authorjld3103 <jld3103yt@gmail.com>2023-07-03 18:59:51 +0200
committerjld3103 <jld3103yt@gmail.com>2023-08-16 15:52:36 +0200
commit12f85438157b7153f51581485fc24ef4090139b7 (patch)
treeacc2b4f51807a49851b7efeace5894a5f5f0bc02 /lib/private/AppFramework
parentf3fa006484c6dc7f3dd2504ea005dc3689ed4d44 (diff)
Rewrite OCS CSRF check to be readable
Signed-off-by: jld3103 <jld3103yt@gmail.com>
Diffstat (limited to 'lib/private/AppFramework')
-rw-r--r--lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php22
1 files changed, 15 insertions, 7 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index 04f79361bc8..db6c7a02c77 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -206,7 +206,7 @@ class SecurityMiddleware extends Middleware {
}
// CSRF check - also registers the CSRF token since the session may be closed later
Util::callRegister();
- if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) {
+ if ($this->isInvalidCSRFRequired($reflectionMethod)) {
/*
* Only allow the CSRF check to fail on OCS Requests. This kind of
* hacks around that we have no full token auth in place yet and we
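Review bot: The new helper name `isInvalidCSRFRequired` on the added `if` reads as a double negative ("invalid CSRF is required"?) and does not say what the branch guards, which undoes part of the readability gain this commit is after. Judging from the helper body added later in the same commit, it returns true exactly when a token check is required and the request fails it; a name that states that directly, e.g. `if ($this->failsCSRFCheck($reflectionMethod)) {`, lets a reader see at the call site that the body below is the failure path. The helper definition is in the last hunk, whose end is outside this view; the surrounding method body also continues outside the hunk.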
@@ -215,12 +215,7 @@ class SecurityMiddleware extends Middleware {
* Additionally we allow Bearer authenticated requests to pass on OCS routes.
* This allows oauth apps (e.g. moodle) to use the OCS endpoints
*/
- if (!$this->request->passesCSRFCheck() && !(
- $controller instanceof OCSController && (
- $this->request->getHeader('OCS-APIREQUEST') === 'true' ||
- str_starts_with($this->request->getHeader('Authorization'), 'Bearer ')
- )
- )) {
+ if (!$controller instanceof OCSController || !$this->isValidOCSRequest()) {
throw new CrossSiteRequestForgeryException();
}
}
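Review bot: The rewritten condition is equivalent to the removed one by De Morgan, but the explanatory comment above it now describes a check whose substance has moved into `isValidOCSRequest()`, and neither place states why skipping the token check is safe for these requests. The bypass only inspects headers: a literal `OCS-APIREQUEST: true` or an `Authorization` value that merely starts with `Bearer ` — it does not verify any token, so it presumably relies on the authentication layer having already validated the bearer token and on the fact that a cross-site form cannot attach custom headers without a CORS preflight. That precondition belongs next to the call, e.g. `// Safe only because these headers cannot be set by a cross-site form post and the Bearer token is validated by the auth layer, not here.` The enclosing method starts and ends outside this hunk.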
@@ -242,6 +237,19 @@ class SecurityMiddleware extends Middleware {
}
}
+ private function isInvalidCSRFRequired(ReflectionMethod $reflectionMethod): bool {
+ if ($this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) {
+ return false;
+ }
+
+ return !$this->request->passesCSRFCheck();
+ }
+
+ private function isValidOCSRequest(): bool {
+ return $this->request->getHeader('OCS-APIREQUEST') === 'true'
+ || str_starts_with($this->request->getHeader('Authorization'), 'Bearer ');
+ }
+
/**
* @template T
*