mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Configurable list for opt out from same site cookie protection 

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
jaltek 2018-01-31 14:17:56 +01:00 committed by Roeland Jago Douma
parent ebdd3fb64a
commit c79dc0e08f
No known key found for this signature in database
GPG Key ID: F941078878347C0C
2 changed files with 22 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
config/config.sample.php
View File

@ -1595,4 +1595,14 @@ $CONFIG = array(
*/ */
'gs.federation' => 'internal', 'gs.federation' => 'internal',
/**
* List of incompatible user agents opted out from Same Site Cookie Protection.
* Some user agents are notorious and don't really properly follow HTTP
* specifications. For those, have an opt-out.
*/
'csrf.optout' => array(
'/^WebDAVFS/', // OS X Finder
'/^Microsoft-WebDAV-MiniRedir/', // Windows webdav drive
),
); );

17
lib/base.php
View File

@ -523,11 +523,18 @@ class OC {
// specifications. For those, have an automated opt-out. Since the protection // specifications. For those, have an automated opt-out. Since the protection
// for remote.php is applied in base.php as starting point we need to opt out // for remote.php is applied in base.php as starting point we need to opt out
// here. // here.
$incompatibleUserAgents = [ $incompatibleUserAgents = \OC::$server->getConfig()->getSystemValue('csrf.optout');
// OS X Finder
'/^WebDAVFS/', // Fallback, if csrf.optout is unset
'/^Microsoft-WebDAV-MiniRedir/', if (!is_array($incompatibleUserAgents)) {
]; $incompatibleUserAgents = [
// OS X Finder
'/^WebDAVFS/',
// Windows webdav drive
'/^Microsoft-WebDAV-MiniRedir/',
];
}
if($request->isUserAgent($incompatibleUserAgents)) { if($request->isUserAgent($incompatibleUserAgents)) {
return; return;
} }