From 72c1b248442fb05ef2ef1e8fbf3399cb06188013 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Mon, 15 May 2017 14:33:27 +0200 Subject: [PATCH] Check whether the $_SERVER['REQUEST_*'] vars exist before using them Signed-off-by: Joas Schilling --- core/Middleware/TwoFactorMiddleware.php | 8 +++++--- lib/base.php | 6 +++--- .../Middleware/Security/SecurityMiddleware.php | 11 +++++------ lib/private/Route/Router.php | 2 +- 4 files changed, 14 insertions(+), 13 deletions(-) diff --git a/core/Middleware/TwoFactorMiddleware.php b/core/Middleware/TwoFactorMiddleware.php index c4c3b724eb5..e35c53d4049 100644 --- a/core/Middleware/TwoFactorMiddleware.php +++ b/core/Middleware/TwoFactorMiddleware.php @@ -124,9 +124,11 @@ class TwoFactorMiddleware extends Middleware { public function afterException($controller, $methodName, Exception $exception) { if ($exception instanceof TwoFactorAuthRequiredException) { - return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', [ - 'redirect_url' => urlencode($this->request->server['REQUEST_URI']), - ])); + $params = []; + if (isset($this->request->server['REQUEST_URI'])) { + $params['redirect_url'] = $this->request->server['REQUEST_URI']; + } + return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', $params)); } if ($exception instanceof UserAlreadyLoggedInException) { return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index')); diff --git a/lib/base.php b/lib/base.php index 483cd656916..bddd6a92cc8 100644 --- a/lib/base.php +++ b/lib/base.php @@ -132,7 +132,7 @@ class OC { OC::$SUBURI = str_replace("\\", "/", substr(realpath($_SERVER["SCRIPT_FILENAME"]), strlen(OC::$SERVERROOT))); /** - * FIXME: The following lines are required because we can't yet instantiiate + * FIXME: The following lines are required because we can't yet instantiate * \OC::$server->getRequest() since \OC::$server does not yet exist. */ $params = [ @@ -174,7 +174,7 @@ class OC { // Resolve /nextcloud to /nextcloud/ to ensure to always have a trailing // slash which is required by URL generation. - if($_SERVER['REQUEST_URI'] === \OC::$WEBROOT && + if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] === \OC::$WEBROOT && substr($_SERVER['REQUEST_URI'], -1) !== '/') { header('Location: '.\OC::$WEBROOT.'/'); exit(); @@ -1005,7 +1005,7 @@ class OC { } // Handle WebDAV - if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') { + if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PROPFIND') { // not allowed any more to prevent people // mounting this root directly. // Users need to mount remote.php/webdav instead. diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php index e420a9dacc0..4e41c946432 100644 --- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php @@ -246,12 +246,11 @@ class SecurityMiddleware extends Middleware { ); } else { if($exception instanceof NotLoggedInException) { - $url = $this->urlGenerator->linkToRoute( - 'core.login.showLoginForm', - [ - 'redirect_url' => $this->request->server['REQUEST_URI'], - ] - ); + $params = []; + if (isset($this->request->server['REQUEST_URI'])) { + $params['redirect_url'] = $this->request->server['REQUEST_URI']; + } + $url = $this->urlGenerator->linkToRoute('core.login.showLoginForm', $params); $response = new RedirectResponse($url); } else { $response = new TemplateResponse('core', '403', ['file' => $exception->getMessage()], 'guest'); diff --git a/lib/private/Route/Router.php b/lib/private/Route/Router.php index fd15400dad4..71aabe15c51 100644 --- a/lib/private/Route/Router.php +++ b/lib/private/Route/Router.php @@ -75,7 +75,7 @@ class Router implements IRouter { if(!(\OC::$server->getConfig()->getSystemValue('htaccess.IgnoreFrontController', false) === true || getenv('front_controller_active') === 'true')) { $baseUrl = \OC::$server->getURLGenerator()->linkTo('', 'index.php'); } - if (!\OC::$CLI) { + if (!\OC::$CLI && isset($_SERVER['REQUEST_METHOD'])) { $method = $_SERVER['REQUEST_METHOD']; } else { $method = 'GET'; -- 2.39.5