Merge pull request #18644 from nextcloud/harden/csrf_endpoint

Only allow requesting new CSRF tokens if it passes the SameSite Cooki…
author: Roeland Jago Douma <rullzer@users.noreply.github.com> 2020-01-07 13:43:46 +0100
committer: GitHub <noreply@github.com> 2020-01-07 13:43:46 +0100
commit: 52e4ecd66e2269dd47f2fa7b9e99babc96308713 (patch)
tree: d394124c609511f9667dd9157d952a1a316d84a2 /core
parent: 33039a4c97a6deb7b0a2c1e38111e4eaa50a2818 (diff)
parent: da81b71f9337621a60def04c304cb301321163b7 (diff)
download: nextcloud-server-52e4ecd66e2269dd47f2fa7b9e99babc96308713.tar.gz
nextcloud-server-52e4ecd66e2269dd47f2fa7b9e99babc96308713.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/core/Controller/CSRFTokenController.php b/core/Controller/CSRFTokenController.php
index 1ae4dce6a13..b4b04ba2669 100644
--- a/core/Controller/CSRFTokenController.php
+++ b/core/Controller/CSRFTokenController.php
@@ -28,6 +28,7 @@ namespace OC\Core\Controller;
 
 use OC\Security\CSRF\CsrfTokenManager;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
 
@@ -54,6 +55,10 @@ class CSRFTokenController extends Controller {
 	 * @return JSONResponse
 	 */
 	public function index(): JSONResponse {
+		if (!$this->request->passesStrictCookieCheck()) {
+			return new JSONResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		$requestToken = $this->tokenManager->getToken();
 
 		return new JSONResponse([
author	Roeland Jago Douma <rullzer@users.noreply.github.com>	2020-01-07 13:43:46 +0100
committer	GitHub <noreply@github.com>	2020-01-07 13:43:46 +0100
commit	52e4ecd66e2269dd47f2fa7b9e99babc96308713 (patch)
tree	d394124c609511f9667dd9157d952a1a316d84a2 /core
parent	33039a4c97a6deb7b0a2c1e38111e4eaa50a2818 (diff)
parent	da81b71f9337621a60def04c304cb301321163b7 (diff)
download	nextcloud-server-52e4ecd66e2269dd47f2fa7b9e99babc96308713.tar.gz nextcloud-server-52e4ecd66e2269dd47f2fa7b9e99babc96308713.zip