From 63f2f16b852e126cbbf478f2d25232195c5a37e4 Mon Sep 17 00:00:00 2001 From: Bernhard Posselt Date: Sun, 11 May 2014 17:55:59 +0200 Subject: [PATCH] use new controllermethodreflector for corsmiddleware --- .../dependencyinjection/dicontainer.php | 5 ++++- .../middleware/security/corsmiddleware.php | 13 +++++++----- .../security/CORSMiddlewareTest.php | 20 ++++++++++++++----- 3 files changed, 27 insertions(+), 11 deletions(-) diff --git a/lib/private/appframework/dependencyinjection/dicontainer.php b/lib/private/appframework/dependencyinjection/dicontainer.php index 0018169413..97a6569a0f 100644 --- a/lib/private/appframework/dependencyinjection/dicontainer.php +++ b/lib/private/appframework/dependencyinjection/dicontainer.php @@ -104,7 +104,10 @@ class DIContainer extends SimpleContainer implements IAppContainer{ }); $this['CORSMiddleware'] = $this->share(function($c) { - return new CORSMiddleware($c['Request']); + return new CORSMiddleware( + $c['Request'], + $c['ControllerMethodReflector'] + ); }); $middleWares = &$this->middleWares; diff --git a/lib/private/appframework/middleware/security/corsmiddleware.php b/lib/private/appframework/middleware/security/corsmiddleware.php index e32c5d4287..dca3996ea2 100644 --- a/lib/private/appframework/middleware/security/corsmiddleware.php +++ b/lib/private/appframework/middleware/security/corsmiddleware.php @@ -11,7 +11,7 @@ namespace OC\AppFramework\Middleware\Security; -use OC\AppFramework\Utility\MethodAnnotationReader; +use OC\AppFramework\Utility\ControllerMethodReflector; use OCP\IRequest; use OCP\AppFramework\Http\Response; use OCP\AppFramework\Middleware; @@ -25,12 +25,16 @@ use OCP\AppFramework\Middleware; class CORSMiddleware extends Middleware { private $request; + private $reflector; /** * @param IRequest $request + * @param ControllerMethodReflector $reflector */ - public function __construct(IRequest $request) { + public function __construct(IRequest $request, + ControllerMethodReflector $reflector) { $this->request = $request; + $this->reflector = $reflector; } @@ -46,10 +50,9 @@ class CORSMiddleware extends Middleware { */ public function afterController($controller, $methodName, Response $response){ // only react if its a CORS request and if the request sends origin and - $reflector = new MethodAnnotationReader($controller, $methodName); if(isset($this->request->server['HTTP_ORIGIN']) && - $reflector->hasAnnotation('CORS')) { + $this->reflector->hasAnnotation('CORS')) { // allow credentials headers must not be true or CSRF is possible // otherwise @@ -57,7 +60,7 @@ class CORSMiddleware extends Middleware { if(strtolower($header) === 'access-control-allow-credentials' && strtolower(trim($value)) === 'true') { $msg = 'Access-Control-Allow-Credentials must not be '. - 'set to true in order to prevent CSRF'; + 'set to true in order to prevent CSRF'; throw new SecurityException($msg); } } diff --git a/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php b/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php index 8224e9b4aa..79cd3b278a 100644 --- a/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php +++ b/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php @@ -13,11 +13,19 @@ namespace OC\AppFramework\Middleware\Security; use OC\AppFramework\Http\Request; +use OC\AppFramework\Utility\ControllerMethodReflector; + use OCP\AppFramework\Http\Response; class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase { + private $reflector; + + protected function setUp() { + $this->reflector = new ControllerMethodReflector(); + } + /** * @CORS */ @@ -25,11 +33,11 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase { $request = new Request( array('server' => array('HTTP_ORIGIN' => 'test')) ); + $this->reflector->reflect($this, __FUNCTION__); + $middleware = new CORSMiddleware($request, $this->reflector); - $middleware = new CORSMiddleware($request); $response = $middleware->afterController($this, __FUNCTION__, new Response()); $headers = $response->getHeaders(); - $this->assertEquals('test', $headers['Access-Control-Allow-Origin']); } @@ -38,7 +46,7 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase { $request = new Request( array('server' => array('HTTP_ORIGIN' => 'test')) ); - $middleware = new CORSMiddleware($request); + $middleware = new CORSMiddleware($request, $this->reflector); $response = $middleware->afterController($this, __FUNCTION__, new Response()); $headers = $response->getHeaders(); @@ -51,8 +59,9 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase { */ public function testNoOriginHeaderNoCORSHEADER() { $request = new Request(); + $this->reflector->reflect($this, __FUNCTION__); + $middleware = new CORSMiddleware($request, $this->reflector); - $middleware = new CORSMiddleware($request); $response = $middleware->afterController($this, __FUNCTION__, new Response()); $headers = $response->getHeaders(); $this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers)); @@ -67,7 +76,8 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase { $request = new Request( array('server' => array('HTTP_ORIGIN' => 'test')) ); - $middleware = new CORSMiddleware($request); + $this->reflector->reflect($this, __FUNCTION__); + $middleware = new CORSMiddleware($request, $this->reflector); $response = new Response(); $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');