From f56ea98993a6dec2f118b5e61c483d11075f7a24 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 29 Jun 2016 19:51:27 +0200 Subject: [PATCH] Add exemption for ACS endpoint In a SAML scenario we don't get any strict or lax cookie send for the ACS endpoint. Since we have some legacy code in Nextcloud (direct PHP files) the enforcement of lax cookies is performed here instead of the middleware. This means we cannot exclude some routes from the cookie validation, which normally is not a problem but is a little bit cumbersome for this use-case. Once the old legacy PHP endpoints have been removed we can move the verification into a middleware and also adds some exemptions. Not super awesome code to have but the best that I could come up with that doesn't add another ton of technical debt. --- lib/base.php | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/lib/base.php b/lib/base.php index 84ec0c2c5f..2ad453189d 100644 --- a/lib/base.php +++ b/lib/base.php @@ -519,6 +519,23 @@ class OC { $processingScript = explode('/', $requestUri); $processingScript = $processingScript[count($processingScript)-1]; + // FIXME: In a SAML scenario we don't get any strict or lax cookie + // send for the ACS endpoint. Since we have some legacy code in Nextcloud + // (direct PHP files) the enforcement of lax cookies is performed here + // instead of the middleware. + // + // This means we cannot exclude some routes from the cookie validation, + // which normally is not a problem but is a little bit cumbersome for + // this use-case. + // Once the old legacy PHP endpoints have been removed we can move + // the verification into a middleware and also adds some exemptions. + // + // Questions about this code? Ask Lukas ;-) + $currentUrl = substr(explode('?',$request->getRequestUri(), 2)[0], strlen(\OC::$WEBROOT)); + if($currentUrl === '/index.php/apps/user_saml/saml/acs') { + return; + } + // For the "index.php" endpoint only a lax cookie is required. if($processingScript === 'index.php') { if(!$request->passesLaxCookieCheck()) {