authorBjoern Schiessle <bjoern@schiessle.org>2017-05-12 12:44:22 +0200
committerLukas Reschke <lukas@statuscode.ch>2017-05-18 20:49:06 +0200
commita74d67b69c986f1703567bc5986daed9f82f4571 (patch)
tree68fba0accd636890b4c2471c1e0dc72eb424b786
parent1a8965b488e436099bf6e1bbd025d652e9791fe7 (diff)
show error page if no valid client identifier is given and it is not an API request
Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
-rw-r--r--core/Controller/ClientFlowLoginController.php29
1 files changed, 24 insertions, 5 deletions
diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php
index 70cf8e8cebc..996ae34b0f2 100644
--- a/core/Controller/ClientFlowLoginController.php
+++ b/core/Controller/ClientFlowLoginController.php
@@ -151,18 +151,37 @@ class ClientFlowLoginController extends Controller {
*/
public function showAuthPickerPage($clientIdentifier = '',
$oauthState = '') {
- $stateToken = $this->random->generate(
- 64,
- ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
- );
- $this->session->set(self::stateName, $stateToken);
+
$clientName = $this->getClientName();
+ $client = null;
if($clientIdentifier !== '') {
$client = $this->clientMapper->getByIdentifier($clientIdentifier);
$clientName = $client->getName();
}
+ $validClient = $client !== null && $client->getClientIdentifier() !== null;
+ $cookieCheckSuccessful = $this->request->passesStrictCookieCheck();
+
+ // no valid clientIdentifier given and no valid API Request (APIRequest header not set)
+ if ($cookieCheckSuccessful === false && $validClient === false) {
+ return new TemplateResponse(
+ $this->appName,
+ 'error',
+ ['errors' =>
+ [
+ ['error' => 'Access Forbidden', 'hint' => 'Invalid request']
+ ]
+ ]
+ );
+ }
+
+ $stateToken = $this->random->generate(
+ 64,
+ ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_DIGITS
+ );
+ $this->session->set(self::stateName, $stateToken);
+
return new TemplateResponse(
$this->appName,
'loginflow/authpicker',