author | Roeland Jago Douma <roeland@famdouma.nl> | 2016-07-29 13:41:30 +0200 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2016-07-29 15:49:27 +0200 |
commit | f7f5216aa33469268f5631b73a84bfa8cf4f2db3 (patch) | |
tree | 799bb3491a9a5d3940d768756b0ecc53b185f671 /lib | |
parent | 54ae8eede39e58c890a42b44505a254fc5f94765 (diff) | |
download | nextcloud-server-f7f5216aa33469268f5631b73a84bfa8cf4f2db3.tar.gz nextcloud-server-f7f5216aa33469268f5631b73a84bfa8cf4f2db3.zip |
Dark hackery to not always disable CSRF for OCS controllers
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index daac36606f2..08af42b5216 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -42,6 +42,7 @@ use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Middleware;
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Http\JSONResponse;
+use OCP\AppFramework\OCSController;
 use OCP\INavigationManager;
 use OCP\IURLGenerator;
 use OCP\IRequest;
@@ -112,7 +113,7 @@ class SecurityMiddleware extends Middleware {
 * This runs all the security checks before a method call. The
 * security checks are determined by inspecting the controller method
 * annotations
- * @param string $controller the controllername or string
+ * @param Controller $controller the controller
 * @param string $methodName the name of the method
 * @throws SecurityException when a security check fails
 */
@@ -145,7 +146,14 @@ class SecurityMiddleware extends Middleware {
 // CSRF check - also registers the CSRF token since the session may be closed later
 Util::callRegister();
 if(!$this->reflector->hasAnnotation('NoCSRFRequired')) {
- if(!$this->request->passesCSRFCheck()) {
+ /*
+ * Only allow the CSRF check to fail on OCS Requests. This kind of
+ * hacks around that we have no full token auth in place yet and we
+ * do want to offer CSRF checks for web requests.
+ */
+ if(!$this->request->passesCSRFCheck() && !(
+ $controller instanceof OCSController &&
+ $this->request->getHeader('OCS_APIREQUEST') === true)) {
 throw new CrossSiteRequestForgeryException();
 }
 } |
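Review bot: The new exemption in the third hunk compares `$this->request->getHeader('OCS_APIREQUEST') === true`, but `IRequest::getHeader()` hands back the raw header value as a string, so a strict comparison against boolean `true` can never hold and the OCS bypass is dead code — every OCS request without a valid CSRF token still throws. The intended check is presumably against the literal the client sends, `$this->request->getHeader('OCS_APIREQUEST') === 'true')) {`; whether the lookup needs the dashed form `OCS-APIREQUEST` depends on how the concrete Request normalises names, which is worth confirming against the implementation. The added comment should also record why a header is an acceptable stand-in for the token here, e.g. `// A custom request header cannot be attached by a cross-origin form post without a CORS preflight, so its presence is the CSRF signal for OCS clients.`, since that property is what keeps this exemption safe and a future change to CORS handling would silently undermine it. The enclosing beforeController() method starts and ends outside this hunk.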