Merge pull request #50087 from nextcloud/backport/49882/stable28

sorbaugh · web-flow · commit a89e6f11a6f2 · 2025-02-13T09:14:40.000+01:00
[stable28] fix(Http): Only allow valid HTTP status code values via template
diff --git a/apps/settings/lib/Controller/LogSettingsController.php b/apps/settings/lib/Controller/LogSettingsController.php
@@ -48,21 +48,21 @@ public function __construct(string $appName, IRequest $request, Log $logger) {
 	 *
 	 * @NoCSRFRequired
 	 *
-	 * @psalm-suppress MoreSpecificReturnType The value of Content-Disposition is not relevant
-	 * @psalm-suppress LessSpecificReturnStatement The value of Content-Disposition is not relevant
-	 * @return StreamResponse<Http::STATUS_OK, array{Content-Type: 'application/octet-stream', 'Content-Disposition': string}>
+	 * @return StreamResponse<Http::STATUS_OK, array{Content-Type: 'application/octet-stream', 'Content-Disposition': 'attachment; filename="nextcloud.log"'}>
 	 *
 	 * 200: Logfile returned
 	 */
 	public function download() {
 		if (!$this->log instanceof Log) {
 			throw new \UnexpectedValueException('Log file not available');
 		}
-		$resp = new StreamResponse($this->log->getLogPath());
-		$resp->setHeaders([
-			'Content-Type' => 'application/octet-stream',
-			'Content-Disposition' => 'attachment; filename="nextcloud.log"',
-		]);
-		return $resp;
+		return new StreamResponse(
+			$this->log->getLogPath(),
+			Http::STATUS_OK,
+			[
+				'Content-Type' => 'application/octet-stream',
+				'Content-Disposition' => 'attachment; filename="nextcloud.log"',
+			],
+		);
 	}
 }
diff --git a/apps/settings/openapi.json b/apps/settings/openapi.json
@@ -44,7 +44,10 @@
                         "headers": {
                             "Content-Disposition": {
                                 "schema": {
-                                    "type": "string"
+                                    "type": "string",
+                                    "enum": [
+                                        "attachment; filename=\"nextcloud.log\""
+                                    ]
                                 }
                             }
                         },
diff --git a/lib/private/AppFramework/OCS/BaseResponse.php b/lib/private/AppFramework/OCS/BaseResponse.php
@@ -33,10 +33,10 @@
 
 /**
  * @psalm-import-type DataResponseType from DataResponse
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template-covariant T of DataResponseType
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 abstract class BaseResponse extends Response {
 	/** @var array */
diff --git a/lib/private/AppFramework/OCS/V1Response.php b/lib/private/AppFramework/OCS/V1Response.php
@@ -31,17 +31,17 @@
 
 /**
  * @psalm-import-type DataResponseType from DataResponse
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template-covariant T of DataResponseType
  * @template H of array<string, mixed>
- * @template-extends BaseResponse<int, DataResponseType, array<string, mixed>>
+ * @template-extends BaseResponse<Http::STATUS_*, DataResponseType, array<string, mixed>>
  */
 class V1Response extends BaseResponse {
 	/**
 	 * The V1 endpoint has very limited http status codes basically everything
 	 * is status 200 except 401
 	 *
-	 * @return int
+	 * @return Http::STATUS_*
 	 */
 	public function getStatus() {
 		$status = parent::getStatus();
diff --git a/lib/private/AppFramework/OCS/V2Response.php b/lib/private/AppFramework/OCS/V2Response.php
@@ -30,17 +30,17 @@
 
 /**
  * @psalm-import-type DataResponseType from DataResponse
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template-covariant T of DataResponseType
  * @template H of array<string, mixed>
- * @template-extends BaseResponse<int, DataResponseType, array<string, mixed>>
+ * @template-extends BaseResponse<Http::STATUS_*, DataResponseType, array<string, mixed>>
  */
 class V2Response extends BaseResponse {
 	/**
 	 * The V2 endpoint just passes on status codes.
 	 * Of course we have to map the OCS specific codes to proper HTTP status codes
 	 *
-	 * @return int
+	 * @return Http::STATUS_*
 	 */
 	public function getStatus() {
 		$status = parent::getStatus();
diff --git a/lib/public/AppFramework/Http/DataDisplayResponse.php b/lib/public/AppFramework/Http/DataDisplayResponse.php
@@ -31,9 +31,9 @@
  * Class DataDisplayResponse
  *
  * @since 8.1.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class DataDisplayResponse extends Response {
 	/**
diff --git a/lib/public/AppFramework/Http/DataDownloadResponse.php b/lib/public/AppFramework/Http/DataDownloadResponse.php
@@ -30,10 +30,10 @@
  * Class DataDownloadResponse
  *
  * @since 8.0.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template C of string
  * @template H of array<string, mixed>
- * @template-extends DownloadResponse<int, string, array<string, mixed>>
+ * @template-extends DownloadResponse<Http::STATUS_*, string, array<string, mixed>>
  */
 class DataDownloadResponse extends DownloadResponse {
 	/**
diff --git a/lib/public/AppFramework/Http/DataResponse.php b/lib/public/AppFramework/Http/DataResponse.php
@@ -32,10 +32,10 @@
  * for responders to transform
  * @since 8.0.0
  * @psalm-type DataResponseType = array|int|float|string|bool|object|null|\stdClass|\JsonSerializable
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template-covariant T of DataResponseType
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class DataResponse extends Response {
 	/**
diff --git a/lib/public/AppFramework/Http/DownloadResponse.php b/lib/public/AppFramework/Http/DownloadResponse.php
@@ -31,10 +31,10 @@
 /**
  * Prompts the user to download the a file
  * @since 7.0.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template C of string
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class DownloadResponse extends Response {
 	/**
diff --git a/lib/public/AppFramework/Http/FileDisplayResponse.php b/lib/public/AppFramework/Http/FileDisplayResponse.php
@@ -32,9 +32,9 @@
  * Class FileDisplayResponse
  *
  * @since 11.0.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class FileDisplayResponse extends Response implements ICallbackResponse {
 	/** @var File|ISimpleFile */
diff --git a/lib/public/AppFramework/Http/JSONResponse.php b/lib/public/AppFramework/Http/JSONResponse.php
@@ -33,10 +33,10 @@
 /**
  * A renderer for JSON calls
  * @since 6.0.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template-covariant T of null|string|int|float|bool|array|\stdClass|\JsonSerializable
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class JSONResponse extends Response {
 	/**
diff --git a/lib/public/AppFramework/Http/NotFoundResponse.php b/lib/public/AppFramework/Http/NotFoundResponse.php
@@ -30,9 +30,9 @@
 /**
  * A generic 404 response showing an 404 error page as well to the end-user
  * @since 8.1.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends TemplateResponse<int, array<string, mixed>>
+ * @template-extends TemplateResponse<Http::STATUS_*, array<string, mixed>>
  */
 class NotFoundResponse extends TemplateResponse {
 	/**
diff --git a/lib/public/AppFramework/Http/RedirectResponse.php b/lib/public/AppFramework/Http/RedirectResponse.php
@@ -31,9 +31,9 @@
 /**
  * Redirects to a different URL
  * @since 7.0.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class RedirectResponse extends Response {
 	private $redirectURL;
diff --git a/lib/public/AppFramework/Http/RedirectToDefaultAppResponse.php b/lib/public/AppFramework/Http/RedirectToDefaultAppResponse.php
@@ -35,9 +35,9 @@
  *
  * @since 16.0.0
  * @deprecated 23.0.0 Use RedirectResponse() with IURLGenerator::linkToDefaultPageUrl() instead
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends RedirectResponse<int, array<string, mixed>>
+ * @template-extends RedirectResponse<Http::STATUS_*, array<string, mixed>>
  */
 class RedirectToDefaultAppResponse extends RedirectResponse {
 	/**
diff --git a/lib/public/AppFramework/Http/Response.php b/lib/public/AppFramework/Http/Response.php
@@ -42,7 +42,7 @@
  *
  * It handles headers, HTTP status code, last modified and ETag.
  * @since 6.0.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
  */
 class Response {
diff --git a/lib/public/AppFramework/Http/StandaloneTemplateResponse.php b/lib/public/AppFramework/Http/StandaloneTemplateResponse.php
@@ -26,16 +26,18 @@
  */
 namespace OCP\AppFramework\Http;
 
+use OCP\AppFramework\Http;
+
 /**
  * A template response that does not emit the loadAdditionalScripts events.
  *
  * This is useful for pages that are authenticated but do not yet show the
  * full nextcloud UI. Like the 2FA page, or the grant page in the login flow.
  *
  * @since 16.0.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends TemplateResponse<int, array<string, mixed>>
+ * @template-extends TemplateResponse<Http::STATUS_*, array<string, mixed>>
  */
 class StandaloneTemplateResponse extends TemplateResponse {
 }
diff --git a/lib/public/AppFramework/Http/StreamResponse.php b/lib/public/AppFramework/Http/StreamResponse.php
@@ -33,9 +33,9 @@
  * Class StreamResponse
  *
  * @since 8.1.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class StreamResponse extends Response implements ICallbackResponse {
 	/** @var string */
diff --git a/lib/public/AppFramework/Http/Template/PublicTemplateResponse.php b/lib/public/AppFramework/Http/Template/PublicTemplateResponse.php
@@ -34,8 +34,8 @@
  *
  * @since 14.0.0
  * @template H of array<string, mixed>
- * @template S of int
- * @template-extends TemplateResponse<int, array<string, mixed>>
+ * @template S of Http::STATUS_*
+ * @template-extends TemplateResponse<Http::STATUS_*, array<string, mixed>>
  */
 class PublicTemplateResponse extends TemplateResponse {
 	private $headerTitle = '';
diff --git a/lib/public/AppFramework/Http/TemplateResponse.php b/lib/public/AppFramework/Http/TemplateResponse.php
@@ -35,9 +35,9 @@
  * Response for a normal template
  * @since 6.0.0
  *
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class TemplateResponse extends Response {
 	/**
diff --git a/lib/public/AppFramework/Http/TextPlainResponse.php b/lib/public/AppFramework/Http/TextPlainResponse.php
@@ -31,9 +31,9 @@
 /**
  * A renderer for text responses
  * @since 22.0.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class TextPlainResponse extends Response {
 	/** @var string */
diff --git a/lib/public/AppFramework/Http/TooManyRequestsResponse.php b/lib/public/AppFramework/Http/TooManyRequestsResponse.php
@@ -32,9 +32,9 @@
 /**
  * A generic 429 response showing an 404 error page as well to the end-user
  * @since 19.0.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class TooManyRequestsResponse extends Response {
 	/**
diff --git a/lib/public/AppFramework/Http/ZipResponse.php b/lib/public/AppFramework/Http/ZipResponse.php
@@ -37,9 +37,9 @@
  * Public library to send several files in one zip archive.
  *
  * @since 15.0.0
- * @template S of int
+ * @template S of Http::STATUS_*
  * @template H of array<string, mixed>
- * @template-extends Response<int, array<string, mixed>>
+ * @template-extends Response<Http::STATUS_*, array<string, mixed>>
  */
 class ZipResponse extends Response implements ICallbackResponse {
 	/** @var array{internalName: string, resource: resource, size: int, time: int}[] Files to be added to the zip response */

Original file line number	Diff line number	Diff line change
`@@ -48,21 +48,21 @@ public function __construct(string $appName, IRequest $request, Log $logger) {`
`48`	`48`	`*`
`49`	`49`	`* @NoCSRFRequired`
`50`	`50`	`*`
`51`		`- * @psalm-suppress MoreSpecificReturnType The value of Content-Disposition is not relevant`
`52`		`- * @psalm-suppress LessSpecificReturnStatement The value of Content-Disposition is not relevant`
`53`		`- * @return StreamResponse<Http::STATUS_OK, array{Content-Type: 'application/octet-stream', 'Content-Disposition': string}>`
	`51`	`+ * @return StreamResponse<Http::STATUS_OK, array{Content-Type: 'application/octet-stream', 'Content-Disposition': 'attachment; filename="nextcloud.log"'}>`
`54`	`52`	`*`
`55`	`53`	`* 200: Logfile returned`
`56`	`54`	`*/`
`57`	`55`	`public function download() {`
`58`	`56`	`if (!$this->log instanceof Log) {`
`59`	`57`	`throw new \UnexpectedValueException('Log file not available');`
`60`	`58`	`}`
`61`		`- $resp = new StreamResponse($this->log->getLogPath());`
`62`		`- $resp->setHeaders([`
`63`		`- 'Content-Type' => 'application/octet-stream',`
`64`		`- 'Content-Disposition' => 'attachment; filename="nextcloud.log"',`
`65`		`- ]);`
`66`		`- return $resp;`
	`59`	`+ return new StreamResponse(`
	`60`	`+ $this->log->getLogPath(),`
	`61`	`+ Http::STATUS_OK,`
	`62`	`+ [`
	`63`	`+ 'Content-Type' => 'application/octet-stream',`
	`64`	`+ 'Content-Disposition' => 'attachment; filename="nextcloud.log"',`
	`65`	`+ ],`
	`66`	`+ );`
`67`	`67`	`}`
`68`	`68`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,10 @@`
`44`	`44`	`"headers": {`
`45`	`45`	`"Content-Disposition": {`
`46`	`46`	`"schema": {`
`47`		`- "type": "string"`
	`47`	`+ "type": "string",`
	`48`	`+ "enum": [`
	`49`	`+ "attachment; filename=\"nextcloud.log\""`
	`50`	`+ ]`
`48`	`51`	`}`
`49`	`52`	`}`
`50`	`53`	`},`