Skip to content

Commit

Permalink
Merge pull request #36315 from owncloud/fix/36238
Browse files Browse the repository at this point in the history
[For 10.4] Fix doc links in the admin settings
  • Loading branch information
micbar authored Dec 3, 2019
2 parents f3fbd51 + 24801b0 commit 24443e5
Show file tree
Hide file tree
Showing 3 changed files with 23 additions and 11 deletions.
6 changes: 6 additions & 0 deletions changelog/unreleased/36315
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
Bugfix: Fix links in setupchecks.js

Security tips at Settings -> Admin -> General had two broken links to the owncloud docs in the messages performing HTTPS and HSTS checks

https://github.com/owncloud/core/pull/36315
https://github.com/owncloud/core/issues/36238
12 changes: 9 additions & 3 deletions core/js/setupchecks.js
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,9 @@
var messages = [];

if (xhr.status === 200) {
var oc_defaults = oc_defaults || {};
var docPlaceholderUrl = oc_defaults.docPlaceholderUrl || '';

if(OC.getProtocol() === 'https') {
// Extract the value of 'Strict-Transport-Security'
var transportSecurityValidity = xhr.getResponseHeader('Strict-Transport-Security');
Expand All @@ -283,17 +286,20 @@
transportSecurityValidity = transportSecurityValidity.substring(8);
}
}

var minimumSeconds = 15552000;
if(isNaN(transportSecurityValidity) || transportSecurityValidity <= (minimumSeconds - 1)) {
messages.push({
msg: t('core', 'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}" rel="noreferrer">security tips</a>.', {'seconds': minimumSeconds, docUrl: '#admin-tips'}),
msg: t('core',
'The "Strict-Transport-Security" HTTP header is not configured to at least "{seconds}" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="{docUrl}" rel="noreferrer">security tips</a>.',
{'seconds': minimumSeconds, docUrl: docPlaceholderUrl.replace('PLACEHOLDER', 'enable-http-strict-transport-security')}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
} else {
messages.push({
msg: t('core', 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.', {docUrl: '#admin-tips'}),
msg: t('core',
'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="{docUrl}">security tips</a>.',
{docUrl: docPlaceholderUrl.replace('PLACEHOLDER', 'use-https')}),
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
});
}
Expand Down
16 changes: 8 additions & 8 deletions core/js/tests/specs/setupchecksSpec.js
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ describe('OC.SetupChecks tests', function() {
done();
});
});

it('should not return an error if data directory is protected', function(done) {
var async = OC.SetupChecks.checkDataProtected();

Expand Down Expand Up @@ -391,7 +391,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'Error occurred while checking server setup',
msg: 'Error occurred while checking server setup',
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
},{
msg: 'Error occurred while checking server setup',
Expand Down Expand Up @@ -457,7 +457,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.',
msg: 'The "X-XSS-Protection" HTTP header is not configured to equal to "1; mode=block". This is a potential security or privacy risk and we recommend adjusting this setting.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING,
}, {
msg: 'The "X-Content-Type-Options" HTTP header is not configured to equal to "nosniff". This is a potential security or privacy risk and we recommend adjusting this setting.',
Expand Down Expand Up @@ -508,7 +508,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="#admin-tips">security tips</a>.',
msg: 'You are accessing this site via HTTP. We strongly suggest you configure your server to require using HTTPS instead as described in our <a href="">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
Expand All @@ -527,7 +527,7 @@ describe('OC.SetupChecks tests', function() {
);
async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'Error occurred while checking server setup',
msg: 'Error occurred while checking server setup',
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
}, {
msg: 'Error occurred while checking server setup',
Expand All @@ -554,7 +554,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="#admin-tips" rel="noreferrer">security tips</a>.',
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="" rel="noreferrer">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
Expand All @@ -579,7 +579,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="#admin-tips" rel="noreferrer">security tips</a>.',
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="" rel="noreferrer">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
Expand All @@ -604,7 +604,7 @@ describe('OC.SetupChecks tests', function() {

async.done(function( data, s, x ){
expect(data).toEqual([{
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="#admin-tips" rel="noreferrer">security tips</a>.',
msg: 'The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our <a href="" rel="noreferrer">security tips</a>.',
type: OC.SetupChecks.MESSAGE_TYPE_WARNING
}]);
done();
Expand Down

0 comments on commit 24443e5

Please sign in to comment.