upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-09 08:44:07 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

fix(middleware): Fix header injection for bruteforce middleware

Browse source 
Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons
So shifting back to old standard practise for now

Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Joas Schilling 2023-08-22 16:00:39 +02:00
parent e42d82fe13
commit 381c35080d
No known key found for this signature in database
GPG key ID: 74434EFE0D2E2205
1 changed files with 1 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
View file

@ -130,11 +130,7 @@ class BruteForceMiddleware extends Middleware {
}
if ($this->delaySlept) {
$headers = $response->getHeaders();
if (!isset($headers['X-Nextcloud-Bruteforce-Throttled'])) {
$headers['X-Nextcloud-Bruteforce-Throttled'] = $this->delaySlept . 'ms';
$response->setHeaders($headers);
}
$response->addHeader('X-Nextcloud-Bruteforce-Throttled', $this->delaySlept . 'ms');
}
return parent::afterController($controller, $methodName, $response);