mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix error when using CORS with no auth credentials

This commit is contained in:
korelstar 2021-05-01 15:48:35 +02:00 committed by backportbot[bot]
parent 739bbc27c0
commit 9cfd0b123d
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
View File

@ -83,14 +83,13 @@ class CORSMiddleware extends Middleware {
public function beforeController($controller, $methodName) { public function beforeController($controller, $methodName) {
// ensure that @CORS annotated API routes are not used in conjunction // ensure that @CORS annotated API routes are not used in conjunction
// with session authentication since this enables CSRF attack vectors // with session authentication since this enables CSRF attack vectors
if ($this->reflector->hasAnnotation('CORS') && if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) {
!$this->reflector->hasAnnotation('PublicPage')) { $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
$user = $this->request->server['PHP_AUTH_USER']; $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
$pass = $this->request->server['PHP_AUTH_PW'];
$this->session->logout(); $this->session->logout();
try { try {
if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
} }
} catch (PasswordLoginForbiddenException $ex) { } catch (PasswordLoginForbiddenException $ex) {