Merge pull request #51457 from nextcloud/fix/dav-csrf
fix(dav): do not require CSRF for safe and idempotent HTTP methods
pull/51495/head
Ferdinand Thiessen
9 months ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with
3 additions and
2 deletions
-
apps/dav/lib/Connector/Sabre/Auth.php
|
|
|
@ -118,8 +118,9 @@ class Auth extends AbstractBasic { |
|
|
|
* Checks whether a CSRF check is required on the request |
|
|
|
*/ |
|
|
|
private function requiresCSRFCheck(): bool { |
|
|
|
// GET requires no check at all
|
|
|
|
if ($this->request->getMethod() === 'GET') { |
|
|
|
|
|
|
|
$methodsWithoutCsrf = ['GET', 'HEAD', 'OPTIONS']; |
|
|
|
if (in_array($this->request->getMethod(), $methodsWithoutCsrf)) { |
|
|
|
return false; |
|
|
|
} |
|
|
|
|
|
|
|
|
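Review bot: The new exemption list in `requiresCSRFCheck()` drops the comment the old `GET` branch carried, so nothing on the added lines records why `HEAD` and `OPTIONS` may skip the CSRF check. A comment above the array such as `// Safe methods (RFC 9110 §9.2.1) must not change server state, so no CSRF token is required` would state the invariant the exemption depends on: any DAV handler that changes state on one of these methods would now run without a CSRF check. The membership test should also be strict, `if (in_array($this->request->getMethod(), $methodsWithoutCsrf, true)) {`, so the comparison never falls back to loose typing. The rest of the function body lies outside the hunk, so the conditions that follow are not reviewed here.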