mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Don't perform CSRF check on OCS routes with Bearer auth 

Fixes #5694

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2018-01-15 22:05:06 +01:00
parent 202dd62951
commit f1cd334281
No known key found for this signature in database
GPG Key ID: F941078878347C0C
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
View File

@ -170,10 +170,16 @@ class SecurityMiddleware extends Middleware {
* Only allow the CSRF check to fail on OCS Requests. This kind of * Only allow the CSRF check to fail on OCS Requests. This kind of
* hacks around that we have no full token auth in place yet and we * hacks around that we have no full token auth in place yet and we
* do want to offer CSRF checks for web requests. * do want to offer CSRF checks for web requests.
*
* Additionally we allow Bearer authenticated requests to pass on OCS routes.
* This allows oauth apps (e.g. moodle) to use the OCS endpoints
*/ */
if(!$this->request->passesCSRFCheck() && !( if(!$this->request->passesCSRFCheck() && !(
$controller instanceof OCSController && $controller instanceof OCSController && (
$this->request->getHeader('OCS-APIREQUEST') === 'true')) { $this->request->getHeader('OCS-APIREQUEST') === 'true' ||
strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0
)
)) {
throw new CrossSiteRequestForgeryException(); throw new CrossSiteRequestForgeryException();
} }
} }