Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No longer show the version number in the public #27473

Merged
merged 2 commits into from
Apr 13, 2017
Merged

No longer show the version number in the public #27473

merged 2 commits into from
Apr 13, 2017

Conversation

DeepDiver1975
Copy link
Member

Description

Don't expose server version

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@DeepDiver1975 DeepDiver1975 added this to the 10.0 milestone Mar 23, 2017
@PVince81
Copy link
Contributor

This will likely break federated sharing because federated sharing current contains a hack that checks if the remote instance is an ownCloud instance by pinging the status.php or to see if the instance is up after getting a 404/403 from a regular endpoint. I'm not sure is such calls are authenticated.

@PVince81
Copy link
Contributor 

apps/files_sharing/lib/Controllers/ExternalSharesController.php|135| $this->testUrl('https://' . $remote . '/status.php', true)
apps/files_sharing/lib/Controllers/ExternalSharesController.php|141| $this->testUrl('http://' . $remote . '/status.php', true)
apps/files_sharing/lib/External/Storage.php|255| || $this->testRemoteUrl($this->remote . '/status.php');
apps/files_sharing/lib/External/Storage.php|296| if(defined('PHPUNIT_RUN') || !$this->testRemoteUrl($this->getRemote() . '/status.php')) {
apps/federation/lib/TrustedServers.php|222| $url . '/status.php',
apps/federation/tests/TrustedServersTest.php|283| $this->httpClient->expects($this->once())->method('get')->with($server . '/status.php')
apps/federation/tests/TrustedServersTest.php|320| $this->httpClient->expects($this->once())->method('get')->with($server . '/status.php')
lib/private/Setup.php|460| $content .= "\n  RewriteCond %{REQUEST_FILENAME} !/status.php";
core/js/maintenance-check.js|1| // Check every 20 seconds via status.php if maintenance is over
core/js/maintenance-check.js|6| request.open("GET", OC.webroot+'/status.php', true);

@davivel
Copy link

davivel commented Mar 24, 2017

This breaks log-in with mobile apps and probably desktop client. Requires immediate patch-and-release.

@felixboehm , is this still in discussion or we'll be in OC 10.0 at any cost?

cc @michaelstingl , @nasli , @jesmrec , @davigonz

@nasli
Copy link

nasli commented Mar 24, 2017

On iOS app to validate the url we only check for "installed" parameter in status.php. You can log in but the server will have the wrong features supported by the server

To update the features supported(capabilities,cookies,forbiddencharacters,FedShares), it is used "version" parameter.

@felixboehm
Copy link
Contributor

There is some danger and we need to be fast. Make it a config option.

@DeepDiver1975
Copy link
Member Author

Make it a config option.

done @felixboehm @PVince81 @guruz @davivel @nasli

@davivel
Copy link

davivel commented Mar 29, 2017

So, if configuration is "don't hide status.php", nothing changes.

If configuration is "hide it", status.php is accessible but shows no info? Sorry, my server side understanding... you know...

This was referenced Mar 29, 2017
Closed
Closed
PVince81
PVince81 reviewed Apr 3, 2017
View reviewed changes
config/config.sample.php Outdated
@@ -80,6 +80,12 @@
'version' => '',

/**
* While hardening an ownCloud instance hiding the version information in status.php
* can be a legitim step. Please condult the documentation before enabling this.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"legitimate"

"condult" => "consult"

PVince81
PVince81 reviewed Apr 3, 2017
View reviewed changes
core/js/config.php Outdated
@@ -37,6 +37,11 @@
*
*/

if (OC_User::getUser() === null) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This page returns some config settings that might be used by some JS code in the public link page for example (ex: heartbeat interval).
Might need to split this page into two, one for the login-only settings and one for the generic settings.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to test this... Even when not logged in, config.php (aja oc.js) is still loaded in a public link page.

This if statement doesn't work because getUser() returns false... If I fix it then it breaks the public link page when not logged in. Breaks because the public link page needs access to several JS variables provided by this, like theme information, some app configs, etc.

If we want to move forward with this PR I suggest we discard this change in core/js/config.php.

@DeepDiver1975 agree ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll take care .... pushing ....

@guruz guruz mentioned this pull request Apr 10, 2017
Closed
@jesmrec jesmrec mentioned this pull request Apr 12, 2017
Merged
@michaelstingl
Copy link

What is the status here? (client and mobile development/qa depend on it)

@DeepDiver1975
Copy link
Member Author

What is the status here? (client and mobile development/qa depend on it)

ready for the final review and can be merged for oc10 from my pov

guruz
guruz suggested changes Apr 12, 2017
View reviewed changes
Copy link
Contributor

@guruz guruz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👎

04-12 15:24:10:906 1562546 OCC::JsonApiJob::finished: "{\"ocs\":{\"meta\":{\"status\":\"ok\",\"statuscode\":100,\"message\":\"OK\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":{\"version\":{\"major\":10,\"minor\":0,\"micro\":0,\"string\":\"10.0.0 beta2\",\"edition\":\"Community\"},\"capabilities\":{\"core\":{\"pollinterval\":60,\"webdav-root\":\"remote.php\\/webdav\",\"status\":{\"installed\":\"true\",\"maintenance\":\"false\",\"needsDbUpgrade\":\"false\",\"version\":\"\",\"versionstring\":\"\",\"edition\":\"\",\"productname\":\"\"}},\"dav\":{\"chunking\":\"1.0\"},\"files_sharing\":{\"api_enabled\":true,\"public\":{\"enabled\":true,\"password\":{\"enforced\":false},\"expire_date\":{\"enabled\":false},\"send_mail\":false,\"upload\":true},\"user\":{\"send_mail\":false},\"resharing\":true,\"group_sharing\":true,\"federation\":{\"outgoing\":true,\"incoming\":true}},\"checksums\":{\"supportedTypes\":[\"SHA1\"],\"preferredUploadType\":\"SHA1\"},\"files\":{\"bigfilechunking\":true,\"blacklisted_files\":[\".htaccess\"],\"undelete\":true,\"versioning\":true}}}}}"

Hides version also in capabilities

@DeepDiver1975
Copy link
Member Author

@guruz addressed - please test - thx

guruz
guruz approved these changes Apr 12, 2017
View reviewed changes
Copy link
Contributor

@guruz guruz left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested, works.. desktop client fix will be in 2.3.2

@PVince81
Copy link
Contributor

Now thinking of it, without the "oc.js" fix this PR becomes pointless as someone who really wants to know the version could just ping that...

On the other hand we could merge this and then work on finding a solution to split "oc.js" into config values that are required for the UI to work and others to be kept secret.

The middle ground would be to also check the flag. If the flag to set the version is hidden, then remove the keys "version" and "versionstring" from the oc.js response.

Does that make sense ?

@DeepDiver1975
Copy link
Member Author

I vote for merge. We can address oc.js in a follow up pr

@PVince81 PVince81 merged commit 54150e7 into master Apr 13, 2017
@PVince81 PVince81 deleted the kill-status.php branch April 13, 2017 07:41
@PVince81
Copy link
Contributor

Will the follow up PR come today ? If not, we need a ticket to not forget

@DeepDiver1975
Copy link
Member Author

👍

@PVince81
Copy link
Contributor

imprecise response.

(T)icket or (P)r today ?

@DeepDiver1975
Copy link
Member Author

P

@DeepDiver1975 DeepDiver1975 mentioned this pull request Apr 13, 2017
Merged
9 tasks
@PVince81
Copy link
Contributor

#27669 having the fields present with empty values doesn't look that good.

@SamuAlfageme SamuAlfageme mentioned this pull request Jul 31, 2017
Closed
@butonic butonic mentioned this pull request Mar 23, 2018
Closed
@lock
Copy link

lock bot commented Aug 3, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 3, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@PVince81 PVince81 PVince81 left review comments

@guruz guruz guruz approved these changes

Assignees
No one assigned
Labels
3 - To Review
Projects
None yet
Milestone
10.0
Development

Successfully merging this pull request may close these issues.
7 participants
@DeepDiver1975 @PVince81 @davivel @nasli @felixboehm @michaelstingl @guruz