authorLukas Reschke <lukas@statuscode.ch>2016-08-01 11:52:56 +0200
committerGitHub <noreply@github.com>2016-08-01 11:52:56 +0200
commit8a7d450fb5c80477e4414cfdf86b4737905cb8f3 (patch)
treed3a1236d52d3134b7ab3cb14d66832b5bc5c0100
parent368e1c3f2bb4040229de993f3ae20d74966c8e66 (diff)
parent5c718b13b8c68fc89661edbdbd40822bb55f544a (diff)
Merge pull request #684 from nextcloud/fix_csrf_ocs
Fix OCS CSRF
-rw-r--r--lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php2
-rw-r--r--tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php3
2 files changed, 3 insertions, 2 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index 08af42b5216..3bfef2df025 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -153,7 +153,7 @@ class SecurityMiddleware extends Middleware {
*/
if(!$this->request->passesCSRFCheck() && !(
$controller instanceof OCSController &&
- $this->request->getHeader('OCS_APIREQUEST') === true)) {
+ $this->request->getHeader('OCS-APIREQUEST') === 'true')) {
throw new CrossSiteRequestForgeryException();
}
}
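Review bot: The reason a bare header check is an acceptable substitute for the CSRF token on the new line 28 is not stated anywhere in the hunk, and the docblock that closes at line 24 starts outside it. The defence rests on `OCS-APIREQUEST` being a non-simple header that browsers only send cross-origin after a CORS preflight, so a forged cross-site form or fetch cannot attach it; that only holds as long as no CORS configuration lets arbitrary origins send this header, which this hunk cannot confirm. I would extend the docblock with `OCS clients may skip the CSRF token by sending the custom OCS-APIREQUEST: true header; browsers do not send such a header cross-origin without a CORS preflight, so it cannot be forged by a third-party page. The comparison is intentionally strict: only the exact string 'true' is accepted.` The enclosing method begins before this hunk.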
diff --git a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
index 6f675932135..bfd810bc6b9 100644
--- a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
+++ b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
@@ -383,7 +383,7 @@ class SecurityMiddlewareTest extends \Test\TestCase {
[$controller, true, true],
[$ocsController, false, true],
- [$ocsController, true, true],
+ [$ocsController, true, false],
];
}
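Review bot: The provider row changed at line 40 only covers the header being absent or being exactly `'true'`, so the strict `=== 'true'` comparison the middleware now relies on is not pinned by any case where the header is present with a different value (for example `'TRUE'` or `'1'`), which should still raise the exception. Since the next hunk maps the boolean to a value with `->willReturn($hasOcsApiHeader ? 'true' : null)`, the simplest way is to let the provider carry the raw header value instead: `[$ocsController, 'TRUE', true],` as an additional row, with the stub becoming `->willReturn($hasOcsApiHeader);` and the existing rows passing `'true'` and `null` explicitly. The provider and the test method both extend outside their hunks, so the parameter's docblock, if any, would need the same adjustment.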
@@ -396,6 +396,7 @@ class SecurityMiddlewareTest extends \Test\TestCase {
public function testCsrfOcsController(Controller $controller, $hasOcsApiHeader, $exception) {
$this->request
->method('getHeader')
+ ->with('OCS-APIREQUEST')
->willReturn($hasOcsApiHeader ? 'true' : null);
$this->request->expects($this->once())
->method('passesStrictCookieCheck')