diff options
author | Joas Schilling <coding@schilljs.com> | 2023-08-22 16:00:39 +0200 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2023-08-23 06:44:09 +0200 |
commit | 26832ec5da999068ef838f570c7a3ba912c47cdf (patch) | |
tree | 7454c0162b11ae7be1c79c5a1d15c0ccbb6996c7 /lib | |
parent | 866a8a236861a5d1dff26458da04637099877e5e (diff) | |
download | nextcloud-server-26832ec5da999068ef838f570c7a3ba912c47cdf.tar.gz nextcloud-server-26832ec5da999068ef838f570c7a3ba912c47cdf.zip |
fix(middleware): Fix header injection for bruteforce middleware
Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons
So shifting back to old standard practise for now
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php index 6a943af2a1f..a0b915588ad 100644 --- a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php @@ -130,11 +130,7 @@ class BruteForceMiddleware extends Middleware { } if ($this->delaySlept) { - $headers = $response->getHeaders(); - if (!isset($headers['X-Nextcloud-Bruteforce-Throttled'])) { - $headers['X-Nextcloud-Bruteforce-Throttled'] = $this->delaySlept . 'ms'; - $response->setHeaders($headers); - } + $response->addHeader('X-Nextcloud-Bruteforce-Throttled', $this->delaySlept . 'ms'); } return parent::afterController($controller, $methodName, $response); |