authorkorelstar <korelstar@users.noreply.github.com>2021-05-01 15:48:35 +0200
committerkorelstar <korelstar@users.noreply.github.com>2021-05-18 07:11:10 +0200
commitb38e8678e42bcdacc4d7408d6683e43a5a427b7b (patch)
tree13304195c66ad5e4b8f8f7957dd1db82f63f9fc6 /lib/private/AppFramework/Middleware
parent44a638f9617aa53da9e38378b1f62923cf2d2514 (diff)
fix error when using CORS with no auth credentials
Diffstat (limited to 'lib/private/AppFramework/Middleware')
-rw-r--r--lib/private/AppFramework/Middleware/Security/CORSMiddleware.php9
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
index 765311858de..392259fd20f 100644
--- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -83,14 +83,13 @@ class CORSMiddleware extends Middleware {
public function beforeController($controller, $methodName) {
// ensure that @CORS annotated API routes are not used in conjunction
// with session authentication since this enables CSRF attack vectors
- if ($this->reflector->hasAnnotation('CORS') &&
- !$this->reflector->hasAnnotation('PublicPage')) {
- $user = $this->request->server['PHP_AUTH_USER'];
- $pass = $this->request->server['PHP_AUTH_PW'];
+ if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) {
+ $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
+ $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
$this->session->logout();
try {
- if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
+ if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
}
} catch (PasswordLoginForbiddenException $ex) {