mirror of
https://github.com/nextcloud/documentation.git
synced 2026-01-02 17:59:36 +07:00
42 lines
1.3 KiB
ReStructuredText
42 lines
1.3 KiB
ReStructuredText
Security
|
|
========
|
|
|
|
Blacklisted PHP functionality
|
|
-----------------------------
|
|
**echo, print(), <?=**
|
|
Use $this->p in templates instead
|
|
**error_log**
|
|
Use throw new Exception("Description") instead
|
|
**==**
|
|
Use === instead
|
|
**!=**
|
|
Use !== instead
|
|
**rand(), srand(), mt_rand()**
|
|
If you need a cryptographical secure random string use OC_Util::generate_random_bytes() instead, the PHP provided functions are `not secure <http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/>`_.
|
|
|
|
CSRF protection
|
|
-----------------------------
|
|
Please add::
|
|
|
|
OC_Util::isCallRegistered()
|
|
|
|
or::
|
|
|
|
OC_JSON::callCheck() at the top of your file to prevent Cross-site request forgery.
|
|
|
|
See http://en.wikipedia.org/wiki/Cross-site_request_forgery
|
|
|
|
Auth checks
|
|
-----------------------------
|
|
OC_Util::checkLoggedIn() or OC_JSON::checkLoggedIn()
|
|
Checks if the user is logged in
|
|
OC_Util::checkAdminUser() or OC_JSON::checkAdminUser()
|
|
Checks if the user has admin rights
|
|
OC_Util::checkSubAdminUser() or OC_JSON::checkSubAdminUser()
|
|
Checks if the user has subadmin rights
|
|
|
|
Recommended reading
|
|
-----------------------------
|
|
The `OWASP Top Ten Project <https://www.owasp.org/index.php/Top_10_2010-Main>`_ provides good informations about the 10 most common security vulnerabilities in web applications.
|
|
|
|
TBD |