author | Ferdinand Thiessen <opensource@fthiessen.de> | 2025-03-13 12:04:30 +0100 |
---|---|---|
committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2025-03-13 12:04:30 +0100 |
commit | fa63e646d4bb78609d5cc6eaa06a94804d34f5f1 (patch) | |
tree | e347156c54fea76f8d9842f590842e6f60de120d /apps | |
parent | 9dea6185ada1f9f891f2c64d256551c6ad171d29 (diff) | |
fix(dav): do not require CSRF for safe and indempotent HTTP methodsfix/dav-csrf
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'apps')
-rw-r--r-- | apps/dav/lib/Connector/Sabre/Auth.php | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/apps/dav/lib/Connector/Sabre/Auth.php b/apps/dav/lib/Connector/Sabre/Auth.php
index 1d509d0d6f2..d977721bdfa 100644
--- a/apps/dav/lib/Connector/Sabre/Auth.php
+++ b/apps/dav/lib/Connector/Sabre/Auth.php
@@ -118,8 +118,9 @@ class Auth extends AbstractBasic {
 * Checks whether a CSRF check is required on the request
 */
 private function requiresCSRFCheck(): bool {
- // GET requires no check at all
- if ($this->request->getMethod() === 'GET') {
+
+ $methodsWithoutCsrf = ['GET', 'HEAD', 'OPTIONS'];
+ if (in_array($this->request->getMethod(), $methodsWithoutCsrf)) {
 return false;
 }
|
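Review bot: The `in_array()` call in `requiresCSRFCheck()` compares loosely, and the exemption list no longer has a comment saying why these methods skip the CSRF check. Since this branch decides whether a security check runs, I would pass the strict flag, `if (in_array($this->request->getMethod(), $methodsWithoutCsrf, true)) {`, and restore a comment such as `// Safe methods (RFC 9110, section 9.2.1) must not change state, so no CSRF check is needed`. The exemption is only sound while every handler for GET, HEAD and OPTIONS in the DAV server stays free of side effects, which cannot be verified from this hunk. The added blank line directly after the function's opening brace can be dropped. The body of `requiresCSRFCheck()` continues outside the hunk.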