fix error when using CORS with no auth credentials 27028/head
authorkorelstar <korelstar@users.noreply.github.com>
Sat, 1 May 2021 13:48:35 +0000 (15:48 +0200)
committerkorelstar <korelstar@users.noreply.github.com>
Wed, 23 Jun 2021 18:57:11 +0000 (20:57 +0200)
lib/private/AppFramework/Middleware/Security/CORSMiddleware.php

index 765311858de8fb123940a2a73efe817da7951c3e..392259fd20f7daa47b0f5e53d0f30b6a943e7541 100644 (file)
@@ -83,14 +83,13 @@ class CORSMiddleware extends Middleware {
        public function beforeController($controller, $methodName) {
                // ensure that @CORS annotated API routes are not used in conjunction
                // with session authentication since this enables CSRF attack vectors
-               if ($this->reflector->hasAnnotation('CORS') &&
-                       !$this->reflector->hasAnnotation('PublicPage')) {
-                       $user = $this->request->server['PHP_AUTH_USER'];
-                       $pass = $this->request->server['PHP_AUTH_PW'];
+               if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) {
+                       $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
+                       $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
 
                        $this->session->logout();
                        try {
-                               if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
+                               if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
                                        throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
                                }
                        } catch (PasswordLoginForbiddenException $ex) {
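Review bot: The two added assignments use an `array_key_exists(...) ? ... : null` ternary where the null-coalescing operator expresses the same lookup more directly and keeps the lines under the 120-column soft limit: `$user = $this->request->server['PHP_AUTH_USER'] ?? null;` and `$pass = $this->request->server['PHP_AUTH_PW'] ?? null;` (this assumes `server` behaves as a plain array, as the existing `[...]` access suggests). The new `$user === null || $pass === null` guard only covers absent headers; an empty-string user or password still reaches `logClientIn()`, which presumably rejects it, but the distinction is worth a short comment on that line such as `// missing credentials fail fast with 401 before any login attempt is made`, since a request without credentials now never reaches the throttler path that the old code went through. The `beforeController` body continues past the hunk, so the handling in the catch block could not be reviewed here.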