Merge pull request #31807 from nextcloud/fix/cors_csrf
Accept a valid CSRF token on CORS routes
Joas Schilling
3 years ago
committed by
GitHub
2 changed files with
5 additions and
1 deletions
lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
lib/public/AppFramework/OCSController.php
@ -87,6 +87,10 @@ class CORSMiddleware extends Middleware { |
$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null; |
$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null; |
// Allow to use the current session if a CSRF token is provided
if ($this->request->passesCSRFCheck()) { |
return; |
} |
$this->session->logout(); |
try { |
if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { |
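Review bot: When `passesCSRFCheck()` succeeds, the new early return discards the `$user`/`$pass` values read from PHP_AUTH_USER/PHP_AUTH_PW two lines above it, so a request carrying both a valid token and Basic-auth credentials now stays on the cookie session instead of being re-authenticated as the Basic-auth user, and the added comment does not say so. If that precedence is intended, state it, e.g. `// A valid CSRF token proves the request came from the logged-in browser, so keep the session and ignore any Basic-auth credentials sent alongside it`, and consider moving the two `$user`/`$pass` reads below the check so they are not computed on the path that ignores them. The body of `passesCSRFCheck()` is not in this diff; this guard is only as strong as that method, which presumably fails (rather than passes) when no token is present instead of treating the route as exempt, and validates the token against the current session — worth confirming, since this middleware exists precisely to stop cookie authentication from counting on CORS routes. The enclosing method starts and ends outside the hunk.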
@ -61,7 +61,7 @@ abstract class OCSController extends ApiController { |
public function __construct($appName, |
IRequest $request, |
$corsMethods = 'PUT, POST, GET, DELETE, PATCH', |
$corsAllowedHeaders = 'Authorization, Content-Type, Accept', |
$corsAllowedHeaders = 'Authorization, Content-Type, Accept, OCS-APIRequest', |
$corsMaxAge = 1728000) { |
parent::__construct($appName, $request, $corsMethods, |
$corsAllowedHeaders, $corsMaxAge); |
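Review bot: `OCS-APIRequest` is added only to the default value of `$corsAllowedHeaders`, so any subclass that passes its own header list keeps the old set and a cross-origin caller of that controller will still have its preflight rejected when it sends that header; the constructor docblock (outside the hunk) should say that custom lists need to include it. Whatever header carries the CSRF token that CORSMiddleware now accepts would equally have to appear in Access-Control-Allow-Headers for a browser to send it cross-origin — if `passesCSRFCheck()` reads a `requesttoken` header (its implementation is not shown), the default should become `$corsAllowedHeaders = 'Authorization, Content-Type, Accept, OCS-APIRequest, requesttoken',`; confirm against the request class before relying on token-based CORS calls. The constructor signature continues outside the hunk.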