From c8b7a233a5b05fd4402936a343b0dc1f6442c5ed Mon Sep 17 00:00:00 2001
From: Jonas Rittershofer
Date: Sat, 2 Apr 2022 18:04:41 +0200
Subject: Allow CSRF on CORS routes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Julius Härtl
Co-authored-by: Andreas Brinner
Signed-off-by: Jonas Rittershofer
---
 lib/private/AppFramework/Middleware/Security/CORSMiddleware.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'lib/private/AppFramework/Middleware')
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
index 1490b69f534..dd964915006 100644
--- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -87,6 +87,10 @@ class CORSMiddleware extends Middleware {
 $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
 $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
+ // Allow to use the current session if a CSRF token is provided
+ if ($this->request->passesCSRFCheck()) {
+ return;
+ }
 $this->session->logout();
 try {
 if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
-- cgit v1.2.3
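Review bot: The added `passesCSRFCheck()` early return sits after `$user`/`$pass` have been read from `PHP_AUTH_USER`/`PHP_AUTH_PW` but before they are used, so a request carrying both a valid request token and basic-auth headers now proceeds on the existing cookie session and the supplied credentials are never passed to `logClientIn()`; that precedence should be stated explicitly, since this middleware previously always logged the session out on these routes. Moving the check above the two `array_key_exists` lines makes the precedence visible and avoids reading headers that are then discarded: `// A valid CSRF token lets the request keep the current session; basic-auth headers are ignored in that case` followed by `if ($this->request->passesCSRFCheck()) { return; }`. The early return is now the only thing between a cookie-authenticated request and the controller on a CORS route, so it relies on `passesCSRFCheck()` rejecting requests without a valid session-bound token (presumably including the strict-cookie check used on non-CORS routes) — worth confirming and noting in the comment. The enclosing method starts and ends outside the hunk, so whatever it does after this block is skipped by the return as well.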