Allow CSRF on CORS routes 31807/head
authorJonas Rittershofer <jotoeri@users.noreply.github.com>
Sat, 2 Apr 2022 16:04:41 +0000 (18:04 +0200)
committerJoas Schilling (Rebase PR Action) <nickvergessen@users.noreply.github.com>
Wed, 21 Sep 2022 10:42:00 +0000 (10:42 +0000)
Co-authored-by: Julius Härtl <jus@bitgrid.net>
Co-authored-by: Andreas Brinner <andreas@everlanes.net>
Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>
lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
lib/public/AppFramework/OCSController.php

index 1490b69f53493e2269f11b8ea361b2d043f8fa53..dd9649150069994a66a0247972073ed9d592a0ee 100644 (file)
@@ -87,6 +87,10 @@ class CORSMiddleware extends Middleware {
                        $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
                        $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
 
+                       // Allow to use the current session if a CSRF token is provided
+                       if ($this->request->passesCSRFCheck()) {
+                               return;
+                       }
                        $this->session->logout();
                        try {
                                if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
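Review bot: The new early return fires after `$user`/`$pass` have already been read from `PHP_AUTH_USER`/`PHP_AUTH_PW` two lines above it, so a request that carries both a valid CSRF token and an `Authorization` header is served as the session user and the explicit Basic-auth credentials are silently ignored; that precedence is a security-relevant decision and should be stated in the comment rather than left implicit, e.g. `// A valid CSRF token can only come from same-origin code, so keep the current session; it takes precedence over any Basic-auth credentials handled below.` Because `passesCSRFCheck()` is now an authentication gate rather than a write-protection gate, it is worth confirming (its implementation is not visible here) that it validates the token against the current session and returns false when no session token exists, instead of only checking that a token was sent. Moving the two `$user`/`$pass` reads below the early return would also make clear that the Basic-auth path is the only one that needs them. The enclosing method starts before this hunk and continues after it, so I cannot see which CORS condition guards this branch.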
index 09c28667dcda39464ba992933a820baa61203a2a..11bac9effd58054fb6d54a1f58203c3af4d34158 100644 (file)
@@ -61,7 +61,7 @@ abstract class OCSController extends ApiController {
        public function __construct($appName,
                                                                IRequest $request,
                                                                $corsMethods = 'PUT, POST, GET, DELETE, PATCH',
-                                                               $corsAllowedHeaders = 'Authorization, Content-Type, Accept',
+                                                               $corsAllowedHeaders = 'Authorization, Content-Type, Accept, OCS-APIRequest',
                                                                $corsMaxAge = 1728000) {
                parent::__construct($appName, $request, $corsMethods,
                                                        $corsAllowedHeaders, $corsMaxAge);
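Review bot: The new header is added only to the constructor's default value, so any OCSController subclass that passes its own `$corsAllowedHeaders` string keeps excluding `OCS-APIRequest` and its cross-origin preflights will still fail; the reason for the default deserves a comment on the changed line, e.g. `// OCS routes require the OCS-APIRequest header, so it must be allowed in CORS preflight` — and if the intent is that every OCS route allows it, the base class rather than a default argument is the place to enforce that. The `requesttoken` header that the session-based path in CORSMiddleware depends on is, I assume deliberately, not added here, which keeps session authentication on CORS routes reachable only by same-origin callers; confirm that is intended and say so, since the commit title alone suggests cross-origin CSRF-token use. The constructor's docblock, if any, sits above this hunk and should mention the new header as well.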