Merge pull request #1331 from nextcloud/osx-problems-stable10

[stable10] Fix OS X and OVH problems
This commit is contained in:
Roeland Jago Douma 2016-09-09 08:19:40 +02:00 committed by GitHub
commit b9100da2e8
3 changed files with 107 additions and 4 deletions

View File

@ -506,8 +506,22 @@ class OC {
* also we can't directly interfere with PHP's session mechanism.
*/
private static function performSameSiteCookieProtection() {
$request = \OC::$server->getRequest();
// Some user agents are notorious and don't really properly follow HTTP
// specifications. For those, have an automated opt-out. Since the protection
// for remote.php is applied in base.php as starting point we need to opt out
// here.
$incompatibleUserAgents = [
// OS X Finder
'/^WebDAVFS/',
];
if($request->isUserAgent($incompatibleUserAgents)) {
return;
}
if(count($_COOKIE) > 0) {
$request = \OC::$server->getRequest();
$requestUri = $request->getScriptName();
$processingScript = explode('/', $requestUri);
$processingScript = $processingScript[count($processingScript)-1];

View File

@ -485,6 +485,19 @@ class Request implements \ArrayAccess, \Countable, IRequest {
return $this->csrfTokenManager->isTokenValid($token);
}
/**
* Whether the cookie checks are required
*
* @return bool
*/
private function cookieCheckRequired() {
if($this->getCookie(session_name()) === null && $this->getCookie('oc_token') === null) {
return false;
}
return true;
}
/**
* Checks if the strict cookie has been sent with the request if the request
* is including any cookies.
@ -493,7 +506,7 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* @since 9.1.0
*/
public function passesStrictCookieCheck() {
if(count($this->cookies) === 0) {
if(!$this->cookieCheckRequired()) {
return true;
}
if($this->getCookie('nc_sameSiteCookiestrict') === 'true'
@ -511,7 +524,7 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* @since 9.1.0
*/
public function passesLaxCookieCheck() {
if(count($this->cookies) === 0) {
if(!$this->cookieCheckRequired()) {
return true;
}
if($this->getCookie('nc_sameSiteCookielax') === 'true') {

View File

@ -1469,6 +1469,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
session_name() => 'asdf',
'nc_sameSiteCookiestrict' => 'true',
],
],
@ -1495,6 +1496,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
session_name() => 'asdf',
'nc_sameSiteCookiestrict' => 'true',
'nc_sameSiteCookielax' => 'true',
],
@ -1509,7 +1511,76 @@ class RequestTest extends \Test\TestCase {
$this->assertTrue($request->passesStrictCookieCheck());
}
public function testFailsSRFCheckWithPostAndWithCookies() {
public function testPassesStrictCookieCheckWithRandomCookies() {
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'server' => [
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
'RandomCookie' => 'asdf',
],
],
$this->secureRandom,
$this->config,
$this->csrfTokenManager,
$this->stream
])
->getMock();
$this->assertTrue($request->passesStrictCookieCheck());
}
public function testFailsStrictCookieCheckWithSessionCookie() {
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'server' => [
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
session_name() => 'asdf',
],
],
$this->secureRandom,
$this->config,
$this->csrfTokenManager,
$this->stream
])
->getMock();
$this->assertFalse($request->passesStrictCookieCheck());
}
public function testFailsStrictCookieCheckWithRememberMeCookie() {
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'server' => [
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
'oc_token' => 'asdf',
],
],
$this->secureRandom,
$this->config,
$this->csrfTokenManager,
$this->stream
])
->getMock();
$this->assertFalse($request->passesStrictCookieCheck());
}
public function testFailsCSRFCheckWithPostAndWithCookies() {
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
@ -1519,6 +1590,7 @@ class RequestTest extends \Test\TestCase {
'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
session_name() => 'asdf',
'foo' => 'bar',
],
],
@ -1545,6 +1617,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
session_name() => 'asdf',
'nc_sameSiteCookielax' => 'true',
],
],
@ -1568,6 +1641,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
session_name() => 'asdf',
'nc_sameSiteCookiestrict' => 'true',
],
],
@ -1591,6 +1665,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
session_name() => 'asdf',
'nc_sameSiteCookielax' => 'true',
],
],
@ -1614,6 +1689,7 @@ class RequestTest extends \Test\TestCase {
'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
],
'cookies' => [
session_name() => 'asdf',
'nc_sameSiteCookiestrict' => 'true',
],
],