From b53ea18ea59c76368b28198968c59b783f17122f Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 9 Aug 2016 19:09:53 +0200
Subject: Match only for actual session cookie

OVH has implemented load balancing in a very questionable way where the reverse proxy actually internally adds some cookies which would trigger a security exception. To work around this, this change only checks for the session cookie.
---
 lib/private/AppFramework/Http/Request.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'lib/private')
diff --git a/lib/private/AppFramework/Http/Request.php b/lib/private/AppFramework/Http/Request.php
index 8fb19f2d9b2..679ee5bc27c 100644
--- a/lib/private/AppFramework/Http/Request.php
+++ b/lib/private/AppFramework/Http/Request.php
@@ -485,6 +485,19 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 return $this->csrfTokenManager->isTokenValid($token);
 }
 
+ /**
+ * Whether the cookie checks are required
+ *
+ * @return bool
+ */
+ private function cookieCheckRequired() {
+ if($this->getCookie(session_name()) === null && $this->getCookie('oc_token') === null) {
+ return false;
+ }
+
+ return true;
+ }
+
 /**
 * Checks if the strict cookie has been sent with the request if the request
 * is including any cookies.
@@ -493,7 +506,7 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 * @since 9.1.0
 */
 public function passesStrictCookieCheck() {
- if(count($this->cookies) === 0) {
+ if(!$this->cookieCheckRequired()) {
 return true;
 }
 if($this->getCookie('nc_sameSiteCookiestrict') === 'true'
@@ -511,7 +524,7 @@ class Request implements \ArrayAccess, \Countable, IRequest {
 * @since 9.1.0
 */
 public function passesLaxCookieCheck() {
- if(count($this->cookies) === 0) {
+ if(!$this->cookieCheckRequired()) {
 return true;
 }
 if($this->getCookie('nc_sameSiteCookielax') === 'true') {
--
cgit v1.2.3
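Review bot: The docblock on `cookieCheckRequired()` does not record the invariant that both SameSite checks now depend on: when neither the cookie named by `session_name()` nor `oc_token` is present the method returns false, and `passesStrictCookieCheck()` and `passesLaxCookieCheck()` then pass unconditionally. The commit description mentions only the session cookie, so the docblock should name both cookies and state the maintenance rule, for example `Only requests carrying the session cookie or oc_token are subject to the SameSite checks; any other cookie that can authenticate a request must be added here or it bypasses them.` The result also relies on `session_name()` already returning the configured name when this runs, which cannot be confirmed from the hunk and is worth pinning with a test. As a smaller point, the body could be the single expression `return $this->getCookie(session_name()) !== null || $this->getCookie('oc_token') !== null;`.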
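Review bot: The docblock of `passesStrictCookieCheck()` is now stale: its opening lines, visible as trailing context of the previous hunk, still say the check applies `if the request is including any cookies`, while the new guard `if(!$this->cookieCheckRequired())` applies it only when the session cookie or `oc_token` is present. I would reword it to `Checks if the strict cookie has been sent with the request if the request carries the session cookie or oc_token.` The docblock of `passesLaxCookieCheck()` in the third hunk is not visible beyond `@since 9.1.0` but presumably needs the same correction. Both method bodies continue past the end of their hunks.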