summaryrefslogtreecommitdiffstats
path: root/lib/base.php
diff options
context:
space:
mode:
authorMorris Jobke <hey@morrisjobke.de>2017-09-25 16:17:12 +0200
committerGitHub <noreply@github.com>2017-09-25 16:17:12 +0200
commit1ad79e3039939285f6736a09f123fc95908ae201 (patch)
treee8f241e2f7ca427c1da8523061792a71f5b1b68c /lib/base.php
parente0a4c61350813ff7f501ac6917ea77d9943720b1 (diff)
parentc257cd57d46143b6007f3c2cb80576c7320dc19e (diff)
downloadnextcloud-server-1ad79e3039939285f6736a09f123fc95908ae201.tar.gz
nextcloud-server-1ad79e3039939285f6736a09f123fc95908ae201.zip
Merge pull request #6630 from nextcloud/same_site_cookie_middleware
Handle SameSiteCookie check for index.php in AppFramework Middleware
Diffstat (limited to 'lib/base.php')
-rw-r--r--lib/base.php26
1 files changed, 11 insertions, 15 deletions
diff --git a/lib/base.php b/lib/base.php
index 29778f02a45..76069303a52 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -559,24 +559,20 @@ class OC {
if($currentUrl === '/index.php/apps/user_saml/saml/acs' || $currentUrl === '/apps/user_saml/saml/acs') {
return;
}
- // For the "index.php" endpoint only a lax cookie is required.
+ // index.php routes are handled in the middleware
if($processingScript === 'index.php') {
- if(!$request->passesLaxCookieCheck()) {
- self::sendSameSiteCookies();
- header('Location: '.$_SERVER['REQUEST_URI']);
+ return;
+ }
+
+ // All other endpoints require the lax and the strict cookie
+ if(!$request->passesStrictCookieCheck()) {
+ self::sendSameSiteCookies();
+ // Debug mode gets access to the resources without strict cookie
+ // due to the fact that the SabreDAV browser also lives there.
+ if(!\OC::$server->getConfig()->getSystemValue('debug', false)) {
+ http_response_code(\OCP\AppFramework\Http::STATUS_SERVICE_UNAVAILABLE);
exit();
}
- } else {
- // All other endpoints require the lax and the strict cookie
- if(!$request->passesStrictCookieCheck()) {
- self::sendSameSiteCookies();
- // Debug mode gets access to the resources without strict cookie
- // due to the fact that the SabreDAV browser also lives there.
- if(!\OC::$server->getConfig()->getSystemValue('debug', false)) {
- http_response_code(\OCP\AppFramework\Http::STATUS_SERVICE_UNAVAILABLE);
- exit();
- }
- }
}
} elseif(!isset($_COOKIE['nc_sameSiteCookielax']) || !isset($_COOKIE['nc_sameSiteCookiestrict'])) {
self::sendSameSiteCookies();