aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBernhard Posselt <Raydiation@users.noreply.github.com>2015-07-20 18:03:25 +0200
committerBernhard Posselt <Raydiation@users.noreply.github.com>2015-07-20 18:03:25 +0200
commitd20e2002a6de9d472d29fb190867970a6f6b3b22 (patch)
tree037dbbabe03a2f7915fb6562839cdb02edfd7f27
parent89d6439445da8e1cf133bc2e1b6db9709ce4af8b (diff)
parent7dda86f371b66982dbade9532f5c4dc3a6fac3ac (diff)
downloadnextcloud-server-d20e2002a6de9d472d29fb190867970a6f6b3b22.tar.gz
nextcloud-server-d20e2002a6de9d472d29fb190867970a6f6b3b22.zip
Merge pull request #17743 from owncloud/return-proper-statuscodes
Return proper status code in case of a CORS exception
-rw-r--r--lib/private/appframework/middleware/security/corsmiddleware.php37
-rw-r--r--lib/private/appframework/middleware/security/securitymiddleware.php14
-rw-r--r--tests/lib/appframework/middleware/security/CORSMiddlewareTest.php51
3 files changed, 91 insertions, 11 deletions
diff --git a/lib/private/appframework/middleware/security/corsmiddleware.php b/lib/private/appframework/middleware/security/corsmiddleware.php
index 600eb2318cf..d7c42cd9b13 100644
--- a/lib/private/appframework/middleware/security/corsmiddleware.php
+++ b/lib/private/appframework/middleware/security/corsmiddleware.php
@@ -2,6 +2,7 @@
/**
* @author Bernhard Posselt <dev@bernhard-posselt.com>
* @author Morris Jobke <hey@morrisjobke.de>
+ * @author Lukas Reschke <lukas@owncloud.com>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
@@ -23,6 +24,9 @@
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Utility\ControllerMethodReflector;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\JSONResponse;
use OCP\IRequest;
use OCP\IUserSession;
use OCP\AppFramework\Http\Response;
@@ -57,8 +61,8 @@ class CORSMiddleware extends Middleware {
* @param IUserSession $session
*/
public function __construct(IRequest $request,
- ControllerMethodReflector $reflector,
- IUserSession $session) {
+ ControllerMethodReflector $reflector,
+ IUserSession $session) {
$this->request = $request;
$this->reflector = $reflector;
$this->session = $session;
@@ -71,6 +75,7 @@ class CORSMiddleware extends Middleware {
* @param Controller $controller the controller that is being called
* @param string $methodName the name of the method that will be called on
* the controller
+ * @throws SecurityException
* @since 6.0.0
*/
public function beforeController($controller, $methodName){
@@ -83,7 +88,7 @@ class CORSMiddleware extends Middleware {
$this->session->logout();
if(!$this->session->login($user, $pass)) {
- throw new SecurityException('CORS requires basic auth');
+ throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
}
}
}
@@ -97,6 +102,7 @@ class CORSMiddleware extends Middleware {
* the controller
* @param Response $response the generated response from the controller
* @return Response a Response object
+ * @throws SecurityException
*/
public function afterController($controller, $methodName, Response $response){
// only react if its a CORS request and if the request sends origin and
@@ -106,7 +112,7 @@ class CORSMiddleware extends Middleware {
// allow credentials headers must not be true or CSRF is possible
// otherwise
- foreach($response->getHeaders() as $header => $value ) {
+ foreach($response->getHeaders() as $header => $value) {
if(strtolower($header) === 'access-control-allow-credentials' &&
strtolower(trim($value)) === 'true') {
$msg = 'Access-Control-Allow-Credentials must not be '.
@@ -121,5 +127,28 @@ class CORSMiddleware extends Middleware {
return $response;
}
+ /**
+ * If an SecurityException is being caught return a JSON error response
+ *
+ * @param Controller $controller the controller that is being called
+ * @param string $methodName the name of the method that will be called on
+ * the controller
+ * @param \Exception $exception the thrown exception
+ * @throws \Exception the passed in exception if it cant handle it
+ * @return Response a Response object or null in case that the exception could not be handled
+ */
+ public function afterException($controller, $methodName, \Exception $exception){
+ if($exception instanceof SecurityException){
+ $response = new JSONResponse(['message' => $exception->getMessage()]);
+ if($exception->getCode() !== 0) {
+ $response->setStatus($exception->getCode());
+ } else {
+ $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
+ }
+ return $response;
+ }
+
+ throw $exception;
+ }
}
diff --git a/lib/private/appframework/middleware/security/securitymiddleware.php b/lib/private/appframework/middleware/security/securitymiddleware.php
index 715fb2457d2..34c626ce8be 100644
--- a/lib/private/appframework/middleware/security/securitymiddleware.php
+++ b/lib/private/appframework/middleware/security/securitymiddleware.php
@@ -69,13 +69,13 @@ class SecurityMiddleware extends Middleware {
* @param bool $isAdminUser
*/
public function __construct(IRequest $request,
- ControllerMethodReflector $reflector,
- INavigationManager $navigationManager,
- IURLGenerator $urlGenerator,
- ILogger $logger,
- $appName,
- $isLoggedIn,
- $isAdminUser){
+ ControllerMethodReflector $reflector,
+ INavigationManager $navigationManager,
+ IURLGenerator $urlGenerator,
+ ILogger $logger,
+ $appName,
+ $isLoggedIn,
+ $isAdminUser){
$this->navigationManager = $navigationManager;
$this->request = $request;
$this->reflector = $reflector;
diff --git a/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php b/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
index 5c93c95e188..ca526fb859c 100644
--- a/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
+++ b/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
@@ -15,6 +15,8 @@ namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Http\Request;
use OC\AppFramework\Utility\ControllerMethodReflector;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response;
@@ -181,4 +183,53 @@ class CORSMiddlewareTest extends \Test\TestCase {
$middleware->beforeController($this, __FUNCTION__, new Response());
}
+ public function testAfterExceptionWithSecurityExceptionNoStatus() {
+ $request = new Request(
+ ['server' => [
+ 'PHP_AUTH_USER' => 'user',
+ 'PHP_AUTH_PW' => 'pass'
+ ]],
+ $this->getMock('\OCP\Security\ISecureRandom'),
+ $this->getMock('\OCP\IConfig')
+ );
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
+ $response = $middleware->afterException($this, __FUNCTION__, new SecurityException('A security exception'));
+
+ $expected = new JSONResponse(['message' => 'A security exception'], 500);
+ $this->assertEquals($expected, $response);
+ }
+
+ public function testAfterExceptionWithSecurityExceptionWithStatus() {
+ $request = new Request(
+ ['server' => [
+ 'PHP_AUTH_USER' => 'user',
+ 'PHP_AUTH_PW' => 'pass'
+ ]],
+ $this->getMock('\OCP\Security\ISecureRandom'),
+ $this->getMock('\OCP\IConfig')
+ );
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
+ $response = $middleware->afterException($this, __FUNCTION__, new SecurityException('A security exception', 501));
+
+ $expected = new JSONResponse(['message' => 'A security exception'], 501);
+ $this->assertEquals($expected, $response);
+ }
+
+ /**
+ * @expectedException \Exception
+ * @expectedExceptionMessage A regular exception
+ */
+ public function testAfterExceptionWithRegularException() {
+ $request = new Request(
+ ['server' => [
+ 'PHP_AUTH_USER' => 'user',
+ 'PHP_AUTH_PW' => 'pass'
+ ]],
+ $this->getMock('\OCP\Security\ISecureRandom'),
+ $this->getMock('\OCP\IConfig')
+ );
+ $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
+ $middleware->afterException($this, __FUNCTION__, new \Exception('A regular exception'));
+ }
+
}