Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[For 10.4] Fix doc links in the admin settings #36315

Merged
merged 1 commit into from
Dec 3, 2019
Merged

[For 10.4] Fix doc links in the admin settings #36315

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions changelog/unreleased/36315
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
Bugfix: Fix links in setupchecks.js

Security tips at Settings -> Admin -> General had two broken links to the owncloud docs in the messages performing HTTPS and HSTS checks

https://github.com/owncloud/core/pull/36315
https://github.com/owncloud/core/issues/36238
12 changes: 9 additions & 3 deletions core/js/setupchecks.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,9 @@
var messages = [];

if (xhr.status === 200) {
var oc_defaults = oc_defaults || {};
var docPlaceholderUrl = oc_defaults.docPlaceholderUrl || '';

if(OC.getProtocol() === 'https') {
// Extract the value of 'Strict-Transport-Security'
var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
Expand All @@ -283,17 +286,20 @@
transportSecurityValidity = transportSecurityValidity.substring(8);
}
}

var minimumSeconds = 15552000;
if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
messages.push({
msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}" rel="noreferrer">security tips</a>.', {'seconds': minimumSeconds, docUrl: '#admin-tips'}),
msg: t('core',
'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}" rel="noreferrer">security tips</a>.',
{'seconds': minimumSeconds, docUrl: docPlaceholderUrl.replace('PLACEHOLDER', 'enable-http-strict-transport-security')}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
} else {
messages.push({
msg: t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.', {docUrl: '#admin-tips'}),
msg: t('core',
'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.',
{docUrl: docPlaceholderUrl.replace('PLACEHOLDER', 'use-https')}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
Expand Down
16 changes: 8 additions & 8 deletions core/js/tests/specs/setupchecksSpec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ describe('OC.SetupChecks tests', function() {
done();
});
});

it('should not return an error if data directory is protected', function(done) {
var async = OC.SetupChecks.checkDataProtected();

Expand Down Expand Up @@ -391,7 +391,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'Error occurred while checking server setup',
msg: 'Error occurred while checking server setup',
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
},{
msg: 'Error occurred while checking server setup',
Expand Down Expand Up @@ -457,7 +457,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.',
msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING,
}, {
msg: 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.',
Expand Down Expand Up @@ -508,7 +508,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="#admin-tips">security tips</a>.',
msg: 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
Expand All @@ -527,7 +527,7 @@ describe('OC.SetupChecks tests', function() {
);
async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'Error occurred while checking server setup',
msg: 'Error occurred while checking server setup',
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
}, {
msg: 'Error occurred while checking server setup',
Expand All @@ -554,7 +554,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="#admin-tips" rel="noreferrer">security tips</a>.',
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="" rel="noreferrer">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
Expand All @@ -579,7 +579,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="#admin-tips" rel="noreferrer">security tips</a>.',
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="" rel="noreferrer">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
Expand All @@ -604,7 +604,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="#admin-tips" rel="noreferrer">security tips</a>.',
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="" rel="noreferrer">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
Expand Down