From fa63e646d4bb78609d5cc6eaa06a94804d34f5f1 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen
Date: Thu, 13 Mar 2025 12:04:30 +0100
Subject: [PATCH] fix(dav): do not require CSRF for safe and indempotent HTTP methods

Signed-off-by: Ferdinand Thiessen
---
 apps/dav/lib/Connector/Sabre/Auth.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/dav/lib/Connector/Sabre/Auth.php b/apps/dav/lib/Connector/Sabre/Auth.php
index 1d509d0d6f2..d977721bdfa 100644
--- a/apps/dav/lib/Connector/Sabre/Auth.php
+++ b/apps/dav/lib/Connector/Sabre/Auth.php
@@ -118,8 +118,9 @@ class Auth extends AbstractBasic {
 * Checks whether a CSRF check is required on the request
 */
 private function requiresCSRFCheck(): bool {
- // GET requires no check at all
- if ($this->request->getMethod() === 'GET') {
+
+ $methodsWithoutCsrf = ['GET', 'HEAD', 'OPTIONS'];
+ if (in_array($this->request->getMethod(), $methodsWithoutCsrf)) {
 return false;
 }
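Review bot: The `in_array()` call in `requiresCSRFCheck()` compares loosely, and the hunk removes the explanatory comment, so the reason these three methods skip the CSRF check is no longer stated next to the code. Pass the strict flag and restore the rationale, for example `// Safe methods (RFC 9110 section 9.2.1) must not change state, so no CSRF token is needed` above `if (in_array($this->request->getMethod(), $methodsWithoutCsrf, true)) {`, and drop the blank line added directly after the opening brace. The exemption holds only while every handler reachable through GET, HEAD and OPTIONS on this endpoint stays free of side effects, and while `getMethod()` reports the actual request method rather than an overridden one. Neither is visible in this hunk, so both are worth confirming and covering with a test. The rest of the function body lies outside the hunk.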