authorRoeland Jago Douma <roeland@famdouma.nl>2018-01-15 22:05:06 +0100
committerRoeland Jago Douma <roeland@famdouma.nl>2018-01-29 14:37:18 +0100
commitc0adfa437548a10a0542b6d36ab20011ddfdb93e (patch)
tree1e278c3cef05ae83f61b6cccc9bea67fb72b5af6
parent1d8b90b8d3c8a85104d223b7f1d5693280370774 (diff)
downloadnextcloud-server-c0adfa437548a10a0542b6d36ab20011ddfdb93e.tar.gz
nextcloud-server-c0adfa437548a10a0542b6d36ab20011ddfdb93e.zip
Don't perform CSRF check on OCS routes with Bearer auth
Fixes #5694 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
-rw-r--r--lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php10
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index 1c049fb3621..f45c8f8726c 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -170,10 +170,16 @@ class SecurityMiddleware extends Middleware {
* Only allow the CSRF check to fail on OCS Requests. This kind of
* hacks around that we have no full token auth in place yet and we
* do want to offer CSRF checks for web requests.
+ *
+ * Additionally we allow Bearer authenticated requests to pass on OCS routes.
+ * This allows oauth apps (e.g. moodle) to use the OCS endpoints
*/
if(!$this->request->passesCSRFCheck() && !(
- $controller instanceof OCSController &&
- $this->request->getHeader('OCS-APIREQUEST') === 'true')) {
+ $controller instanceof OCSController && (
+ $this->request->getHeader('OCS-APIREQUEST') === 'true' ||
+ strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0
+ )
+ )) {
throw new CrossSiteRequestForgeryException();
}
}
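Review bot: The new Bearer exemption on the `strpos(...) === 0` line keys only on the presence of an `Authorization: Bearer` prefix, not on that token having been the credential that authenticated the request, so a request carrying a valid session cookie plus an unverified Bearer header is also exempted from the CSRF check; whether that is reachable cross-site depends on the CORS handling elsewhere, which is not on the page. The added comment explains what the exemption enables but not why it is considered safe, which is the part a future maintainer needs; I would extend it with `* Like OCS-APIREQUEST, this relies on Authorization being a non-simple header that browsers will not send cross-origin without a CORS preflight; it does not verify the token itself.` Separately, the scheme comparison is case-sensitive while RFC 7235 defines auth-schemes as case-insensitive, so `bearer ` would still be subject to the CSRF check; `stripos(...)` would cover that if such clients matter. The diffstat reports 8 insertions but only 6 added lines are visible here, so two (presumably blank) lines of the hunk appear to be missing from this view.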