From 0f434e0b9b2762de663f9a0a2930f9fdc3c23ab4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= Date: Tue, 10 Nov 2015 07:54:35 +0100 Subject: [PATCH] Implement CSRF protection --- apps/dav/lib/carddav/sharing/plugin.php | 24 ++++++++++++++++++++++++ apps/dav/lib/connector/sabre/auth.php | 2 +- apps/dav/lib/server.php | 1 + 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/apps/dav/lib/carddav/sharing/plugin.php b/apps/dav/lib/carddav/sharing/plugin.php index edc1a5fc11..eeb5abc6d2 100644 --- a/apps/dav/lib/carddav/sharing/plugin.php +++ b/apps/dav/lib/carddav/sharing/plugin.php @@ -2,6 +2,9 @@ namespace OCA\DAV\CardDAV\Sharing; +use OCA\DAV\Connector\Sabre\Auth; +use OCP\IRequest; +use Sabre\DAV\Exception\BadRequest; use Sabre\DAV\Exception\NotFound; use Sabre\DAV\Server; use Sabre\DAV\ServerPlugin; @@ -11,6 +14,11 @@ use Sabre\HTTP\ResponseInterface; class Plugin extends ServerPlugin { + public function __construct(Auth $authBackEnd, IRequest $request) { + $this->auth = $authBackEnd; + $this->request = $request; + } + /** * Reference to SabreDAV server object. * @@ -87,6 +95,9 @@ class Plugin extends ServerPlugin { return; } + // CSRF protection + $this->protectAgainstCSRF(); + $requestBody = $request->getBodyAsString(); // If this request handler could not deal with this POST request, it @@ -190,5 +201,18 @@ class Plugin extends ServerPlugin { } + private function protectAgainstCSRF() { + $user = $this->auth->getCurrentUser(); + if ($this->auth->isDavAuthenticated($user)) { + return true; + } + + if ($this->request->passesCSRFCheck()) { + return true; + } + + throw new BadRequest(); + } + } diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php index 39a7df31b7..0394bfd677 100644 --- a/apps/dav/lib/connector/sabre/auth.php +++ b/apps/dav/lib/connector/sabre/auth.php 
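Review bot: The constructor assigns `$this->auth` and `$this->request`, but no property declarations are visible in this hunk; if the class does not declare them elsewhere, add `/** @var Auth */ private $auth;` and `/** @var IRequest */ private $request;` above the constructor so the collaborators are typed rather than created as dynamic properties. A one-line docblock on the constructor (`@param Auth $authBackEnd`, `@param IRequest $request`) would document what the plugin depends on. The class body continues outside the hunk.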
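Review bot: `throw new BadRequest();` carries no message, so a browser client with a missing or stale token gets a bare 400 and nothing to act on; `throw new BadRequest('CSRF check not passed');` names the failing check. The `return true;` exits are dead values: the caller discards the result and failure is signalled only by the exception, so a docblock stating that contract — rejects a cookie-authenticated request without a valid CSRF token, exempts a session marked DAV-authenticated for the current user, `@throws BadRequest` — is more useful than the boolean. The exemption trusts a session flag compared against `getCurrentUser()`; it is worth confirming, outside this diff, that the flag is only set by requests that actually presented DAV credentials, since a cookie session that once passed DAV auth would otherwise remain CSRF-exempt for cross-site POSTs.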
@@ -65,7 +65,7 @@ class Auth extends AbstractBasic { * @param string $username * @return bool */ - protected function isDavAuthenticated($username) { + public function isDavAuthenticated($username) { return !is_null($this->session->get(self::DAV_AUTHENTICATED)) && $this->session->get(self::DAV_AUTHENTICATED) === $username; } diff --git a/apps/dav/lib/server.php b/apps/dav/lib/server.php index 229f33858d..44afcf23df 100644 --- a/apps/dav/lib/server.php +++ b/apps/dav/lib/server.php @@ -50,6 +50,7 @@ class Server { $this->server->addPlugin(new \Sabre\CalDAV\SharingPlugin()); $this->server->addPlugin(new \Sabre\CalDAV\Subscriptions\Plugin()); $this->server->addPlugin(new \Sabre\CalDAV\Notifications\Plugin()); + $this->server->addPlugin(new CardDAV\Sharing\Plugin($authBackend, \OC::$server->getRequest())); // addressbook plugins $this->server->addPlugin(new \Sabre\CardDAV\Plugin());
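Review bot: Widening `isDavAuthenticated` to public makes it part of the sharing plugin's contract, and that plugin now passes it the result of `getCurrentUser()`, which is presumably null when nobody is authenticated; the docblock should say `@param string|null $username` and note that the `!is_null(...)` guard is what stops a null username from matching an unset session key (without it `null === null` would count as authenticated). No code change is needed; the existing `return !is_null(...) && ... === $username;` already covers that case.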
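Review bot: The new `addPlugin` line registers the CardDAV sharing plugin inside the CalDAV group, directly above the `// addressbook plugins` comment; moving it below that comment next to `new \Sabre\CardDAV\Plugin()` keeps the file's grouping readable. `$authBackend` is used here but defined outside the hunk, so confirm it is the same `Auth` instance the plugin constructor types against. The enclosing method starts and ends outside the hunk.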