fix(middleware): Fix header injection for bruteforce middleware

Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons
So shifting back to old standard practise for now

Signed-off-by: Joas Schilling <coding@schilljs.com>

diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
index 6a943af2a1f0a13d4e877ff9f340893f866f72ca..a0b915588ad1609886246db424633b426f8dedc1 100644 (file)
--- a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
@@ -130,11 +130,7 @@ class BruteForceMiddleware extends Middleware {
                }
 
                if ($this->delaySlept) {
-                       $headers = $response->getHeaders();
-                       if (!isset($headers['X-Nextcloud-Bruteforce-Throttled'])) {
-                               $headers['X-Nextcloud-Bruteforce-Throttled'] = $this->delaySlept . 'ms';
-                               $response->setHeaders($headers);
-                       }
+                       $response->addHeader('X-Nextcloud-Bruteforce-Throttled', $this->delaySlept . 'ms');
                }
 
                return parent::afterController($controller, $methodName, $response);