authorThomas Müller <thomas.mueller@tmit.eu>2015-11-10 07:54:35 +0100
committerThomas Müller <thomas.mueller@tmit.eu>2015-11-19 11:34:59 +0100
commit0f434e0b9b2762de663f9a0a2930f9fdc3c23ab4 (patch)
tree6c9ca5af6a8f2fa23fa29cf7dff706fbcd903ec7 /apps/dav/lib/carddav
parent4eb15885c9a7e930670ed58af2e566c1928bc059 (diff)
Implement CSRF protection
Diffstat (limited to 'apps/dav/lib/carddav')
-rw-r--r--apps/dav/lib/carddav/sharing/plugin.php24
1 files changed, 24 insertions, 0 deletions
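--- a/apps/dav/lib/carddav/sharing/plugin.php
+++ b/apps/dav/lib/carddav/sharing/plugin.php
@@ -2,6 +2,9 @@
 namespace OCA\DAV\CardDAV\Sharing;
+use OCA\DAV\Connector\Sabre\Auth;
+use OCP\IRequest;
+use Sabre\DAV\Exception\BadRequest;
 use Sabre\DAV\Exception\NotFound;
 use Sabre\DAV\Server;
 use Sabre\DAV\ServerPlugin;
@@ -11,6 +14,11 @@ use Sabre\HTTP\ResponseInterface;
 class Plugin extends ServerPlugin {
+ public function __construct(Auth $authBackEnd, IRequest $request) {
+ $this->auth = $authBackEnd;
+ $this->request = $request;
+ }
+
 /**
 * Reference to SabreDAV server object.
 *
@@ -87,6 +95,9 @@ class Plugin extends ServerPlugin {
 return;
 }
+ // CSRF protection
+ $this->protectAgainstCSRF();
+
 $requestBody = $request->getBodyAsString();
 // If this request handler could not deal with this POST request, it
@@ -190,5 +201,18 @@ class Plugin extends ServerPlugin {
 }
+ private function protectAgainstCSRF() {
+ $user = $this->auth->getCurrentUser();
+ if ($this->auth->isDavAuthenticated($user)) {
+ return true;
+ }
+
+ if ($this->request->passesCSRFCheck()) {
+ return true;
+ }
+
+ throw new BadRequest();
+ }
+
 }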
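Review bot: `protectAgainstCSRF()` returns `true` on its two success paths, but the only caller (`$this->protectAgainstCSRF();` in the POST handler hunk) discards the result, so the method is really a guard that either passes silently or throws; dropping the `true` returns and documenting it as such would make the contract clearer, e.g. `/** Rejects POST requests that carry neither non-cookie DAV authentication nor a valid CSRF token. @throws BadRequest */`. The `BadRequest` is thrown without a message, so a rejected request gives no indication of why it was refused; `throw new BadRequest('CSRF check failed');` would help both the client and log triage. The behaviour when `getCurrentUser()` yields no user (and `isDavAuthenticated()` receives that) is not visible in this hunk and is worth confirming, since the DAV-authenticated branch is what exempts a request from the token check. The constructor assigns `$this->auth` and `$this->request`, yet no declarations for these properties appear in the hunks; if they are not declared elsewhere in the class, adding `private $auth;` and `private $request;` avoids relying on dynamic properties. The `__construct` addition sits in a hunk whose class body continues outside it.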