diff options
| author | Jonas Rittershofer <jotoeri@users.noreply.github.com> | 2022-04-02 18:04:41 +0200 |
|---|---|---|
| committer | Joas Schilling (Rebase PR Action) <nickvergessen@users.noreply.github.com> | 2022-09-21 10:42:00 +0000 |
| commit | c8b7a233a5b05fd4402936a343b0dc1f6442c5ed (patch) | |
| tree | 10b828e6676a9016ba74eef3e3560a8bcefb9950 /lib/private/AppFramework/Middleware | |
| parent | 48def620cb2132258be7eaf2495f67a5d88a1932 (diff) | |
| download | nextcloud-server-c8b7a233a5b05fd4402936a343b0dc1f6442c5ed.tar.gz nextcloud-server-c8b7a233a5b05fd4402936a343b0dc1f6442c5ed.zip | |
Allow CSRF on CORS routes
Co-authored-by: Julius Härtl <jus@bitgrid.net>
Co-authored-by: Andreas Brinner <andreas@everlanes.net>
Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>
Diffstat (limited to 'lib/private/AppFramework/Middleware')
| -rw-r--r-- | lib/private/AppFramework/Middleware/Security/CORSMiddleware.php | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php index 1490b69f534..dd964915006 100644 --- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php @@ -87,6 +87,10 @@ class CORSMiddleware extends Middleware { $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null; $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null; + // Allow to use the current session if a CSRF token is provided + if ($this->request->passesCSRFCheck()) { + return; + } $this->session->logout(); try { if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { |