diff options
author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2020-01-07 13:43:46 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-07 13:43:46 +0100 |
commit | 52e4ecd66e2269dd47f2fa7b9e99babc96308713 (patch) | |
tree | d394124c609511f9667dd9157d952a1a316d84a2 | |
parent | 33039a4c97a6deb7b0a2c1e38111e4eaa50a2818 (diff) | |
parent | da81b71f9337621a60def04c304cb301321163b7 (diff) | |
download | nextcloud-server-52e4ecd66e2269dd47f2fa7b9e99babc96308713.tar.gz nextcloud-server-52e4ecd66e2269dd47f2fa7b9e99babc96308713.zip |
Merge pull request #18644 from nextcloud/harden/csrf_endpoint
Only allow requesting new CSRF tokens if it passes the SameSite Cooki…
-rw-r--r-- | core/Controller/CSRFTokenController.php | 5 | ||||
-rw-r--r-- | tests/Core/Controller/CSRFTokenControllerTest.php | 13 |
2 files changed, 17 insertions, 1 deletions
diff --git a/core/Controller/CSRFTokenController.php b/core/Controller/CSRFTokenController.php index 1ae4dce6a13..b4b04ba2669 100644 --- a/core/Controller/CSRFTokenController.php +++ b/core/Controller/CSRFTokenController.php @@ -28,6 +28,7 @@ namespace OC\Core\Controller; use OC\Security\CSRF\CsrfTokenManager; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http; use OCP\AppFramework\Http\JSONResponse; use OCP\IRequest; @@ -54,6 +55,10 @@ class CSRFTokenController extends Controller { * @return JSONResponse */ public function index(): JSONResponse { + if (!$this->request->passesStrictCookieCheck()) { + return new JSONResponse([], Http::STATUS_FORBIDDEN); + } + $requestToken = $this->tokenManager->getToken(); return new JSONResponse([ diff --git a/tests/Core/Controller/CSRFTokenControllerTest.php b/tests/Core/Controller/CSRFTokenControllerTest.php index 74eebf61749..a02f84832e5 100644 --- a/tests/Core/Controller/CSRFTokenControllerTest.php +++ b/tests/Core/Controller/CSRFTokenControllerTest.php @@ -54,7 +54,9 @@ class CSRFTokenControllerTest extends TestCase { $this->tokenManager); } - public function testGetToken() { + public function testGetToken(): void { + $this->request->method('passesStrictCookieCheck')->willReturn(true); + $token = $this->createMock(CsrfToken::class); $this->tokenManager->method('getToken')->willReturn($token); $token->method('getEncryptedValue')->willReturn('toktok123'); @@ -68,4 +70,13 @@ class CSRFTokenControllerTest extends TestCase { ], $response->getData()); } + public function testGetTokenNoStrictSameSiteCookie(): void { + $this->request->method('passesStrictCookieCheck')->willReturn(false); + + $response = $this->controller->index(); + + $this->assertInstanceOf(JSONResponse::class, $response); + $this->assertSame(Http::STATUS_FORBIDDEN, $response->getStatus()); + } + } |