We should properly check for 'true' instaed of the bool

author Roeland Jago Douma <roeland@famdouma.nl>

Mon, 1 Aug 2016 06:52:50 +0000 (08:52 +0200)

committer Roeland Jago Douma <roeland@famdouma.nl>

Mon, 1 Aug 2016 06:52:50 +0000 (08:52 +0200)
author Roeland Jago Douma <roeland@famdouma.nl>
Mon, 1 Aug 2016 06:52:50 +0000 (08:52 +0200)
committer Roeland Jago Douma <roeland@famdouma.nl>
Mon, 1 Aug 2016 06:52:50 +0000 (08:52 +0200)
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php

index 08af42b521650c2c72d8151f1be6925479920377..3bfef2df025206175c675709e6f431b4978d691b 100644 (file)
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -153,7 +153,7 @@ class SecurityMiddleware extends Middleware {
                          */
                         if(!$this->request->passesCSRFCheck() && !(
                                         $controller instanceof OCSController &&
-                                       $this->request->getHeader('OCS_APIREQUEST') === true)) {
+                                       $this->request->getHeader('OCS-APIREQUEST') === 'true')) {
                                 throw new CrossSiteRequestForgeryException();
                         }
                 }
diff --git a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php

index 6f6759321352cf164f8648848b292fe1b4bf1329..bfd810bc6b991235474440058361c1c0b46945b8 100644 (file)
--- a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
@@ -383,7 +383,7 @@ class SecurityMiddlewareTest extends \Test\TestCase {
                         [$controller, true,  true],
  
                         [$ocsController, false, true],
-                       [$ocsController, true,  true],
+                       [$ocsController, true,  false],
                 ];
         }
  
@@ -396,6 +396,7 @@ class SecurityMiddlewareTest extends \Test\TestCase {
         public function testCsrfOcsController(Controller $controller, $hasOcsApiHeader, $exception) {
                 $this->request
                         ->method('getHeader')
+                       ->with('OCS-APIREQUEST')
                         ->willReturn($hasOcsApiHeader ? 'true' : null);
                 $this->request->expects($this->once())
                         ->method('passesStrictCookieCheck')
author	Roeland Jago Douma <roeland@famdouma.nl>
	Mon, 1 Aug 2016 06:52:50 +0000 (08:52 +0200)
committer	Roeland Jago Douma <roeland@famdouma.nl>
	Mon, 1 Aug 2016 06:52:50 +0000 (08:52 +0200)
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php		patch \| blob \| history
tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php		patch \| blob \| history