Make SecurityMiddleware strict

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Roeland Jago Douma 2018-03-08 10:11:47 +01:00
parent 7da0812186
commit 340e8ef16c
No known key found for this signature in database
GPG Key ID: F941078878347C0C
1 changed files with 9 additions and 10 deletions


@ -1,4 +1,5 @@
<?php <?php
declare(strict_types=1);
/** /**
* @copyright Copyright (c) 2016, ownCloud, Inc. * @copyright Copyright (c) 2016, ownCloud, Inc.
* *
@ -111,9 +112,9 @@ class SecurityMiddleware extends Middleware {
INavigationManager $navigationManager, INavigationManager $navigationManager,
IURLGenerator $urlGenerator, IURLGenerator $urlGenerator,
ILogger $logger, ILogger $logger,
$appName, string $appName,
$isLoggedIn, bool $isLoggedIn,
$isAdminUser, bool $isAdminUser,
ContentSecurityPolicyManager $contentSecurityPolicyManager, ContentSecurityPolicyManager $contentSecurityPolicyManager,
CsrfTokenManager $csrfTokenManager, CsrfTokenManager $csrfTokenManager,
ContentSecurityPolicyNonceManager $cspNonceManager, ContentSecurityPolicyNonceManager $cspNonceManager,
@ -156,10 +157,8 @@ class SecurityMiddleware extends Middleware {
throw new NotLoggedInException(); throw new NotLoggedInException();
} }
if(!$this->reflector->hasAnnotation('NoAdminRequired')) { if(!$this->reflector->hasAnnotation('NoAdminRequired') && !$this->isAdminUser) {
if(!$this->isAdminUser) { throw new NotAdminException($this->l10n->t('Logged in user must be an admin'));
throw new NotAdminException($this->l10n->t('Logged in user must be an admin'));
}
} }
} }
@ -212,7 +211,7 @@ class SecurityMiddleware extends Middleware {
* @param Response $response * @param Response $response
* @return Response * @return Response
*/ */
public function afterController($controller, $methodName, Response $response) { public function afterController($controller, $methodName, Response $response): Response {
$policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy(); $policy = !is_null($response->getContentSecurityPolicy()) ? $response->getContentSecurityPolicy() : new ContentSecurityPolicy();
if (get_class($policy) === EmptyContentSecurityPolicy::class) { if (get_class($policy) === EmptyContentSecurityPolicy::class) {
@ -241,14 +240,14 @@ class SecurityMiddleware extends Middleware {
* @throws \Exception the passed in exception if it can't handle it * @throws \Exception the passed in exception if it can't handle it
* @return Response a Response object or null in case that the exception could not be handled * @return Response a Response object or null in case that the exception could not be handled
*/ */
public function afterException($controller, $methodName, \Exception $exception) { public function afterException($controller, $methodName, \Exception $exception): Response {
if($exception instanceof SecurityException) { if($exception instanceof SecurityException) {
if($exception instanceof StrictCookieMissingException) { if($exception instanceof StrictCookieMissingException) {
return new RedirectResponse(\OC::$WEBROOT); return new RedirectResponse(\OC::$WEBROOT);
} }
if (stripos($this->request->getHeader('Accept'),'html') === false) { if (stripos($this->request->getHeader('Accept'),'html') === false) {
$response = new JSONResponse( $response = new JSONResponse(
array('message' => $exception->getMessage()), ['message' => $exception->getMessage()],
$exception->getCode() $exception->getCode()
); );
} else { } else {
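Review bot: The new `: Response` return type on `afterException` contradicts the docblock directly above it, which still promises "a Response object or null in case that the exception could not be handled". With a non-nullable return type, any branch that falls through or returns null raises a TypeError inside the security exception handler instead of rethrowing the original exception; the rest of the method lies outside this hunk, so every branch should be confirmed to either return a Response or throw. I would change the tag to `@return Response a Response object; exceptions that cannot be handled are rethrown`. Separately, `declare(strict_types=1)` now governs the `stripos($this->request->getHeader('Accept'),'html')` call in the same method, so if `getHeader` can return null for a missing header (its signature is not visible here) that call would throw rather than fall back to the JSON response. Casting the header value, `stripos((string)$this->request->getHeader('Accept'), 'html')`, would cover that case.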