Merge pull request #7873 from nextcloud/fix_5694
Don't perform CSRF check on OCS routes with Bearer auth
This commit is contained in:
commit
6d86dcb265
@ -170,10 +170,16 @@ class SecurityMiddleware extends Middleware {
* Only allow the CSRF check to fail on OCS Requests. This kind of
* Only allow the CSRF check to fail on OCS Requests. This kind of
* hacks around that we have no full token auth in place yet and we
* hacks around that we have no full token auth in place yet and we
* do want to offer CSRF checks for web requests.
* do want to offer CSRF checks for web requests.
*
* Additionally we allow Bearer authenticated requests to pass on OCS routes.
* This allows oauth apps (e.g. moodle) to use the OCS endpoints
*/
*/
if(!$this->request->passesCSRFCheck() && !(
if(!$this->request->passesCSRFCheck() && !(
$controller instanceof OCSController &&
$controller instanceof OCSController && (
$this->request->getHeader('OCS-APIREQUEST') === 'true')) {
$this->request->getHeader('OCS-APIREQUEST') === 'true' ||
strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0
)
)) {
throw new CrossSiteRequestForgeryException();
throw new CrossSiteRequestForgeryException();
}
}
}
}
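Review bot: The Bearer exemption on `strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0` is keyed on the presence of a header prefix, not on the request actually having been authenticated by that token; if a request can arrive with a session cookie plus an arbitrary `Authorization: Bearer` header, the CSRF check is skipped for what is effectively a cookie-authenticated request. Whether that combination can reach this point depends on the authentication flow outside this hunk, so it should be confirmed, and if the request object exposes how the session was established, keying the exemption on that is the safer check. The reason the header is treated as sufficient — browsers do not attach `Authorization: Bearer` on their own and a cross-site script setting it triggers a CORS preflight — belongs in the comment block above, e.g. `* A Bearer header cannot be set by a plain cross-site form post, so its presence serves as the CSRF proof here.`. The prefix comparison is case-sensitive while HTTP auth schemes are case-insensitive; that fails closed, which is fine, but worth a word. The enclosing method starts before this hunk.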
@ -387,11 +387,15 @@ class SecurityMiddlewareTest extends \Test\TestCase {
->getMock();
->getMock();
return [
return [
[$controller, false, true],
[$controller, false, false, true],
[$controller, true, true],
[$controller, false, true, true],
[$controller, true, false, true],
[$controller, true, true, true],
[$ocsController, false, true],
[$ocsController, false, false, true],
[$ocsController, true, false],
[$ocsController, false, true, false],
[$ocsController, true, false, false],
[$ocsController, true, true, false],
];
];
}
}
@ -399,13 +403,21 @@ class SecurityMiddlewareTest extends \Test\TestCase {
* @dataProvider dataCsrfOcsController
* @dataProvider dataCsrfOcsController
* @param Controller $controller
* @param Controller $controller
* @param bool $hasOcsApiHeader
* @param bool $hasOcsApiHeader
* @param bool $hasBearerAuth
* @param bool $exception
* @param bool $exception
*/
*/
public function testCsrfOcsController(Controller $controller, $hasOcsApiHeader, $exception) {
public function testCsrfOcsController(Controller $controller, bool $hasOcsApiHeader, bool $hasBearerAuth, bool $exception) {
$this->request
$this->request
->method('getHeader')
->method('getHeader')
->with('OCS-APIREQUEST')
->will(self::returnCallback(function ($header) use ($hasOcsApiHeader, $hasBearerAuth) {
->willReturn($hasOcsApiHeader ? 'true' : null);
if ($header === 'OCS-APIREQUEST' && $hasOcsApiHeader) {
return 'true';
}
if ($header === 'Authorization' && $hasBearerAuth) {
return 'Bearer TOKEN!';
}
return '';
}));
$this->request->expects($this->once())
$this->request->expects($this->once())
->method('passesStrictCookieCheck')
->method('passesStrictCookieCheck')
->willReturn(true);
->willReturn(true);
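Review bot: The stubbed `getHeader` callback only ever returns `'Bearer TOKEN!'` or `''` for Authorization, so no case checks that a non-Bearer scheme keeps the CSRF check in force; a row where Authorization carries another scheme and no OCS-APIREQUEST header should still throw, and without it a regression of the `'Bearer '` prefix test to a bare non-empty-header test would pass unnoticed. Consider adding such a row to the data provider in the earlier hunk (a constructed value such as `'Basic dXNlcjpwYXNz'` suffices) and letting the callback return it for that case. The removal of `->with('OCS-APIREQUEST')` is needed for the multi-header callback, but it also means any header name is now accepted silently, so an assertion that only those two names are requested would keep the stub honest. The test method continues past the end of this hunk, where the exception assertion presumably lives.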