From a299fa38a9172f16e4bc48d4bd4f9807cec2f737 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Wed, 20 Jul 2016 17:37:30 +0200
Subject: [master] Port Same-Site Cookies to master

Fixes https://github.com/nextcloud/server/issues/50
---
 lib/private/legacy/eventsource.php | 4 ++++
 lib/private/legacy/json.php        | 5 +++++
 2 files changed, 9 insertions(+)

(limited to 'lib/private/legacy')

diff --git a/lib/private/legacy/eventsource.php b/lib/private/legacy/eventsource.php
index 51040e7be7d..70e9847d237 100644
--- a/lib/private/legacy/eventsource.php
+++ b/lib/private/legacy/eventsource.php
@@ -76,6 +76,10 @@ class OC_EventSource implements \OCP\IEventSource {
 		} else {
 			header("Content-Type: text/event-stream");
 		}
+		if(!\OC::$server->getRequest()->passesStrictCookieCheck()) {
+			header('Location: '.\OC::$WEBROOT);
+			exit();
+		}
 		if (!(\OC::$server->getRequest()->passesCSRFCheck())) {
 			$this->send('error', 'Possible CSRF attack. Connection will be closed.');
 			$this->close();
diff --git a/lib/private/legacy/json.php b/lib/private/legacy/json.php
index 1dde63602b1..557e1d77012 100644
--- a/lib/private/legacy/json.php
+++ b/lib/private/legacy/json.php
@@ -79,6 +79,11 @@ class OC_JSON{
 	 * @deprecated Use annotation based CSRF checks from the AppFramework instead
 	 */
 	public static function callCheck() {
+		if(!\OC::$server->getRequest()->passesStrictCookieCheck()) {
+			header('Location: '.\OC::$WEBROOT);
+			exit();
+		}
+
 		if( !(\OC::$server->getRequest()->passesCSRFCheck())) {
 			$l = \OC::$server->getL10N('lib');
 			self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.'), 'error' => 'token_expired' )));
-- 
cgit v1.2.3