Only allow requesting new CSRF tokens if it passes the SameSite Cookie test

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
author: Roeland Jago Douma <roeland@famdouma.nl> 2020-01-03 13:08:37 +0100
committer: Roeland Jago Douma <roeland@famdouma.nl> 2020-01-03 13:12:03 +0100
commit: da81b71f9337621a60def04c304cb301321163b7 (patch)
tree: 516138a4646d0cfd69e634a15aa21395517c0eb3 /core/Controller/CSRFTokenController.php
parent: 7976cb7e94d2d73173d1774534c1ae636dc4e17f (diff)
download: nextcloud-server-da81b71f9337621a60def04c304cb301321163b7.tar.gz
nextcloud-server-da81b71f9337621a60def04c304cb301321163b7.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/core/Controller/CSRFTokenController.php b/core/Controller/CSRFTokenController.php
index 1ae4dce6a13..b4b04ba2669 100644
--- a/core/Controller/CSRFTokenController.php
+++ b/core/Controller/CSRFTokenController.php
@@ -28,6 +28,7 @@ namespace OC\Core\Controller;
 
 use OC\Security\CSRF\CsrfTokenManager;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
 
@@ -54,6 +55,10 @@ class CSRFTokenController extends Controller {
 	 * @return JSONResponse
 	 */
 	public function index(): JSONResponse {
+		if (!$this->request->passesStrictCookieCheck()) {
+			return new JSONResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		$requestToken = $this->tokenManager->getToken();
 
 		return new JSONResponse([
author	Roeland Jago Douma <roeland@famdouma.nl>	2020-01-03 13:08:37 +0100
committer	Roeland Jago Douma <roeland@famdouma.nl>	2020-01-03 13:12:03 +0100
commit	da81b71f9337621a60def04c304cb301321163b7 (patch)
tree	516138a4646d0cfd69e634a15aa21395517c0eb3 /core/Controller/CSRFTokenController.php
parent	7976cb7e94d2d73173d1774534c1ae636dc4e17f (diff)
download	nextcloud-server-da81b71f9337621a60def04c304cb301321163b7.tar.gz nextcloud-server-da81b71f9337621a60def04c304cb301321163b7.zip