ownCloud Server 10.3.0 RC1 is available

We’re aiming at having the final release by the beginning of October after confirming that there are no critical issues to fix.

Please note that since 10.2.0 we’ve switched to using a release branch (release-10.3.0).

This means that any changes for 10.3.0 must be based on this branch and should also target the release branch.

Download

https://download.owncloud.org/community/testing/owncloud-10.3.0RC1.tar.bz2

If you are upgrading manually, please make sure to properly remove the old source code as mentioned in the update instructions.

Changelog

The changelog is available at https://github.com/owncloud/core/blob/release-10.3.0/CHANGELOG.md

Testing

Please help with testing and report issues in the core repository for platform issues, or in any of the app repositories if the bug is in an app.

If this version works for you, you can post a comment too to say so!

Code freeze

The code on the branch release-10.3.0 is frozen. We’ll only accept Pull Requests for critical issues.

2 Likes

Hello,

after further reading of the changelog for the brand upcoming 10.3.0, I didn’t find an update for jquery, which seems to be outdated. A few other components seem outdated; is it possible to upgrade them all?
Also, PHP7.3 is “SameSite cookie ready”; is it possible to add it in the code? I’d also suggest adding the __Host- prefix.
In my case I added workarounds for a few things such as cookies or security headers, but I’d rather prefer it native.
By the way, do you have a running 10.3.0 RC1 instance as a demo? It could be nice to test it this way, and I’m guessing one would try it out and give feedback rather than installing it.
Thanks.

1 Like

Hey,

I think such suggestions / feature requests are better placed in the GitHub issue tracker of ownCloud 🙂

1 Like

Hey,

thanks for your suggestion tom42, I’m a bit of a slowpoke but there it goes for anyone interested.
Cheers.

1 Like

@micbar
Thank you for this post, since at https://owncloud.org/download/ alpha2 is still the latest testing version.

1 Like

Thank you for the hint!

1 Like

@cs35
I answered your questions in the core ticket.

See the output of a real 10.3.0RC1 here
(demo.owncloud.com is still on 10.2.1)

2 Likes

Hi @micbar,
thanks, and sorry for the fuss on this topic!

1 Like

Hi cs35,
you mentioned improvements for the Cookie handling.

Did you change ownCloud core for your local improvements?

Hi micbar,

nope actually I preferred not to modify the sources since the integrity checks would be triggered and I didn’t want to disable the whole integrity checks.

First, ownCloud requires two cookies to work. One for the PHP session (ocxxxxxx) and another one named oc_sessionPassphrase whose role is yet uncertain for me.

So my wishes were:

Basically I wanted to secure as much as possible the cookies for my ownCloud instances, following some advice from this article.

I can tell you what I used for my own tests since I took it off and don’t use it for my customers (it was too messy as you could judge). I use HAProxy as a reverse proxy for several ownCloud instances.

In a specific frontend here’s what I do:

    # 1
    http-response replace-value set-cookie "(.*)" "__Host-\1; SameSite=Strict"
    # 2 // not a typo below, required two times!
    http-request replace-value cookie (.*)__Host-(.*) "\1\2"
    http-request replace-value cookie (.*)__Host-(.*) "\1\2"

So 1) simply rewrites the cookies coming from ownCloud, and
2) rewrites the cookie to conform to ownCloud; I had to do it twice since there are two cookies and I didn’t spend much time making it nice :'D

Anyway this was for ownCloud 10.2.1.

In ownCloud 10.3.0 comes PHP7.3.0, which also gives some plus on the cookie side: the support of the SameSite cookie parameter.

Now I modify the PHP configuration like this:

    php_value[session.cookie_samesite] = Strict
    php_value[session.cookie_secure] = on
    php_value[session.cookie_httponly] = on
    php_value[session.use_strict_mode] = on

Actually it only works on the PHP session cookie and not on the oc_sessionPassphrase for the SameSite parameter. I didn’t check the code but I suppose it’s forced somewhere with a setcookie. Prefix is not possible there since it’s the setcookie that creates it.

For security purposes, I’d suggest to add the SameSite and __Host parameters to the whole setcookie in ownCloud.
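
Added example, not part of the original posts or of ownCloud's code: browsers accept a `__Host-` cookie only if it carries `Secure`, has `Path=/` and has no `Domain` attribute, so a proxy rule that only prepends the prefix should be checked against those rules. The Python below does that check on constructed headers, builds a compliant header, and strips the prefix from every request cookie in one pass; the function names are hypothetical, and forcing `Path=/` assumes the instance is served from the site root.

```python
import re

# Constructed sample Set-Cookie values (not captured from a real instance).
SAMPLES = [
    "oc_sessionPassphrase=abc123; path=/; secure; HttpOnly",
    "ocxxxxxx=def456; path=/owncloud; HttpOnly",
    "ocxxxxxx=def456; path=/; domain=example.org; secure; HttpOnly",
]

def _split(header):
    """Split a Set-Cookie value into its name=value pair and attribute list."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    return pair, [a for a in attrs if a]

def host_prefix_problems(header):
    """List the __Host- prefix rules this Set-Cookie value breaks, if any."""
    pair, attrs = _split(header)
    if not pair.startswith("__Host-"):
        return []
    parsed = {a.partition("=")[0].lower(): a.partition("=")[2] for a in attrs}
    problems = []
    if "secure" not in parsed:
        problems.append("missing Secure")
    if parsed.get("path") != "/":
        problems.append("Path is not /")
    if "domain" in parsed:
        problems.append("Domain attribute present")
    return problems

def harden_set_cookie(header):
    """Add the prefix and SameSite=Strict, and make the attributes match the prefix rules."""
    pair, attrs = _split(header)
    if not pair.startswith("__Host-"):
        pair = "__Host-" + pair
    replaced = ("domain", "path", "secure", "samesite")
    kept = [a for a in attrs if a.partition("=")[0].lower() not in replaced]
    return "; ".join([pair, "Path=/", "Secure", *kept, "SameSite=Strict"])

def strip_prefix(cookie_header):
    """Remove the prefix from every cookie name in a Cookie request header in one pass."""
    return re.sub(r"(^|;\s*)__Host-", r"\1", cookie_header)

if __name__ == "__main__":
    for s in SAMPLES:
        naive = "__Host-" + s + "; SameSite=Strict"  # prefix and SameSite only
        print(host_prefix_problems(naive), "->", harden_set_cookie(s))
```

A cookie that fails these checks is dropped by browsers that implement cookie prefixes, which shows up as a session that never sticks.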