From a52d2066841e43ea0f0cb5072788afdc0217872e Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Wed, 30 May 2018 20:03:41 +0200 Subject: Make sure the log doesn't try to read from PUT if it can't If a PUT request comes in that is not JSON or from encoded. Then we can only read it (exactly) once. If that is the case we must assume no shared secret is set. If we don't then we either are the first to read it, thus causing the real read of the data to fail. Or we are later and then it throws an exception (also failing the request). Signed-off-by: Roeland Jago Douma --- lib/private/Log.php | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'lib/private') diff --git a/lib/private/Log.php b/lib/private/Log.php index 69705c49e87..4170acbb69a 100644 --- a/lib/private/Log.php +++ b/lib/private/Log.php @@ -233,8 +233,16 @@ class Log implements ILogger { if (isset($logCondition['shared_secret'])) { $request = \OC::$server->getRequest(); + if ($request->getMethod() === 'PUT' && + strpos($request->getHeader('Content-Type'), 'application/x-www-form-urlencoded') === false && + strpos($request->getHeader('Content-Type'), 'application/json') === false) { + $logSecretRequest = ''; + } else { + $logSecretRequest = $request->getParam('log_secret', ''); + } + // if token is found in the request change set the log condition to satisfied - if ($request && hash_equals($logCondition['shared_secret'], $request->getParam('log_secret', ''))) { + if ($request && hash_equals($logCondition['shared_secret'], $logSecretRequest)) { $this->logConditionSatisfied = true; } } -- cgit v1.2.3