diff options
Diffstat (limited to 'lib/private/appframework/middleware/security')
-rw-r--r-- | lib/private/appframework/middleware/security/exceptions/strictcookiemissingexception.php | 36 | ||||
-rw-r--r-- | lib/private/appframework/middleware/security/securitymiddleware.php | 11 |
2 files changed, 47 insertions, 0 deletions
diff --git a/lib/private/appframework/middleware/security/exceptions/strictcookiemissingexception.php b/lib/private/appframework/middleware/security/exceptions/strictcookiemissingexception.php new file mode 100644 index 00000000000..c45cc400d72 --- /dev/null +++ b/lib/private/appframework/middleware/security/exceptions/strictcookiemissingexception.php @@ -0,0 +1,36 @@ +<?php +/** + * @author Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OC\Appframework\Middleware\Security\Exceptions; + +use OCP\AppFramework\Http; + +/** + * Class StrictCookieMissingException is thrown when the strict cookie has not + * been sent with the request but is required. + * + * @package OC\Appframework\Middleware\Security\Exceptions + */ +class StrictCookieMissingException extends SecurityException { + public function __construct() { + parent::__construct('Strict Cookie has not been found in request.', Http::STATUS_PRECONDITION_FAILED); + } +} diff --git a/lib/private/appframework/middleware/security/securitymiddleware.php b/lib/private/appframework/middleware/security/securitymiddleware.php index f3bc06217cd..fe67aca9b2b 100644 --- a/lib/private/appframework/middleware/security/securitymiddleware.php +++ b/lib/private/appframework/middleware/security/securitymiddleware.php @@ -30,6 +30,7 @@ use OC\Appframework\Middleware\Security\Exceptions\AppNotEnabledException; use OC\Appframework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException; use OC\Appframework\Middleware\Security\Exceptions\NotAdminException; use OC\Appframework\Middleware\Security\Exceptions\NotLoggedInException; +use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException; use OC\AppFramework\Utility\ControllerMethodReflector; use OC\Security\CSP\ContentSecurityPolicyManager; use OCP\AppFramework\Http\ContentSecurityPolicy; @@ -132,6 +133,13 @@ class SecurityMiddleware extends Middleware { } } + // Check for strict cookie requirement + if($this->reflector->hasAnnotation('StrictCookieRequired') || !$this->reflector->hasAnnotation('NoCSRFRequired')) { + if(!$this->request->passesStrictCookieCheck()) { + throw new StrictCookieMissingException(); + } + } + // CSRF check - also registers the CSRF token since the session may be closed later Util::callRegister(); if(!$this->reflector->hasAnnotation('NoCSRFRequired')) { @@ -184,6 +192,9 @@ class SecurityMiddleware extends Middleware { */ public function afterException($controller, $methodName, \Exception $exception) { if($exception instanceof SecurityException) { + if($exception instanceof StrictCookieMissingException) { + return new RedirectResponse(\OC::$WEBROOT); + } if (stripos($this->request->getHeader('Accept'),'html') === false) { $response = new JSONResponse( |