From f655f83c840f30781999cd84d800cb2cc27983bf Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen <rpm@fthiessen.de>
Date: Thu, 26 Jan 2023 21:08:10 +0100
Subject: fix(CORS): CORS should only be bypassed on `PublicPage` if not logged
 in to prevent CSRF attack vectors

Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
---
 lib/private/AppFramework/Middleware/Security/CORSMiddleware.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/private/AppFramework/Middleware')

diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
index 2476f4ec9b3..30ba8d8d6e4 100644
--- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -83,7 +83,7 @@ class CORSMiddleware extends Middleware {
 	public function beforeController($controller, $methodName) {
 		// ensure that @CORS annotated API routes are not used in conjunction
 		// with session authentication since this enables CSRF attack vectors
-		if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) {
+		if ($this->reflector->hasAnnotation('CORS') && (!$this->reflector->hasAnnotation('PublicPage') || $this->session->isLoggedIn())) {
 			$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
 			$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
 
-- 
cgit v1.2.3