authorThomas Müller <thomas.mueller@tmit.eu>2015-11-10 07:54:35 +0100
committerThomas Müller <thomas.mueller@tmit.eu>2015-11-19 11:34:59 +0100
commit0f434e0b9b2762de663f9a0a2930f9fdc3c23ab4 (patch)
tree6c9ca5af6a8f2fa23fa29cf7dff706fbcd903ec7
parent4eb15885c9a7e930670ed58af2e566c1928bc059 (diff)
downloadnextcloud-server-0f434e0b9b2762de663f9a0a2930f9fdc3c23ab4.tar.gz
nextcloud-server-0f434e0b9b2762de663f9a0a2930f9fdc3c23ab4.zip
Implement CSRF protection
-rw-r--r--apps/dav/lib/carddav/sharing/plugin.php24
-rw-r--r--apps/dav/lib/connector/sabre/auth.php2
-rw-r--r--apps/dav/lib/server.php1
3 files changed, 26 insertions, 1 deletions
diff --git a/apps/dav/lib/carddav/sharing/plugin.php b/apps/dav/lib/carddav/sharing/plugin.php
index edc1a5fc117..eeb5abc6d23 100644
--- a/apps/dav/lib/carddav/sharing/plugin.php
+++ b/apps/dav/lib/carddav/sharing/plugin.php
@@ -2,6 +2,9 @@
namespace OCA\DAV\CardDAV\Sharing;
+use OCA\DAV\Connector\Sabre\Auth;
+use OCP\IRequest;
+use Sabre\DAV\Exception\BadRequest;
use Sabre\DAV\Exception\NotFound;
use Sabre\DAV\Server;
use Sabre\DAV\ServerPlugin;
@@ -11,6 +14,11 @@ use Sabre\HTTP\ResponseInterface;
class Plugin extends ServerPlugin {
+ public function __construct(Auth $authBackEnd, IRequest $request) {
+ $this->auth = $authBackEnd;
+ $this->request = $request;
+ }
+
/**
* Reference to SabreDAV server object.
*
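Review bot: The constructor stores `$this->auth` and `$this->request`, but no property declarations for them are visible in this hunk; unless they are declared elsewhere in the class, these become undeclared dynamic properties, which hide typos from static analysis and are deprecated in later PHP versions. Add typed declarations above the constructor, e.g. `/** @var Auth */ private $auth;` and `/** @var IRequest */ private $request;`, and give the constructor a short docblock stating that `$authBackEnd` decides which requests are exempt from the CSRF check and `$request` supplies the token check. The rest of the class body is outside this hunk.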
@@ -87,6 +95,9 @@ class Plugin extends ServerPlugin {
return;
}
+ // CSRF protection
+ $this->protectAgainstCSRF();
+
$requestBody = $request->getBodyAsString();
// If this request handler could not deal with this POST request, it
@@ -190,5 +201,18 @@ class Plugin extends ServerPlugin {
}
+ private function protectAgainstCSRF() {
+ $user = $this->auth->getCurrentUser();
+ if ($this->auth->isDavAuthenticated($user)) {
+ return true;
+ }
+
+ if ($this->request->passesCSRFCheck()) {
+ return true;
+ }
+
+ throw new BadRequest();
+ }
+
}
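Review bot: `protectAgainstCSRF()` returns `true` on both success paths but its only caller (`$this->protectAgainstCSRF();` in the POST handler) discards the value, so the return is dead API and the success/failure contract is carried solely by the exception; make both `return true;` a bare `return;` and document the contract instead. The method also has no docblock; add one along the lines of `/** Rejects a state-changing request unless it was authenticated via DAV credentials (no browser session, so not CSRF-able) or carries a valid CSRF token. @throws BadRequest when neither condition holds. */`. Whether `getCurrentUser()` can return null here is not visible in this hunk; if it can, a null user simply fails `isDavAuthenticated()` and falls through to the token check, which is the safe direction, but a one-line comment confirming that would help the next reader.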
diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php
index 39a7df31b7f..0394bfd6772 100644
--- a/apps/dav/lib/connector/sabre/auth.php
+++ b/apps/dav/lib/connector/sabre/auth.php
@@ -65,7 +65,7 @@ class Auth extends AbstractBasic {
* @param string $username
* @return bool
*/
- protected function isDavAuthenticated($username) {
+ public function isDavAuthenticated($username) {
return !is_null($this->session->get(self::DAV_AUTHENTICATED)) &&
$this->session->get(self::DAV_AUTHENTICATED) === $username;
}
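Review bot: Now that `isDavAuthenticated()` is public and used by another class as the basis for a CSRF exemption, its docblock should state the contract rather than just the types: that it returns true only when the session's `DAV_AUTHENTICATED` entry exists and equals `$username`, and that callers rely on this to mean the request was authenticated with DAV credentials rather than a browser session. A docblock line such as `* True when the session was established by DAV authentication for this exact user; callers use this to exempt the request from CSRF checks.` would make the dependency explicit.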
diff --git a/apps/dav/lib/server.php b/apps/dav/lib/server.php
index 229f33858d9..44afcf23df6 100644
--- a/apps/dav/lib/server.php
+++ b/apps/dav/lib/server.php
@@ -50,6 +50,7 @@ class Server {
$this->server->addPlugin(new \Sabre\CalDAV\SharingPlugin());
$this->server->addPlugin(new \Sabre\CalDAV\Subscriptions\Plugin());
$this->server->addPlugin(new \Sabre\CalDAV\Notifications\Plugin());
+ $this->server->addPlugin(new CardDAV\Sharing\Plugin($authBackend, \OC::$server->getRequest()));
// addressbook plugins
$this->server->addPlugin(new \Sabre\CardDAV\Plugin());
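Review bot: The new `CardDAV\Sharing\Plugin` registration is placed among the CalDAV plugins, above the `// addressbook plugins` comment, so a reader scanning by section will not find it with the other CardDAV plugins; move the line below that comment next to `new \Sabre\CardDAV\Plugin()`. `$authBackend` is defined outside this hunk, so I cannot confirm it is the `Connector\Sabre\Auth` instance the plugin's constructor expects; worth a glance since a type mismatch would only surface at runtime in code that predates scalar/class type enforcement here.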