From 13ec2bda2d1eb826951e9e5336ecac6ff6d1d199 Mon Sep 17 00:00:00 2001 From: Vincent Petry Date: Fri, 11 Dec 2015 11:22:38 +0100 Subject: [PATCH] Properly check X-Requested-With header in case of multiple values Saw this happening in IE8... --- apps/dav/lib/connector/sabre/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php index 4f31977023..7f4f4a531b 100644 --- a/apps/dav/lib/connector/sabre/auth.php +++ b/apps/dav/lib/connector/sabre/auth.php @@ -160,7 +160,7 @@ class Auth extends AbstractBasic { return [true, $this->principalPrefix . $user]; } - if (!$this->userSession->isLoggedIn() && $request->getHeader('X-Requested-With') === 'XMLHttpRequest') { + if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) { // do not re-authenticate over ajax, use dummy auth name to prevent browser popup $response->addHeader('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"'); $response->setStatus(401);