From 72c1b248442fb05ef2ef1e8fbf3399cb06188013 Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Mon, 15 May 2017 14:33:27 +0200
Subject: [PATCH] Check whether the $_SERVER['REQUEST_*'] vars exist before
 using them

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 core/Middleware/TwoFactorMiddleware.php               |  8 +++++---
 lib/base.php                                          |  6 +++---
 .../Middleware/Security/SecurityMiddleware.php        | 11 +++++------
 lib/private/Route/Router.php                          |  2 +-
 4 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/core/Middleware/TwoFactorMiddleware.php b/core/Middleware/TwoFactorMiddleware.php
index c4c3b724eb..e35c53d404 100644
--- a/core/Middleware/TwoFactorMiddleware.php
+++ b/core/Middleware/TwoFactorMiddleware.php
@@ -124,9 +124,11 @@ class TwoFactorMiddleware extends Middleware {
 
 	public function afterException($controller, $methodName, Exception $exception) {
 		if ($exception instanceof TwoFactorAuthRequiredException) {
-			return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', [
-					'redirect_url' => urlencode($this->request->server['REQUEST_URI']),
-			]));
+			$params = [];
+			if (isset($this->request->server['REQUEST_URI'])) {
+				$params['redirect_url'] = $this->request->server['REQUEST_URI'];
+			}
+			return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge', $params));
 		}
 		if ($exception instanceof UserAlreadyLoggedInException) {
 			return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index'));
diff --git a/lib/base.php b/lib/base.php
index 483cd65691..bddd6a92cc 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -132,7 +132,7 @@ class OC {
 
 		OC::$SUBURI = str_replace("\\", "/", substr(realpath($_SERVER["SCRIPT_FILENAME"]), strlen(OC::$SERVERROOT)));
 		/**
-		 * FIXME: The following lines are required because we can't yet instantiiate
+		 * FIXME: The following lines are required because we can't yet instantiate
 		 *        \OC::$server->getRequest() since \OC::$server does not yet exist.
 		 */
 		$params = [
@@ -174,7 +174,7 @@ class OC {
 
 			// Resolve /nextcloud to /nextcloud/ to ensure to always have a trailing
 			// slash which is required by URL generation.
-			if($_SERVER['REQUEST_URI'] === \OC::$WEBROOT &&
+			if (isset($_SERVER['REQUEST_URI']) && $_SERVER['REQUEST_URI'] === \OC::$WEBROOT &&
 					substr($_SERVER['REQUEST_URI'], -1) !== '/') {
 				header('Location: '.\OC::$WEBROOT.'/');
 				exit();
@@ -1005,7 +1005,7 @@ class OC {
 		}
 
 		// Handle WebDAV
-		if ($_SERVER['REQUEST_METHOD'] == 'PROPFIND') {
+		if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PROPFIND') {
 			// not allowed any more to prevent people
 			// mounting this root directly.
 			// Users need to mount remote.php/webdav instead.
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index e420a9dacc..4e41c94643 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -246,12 +246,11 @@ class SecurityMiddleware extends Middleware {
 				);
 			} else {
 				if($exception instanceof NotLoggedInException) {
-					$url = $this->urlGenerator->linkToRoute(
-						'core.login.showLoginForm',
-						[
-							'redirect_url' => $this->request->server['REQUEST_URI'],
-						]
-					);
+					$params = [];
+					if (isset($this->request->server['REQUEST_URI'])) {
+						$params['redirect_url'] = $this->request->server['REQUEST_URI'];
+					}
+					$url = $this->urlGenerator->linkToRoute('core.login.showLoginForm', $params);
 					$response = new RedirectResponse($url);
 				} else {
 					$response = new TemplateResponse('core', '403', ['file' => $exception->getMessage()], 'guest');
diff --git a/lib/private/Route/Router.php b/lib/private/Route/Router.php
index fd15400dad..71aabe15c5 100644
--- a/lib/private/Route/Router.php
+++ b/lib/private/Route/Router.php
@@ -75,7 +75,7 @@ class Router implements IRouter {
 		if(!(\OC::$server->getConfig()->getSystemValue('htaccess.IgnoreFrontController', false) === true || getenv('front_controller_active') === 'true')) {
 			$baseUrl = \OC::$server->getURLGenerator()->linkTo('', 'index.php');
 		}
-		if (!\OC::$CLI) {
+		if (!\OC::$CLI && isset($_SERVER['REQUEST_METHOD'])) {
 			$method = $_SERVER['REQUEST_METHOD'];
 		} else {
 			$method = 'GET';