diff --git a/apps/settings/appinfo/routes.php b/apps/settings/appinfo/routes.php
index e238510b1a75f..0c5c1978359a6 100644
--- a/apps/settings/appinfo/routes.php
+++ b/apps/settings/appinfo/routes.php
@@ -66,6 +66,7 @@
 ['name' => 'LogSettings#getEntries', 'url' => '/settings/admin/log/entries', 'verb' => 'GET' , 'root' => ''],
 ['name' => 'LogSettings#download', 'url' => '/settings/admin/log/download', 'verb' => 'GET' , 'root' => ''],
 ['name' => 'CheckSetup#check', 'url' => '/settings/ajax/checksetup', 'verb' => 'GET' , 'root' => ''],
+['name' => 'CheckSetup#checkCookies', 'url' => '/settings/ajax/checksetupcookies.png', 'verb' => 'GET' , 'root' => ''],
 ['name' => 'CheckSetup#getFailedIntegrityCheckFiles', 'url' => '/settings/integrity/failed', 'verb' => 'GET' , 'root' => ''],
 ['name' => 'CheckSetup#rescanFailedIntegrityCheck', 'url' => '/settings/integrity/rescan', 'verb' => 'GET' , 'root' => ''],
 ['name' => 'PersonalSettings#index', 'url' => '/settings/user/{section}', 'verb' => 'GET', 'defaults' => ['section' => 'personal-info'] , 'root' => ''],
diff --git a/apps/settings/lib/Controller/CheckSetupController.php b/apps/settings/lib/Controller/CheckSetupController.php
index 5dcf6cda29c84..c2e397c502ee6 100644
--- a/apps/settings/lib/Controller/CheckSetupController.php
+++ b/apps/settings/lib/Controller/CheckSetupController.php
@@ -74,6 +74,7 @@
 use OCP\AppFramework\Http\Attribute\IgnoreOpenAPI;
 use OCP\AppFramework\Http\DataDisplayResponse;
 use OCP\AppFramework\Http\DataResponse;
+use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\DB\Events\AddMissingColumnsEvent;
 use OCP\DB\Events\AddMissingIndicesEvent;
@@ -94,6 +95,8 @@
 use OCP\Security\Bruteforce\IThrottler;
 use OCP\Security\ISecureRandom;
 use Psr\Log\LoggerInterface;
+use function setcookie;
+use function time;
 
 #[IgnoreOpenAPI]
 class CheckSetupController extends Controller {
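Review bot: The new `CheckSetup#checkCookies` route maps a `.png` URL to an endpoint that returns JSON, and nothing on the route line says why; presumably the extension is chosen so that web-server or proxy rules that cache static-looking assets apply to this probe, which is exactly the misconfiguration the check is meant to surface. Without that being written down, the next person to touch the routes table is likely to "fix" the suffix and silently weaken the check. A one-line comment above the route would suffice: `// .png is deliberate: the caching check needs a URL that asset-caching rules treat as static`.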
@@ -972,4 +975,19 @@ public function check() {
 ]
 );
 }
+
+ /**
+ * @AuthorizedAdminSetting(settings=OCA\Settings\Settings\Admin\Overview)
+ */
+ public function checkCookies(): JSONResponse {
+ $rand = $this->secureRandom->generate(32);
+ setcookie(
+ 'nc_setup_check',
+ $rand,
+ time() + 60
+ );
+ return new JSONResponse([
+ 'rand' => $rand,
+ ]);
+ }
 }
diff --git a/apps/settings/src/admin.js b/apps/settings/src/admin.js
index c8d04049ded06..42df521d6c62f 100644
--- a/apps/settings/src/admin.js
+++ b/apps/settings/src/admin.js
@@ -243,8 +243,9 @@ window.addEventListener('DOMContentLoaded', () => {
 OC.SetupChecks.checkGeneric(),
 OC.SetupChecks.checkWOFF2Loading(OC.filePath('core', '', 'fonts/NotoSans-Regular-latin.woff2'), OC.theme.docPlaceholderUrl),
 OC.SetupChecks.checkDataProtected(),
-).then((check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11) => {
-const messages = [].concat(check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11)
+OC.SetupChecks.checkCaching(),
+).then((check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11, check12) => {
+const messages = [].concat(check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11, check12)
 
 const $el = $('#postsetupchecks')
 $('#security-warning-state-loading').addClass('hidden')
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index eb5a20c596614..2435e1ba5a751 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
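Review bot: `checkCookies()` emits the probe cookie through PHP's raw `setcookie()` with only a name, value and expiry, so it carries no path, `secure`, `httponly` or `samesite` attribute and bypasses whatever cookie policy the app framework applies to every other response; the value is not secret (it is also returned in the body), but the cookie should still be shaped like the rest of the application's cookies, e.g. `$response = new JSONResponse(['rand' => $rand]);` `$response->addCookie('nc_setup_check', $rand, (new \DateTime())->setTimestamp(time() + 60));` `return $response;` if the framework's response-level cookie API fits here. The docblock holds only the authorization annotation; it should say that the endpoint returns a fresh random value in both a 60-second cookie and the JSON body so the client can detect a caching layer that replays one response to two requests. Whether the response also carries `no-store` cache headers depends on `JSONResponse`'s defaults, which are not visible in this hunk; that should be confirmed, since the check is only meaningful if the server is ignoring headers that are actually present.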
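Review bot: Threading twelve positional `checkN` parameters through `.then(...)` and repeating them in `[].concat(...)` is fragile; every new setup check forces two edits that must stay in lockstep, and a miscount silently drops a check's messages. Rest parameters express the same thing without the numbering: `).then((...checks) => {` and `const messages = [].concat(...checks)`. The aggregating call and its callback both start and end outside this hunk.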
@@ -47,6 +47,27 @@
 return deferred.promise();
 },
 
+ checkCaching: function() {
+ return Promise.all([
+ $.get(OC.generateUrl('settings/ajax/checksetupcookies.png')),
+ $.get(OC.generateUrl('settings/ajax/checksetupcookies.png')),
+ ]).then(function(responses) {
+ if (responses[0].rand === responses[1].rand) {
+ console.error('Two unique requests returned the same response', {
+ rand1: responses[0].rand,
+ rand2: responses[1].rand,
+ });
+ return [
+ {
+ msg: t('core', 'Your web server is caching too aggressively. This could lead to leaked cookies and sessions.'),
+ type: OC.SetupChecks.MESSAGE_TYPE_ERROR
+ }
+ ];
+ }
+ return [];
+ })
+ },
+
 /**
 * Check whether the .well-known URLs works.
 *
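Review bot: `checkCaching` issues both probe requests concurrently via `Promise.all`, so a caching layer that has not yet stored the first response when the second arrives may answer both from the origin and the check reports nothing, even though that layer would replay responses to later visitors; issuing the second request only after the first completes gives the cache a chance to show itself. The comparison `responses[0].rand === responses[1].rand` also turns into a false positive whenever the body is not parsed as JSON (for instance a login redirect, or the `.png` URL being served with a non-JSON content type): `.rand` is `undefined` on both sides and the page reports aggressive caching. A rewrite that chains the requests and guards against a missing value follows; the error-reporting branch is left as it is.

```javascript
checkCaching: function() {
	var url = OC.generateUrl('settings/ajax/checksetupcookies.png');
	// Second request is sent only after the first has completed, so a cache
	// that stored the first response has had the opportunity to replay it.
	return $.get(url).then(function(first) {
		return $.get(url).then(function(second) {
			return [first, second];
		});
	}).then(function(responses) {
		var rand1 = responses[0] && responses[0].rand;
		var rand2 = responses[1] && responses[1].rand;
		// Two missing values are not evidence of a cache hit.
		if (rand1 !== undefined && rand1 === rand2) {
			// … unchanged: console.error and the MESSAGE_TYPE_ERROR result …
		}
		return [];
	});
},
```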