summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorJoas Schilling <coding@schilljs.com>2023-08-22 16:00:39 +0200
committerJoas Schilling <coding@schilljs.com>2023-08-23 06:44:09 +0200
commit26832ec5da999068ef838f570c7a3ba912c47cdf (patch)
tree7454c0162b11ae7be1c79c5a1d15c0ccbb6996c7 /lib
parent866a8a236861a5d1dff26458da04637099877e5e (diff)
downloadnextcloud-server-26832ec5da999068ef838f570c7a3ba912c47cdf.tar.gz
nextcloud-server-26832ec5da999068ef838f570c7a3ba912c47cdf.zip
fix(middleware): Fix header injection for bruteforce middleware
Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons So shifting back to old standard practise for now Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php6
1 files changed, 1 insertions, 5 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
index 6a943af2a1f..a0b915588ad 100644
--- a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
@@ -130,11 +130,7 @@ class BruteForceMiddleware extends Middleware {
}
if ($this->delaySlept) {
- $headers = $response->getHeaders();
- if (!isset($headers['X-Nextcloud-Bruteforce-Throttled'])) {
- $headers['X-Nextcloud-Bruteforce-Throttled'] = $this->delaySlept . 'ms';
- $response->setHeaders($headers);
- }
+ $response->addHeader('X-Nextcloud-Bruteforce-Throttled', $this->delaySlept . 'ms');
}
return parent::afterController($controller, $methodName, $response);