author | Morris Jobke <hey@morrisjobke.de> | 2016-03-31 22:23:12 +0200 |
---|---|---|
committer | Morris Jobke <hey@morrisjobke.de> | 2016-03-31 22:23:12 +0200 |
commit | 1fac22c2c8abc4a31ca7a3dbb015fc29f0b5fae1 (patch) | |
tree | 080348cfdeb78db6ce757cbd51e549e4539b7732 /apps | |
parent | 3b4903a3ea0501f2553ad39d58253346d77f97cf (diff) | |
parent | ba69a90ab5c7756d1a53c2871ed86b29a942bb85 (diff) | |
Merge pull request #23564 from owncloud/public-ajaxbasicauth
Return 401 DummyBasicAuth in case of ajax call in public link page
Diffstat (limited to 'apps')
-rw-r--r-- | apps/dav/appinfo/v1/publicwebdav.php | 2 | ||||
-rw-r--r-- | apps/dav/lib/connector/publicauth.php | 20 |
2 files changed, 20 insertions, 2 deletions
diff --git a/apps/dav/appinfo/v1/publicwebdav.php b/apps/dav/appinfo/v1/publicwebdav.php
index b0ee264aac3..558a8238666 100644
--- a/apps/dav/appinfo/v1/publicwebdav.php
+++ b/apps/dav/appinfo/v1/publicwebdav.php
@@ -32,7 +32,7 @@ OC_App::loadApps($RUNTIME_APPTYPES);
 OC_Util::obEnd();
 // Backends
-$authBackend = new OCA\DAV\Connector\PublicAuth(\OC::$server->getConfig());
+$authBackend = new OCA\DAV\Connector\PublicAuth(\OC::$server->getConfig(), \OC::$server->getRequest());
 $serverFactory = new OCA\DAV\Connector\Sabre\ServerFactory(
 \OC::$server->getConfig(),
diff --git a/apps/dav/lib/connector/publicauth.php b/apps/dav/lib/connector/publicauth.php
index f069a214fe8..0d75a4db493 100644
--- a/apps/dav/lib/connector/publicauth.php
+++ b/apps/dav/lib/connector/publicauth.php
@@ -26,6 +26,9 @@
 namespace OCA\DAV\Connector;
+use OCP\IConfig;
+use OCP\IRequest;
+
 class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 /**
@@ -36,10 +39,18 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 private $share;
 /**
+ * @var IRequest
+ */
+ private $request;
+
+ /**
 * @param \OCP\IConfig $config
+ * @param IRequest $request
 */
- public function __construct($config) {
+ public function __construct(IConfig $config,
+ IRequest $request) {
 $this->config = $config;
+ $this->request = $request;
 }
 /**
@@ -52,6 +63,7 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 * @param string $password
 *
 * @return bool
+ * @throws \Sabre\DAV\Exception\NotAuthenticated
 */
 protected function validateUserPass($username, $password) {
 $linkItem = \OCP\Share::getShareByToken($username, false);
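Review bot: In the `__construct` hunk of publicauth.php the new `@param IRequest $request` uses the freshly imported short name while the line above keeps `@param \OCP\IConfig $config`, although the signature now takes `IConfig $config`; for consistency change it to `* @param IConfig $config`. The `$this->config` property's own `@var` docblock is outside this hunk and presumably needs the same update.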
@@ -92,6 +104,12 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 && \OC::$server->getSession()->get('public_link_authenticated') === $linkItem['id']) {
 return true;
 } else {
+ if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) {
+ // do not re-authenticate over ajax, use dummy auth name to prevent browser popup
+ http_response_code(401);
+ header('WWW-Authenticate', 'DummyBasic real="ownCloud"');
+ throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
+ }
 return false;
 }
 } else if ($linkItem['share_type'] == \OCP\Share::SHARE_TYPE_REMOTE) { |
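Review bot: The added `header('WWW-Authenticate', 'DummyBasic real="ownCloud"')` passes the header value as PHP's second `$replace` argument, so the challenge goes out as a bare `WWW-Authenticate` line with no value, and the auth parameter is misspelled (`real` instead of `realm`); it should read `header('WWW-Authenticate: DummyBasic realm="ownCloud"');`. Sabre already answers the thrown NotAuthenticated with a 401, so the explicit `http_response_code(401)` looks redundant, and headers emitted with raw `header()` outside Sabre's response object may be overridden when it sends its own response — worth confirming against the server's error path. The `explode(',', ...)` entries are not trimmed either, so a value like `foo, XMLHttpRequest` would not be recognised. validateUserPass starts before this hunk and continues past it.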