author | Julius Härtl <jus@bitgrid.net> | 2022-12-21 22:57:31 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-12-21 22:57:31 +0100 |
commit | d56ee818ccb415c582689bb4f3d8f0fa906bff4a (patch) | |
tree | 0678cb82fa36fb639fd5d905b4b7843296a2c3d0 | |
parent | c1a99ca58ffdcf37c7f9aaffdb336de45de98231 (diff) | |
parent | 6abb37317f9a5e0dd4744b0c4a221ee04ffc700f (diff) | |
Merge pull request #28311 from nextcloud/enh/http-auth-session
Do not set up a session when not required on API requests
-rw-r--r-- | apps/files/lib/Controller/ViewController.php | 1 | ||||
-rw-r--r-- | lib/base.php | 20 | ||||
-rw-r--r-- | lib/private/Authentication/TwoFactorAuth/Manager.php | 3 |
3 files changed, 18 insertions, 6 deletions
diff --git a/apps/files/lib/Controller/ViewController.php b/apps/files/lib/Controller/ViewController.php
index cfbc9afce2b..1da9814d7e8 100644
--- a/apps/files/lib/Controller/ViewController.php
+++ b/apps/files/lib/Controller/ViewController.php
@@ -175,6 +175,7 @@ class ViewController extends Controller {
 /**
 * @NoCSRFRequired
 * @NoAdminRequired
+ * @UseSession
 *
 * @param string $dir
 * @param string $view
diff --git a/lib/base.php b/lib/base.php
index a847373ea2b..a7c36bcd3fe 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -73,6 +73,7 @@ use OC\Share20\Hooks;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Group\Events\UserRemovedEvent;
 use OCP\ILogger;
+use OCP\IRequest;
 use OCP\IURLGenerator;
 use OCP\IUserSession;
 use OCP\Server;
@@ -408,7 +409,16 @@ class OC {
 }
 public static function initSession(): void {
- if (Server::get(\OCP\IRequest::class)->getServerProtocol() === 'https') {
+ $request = Server::get(IRequest::class);
+ $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0;
+ if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest) {
+ setcookie('cookie_test', 'test', time() + 3600);
+ // Do not initialize the session if a request is authenticated directly
+ // unless there is a session cookie already sent along
+ return;
+ }
+
+ if ($request->getServerProtocol() === 'https') {
 ini_set('session.cookie_secure', 'true');
 }
@@ -516,7 +526,7 @@ class OC {
 * also we can't directly interfere with PHP's session mechanism.
 */
 private static function performSameSiteCookieProtection(\OCP\IConfig $config): void {
- $request = Server::get(\OCP\IRequest::class);
+ $request = Server::get(IRequest::class);
 // Some user agents are notorious and don't really properly follow HTTP
 // specifications. For those, have an automated opt-out. Since the protection
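Review bot: The `$isDavRequest` prefix test in initSession compares `$request->getRequestUri()` against `/remote.php/dav` and `/remote.php/webdav`, which presumably only matches when Nextcloud is served from the web root; for a sub-directory install the URI would begin with the webroot, the early return would never trigger, and a session would still be created for every header-authenticated DAV request — verify, and if so compare the webroot-stripped path (`getRawPathInfo()`, which the -970 hunk already uses for `/heartbeat`) instead. The comment `// unless there is a session cookie already sent along` does not match the condition, which looks for the `cookie_test` probe rather than a session cookie; suggest `// unless the client already sent back our cookie_test probe, i.e. it keeps cookies and a session is worthwhile`. The probe is set with the positional `setcookie()` form and no attributes, so on HTTPS it lacks `secure` and `httponly` even though the very next lines harden the session cookie for HTTPS; `setcookie('cookie_test', 'test', ['expires' => time() + 3600, 'secure' => $request->getServerProtocol() === 'https', 'httponly' => true, 'samesite' => 'Lax']);` would align it. initSession's body continues outside the hunk.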
@@ -778,7 +788,7 @@ class OC {
 return;
 }
- $request = Server::get(\OCP\IRequest::class);
+ $request = Server::get(IRequest::class);
 $host = $request->getInsecureServerHost();
 /**
 * if the host passed in headers isn't trusted
@@ -840,7 +850,7 @@ class OC {
 if (!defined('PHPUNIT_RUN') && $userSession->isLoggedIn()) {
 // reset brute force delay for this IP address and username
 $uid = $userSession->getUser()->getUID();
- $request = Server::get(\OCP\IRequest::class);
+ $request = Server::get(IRequest::class);
 $throttler = Server::get(\OC\Security\Bruteforce\Throttler::class);
 $throttler->resetDelay($request->getRemoteAddress(), 'login', ['user' => $uid]);
 }
@@ -970,7 +980,7 @@ class OC {
 exit();
 }
- $request = Server::get(\OCP\IRequest::class);
+ $request = Server::get(IRequest::class);
 $requestPath = $request->getRawPathInfo();
 if ($requestPath === '/heartbeat') {
 return;
diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php
index 37a9f03d073..ce732384987 100644
--- a/lib/private/Authentication/TwoFactorAuth/Manager.php
+++ b/lib/private/Authentication/TwoFactorAuth/Manager.php
@@ -42,6 +42,7 @@ use OCP\EventDispatcher\IEventDispatcher;
 use OCP\IConfig;
 use OCP\ISession;
 use OCP\IUser;
+use OCP\Session\Exceptions\SessionNotAvailableException;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\EventDispatcher\GenericEvent;
@@ -362,7 +363,7 @@ class Manager {
 $this->session->set(self::SESSION_UID_DONE, $user->getUID());
 return false;
 }
- } catch (InvalidTokenException $e) {
+ } catch (InvalidTokenException|SessionNotAvailableException $e) {
 }
 } |
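Review bot: The widened `catch (InvalidTokenException|SessionNotAvailableException $e)` in the Manager.php hunk is an empty block, so a missing session is now silently handled the same way as an invalid token with nothing saying why; the visible try body writes `$this->session->set(self::SESSION_UID_DONE, …)`, which is presumably what raises SessionNotAvailableException once base.php skips session setup for header-authenticated DAV requests. Suggest a comment inside the catch, `// No session for this request (e.g. header-authenticated API call): nothing to record here, treat as for an invalid token`, so the next reader does not take it for a swallowed error. The enclosing method starts outside the hunk, so what happens after the catch is not visible here.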