sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #684 from nextcloud/fix_csrf_ocs 

Fix OCS CSRF
pull/695/head
Lukas Reschke 2016-08-01 11:52:56 +07:00 committed by GitHub
parent 368e1c3f2b 5c718b13b8
commit 8a7d450fb5
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
Unescape Escape View File

@ -153,7 +153,7 @@ class SecurityMiddleware extends Middleware {
*/
if(!$this->request->passesCSRFCheck() && !(
$controller instanceof OCSController &&
$this->request->getHeader('OCS_APIREQUEST') === true)) {
$this->request->getHeader('OCS-APIREQUEST') === 'true')) {
throw new CrossSiteRequestForgeryException();
}
}

3
tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
Unescape Escape View File

@ -383,7 +383,7 @@ class SecurityMiddlewareTest extends \Test\TestCase {
[$controller, true, true],
[$ocsController, false, true],
[$ocsController, true, true],
[$ocsController, true, false],
];
}
@ -396,6 +396,7 @@ class SecurityMiddlewareTest extends \Test\TestCase {
public function testCsrfOcsController(Controller $controller, $hasOcsApiHeader, $exception) {
$this->request
->method('getHeader')
->with('OCS-APIREQUEST')
->willReturn($hasOcsApiHeader ? 'true' : null);
$this->request->expects($this->once())
->method('passesStrictCookieCheck')