+	private $util;
+	/** @var ITimeFactory */
+	private $timeFactory;
 	/** @var IL10N */
 	private $l;
 	/** @var IConfig */
@@ -61,6 +68,8 @@ class ThemingController extends Controller {
 	 * @param IRequest $request
 	 * @param IConfig $config
 	 * @param Template $template
+	 * @param Util $util
+	 * @param ITimeFactory $timeFactory
 	 * @param IL10N $l
 	 * @param IRootFolder $rootFolder
 	 */
@@ -69,12 +78,16 @@ public function __construct(
 		IRequest $request,
 		IConfig $config,
 		Template $template,
+		Util $util,
+		ITimeFactory $timeFactory,
 		IL10N $l,
 		IRootFolder $rootFolder
 	) {
 		parent::__construct($appName, $request);
 
 		$this->template = $template;
+		$this->util = $util;
+		$this->timeFactory = $timeFactory;
 		$this->l = $l;
 		$this->config = $config;
 		$this->rootFolder = $rootFolder;
@@ -87,6 +100,50 @@ public function __construct(
 	 * @internal param string $color
 	 */
 	public function updateStylesheet($setting, $value) {
+		$value = trim($value);
+		switch ($setting) {
+			case 'name':
+				if (strlen($value) > 250) {
+					return new DataResponse([
+						'data' => [
+							'message' => $this->l->t('The given name is too long'),
+						],
+						'status' => 'error'
+					]);
+				}
+				break;
+			case 'url':
+				if (strlen($value) > 500) {
+					return new DataResponse([
+						'data' => [
+							'message' => $this->l->t('The given web address is too long'),
+						],
+						'status' => 'error'
+					]);
+				}
+				break;
+			case 'slogan':
+				if (strlen($value) > 500) {
+					return new DataResponse([
+						'data' => [
+							'message' => $this->l->t('The given slogan is too long'),
+						],
+						'status' => 'error'
+					]);
+				}
+				break;
+			case 'color':
+				if (!preg_match('/^\#([0-9a-f]{3}|[0-9a-f]{6})$/i', $value)) {
+					return new DataResponse([
+						'data' => [
+							'message' => $this->l->t('The given color is invalid'),
+						],
+						'status' => 'error'
+					]);
+				}
+				break;
+		}
+
 		$this->template->set($setting, $value);
 		return new DataResponse(
 			[
@@ -166,18 +223,17 @@ public function undo($setting) {
 	 * @PublicPage
 	 * @NoCSRFRequired
 	 *
-	 * @return Http\StreamResponse
+	 * @return StreamResponse|DataResponse
 	 */
 	public function getLogo() {
 		$pathToLogo = $this->config->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data/') . '/themedinstancelogo';
 		if(!file_exists($pathToLogo)) {
 			return new DataResponse();
 		}
 
-		\OC_Response::setExpiresHeader(gmdate('D, d M Y H:i:s', time() + (60*60*24*45)) . ' GMT');
-		\OC_Response::enableCaching();
 		$response = new Http\StreamResponse($pathToLogo);
 		$response->cacheFor(3600);
+		$response->addHeader('Expires', date(\DateTime::RFC2822, $this->timeFactory->getTime()));
 		$response->addHeader('Content-Disposition', 'attachment');
 		$response->addHeader('Content-Type', $this->config->getAppValue($this->appName, 'logoMime', ''));
 		return $response;
@@ -187,18 +243,17 @@ public function getLogo() {
 	 * @PublicPage
 	 * @NoCSRFRequired
 	 *
-	 * @return Http\StreamResponse
+	 * @return StreamResponse|DataResponse
 	 */
 	public function getLoginBackground() {
 		$pathToLogo = $this->config->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data/') . '/themedbackgroundlogo';
 		if(!file_exists($pathToLogo)) {
 			return new DataResponse();
 		}
 
-		\OC_Response::setExpiresHeader(gmdate('D, d M Y H:i:s', time() + (60*60*24*45)) . ' GMT');
-		\OC_Response::enableCaching();
-		$response = new Http\StreamResponse($pathToLogo);
+		$response = new StreamResponse($pathToLogo);
 		$response->cacheFor(3600);
+		$response->addHeader('Expires', date(\DateTime::RFC2822, $this->timeFactory->getTime()));
 		$response->addHeader('Content-Disposition', 'attachment');
 		$response->addHeader('Content-Type', $this->config->getAppValue($this->appName, 'backgroundMime', ''));
 		return $response;
@@ -208,13 +263,13 @@ public function getLoginBackground() {
 	 * @NoCSRFRequired
 	 * @PublicPage
 	 *
-	 * @return Http\DataDownloadResponse
+	 * @return DataDownloadResponse
 	 */
 	public function getStylesheet() {
 		$cacheBusterValue = $this->config->getAppValue('theming', 'cachebuster', '0');
 		$responseCss = '';
 		$color = $this->config->getAppValue($this->appName, 'color');
-		$elementColor = Util::elementColor($color);
+		$elementColor = $this->util->elementColor($color);
 		if($color !== '') {
 			$responseCss .= sprintf(
 				'#body-user #header,#body-settings #header,#body-public #header,#body-login,.searchbox input[type="search"]:focus,.searchbox input[type="search"]:active,.searchbox input[type="search"]:valid {background-color: %s}' . "\n",
@@ -229,7 +284,7 @@ public function getStylesheet() {
 				$elementColor
 			);
 			$responseCss .= 'input[type="radio"].radio:checked:not(.radio--white):not(:disabled) + label:before {' .
-				'background-image: url(\'data:image/svg+xml;base64,'.Util::generateRadioButton($elementColor).'\');' .
+				'background-image: url(\'data:image/svg+xml;base64,'.$this->util->generateRadioButton($elementColor).'\');' .
 				"}\n";
 			$responseCss .= '
 				#firstrunwizard .firstrunwizard-header {
@@ -265,16 +320,15 @@ public function getStylesheet() {
 				'background-image: url(\'./loginbackground?v='.$cacheBusterValue.'\');' .
 			'}' . "\n";
 		}
-		if(Util::invertTextColor($color)) {
+		if($this->util->invertTextColor($color)) {
 			$responseCss .= '#header .header-appname, #expandDisplayName { color: #000000; }' . "\n";
 			$responseCss .= '#header .icon-caret { background-image: url(\'' . \OC::$WEBROOT . '/core/img/actions/caret-dark.svg\'); }' . "\n";
 			$responseCss .= '.searchbox input[type="search"] { background: transparent url(\'' . \OC::$WEBROOT . '/core/img/actions/search.svg\') no-repeat 6px center; color: #000; }' . "\n";
 			$responseCss .= '.searchbox input[type="search"]:focus,.searchbox input[type="search"]:active,.searchbox input[type="search"]:valid { color: #000; border: 1px solid rgba(0, 0, 0, .5); }' . "\n";
 		}
 
-		\OC_Response::setExpiresHeader(gmdate('D, d M Y H:i:s', time() + (60*60*24*45)) . ' GMT');
-		\OC_Response::enableCaching();
-		$response = new Http\DataDownloadResponse($responseCss, 'style', 'text/css');
+		$response = new DataDownloadResponse($responseCss, 'style', 'text/css');
+		$response->addHeader('Expires', date(\DateTime::RFC2822, $this->timeFactory->getTime()));
 		$response->cacheFor(3600);
 		return $response;
 	}

apps/theming/lib/template.php → apps/theming/lib/Template.php

@@ -40,7 +40,7 @@
 class Template extends \OC_Defaults {
 	/** @var IConfig */
 	private $config;
-	/** @var  IL10N */
+	/** @var IL10N */
 	private $l;
 	/** @var IURLGenerator */
 	private $urlGenerator;

apps/theming/lib/util.php → apps/theming/lib/Util.php

@@ -29,8 +29,8 @@ class Util {
 	 * @param string $color rgb color value
 	 * @return bool
 	 */
-	public static function invertTextColor($color) {
-		$l = self::calculateLuminance($color);
+	public function invertTextColor($color) {
+		$l = $this->calculateLuminance($color);
 		if($l>0.5) {
 			return true;
 		} else {
@@ -44,8 +44,8 @@ public static function invertTextColor($color) {
 	 * @param $color
 	 * @return string
 	 */
-	public static function elementColor($color) {
-		$l = self::calculateLuminance($color);
+	public function elementColor($color) {
+		$l = $this->calculateLuminance($color);
 		if($l>0.8) {
 			return '#555555';
 		} else {
@@ -57,7 +57,7 @@ public static function elementColor($color) {
 	 * @param string $color rgb color value
 	 * @return float
 	 */
-	public static function calculateLuminance($color) {
+	public function calculateLuminance($color) {
 		$hex = preg_replace("/[^0-9A-Fa-f]/", '', $color);
 		if (strlen($hex) === 3) {
 			$hex = $hex{0} . $hex{0} . $hex{1} . $hex{1} . $hex{2} . $hex{2};
@@ -75,7 +75,7 @@ public static function calculateLuminance($color) {
 	 * @param $color
 	 * @return string base64 encoded radio button svg
 	 */
-	public static function generateRadioButton($color) {
+	public function generateRadioButton($color) {
 		$radioButtonIcon = '<svg xmlns="http://www.w3.org/2000/svg" height="16" width="16">' .
 			'<path d="M8 1a7 7 0 0 0-7 7 7 7 0 0 0 7 7 7 7 0 0 0 7-7 7 7 0 0 0-7-7zm0 1a6 6 0 0 1 6 6 6 6 0 0 1-6 6 6 6 0 0 1-6-6 6 6 0 0 1 6-6zm0 2a4 4 0 1 0 0 8 4 4 0 0 0 0-8z" fill="'.$color.'"/></svg>';
 		return base64_encode($radioButtonIcon);

apps/theming/settings/settings-admin.php

@@ -23,8 +23,6 @@
  *
  */
 
-\OC_Util::checkAdminUser();
-
 $config = \OC::$server->getConfig();
 $l = \OC::$server->getL10N('theming');
 $urlGenerator = \OC::$server->getURLGenerator();
@@ -40,7 +38,7 @@
 	$errorMessage = $l->t('You already use a custom theme');
 }
 
-$template = new OCP\Template('theming', 'settings-admin');
+$template = new \OCP\Template('theming', 'settings-admin');
 
 $template->assign('themable', $themable);
 $template->assign('errorMessage', $errorMessage);

apps/theming/templates/settings-admin.php

@@ -15,25 +15,25 @@
 	<?php } else { ?>
 	<p>
 		<label><span><?php p($l->t('Name')) ?></span>
-			<input id="theming-name" type="text" placeholder="<?php p($l->t('Name')); ?>" value="<?php p($_['name']) ?>" />
+			<input id="theming-name" type="text" placeholder="<?php p($l->t('Name')); ?>" value="<?php p($_['name']) ?>" maxlength="250" />
 		</label>
 		<span data-setting="name" data-toggle="tooltip" data-original-title="<?php p($l->t('reset to default')); ?>" class="theme-undo icon icon-history"></span>
 	</p>
 	<p>
 		<label><span><?php p($l->t('Web address')) ?></span>
-			<input id="theming-url" type="text" placeholder="<?php p($l->t('Web address https://…')); ?>" value="<?php p($_['url']) ?>" />
+			<input id="theming-url" type="text" placeholder="<?php p($l->t('Web address https://…')); ?>" value="<?php p($_['url']) ?>" maxlength="500" />
 		</label>
 		<span data-setting="url" data-toggle="tooltip" data-original-title="<?php p($l->t('reset to default')); ?>" class="theme-undo icon icon-history"></span>
 	</p>
 	<p>
 		<label><span><?php p($l->t('Slogan')) ?></span>
-			<input id="theming-slogan" type="text" placeholder="<?php p($l->t('Slogan')); ?>" value="<?php p($_['slogan']) ?>" />
+			<input id="theming-slogan" type="text" placeholder="<?php p($l->t('Slogan')); ?>" value="<?php p($_['slogan']) ?>" maxlength="500" />
 		</label>
 		<span data-setting="slogan" data-toggle="tooltip" data-original-title="<?php p($l->t('reset to default')); ?>" class="theme-undo icon icon-history"></span>
 	</p>
 	<p>
 		<label><span><?php p($l->t('Color')) ?></span>
-			<input id="theming-color" type="text" class="jscolor" value="<?php p($_['color']) ?>" />
+			<input id="theming-color" type="text" class="jscolor" maxlength="6" value="<?php p($_['color']) ?>" />
 		</label>
 		<span data-setting="color" data-toggle="tooltip" data-original-title="<?php p($l->t('reset to default')); ?>" class="theme-undo icon icon-history"></span>
 	</p>