From a06898a2d0c4403494747dbb4094dc21b6524348 Mon Sep 17 00:00:00 2001
From: Christoph Wurst
Date: Tue, 21 Mar 2023 09:11:00 +0100
Subject: [PATCH] fix(security)!: Use consistent HTTP status for strict cookie checks Before: 503/412 Now: 412 + json body explaining the error
Signed-off-by: Christoph Wurst
---
 lib/base.php | 4 +++-
 .../Security/Exceptions/StrictCookieMissingException.php | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/base.php b/lib/base.php
index f619864acb6..aebe2764be1 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -570,7 +570,9 @@ class OC {
 // Debug mode gets access to the resources without strict cookie
 // due to the fact that the SabreDAV browser also lives there.
 if (!$config->getSystemValue('debug', false)) {
- http_response_code(\OCP\AppFramework\Http::STATUS_SERVICE_UNAVAILABLE);
+ http_response_code(\OCP\AppFramework\Http::STATUS_PRECONDITION_FAILED);
+ header('Content-Type: application/json');
+ echo json_encode(['error' => 'Strict Cookie has not been found in request']);
 exit();
 }
 }
diff --git a/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php b/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php
index eca03896953..28092331a22 100644
--- a/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php
+++ b/lib/private/AppFramework/Middleware/Security/Exceptions/StrictCookieMissingException.php
@@ -1,4 +1,7 @@ * -- 2.39.5
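Review bot: In the lib/base.php hunk the 412 status and the error string are written as literals at the early-exit site, so this path can drift again from the middleware path the commit aligns it with (StrictCookieMissingException, whose body is not visible on this page). A comment above the `http_response_code(...)` call would record that coupling, for example `// Keep status and message identical to StrictCookieMissingException so both strict-cookie rejections look the same to clients`. Because the body is emitted with a bare `echo` followed by `exit()`, later response handling presumably never runs on this path; if nothing earlier in the request sets it, adding `header('X-Content-Type-Options: nosniff');` next to the `Content-Type` line would keep the rejection response from being content-sniffed. The enclosing method begins and ends outside the hunk, so whether such headers are already sent cannot be confirmed from here.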