mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Properly check for empty basic auth when trying to log in a user on CORS annotated endpoints 

Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl 2020-02-07 16:03:55 +01:00
parent cf5b33fd6e
commit f1b387686a
No known key found for this signature in database
GPG Key ID: 4C614C6ED2CDE6DF
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
View File

@ -26,7 +26,6 @@
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;
use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
@ -95,7 +94,7 @@ class CORSMiddleware extends Middleware {
}
$this->session->logout();
try {
if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
if (!empty($user) && !empty($pass) && !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
}
} catch (PasswordLoginForbiddenException $ex) {