use new controllermethodreflector for corsmiddleware
This commit is contained in:
parent
474b8f071d
commit
63f2f16b85
@ -104,7 +104,10 @@ class DIContainer extends SimpleContainer implements IAppContainer{
|
||||||
});
|
});
|
||||||
|
|
||||||
$this['CORSMiddleware'] = $this->share(function($c) {
|
$this['CORSMiddleware'] = $this->share(function($c) {
|
||||||
return new CORSMiddleware($c['Request']);
|
return new CORSMiddleware(
|
||||||
|
$c['Request'],
|
||||||
|
$c['ControllerMethodReflector']
|
||||||
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
$middleWares = &$this->middleWares;
|
$middleWares = &$this->middleWares;
|
||||||
|
|
|
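Review bot: The closure now pulls `$c['ControllerMethodReflector']` into CORSMiddleware, but the hunk does not show how that service is registered, and the middleware's CORS check only works if it receives the same instance that is later pointed at the dispatched controller method. If the reflector is registered as a plain factory rather than via `$this->share(...)`, the middleware holds a separate, never-reflected instance and `hasAnnotation('CORS')` would read empty state. Worth confirming the registration above this hunk is shared, and noting it here, e.g. `// must resolve to the shared reflector instance the dispatcher reflects into -- verify registration`.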
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
namespace OC\AppFramework\Middleware\Security;
|
namespace OC\AppFramework\Middleware\Security;
|
||||||
|
|
||||||
use OC\AppFramework\Utility\MethodAnnotationReader;
|
use OC\AppFramework\Utility\ControllerMethodReflector;
|
||||||
use OCP\IRequest;
|
use OCP\IRequest;
|
||||||
use OCP\AppFramework\Http\Response;
|
use OCP\AppFramework\Http\Response;
|
||||||
use OCP\AppFramework\Middleware;
|
use OCP\AppFramework\Middleware;
|
||||||
|
@ -25,12 +25,16 @@ use OCP\AppFramework\Middleware;
|
||||||
class CORSMiddleware extends Middleware {
|
class CORSMiddleware extends Middleware {
|
||||||
|
|
||||||
private $request;
|
private $request;
|
||||||
|
private $reflector;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param IRequest $request
|
* @param IRequest $request
|
||||||
|
* @param ControllerMethodReflector $reflector
|
||||||
*/
|
*/
|
||||||
public function __construct(IRequest $request) {
|
public function __construct(IRequest $request,
|
||||||
|
ControllerMethodReflector $reflector) {
|
||||||
$this->request = $request;
|
$this->request = $request;
|
||||||
|
$this->reflector = $reflector;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -46,10 +50,9 @@ class CORSMiddleware extends Middleware {
|
||||||
*/
|
*/
|
||||||
public function afterController($controller, $methodName, Response $response){
|
public function afterController($controller, $methodName, Response $response){
|
||||||
// only react if its a CORS request and if the request sends origin and
|
// only react if its a CORS request and if the request sends origin and
|
||||||
$reflector = new MethodAnnotationReader($controller, $methodName);
|
|
||||||
|
|
||||||
if(isset($this->request->server['HTTP_ORIGIN']) &&
|
if(isset($this->request->server['HTTP_ORIGIN']) &&
|
||||||
$reflector->hasAnnotation('CORS')) {
|
$this->reflector->hasAnnotation('CORS')) {
|
||||||
|
|
||||||
// allow credentials headers must not be true or CSRF is possible
|
// allow credentials headers must not be true or CSRF is possible
|
||||||
// otherwise
|
// otherwise
|
||||||
|
@ -57,7 +60,7 @@ class CORSMiddleware extends Middleware {
|
||||||
if(strtolower($header) === 'access-control-allow-credentials' &&
|
if(strtolower($header) === 'access-control-allow-credentials' &&
|
||||||
strtolower(trim($value)) === 'true') {
|
strtolower(trim($value)) === 'true') {
|
||||||
$msg = 'Access-Control-Allow-Credentials must not be '.
|
$msg = 'Access-Control-Allow-Credentials must not be '.
|
||||||
'set to true in order to prevent CSRF';
|
'set to true in order to prevent CSRF';
|
||||||
throw new SecurityException($msg);
|
throw new SecurityException($msg);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
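Review bot: In afterController the check `$this->reflector->hasAnnotation('CORS')` now reads whatever the injected reflector was last reflected for, while the method itself no longer calls `reflect($controller, $methodName)` even though both arguments are still passed in. If nothing earlier in the request reflects this exact controller method (the tests do it by hand before building the middleware), the check runs against stale or empty state, and a stale positive would emit Access-Control-Allow-Origin for a method that carries no @CORS annotation. That precondition deserves a comment on the `$reflector` property, e.g. `// expected to already be reflect()ed for the current controller method before afterController runs -- verify where that happens`. afterController's body continues past the hunk.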
@ -13,11 +13,19 @@
|
||||||
namespace OC\AppFramework\Middleware\Security;
|
namespace OC\AppFramework\Middleware\Security;
|
||||||
|
|
||||||
use OC\AppFramework\Http\Request;
|
use OC\AppFramework\Http\Request;
|
||||||
|
use OC\AppFramework\Utility\ControllerMethodReflector;
|
||||||
|
|
||||||
use OCP\AppFramework\Http\Response;
|
use OCP\AppFramework\Http\Response;
|
||||||
|
|
||||||
|
|
||||||
class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
||||||
|
|
||||||
|
private $reflector;
|
||||||
|
|
||||||
|
protected function setUp() {
|
||||||
|
$this->reflector = new ControllerMethodReflector();
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @CORS
|
* @CORS
|
||||||
*/
|
*/
|
||||||
|
@ -25,11 +33,11 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
||||||
$request = new Request(
|
$request = new Request(
|
||||||
array('server' => array('HTTP_ORIGIN' => 'test'))
|
array('server' => array('HTTP_ORIGIN' => 'test'))
|
||||||
);
|
);
|
||||||
|
$this->reflector->reflect($this, __FUNCTION__);
|
||||||
|
$middleware = new CORSMiddleware($request, $this->reflector);
|
||||||
|
|
||||||
$middleware = new CORSMiddleware($request);
|
|
||||||
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
||||||
$headers = $response->getHeaders();
|
$headers = $response->getHeaders();
|
||||||
|
|
||||||
$this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
|
$this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -38,7 +46,7 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
||||||
$request = new Request(
|
$request = new Request(
|
||||||
array('server' => array('HTTP_ORIGIN' => 'test'))
|
array('server' => array('HTTP_ORIGIN' => 'test'))
|
||||||
);
|
);
|
||||||
$middleware = new CORSMiddleware($request);
|
$middleware = new CORSMiddleware($request, $this->reflector);
|
||||||
|
|
||||||
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
||||||
$headers = $response->getHeaders();
|
$headers = $response->getHeaders();
|
||||||
|
@ -51,8 +59,9 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
||||||
*/
|
*/
|
||||||
public function testNoOriginHeaderNoCORSHEADER() {
|
public function testNoOriginHeaderNoCORSHEADER() {
|
||||||
$request = new Request();
|
$request = new Request();
|
||||||
|
$this->reflector->reflect($this, __FUNCTION__);
|
||||||
|
$middleware = new CORSMiddleware($request, $this->reflector);
|
||||||
|
|
||||||
$middleware = new CORSMiddleware($request);
|
|
||||||
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
||||||
$headers = $response->getHeaders();
|
$headers = $response->getHeaders();
|
||||||
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
|
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
|
||||||
|
@ -67,7 +76,8 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
|
||||||
$request = new Request(
|
$request = new Request(
|
||||||
array('server' => array('HTTP_ORIGIN' => 'test'))
|
array('server' => array('HTTP_ORIGIN' => 'test'))
|
||||||
);
|
);
|
||||||
$middleware = new CORSMiddleware($request);
|
$this->reflector->reflect($this, __FUNCTION__);
|
||||||
|
$middleware = new CORSMiddleware($request, $this->reflector);
|
||||||
|
|
||||||
$response = new Response();
|
$response = new Response();
|
||||||
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
|
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
|
||||||
|
|
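Review bot: The hunk at `@ -38,7 +46,7` swaps in `new CORSMiddleware($request, $this->reflector)` but, unlike the other three tests, shows no `$this->reflector->reflect($this, __FUNCTION__);` call; the test's opening lines sit outside the hunk, so it may be there. If it is not, a freshly constructed reflector presumably reports no annotations, so an assertion that the CORS header is absent passes because the reflector is empty rather than because the method lacks @CORS, which would also hide the stale-state problem in the middleware. Adding the same reflect call before constructing the middleware keeps the test honest.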