summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoeland Jago Douma <rullzer@users.noreply.github.com>2019-08-12 08:24:53 +0200
committerGitHub <noreply@github.com>2019-08-12 08:24:53 +0200
commitfced73aa3779c9c38e2bb845c7496fc23c6f0391 (patch)
tree697a338118f3fb3cc65261e8369548ef48a98842
parentec03059bfc745e5c8c7547232afb51e9f44fd0e6 (diff)
parent6dc179ee12fe86a6e70ff53630d60da3e5aecc60 (diff)
downloadnextcloud-server-fced73aa3779c9c38e2bb845c7496fc23c6f0391.tar.gz
nextcloud-server-fced73aa3779c9c38e2bb845c7496fc23c6f0391.zip
Merge pull request #16711 from nextcloud/fix/csp/form_actions/loginflow
Fix login flow form actions
-rw-r--r--core/Controller/ClientFlowLoginController.php16
-rw-r--r--tests/Core/Controller/ClientFlowLoginControllerTest.php6
2 files changed, 20 insertions, 2 deletions
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index 748139fe832..f049f282ce8 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -195,7 +195,10 @@ class ClientFlowLoginController extends Controller {
);
$this->session->set(self::stateName, $stateToken);
- return new StandaloneTemplateResponse(
+ $csp = new Http\ContentSecurityPolicy();
+ $csp->addAllowedFormActionDomain('nc://*');
+
+ $response = new StandaloneTemplateResponse(
$this->appName,
'loginflow/authpicker',
[
@@ -209,6 +212,9 @@ class ClientFlowLoginController extends Controller {
],
'guest'
);
+
+ $response->setContentSecurityPolicy($csp);
+ return $response;
}
/**
@@ -234,7 +240,10 @@ class ClientFlowLoginController extends Controller {
$clientName = $client->getName();
}
- return new StandaloneTemplateResponse(
+ $csp = new Http\ContentSecurityPolicy();
+ $csp->addAllowedFormActionDomain('nc://*');
+
+ $response = new StandaloneTemplateResponse(
$this->appName,
'loginflow/grant',
[
@@ -248,6 +257,9 @@ class ClientFlowLoginController extends Controller {
],
'guest'
);
+
+ $response->setContentSecurityPolicy($csp);
+ return $response;
}
/**
diff --git a/tests/Core/Controller/ClientFlowLoginControllerTest.php b/tests/Core/Controller/ClientFlowLoginControllerTest.php
index 73b8118a876..f35b616a68e 100644
--- a/tests/Core/Controller/ClientFlowLoginControllerTest.php
+++ b/tests/Core/Controller/ClientFlowLoginControllerTest.php
@@ -186,6 +186,9 @@ class ClientFlowLoginControllerTest extends TestCase {
],
'guest'
);
+ $csp = new Http\ContentSecurityPolicy();
+ $csp->addAllowedFormActionDomain('nc://*');
+ $expected->setContentSecurityPolicy($csp);
$this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage());
}
@@ -245,6 +248,9 @@ class ClientFlowLoginControllerTest extends TestCase {
],
'guest'
);
+ $csp = new Http\ContentSecurityPolicy();
+ $csp->addAllowedFormActionDomain('nc://*');
+ $expected->setContentSecurityPolicy($csp);
$this->assertEquals($expected, $this->clientFlowLoginController->showAuthPickerPage('MyClientIdentifier'));
}