mirror of
https://github.com/nextcloud/documentation.git
synced 2026-01-03 02:09:45 +07:00
bad8aa054e
This reverts commit a711d0125a.
We need this so we can pull further changes from the 4.5 branch
without reverting 5.0 documentation all the time.
42 lines
1.3 KiB
ReStructuredText
42 lines
1.3 KiB
ReStructuredText
Security
|
|
========
|
|
|
|
Blacklisted PHP functionality
|
|
-----------------------------
|
|
**echo, print(), <?=**
|
|
Use $this->p in templates instead
|
|
**error_log**
|
|
Use throw new Exception("Description") instead
|
|
**==**
|
|
Use === instead
|
|
**!=**
|
|
Use !== instead
|
|
**rand(), srand(), mt_rand()**
|
|
If you need a cryptographical secure random string use OC_Util::generate_random_bytes() instead, the PHP provided functions are `not secure <http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/>`_.
|
|
|
|
CSRF protection
|
|
-----------------------------
|
|
Please add::
|
|
|
|
OC_Util::isCallRegistered()
|
|
|
|
or::
|
|
|
|
OC_JSON::callCheck() at the top of your file to prevent Cross-site request forgery.
|
|
|
|
See http://en.wikipedia.org/wiki/Cross-site_request_forgery
|
|
|
|
Auth checks
|
|
-----------------------------
|
|
OC_Util::checkLoggedIn() or OC_JSON::checkLoggedIn()
|
|
Checks if the user is logged in
|
|
OC_Util::checkAdminUser() or OC_JSON::checkAdminUser()
|
|
Checks if the user has admin rights
|
|
OC_Util::checkSubAdminUser() or OC_JSON::checkSubAdminUser()
|
|
Checks if the user has subadmin rights
|
|
|
|
Recommended reading
|
|
-----------------------------
|
|
The `OWASP Top Ten Project <https://www.owasp.org/index.php/Top_10_2010-Main>`_ provides good informations about the 10 most common security vulnerabilities in web applications.
|
|
|
|
TBD |