summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoas Schilling <213943+nickvergessen@users.noreply.github.com>2022-09-21 13:50:59 +0200
committerGitHub <noreply@github.com>2022-09-21 13:50:59 +0200
commitd0ead94aea9e568075bba5aec1b12d959bd67ff1 (patch)
tree10b828e6676a9016ba74eef3e3560a8bcefb9950
parent48def620cb2132258be7eaf2495f67a5d88a1932 (diff)
parentc8b7a233a5b05fd4402936a343b0dc1f6442c5ed (diff)
downloadnextcloud-server-d0ead94aea9e568075bba5aec1b12d959bd67ff1.tar.gz
nextcloud-server-d0ead94aea9e568075bba5aec1b12d959bd67ff1.zip
Merge pull request #31807 from nextcloud/fix/cors_csrf
Accept CSRF on CORS routes
-rw-r--r--lib/private/AppFramework/Middleware/Security/CORSMiddleware.php4
-rw-r--r--lib/public/AppFramework/OCSController.php2
2 files changed, 5 insertions, 1 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
index 1490b69f534..dd964915006 100644
--- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -87,6 +87,10 @@ class CORSMiddleware extends Middleware {
$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
+ // Allow to use the current session if a CSRF token is provided
+ if ($this->request->passesCSRFCheck()) {
+ return;
+ }
$this->session->logout();
try {
if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
diff --git a/lib/public/AppFramework/OCSController.php b/lib/public/AppFramework/OCSController.php
index 09c28667dcd..11bac9effd5 100644
--- a/lib/public/AppFramework/OCSController.php
+++ b/lib/public/AppFramework/OCSController.php
@@ -61,7 +61,7 @@ abstract class OCSController extends ApiController {
public function __construct($appName,
IRequest $request,
$corsMethods = 'PUT, POST, GET, DELETE, PATCH',
- $corsAllowedHeaders = 'Authorization, Content-Type, Accept',
+ $corsAllowedHeaders = 'Authorization, Content-Type, Accept, OCS-APIRequest',
$corsMaxAge = 1728000) {
parent::__construct($appName, $request, $corsMethods,
$corsAllowedHeaders, $corsMaxAge);