use new controllermethodreflector for corsmiddleware
This commit is contained in:
Bernhard Posselt
parent
474b8f071d
commit
63f2f16b85
|
|
@ -104,7 +104,10 @@ class DIContainer extends SimpleContainer implements IAppContainer{
|
|||
});
|
||||
|
||||
$this['CORSMiddleware'] = $this->share(function($c) {
|
||||
return new CORSMiddleware($c['Request']);
|
||||
return new CORSMiddleware(
|
||||
$c['Request'],
|
||||
$c['ControllerMethodReflector']
|
||||
);
|
||||
});
|
||||
|
||||
$middleWares = &$this->middleWares;
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
namespace OC\AppFramework\Middleware\Security;
|
||||
|
||||
use OC\AppFramework\Utility\MethodAnnotationReader;
|
||||
use OC\AppFramework\Utility\ControllerMethodReflector;
|
||||
use OCP\IRequest;
|
||||
use OCP\AppFramework\Http\Response;
|
||||
use OCP\AppFramework\Middleware;
|
||||
|
|
@ -25,12 +25,16 @@ use OCP\AppFramework\Middleware;
|
|||
class CORSMiddleware extends Middleware {
|
||||
|
||||
private $request;
|
||||
private $reflector;
|
||||
|
||||
/**
|
||||
* @param IRequest $request
|
||||
* @param ControllerMethodReflector $reflector
|
||||
*/
|
||||
public function __construct(IRequest $request) {
|
||||
public function __construct(IRequest $request,
|
||||
ControllerMethodReflector $reflector) {
|
||||
$this->request = $request;
|
||||
$this->reflector = $reflector;
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -46,10 +50,9 @@ class CORSMiddleware extends Middleware {
|
|||
*/
|
||||
public function afterController($controller, $methodName, Response $response){
|
||||
// only react if its a CORS request and if the request sends origin and
|
||||
$reflector = new MethodAnnotationReader($controller, $methodName);
|
||||
|
||||
if(isset($this->request->server['HTTP_ORIGIN']) &&
|
||||
$reflector->hasAnnotation('CORS')) {
|
||||
$this->reflector->hasAnnotation('CORS')) {
|
||||
|
||||
// allow credentials headers must not be true or CSRF is possible
|
||||
// otherwise
|
||||
|
|
@ -57,7 +60,7 @@ class CORSMiddleware extends Middleware {
|
|||
if(strtolower($header) === 'access-control-allow-credentials' &&
|
||||
strtolower(trim($value)) === 'true') {
|
||||
$msg = 'Access-Control-Allow-Credentials must not be '.
|
||||
'set to true in order to prevent CSRF';
|
||||
'set to true in order to prevent CSRF';
|
||||
throw new SecurityException($msg);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,11 +13,19 @@
|
|||
namespace OC\AppFramework\Middleware\Security;
|
||||
|
||||
use OC\AppFramework\Http\Request;
|
||||
use OC\AppFramework\Utility\ControllerMethodReflector;
|
||||
|
||||
use OCP\AppFramework\Http\Response;
|
||||
|
||||
|
||||
class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
||||
|
||||
private $reflector;
|
||||
|
||||
protected function setUp() {
|
||||
$this->reflector = new ControllerMethodReflector();
|
||||
}
|
||||
|
||||
/**
|
||||
* @CORS
|
||||
*/
|
||||
|
|
@ -25,11 +33,11 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
|||
$request = new Request(
|
||||
array('server' => array('HTTP_ORIGIN' => 'test'))
|
||||
);
|
||||
$this->reflector->reflect($this, __FUNCTION__);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector);
|
||||
|
||||
$middleware = new CORSMiddleware($request);
|
||||
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
||||
$headers = $response->getHeaders();
|
||||
|
||||
$this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
|
||||
}
|
||||
|
||||
|
|
@ -38,7 +46,7 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
|||
$request = new Request(
|
||||
array('server' => array('HTTP_ORIGIN' => 'test'))
|
||||
);
|
||||
$middleware = new CORSMiddleware($request);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector);
|
||||
|
||||
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
||||
$headers = $response->getHeaders();
|
||||
|
|
@ -51,8 +59,9 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
|||
*/
|
||||
public function testNoOriginHeaderNoCORSHEADER() {
|
||||
$request = new Request();
|
||||
$this->reflector->reflect($this, __FUNCTION__);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector);
|
||||
|
||||
$middleware = new CORSMiddleware($request);
|
||||
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
||||
$headers = $response->getHeaders();
|
||||
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
|
||||
|
|
@ -67,7 +76,8 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
|||
$request = new Request(
|
||||
array('server' => array('HTTP_ORIGIN' => 'test'))
|
||||
);
|
||||
$middleware = new CORSMiddleware($request);
|
||||
$this->reflector->reflect($this, __FUNCTION__);
|
||||
$middleware = new CORSMiddleware($request, $this->reflector);
|
||||
|
||||
$response = new Response();
|
||||
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
|
||||
|
|
|
|||
Loading…
Reference in New Issue