Merge pull request #21144 from owncloud/dav-auth-checkduplicateheader

Properly check X-Requested-With header in case of multiple values
author: Thomas Müller <thomas.mueller@tmit.eu> 2015-12-11 11:44:43 +0100
committer: Thomas Müller <thomas.mueller@tmit.eu> 2015-12-11 11:44:43 +0100
commit: f799b27f0e1f1021ddd2baea8f932d05af780596 (patch)
tree: d4e8e57d144c5d8478640c1bb61d8aa9bc717b8c /apps
parent: 6317ba8cb4fef328bf828eab5197cc58f7057221 (diff)
parent: 13ec2bda2d1eb826951e9e5336ecac6ff6d1d199 (diff)
download: nextcloud-server-f799b27f0e1f1021ddd2baea8f932d05af780596.tar.gz
nextcloud-server-f799b27f0e1f1021ddd2baea8f932d05af780596.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php
index 4f319770234..7f4f4a531b1 100644
--- a/apps/dav/lib/connector/sabre/auth.php
+++ b/apps/dav/lib/connector/sabre/auth.php
@@ -160,7 +160,7 @@ class Auth extends AbstractBasic {
 			return [true, $this->principalPrefix . $user];
 		}
 
-		if (!$this->userSession->isLoggedIn() && $request->getHeader('X-Requested-With') === 'XMLHttpRequest') {
+		if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) {
 			// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
 			$response->addHeader('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"');
 			$response->setStatus(401);
author	Thomas Müller <thomas.mueller@tmit.eu>	2015-12-11 11:44:43 +0100
committer	Thomas Müller <thomas.mueller@tmit.eu>	2015-12-11 11:44:43 +0100
commit	f799b27f0e1f1021ddd2baea8f932d05af780596 (patch)
tree	d4e8e57d144c5d8478640c1bb61d8aa9bc717b8c /apps
parent	6317ba8cb4fef328bf828eab5197cc58f7057221 (diff)
parent	13ec2bda2d1eb826951e9e5336ecac6ff6d1d199 (diff)
download	nextcloud-server-f799b27f0e1f1021ddd2baea8f932d05af780596.tar.gz nextcloud-server-f799b27f0e1f1021ddd2baea8f932d05af780596.zip