authorBernhard Posselt <dev@bernhard-posselt.com>2015-05-22 13:17:27 +0200
committerBernhard Posselt <dev@bernhard-posselt.com>2015-05-22 14:06:26 +0200
commitc8e3599cad9c5174260fc1dbe340efac65f1d646 (patch)
tree59fba6db45b3c84f2a4d4c7b4ee68529e5424d37 /lib/private/appframework/middleware
parentb82d902e184960877110bc45124ed2399f779cac (diff)
downloadnextcloud-server-c8e3599cad9c5174260fc1dbe340efac65f1d646.tar.gz
nextcloud-server-c8e3599cad9c5174260fc1dbe340efac65f1d646.zip
disallow cookie auth for cors requests
testing ... fixes; fix test; add php doc; fix small mistake; add another phpdoc; remove not working CORS annotations from files app
Diffstat (limited to 'lib/private/appframework/middleware')
-rw-r--r--lib/private/appframework/middleware/security/corsmiddleware.php49
1 files changed, 44 insertions, 5 deletions
diff --git a/lib/private/appframework/middleware/security/corsmiddleware.php b/lib/private/appframework/middleware/security/corsmiddleware.php
index 983742858db..600eb2318cf 100644
--- a/lib/private/appframework/middleware/security/corsmiddleware.php
+++ b/lib/private/appframework/middleware/security/corsmiddleware.php
@@ -24,30 +24,69 @@ namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OCP\IRequest;
+use OCP\IUserSession;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Middleware;
/**
- * This middleware sets the correct CORS headers on a response if the
+ * This middleware sets the correct CORS headers on a response if the
* controller has the @CORS annotation. This is needed for webapps that want
- * to access an API and dont run on the same domain, see
+ * to access an API and dont run on the same domain, see
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
*/
class CORSMiddleware extends Middleware {
+ /**
+ * @var IRequest
+ */
private $request;
+
+ /**
+ * @var ControllerMethodReflector
+ */
private $reflector;
/**
+ * @var IUserSession
+ */
+ private $session;
+
+ /**
* @param IRequest $request
* @param ControllerMethodReflector $reflector
+ * @param IUserSession $session
*/
- public function __construct(IRequest $request,
- ControllerMethodReflector $reflector) {
+ public function __construct(IRequest $request,
+ ControllerMethodReflector $reflector,
+ IUserSession $session) {
$this->request = $request;
$this->reflector = $reflector;
+ $this->session = $session;
}
+ /**
+ * This is being run in normal order before the controller is being
+ * called which allows several modifications and checks
+ *
+ * @param Controller $controller the controller that is being called
+ * @param string $methodName the name of the method that will be called on
+ * the controller
+ * @since 6.0.0
+ */
+ public function beforeController($controller, $methodName){
+ // ensure that @CORS annotated API routes are not used in conjunction
+ // with session authentication since this enables CSRF attack vectors
+ if ($this->reflector->hasAnnotation('CORS') &&
+ !$this->reflector->hasAnnotation('PublicPage')) {
+ $user = $this->request->server['PHP_AUTH_USER'];
+ $pass = $this->request->server['PHP_AUTH_PW'];
+
+ $this->session->logout();
+ if(!$this->session->login($user, $pass)) {
+ throw new SecurityException('CORS requires basic auth');
+ }
+ }
+ }
/**
* This is being run after a successful controllermethod call and allows
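Review bot: In beforeController the new code reads `$this->request->server['PHP_AUTH_USER']` and `['PHP_AUTH_PW']` without checking that they exist, so a request to a non-public @CORS route that carries no Authorization header hits undefined indices and passes nulls into login() instead of being rejected up front. I would guard before touching the session: `if (!isset($this->request->server['PHP_AUTH_USER'], $this->request->server['PHP_AUTH_PW'])) {` / `    throw new SecurityException('CORS requires basic auth');` / `}`. Note also that `$this->session->logout()` runs unconditionally before the credential check; if IUserSession::logout() terminates the browser's cookie session as its name suggests, any cross-origin request to such a route would log the victim out, which may be more than "do not accept cookie auth here" intends — worth confirming against the IUserSession implementation. The PHPDoc references `Controller` without a `use` import in this file; it is harmless for runtime but will not resolve in IDEs or static analysis, so `@param \OCP\AppFramework\Controller $controller` would be clearer.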
@@ -65,7 +104,7 @@ class CORSMiddleware extends Middleware {
if(isset($this->request->server['HTTP_ORIGIN']) &&
$this->reflector->hasAnnotation('CORS')) {
- // allow credentials headers must not be true or CSRF is possible
+ // allow credentials headers must not be true or CSRF is possible
// otherwise
foreach($response->getHeaders() as $header => $value ) {
if(strtolower($header) === 'access-control-allow-credentials' &&