No longer show the version number in the public#27473
Conversation
|
This will likely break federated sharing because federated sharing current contains a hack that checks if the remote instance is an ownCloud instance by pinging the status.php or to see if the instance is up after getting a 404/403 from a regular endpoint. I'm not sure is such calls are authenticated. |
|
|
This breaks log-in with mobile apps and probably desktop client. Requires immediate patch-and-release. @felixboehm , is this still in discussion or we'll be in OC 10.0 at any cost? cc @michaelstingl , @nasli , @jesmrec , @davigonz |
|
On iOS app to validate the url we only check for "installed" parameter in status.php. You can log in but the server will have the wrong features supported by the server To update the features supported(capabilities,cookies,forbiddencharacters,FedShares), it is used "version" parameter. |
|
There is some danger and we need to be fast. Make it a config option. |
DeepDiver1975
force-pushed
the
kill-status.php
branch
from
29977b7 to
0b02b10
Compare
|
|
So, if configuration is "don't hide status.php", nothing changes. If configuration is "hide it", status.php is accessible but shows no info? Sorry, my server side understanding... you know... |
| 'version' => '', | ||
|
|
||
| /** | ||
| * While hardening an ownCloud instance hiding the version information in status.php |
There was a problem hiding this comment.
"legitimate"
"condult" => "consult"
core/js/config.php
Outdated
| * | ||
| */ | ||
|
|
||
| if (OC_User::getUser() === null) { |
There was a problem hiding this comment.
This page returns some config settings that might be used by some JS code in the public link page for example (ex: heartbeat interval).
Might need to split this page into two, one for the login-only settings and one for the generic settings.
There was a problem hiding this comment.
I wanted to test this... Even when not logged in, config.php (aja oc.js) is still loaded in a public link page.
This if statement doesn't work because getUser() returns false... If I fix it then it breaks the public link page when not logged in. Breaks because the public link page needs access to several JS variables provided by this, like theme information, some app configs, etc.
If we want to move forward with this PR I suggest we discard this change in core/js/config.php.
@DeepDiver1975 agree ?
There was a problem hiding this comment.
I'll take care .... pushing ....
|
What is the status here? (client and mobile development/qa depend on it) |
DeepDiver1975
force-pushed
the
kill-status.php
branch
from
3711790 to
5c93377
Compare
ready for the final review and can be merged for oc10 from my pov |
guruz
left a comment
guruz
left a comment
There was a problem hiding this comment.
👎
04-12 15:24:10:906 1562546 OCC::JsonApiJob::finished: "{\"ocs\":{\"meta\":{\"status\":\"ok\",\"statuscode\":100,\"message\":\"OK\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":{\"version\":{\"major\":10,\"minor\":0,\"micro\":0,\"string\":\"10.0.0 beta2\",\"edition\":\"Community\"},\"capabilities\":{\"core\":{\"pollinterval\":60,\"webdav-root\":\"remote.php\\/webdav\",\"status\":{\"installed\":\"true\",\"maintenance\":\"false\",\"needsDbUpgrade\":\"false\",\"version\":\"\",\"versionstring\":\"\",\"edition\":\"\",\"productname\":\"\"}},\"dav\":{\"chunking\":\"1.0\"},\"files_sharing\":{\"api_enabled\":true,\"public\":{\"enabled\":true,\"password\":{\"enforced\":false},\"expire_date\":{\"enabled\":false},\"send_mail\":false,\"upload\":true},\"user\":{\"send_mail\":false},\"resharing\":true,\"group_sharing\":true,\"federation\":{\"outgoing\":true,\"incoming\":true}},\"checksums\":{\"supportedTypes\":[\"SHA1\"],\"preferredUploadType\":\"SHA1\"},\"files\":{\"bigfilechunking\":true,\"blacklisted_files\":[\".htaccess\"],\"undelete\":true,\"versioning\":true}}}}}"
Hides version also in capabilities
|
@guruz addressed - please test - thx |
|
Now thinking of it, without the "oc.js" fix this PR becomes pointless as someone who really wants to know the version could just ping that... On the other hand we could merge this and then work on finding a solution to split "oc.js" into config values that are required for the UI to work and others to be kept secret. The middle ground would be to also check the flag. If the flag to set the version is hidden, then remove the keys "version" and "versionstring" from the oc.js response. Does that make sense ? |
|
I vote for merge. We can address oc.js in a follow up pr |
|
Will the follow up PR come today ? If not, we need a ticket to not forget |
|
👍 |
|
imprecise response. (T)icket or (P)r today ? |
|
P |
|
#27669 having the fields present with empty values doesn't look that good. |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
7 participants
Description
Don't expose server version
Types of changes
Checklist: