2 files changed, 12 insertions, 6 deletions

diff --git a/lib/private/appframework/dependencyinjection/dicontainer.php b/lib/private/appframework/dependencyinjection/dicontainer.php
index 00181694135..97a6569a0f6 100644
--- a/lib/private/appframework/dependencyinjection/dicontainer.php
+++ b/lib/private/appframework/dependencyinjection/dicontainer.php
@@ -104,7 +104,10 @@ class DIContainer extends SimpleContainer implements IAppContainer{
 		});
 
 		$this['CORSMiddleware'] = $this->share(function($c) {
-			return new CORSMiddleware($c['Request']);
+			return new CORSMiddleware(
+				$c['Request'],
+				$c['ControllerMethodReflector']
+			);
 		});
 
 		$middleWares = &$this->middleWares;
diff --git a/lib/private/appframework/middleware/security/corsmiddleware.php b/lib/private/appframework/middleware/security/corsmiddleware.php
index e32c5d42875..dca3996ea2e 100644
--- a/lib/private/appframework/middleware/security/corsmiddleware.php
+++ b/lib/private/appframework/middleware/security/corsmiddleware.php
@@ -11,7 +11,7 @@
 
 namespace OC\AppFramework\Middleware\Security;
 
-use OC\AppFramework\Utility\MethodAnnotationReader;
+use OC\AppFramework\Utility\ControllerMethodReflector;
 use OCP\IRequest;
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Middleware;
@@ -25,12 +25,16 @@ use OCP\AppFramework\Middleware;
 class CORSMiddleware extends Middleware {
 
 	private $request;
+	private $reflector;
 
 	/**
 	 * @param IRequest $request
+	 * @param ControllerMethodReflector $reflector
 	 */
-	public function __construct(IRequest $request) {
+	public function __construct(IRequest $request, 
+	                            ControllerMethodReflector $reflector) {
 		$this->request = $request;
+		$this->reflector = $reflector;
 	}
 
 
@@ -46,10 +50,9 @@ class CORSMiddleware extends Middleware {
 	 */
 	public function afterController($controller, $methodName, Response $response){
 		// only react if its a CORS request and if the request sends origin and
-		$reflector = new MethodAnnotationReader($controller, $methodName);
 
 		if(isset($this->request->server['HTTP_ORIGIN']) &&
-			$reflector->hasAnnotation('CORS')) {
+			$this->reflector->hasAnnotation('CORS')) {
 
 			// allow credentials headers must not be true or CSRF is possible 
 			// otherwise
@@ -57,7 +60,7 @@ class CORSMiddleware extends Middleware {
 				if(strtolower($header) === 'access-control-allow-credentials' &&
 				   strtolower(trim($value)) === 'true') {
 					$msg = 'Access-Control-Allow-Credentials must not be '.
-					       'set to true in order to prevent CSRF';
+						   'set to true in order to prevent CSRF';
 					throw new SecurityException($msg);
 				}
 			}