Merge pull request #7873 from nextcloud/fix_5694

Don't perform CSRF check on OCS routes with Bearer auth
Roeland Jago Douma 2018-01-29 15:02:22 +01:00 committed by GitHub
commit 6d86dcb265
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 9 deletions


@ -170,10 +170,16 @@ class SecurityMiddleware extends Middleware {
* Only allow the CSRF check to fail on OCS Requests. This kind of * Only allow the CSRF check to fail on OCS Requests. This kind of
* hacks around that we have no full token auth in place yet and we * hacks around that we have no full token auth in place yet and we
* do want to offer CSRF checks for web requests. * do want to offer CSRF checks for web requests.
*
* Additionally we allow Bearer authenticated requests to pass on OCS routes.
* This allows oauth apps (e.g. moodle) to use the OCS endpoints
*/ */
if(!$this->request->passesCSRFCheck() && !( if(!$this->request->passesCSRFCheck() && !(
$controller instanceof OCSController && $controller instanceof OCSController && (
$this->request->getHeader('OCS-APIREQUEST') === 'true')) { $this->request->getHeader('OCS-APIREQUEST') === 'true' ||
strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0
)
)) {
throw new CrossSiteRequestForgeryException(); throw new CrossSiteRequestForgeryException();
} }
} }
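Review bot: The new Bearer exemption in the condition keys off the presence of an `Authorization: Bearer ` prefix, not off the request having actually been authenticated by that token, so whether a cookie-authenticated request carrying an unverified Bearer header can skip the CSRF check depends on how token authentication failure is handled in the auth flow, which is outside this hunk and should be confirmed. A browser cannot attach a custom Authorization header cross-origin without a CORS preflight, so the practical exposure hinges on the CORS policy rather than on this check alone; the comment block should say so explicitly, e.g. `* Bearer requests are exempt because a cross-origin browser cannot set this header without a CORS preflight; this does not verify the token itself.` The scheme match is case-sensitive (`'Bearer '` only), which fails closed for a lower-case `bearer` scheme even though HTTP auth scheme names are case-insensitive; if that is intentional, a short comment would save the next reader a question. The enclosing method starts before this hunk.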


@ -387,11 +387,15 @@ class SecurityMiddlewareTest extends \Test\TestCase {
->getMock(); ->getMock();
return [ return [
[$controller, false, true], [$controller, false, false, true],
[$controller, true, true], [$controller, false, true, true],
[$controller, true, false, true],
[$controller, true, true, true],
[$ocsController, false, true], [$ocsController, false, false, true],
[$ocsController, true, false], [$ocsController, false, true, false],
[$ocsController, true, false, false],
[$ocsController, true, true, false],
]; ];
} }
@ -399,13 +403,21 @@ class SecurityMiddlewareTest extends \Test\TestCase {
* @dataProvider dataCsrfOcsController * @dataProvider dataCsrfOcsController
* @param Controller $controller * @param Controller $controller
* @param bool $hasOcsApiHeader * @param bool $hasOcsApiHeader
* @param bool $hasBearerAuth
* @param bool $exception * @param bool $exception
*/ */
public function testCsrfOcsController(Controller $controller, $hasOcsApiHeader, $exception) { public function testCsrfOcsController(Controller $controller, bool $hasOcsApiHeader, bool $hasBearerAuth, bool $exception) {
$this->request $this->request
->method('getHeader') ->method('getHeader')
->with('OCS-APIREQUEST') ->will(self::returnCallback(function ($header) use ($hasOcsApiHeader, $hasBearerAuth) {
->willReturn($hasOcsApiHeader ? 'true' : null); if ($header === 'OCS-APIREQUEST' && $hasOcsApiHeader) {
return 'true';
}
if ($header === 'Authorization' && $hasBearerAuth) {
return 'Bearer TOKEN!';
}
return '';
}));
$this->request->expects($this->once()) $this->request->expects($this->once())
->method('passesStrictCookieCheck') ->method('passesStrictCookieCheck')
->willReturn(true); ->willReturn(true);
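Review bot: The extended provider exercises Bearer present/absent, but not an Authorization header with a different scheme, which is the exact boundary the `strpos(..., 'Bearer ') === 0` check draws in the middleware; a dataset where the callback returns `'Basic dXNlcjpwYXNz'` (constructed value) for `Authorization` on an OCS controller without the OCS-APIREQUEST header should still expect the exception. Since `$hasBearerAuth` is a bool, that needs either a third value for the header or a separate test method. The callback's default return of `''` matches an empty header, which is the right shape for the `strpos` check; a one-line comment `// unknown headers read as empty, like IRequest::getHeader()` would make that intent clear, though the real getHeader contract is outside this hunk. The test method's body continues past this hunk.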