Implement CSRF protection

This commit is contained in:
Thomas Müller 2015-11-10 07:54:35 +01:00
parent 4eb15885c9
commit 0f434e0b9b
3 changed files with 26 additions and 1 deletions


@ -2,6 +2,9 @@
namespace OCA\DAV\CardDAV\Sharing; namespace OCA\DAV\CardDAV\Sharing;
use OCA\DAV\Connector\Sabre\Auth;
use OCP\IRequest;
use Sabre\DAV\Exception\BadRequest;
use Sabre\DAV\Exception\NotFound; use Sabre\DAV\Exception\NotFound;
use Sabre\DAV\Server; use Sabre\DAV\Server;
use Sabre\DAV\ServerPlugin; use Sabre\DAV\ServerPlugin;
@ -11,6 +14,11 @@ use Sabre\HTTP\ResponseInterface;
class Plugin extends ServerPlugin { class Plugin extends ServerPlugin {
public function __construct(Auth $authBackEnd, IRequest $request) {
$this->auth = $authBackEnd;
$this->request = $request;
}
/** /**
* Reference to SabreDAV server object. * Reference to SabreDAV server object.
* *
@ -87,6 +95,9 @@ class Plugin extends ServerPlugin {
return; return;
} }
// CSRF protection
$this->protectAgainstCSRF();
$requestBody = $request->getBodyAsString(); $requestBody = $request->getBodyAsString();
// If this request handler could not deal with this POST request, it // If this request handler could not deal with this POST request, it
@ -190,5 +201,18 @@ class Plugin extends ServerPlugin {
} }
private function protectAgainstCSRF() {
$user = $this->auth->getCurrentUser();
if ($this->auth->isDavAuthenticated($user)) {
return true;
}
if ($this->request->passesCSRFCheck()) {
return true;
}
throw new BadRequest();
}
} }
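Review bot: protectAgainstCSRF() has no docblock and its contract is uneven: it returns `true` on the two pass branches but never returns anything else, and the throw at `throw new BadRequest();` carries no message, so a rejected request yields a bare 400 with nothing to say why. Since the return value is discarded at the call site (`$this->protectAgainstCSRF();`), I would document it as `@return void` / `@throws BadRequest when the request is neither DAV-authenticated nor carries a valid CSRF token`, drop the `return true;` lines in favour of plain `return;`, and give the exception a message such as `throw new BadRequest('CSRF check failed');` so the failure is identifiable in logs. The constructor assigns `$this->auth` and `$this->request` but no property declarations are visible in this hunk; if they are not declared elsewhere in the class, add `private $auth;` and `private $request;` with `@var Auth` / `@var IRequest` docblocks. The method that calls protectAgainstCSRF() starts before the hunk, so the early return just above it is not reviewable here.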


@ -65,7 +65,7 @@ class Auth extends AbstractBasic {
* @param string $username * @param string $username
* @return bool * @return bool
*/ */
protected function isDavAuthenticated($username) { public function isDavAuthenticated($username) {
return !is_null($this->session->get(self::DAV_AUTHENTICATED)) && return !is_null($this->session->get(self::DAV_AUTHENTICATED)) &&
$this->session->get(self::DAV_AUTHENTICATED) === $username; $this->session->get(self::DAV_AUTHENTICATED) === $username;
} }


@ -50,6 +50,7 @@ class Server {
$this->server->addPlugin(new \Sabre\CalDAV\SharingPlugin()); $this->server->addPlugin(new \Sabre\CalDAV\SharingPlugin());
$this->server->addPlugin(new \Sabre\CalDAV\Subscriptions\Plugin()); $this->server->addPlugin(new \Sabre\CalDAV\Subscriptions\Plugin());
$this->server->addPlugin(new \Sabre\CalDAV\Notifications\Plugin()); $this->server->addPlugin(new \Sabre\CalDAV\Notifications\Plugin());
$this->server->addPlugin(new CardDAV\Sharing\Plugin($authBackend, \OC::$server->getRequest()));
// addressbook plugins // addressbook plugins
$this->server->addPlugin(new \Sabre\CardDAV\Plugin()); $this->server->addPlugin(new \Sabre\CardDAV\Plugin());
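Review bot: The new plugin registration reaches into the global container with `\OC::$server->getRequest()` inline, while its sibling dependency `$authBackend` is a local already available to this method; mixing service location into the wiring makes the request hard to substitute in tests and hides the dependency from readers of the constructor signature. Consider resolving the request once where `$authBackend` is built (or accepting an `IRequest` alongside it) and passing the variable here, e.g. `new CardDAV\Sharing\Plugin($authBackend, $request)`. The enclosing method starts outside this hunk, so I cannot see where `$authBackend` is created.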