3 files changed, 27 insertions, 11 deletions
diff --git a/lib/private/appframework/dependencyinjection/dicontainer.php b/lib/private/appframework/dependencyinjection/dicontainer.php
index 00181694135..97a6569a0f6 100644
--- a/lib/private/appframework/dependencyinjection/dicontainer.php
+++ b/lib/private/appframework/dependencyinjection/dicontainer.php
@@ -104,7 +104,10 @@ class DIContainer extends SimpleContainer implements IAppContainer{
 });
 $this['CORSMiddleware'] = $this->share(function($c) {
- return new CORSMiddleware($c['Request']);
+ return new CORSMiddleware(
+ $c['Request'],
+ $c['ControllerMethodReflector']
+ );
 });
 $middleWares = &$this->middleWares;
diff --git a/lib/private/appframework/middleware/security/corsmiddleware.php b/lib/private/appframework/middleware/security/corsmiddleware.php
index e32c5d42875..dca3996ea2e 100644
--- a/lib/private/appframework/middleware/security/corsmiddleware.php
+++ b/lib/private/appframework/middleware/security/corsmiddleware.php
@@ -11,7 +11,7 @@ namespace OC\AppFramework\Middleware\Security;
-use OC\AppFramework\Utility\MethodAnnotationReader;
+use OC\AppFramework\Utility\ControllerMethodReflector;
 use OCP\IRequest;
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Middleware;
@@ -25,12 +25,16 @@ use OCP\AppFramework\Middleware;
 class CORSMiddleware extends Middleware {
 private $request;
+ private $reflector;
 /**
 * @param IRequest $request
+ * @param ControllerMethodReflector $reflector
 */
- public function __construct(IRequest $request) {
+ public function __construct(IRequest $request,
+ ControllerMethodReflector $reflector) {
 $this->request = $request;
+ $this->reflector = $reflector;
 }
@@ -46,10 +50,9 @@ class CORSMiddleware extends Middleware {
 */
 public function afterController($controller, $methodName, Response $response){
 // only react if its a CORS request and if the request sends origin and
- $reflector = new MethodAnnotationReader($controller, $methodName);
 if(isset($this->request->server['HTTP_ORIGIN']) &&
- $reflector->hasAnnotation('CORS')) {
+ $this->reflector->hasAnnotation('CORS')) {
 // allow credentials headers must not be true or CSRF is possible
 // otherwise
@@ -57,7 +60,7 @@ class CORSMiddleware extends Middleware {
 if(strtolower($header) === 'access-control-allow-credentials' &&
 strtolower(trim($value)) === 'true') {
 $msg = 'Access-Control-Allow-Credentials must not be '.
- 'set to true in order to prevent CSRF';
+ 'set to true in order to prevent CSRF';
 throw new SecurityException($msg);
 }
 }
diff --git a/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php b/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
index 8224e9b4aa6..79cd3b278af 100644
--- a/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
+++ b/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
@@ -13,11 +13,19 @@ namespace OC\AppFramework\Middleware\Security;
 use OC\AppFramework\Http\Request;
+use OC\AppFramework\Utility\ControllerMethodReflector;
+
 use OCP\AppFramework\Http\Response;
 class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
+ private $reflector;
+
+ protected function setUp() {
+ $this->reflector = new ControllerMethodReflector();
+ }
+
 /**
 * @CORS
 */
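Review bot: In the `@@ -46,10 +50,9 @@` hunk, afterController now answers `hasAnnotation('CORS')` from whatever method the shared reflector was last pointed at, while the `$controller` and `$methodName` parameters it still receives go unused; the removed line reflected on exactly those two. If the DI-shared reflector has not been re-reflected for the current controller method (the tests have to call `reflect($this, __FUNCTION__)` by hand before each run), a stale answer could presumably emit Access-Control-Allow-Origin on a method that does not carry @CORS, or withhold it on one that does. Either re-point it here with `$this->reflector->reflect($controller, $methodName);` before the `if`, or state in the method's docblock that the dispatcher must already have reflected on ($controller, $methodName) before this middleware runs. The method's body continues past the end of the hunk.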
@@ -25,11 +33,11 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
 $request = new Request(
 array('server' => array('HTTP_ORIGIN' => 'test'))
 );
+ $this->reflector->reflect($this, __FUNCTION__);
+ $middleware = new CORSMiddleware($request, $this->reflector);
- $middleware = new CORSMiddleware($request);
 $response = $middleware->afterController($this, __FUNCTION__, new Response());
 $headers = $response->getHeaders();
-
 $this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
 }
@@ -38,7 +46,7 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
 $request = new Request(
 array('server' => array('HTTP_ORIGIN' => 'test'))
 );
- $middleware = new CORSMiddleware($request);
+ $middleware = new CORSMiddleware($request, $this->reflector);
 $response = $middleware->afterController($this, __FUNCTION__, new Response());
 $headers = $response->getHeaders();
@@ -51,8 +59,9 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
 */
 public function testNoOriginHeaderNoCORSHEADER() {
 $request = new Request();
+ $this->reflector->reflect($this, __FUNCTION__);
+ $middleware = new CORSMiddleware($request, $this->reflector);
- $middleware = new CORSMiddleware($request);
 $response = $middleware->afterController($this, __FUNCTION__, new Response());
 $headers = $response->getHeaders();
 $this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
@@ -67,7 +76,8 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
 $request = new Request(
 array('server' => array('HTTP_ORIGIN' => 'test'))
 );
- $middleware = new CORSMiddleware($request);
+ $this->reflector->reflect($this, __FUNCTION__);
+ $middleware = new CORSMiddleware($request, $this->reflector);
 $response = new Response();
 $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE'); |
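Review bot: The test in the `@@ -38,7 +46,7 @@` hunk is the only one that constructs the middleware without first calling `$this->reflector->reflect($this, __FUNCTION__);`, so its assertion runs against a reflector fresh from setUp() that presumably has reflected nothing, rather than against the test method's own docblock. That makes it a test of "reflector never reflected", not of "method without @CORS", and it would keep passing even if hasAnnotation mis-read an annotation-free method. Add `$this->reflector->reflect($this, __FUNCTION__);` before `$middleware = new CORSMiddleware($request, $this->reflector);` as the sibling hunks do. The test method's signature and docblock lie outside the hunk, so which annotations it carries cannot be confirmed from here.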