From a299fa38a9172f16e4bc48d4bd4f9807cec2f737 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 20 Jul 2016 17:37:30 +0200 Subject: [master] Port Same-Site Cookies to master Fixes https://github.com/nextcloud/server/issues/50 --- lib/private/AppFramework/Http/Request.php | 40 +++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) (limited to 'lib/private/AppFramework/Http') diff --git a/lib/private/AppFramework/Http/Request.php b/lib/private/AppFramework/Http/Request.php index d9cf1919252..8fc99f125b2 100644 --- a/lib/private/AppFramework/Http/Request.php +++ b/lib/private/AppFramework/Http/Request.php @@ -465,6 +465,10 @@ class Request implements \ArrayAccess, \Countable, IRequest { return false; } + if(!$this->passesStrictCookieCheck()) { + return false; + } + if (isset($this->items['get']['requesttoken'])) { $token = $this->items['get']['requesttoken']; } elseif (isset($this->items['post']['requesttoken'])) { @@ -480,6 +484,42 @@ class Request implements \ArrayAccess, \Countable, IRequest { return $this->csrfTokenManager->isTokenValid($token); } + /** + * Checks if the strict cookie has been sent with the request if the request + * is including any cookies. + * + * @return bool + * @since 9.1.0 + */ + public function passesStrictCookieCheck() { + if(count($this->cookies) === 0) { + return true; + } + if($this->getCookie('nc_sameSiteCookiestrict') === 'true' + && $this->passesLaxCookieCheck()) { + return true; + } + return false; + } + + /** + * Checks if the lax cookie has been sent with the request if the request + * is including any cookies. + * + * @return bool + * @since 9.1.0 + */ + public function passesLaxCookieCheck() { + if(count($this->cookies) === 0) { + return true; + } + if($this->getCookie('nc_sameSiteCookielax') === 'true') { + return true; + } + return false; + } + + /** * Returns an ID for the request, value is not guaranteed to be unique and is mostly meant for logging * If `mod_unique_id` is installed this value will be taken. -- cgit v1.2.3