upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-28 04:32:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 28

Merge pull request #36396 from nextcloud/fix/cors

Browse source
This commit is contained in:
Julius Härtl 2023-02-17 09:42:08 +01:00 committed by GitHub
commit 90d2cb09b1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 36 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
View file

@ -83,7 +83,7 @@ class CORSMiddleware extends Middleware {
public function beforeController($controller, $methodName) {
// ensure that @CORS annotated API routes are not used in conjunction
// with session authentication since this enables CSRF attack vectors
if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) {
if ($this->reflector->hasAnnotation('CORS') && (!$this->reflector->hasAnnotation('PublicPage') || $this->session->isLoggedIn())) {
$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;

36
tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
View file

@ -123,10 +123,12 @@ class CORSMiddlewareTest extends \Test\TestCase {
}
/**
* CORS must not be enforced for anonymous users on public pages
*
* @CORS
* @PublicPage
*/
public function testNoCORSShouldAllowCookieAuth() {
public function testNoCORSOnAnonymousPublicPage() {
$request = new Request(
[],
$this->createMock(IRequestId::class),
@ -134,6 +136,9 @@ class CORSMiddlewareTest extends \Test\TestCase {
);
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$this->session->expects($this->once())
->method('isLoggedIn')
->willReturn(false);
$this->session->expects($this->never())
->method('logout');
$this->session->expects($this->never())
@ -145,6 +150,35 @@ class CORSMiddlewareTest extends \Test\TestCase {
$middleware->beforeController($this->controller, __FUNCTION__);
}
/**
* Even on public pages users logged in using session cookies,
* that do not provide a valid CSRF token are disallowed
*
* @CORS
* @PublicPage
*/
public function testCORSShouldNeverAllowCookieAuth() {
$request = new Request(
[],
$this->createMock(IRequestId::class),
$this->createMock(IConfig::class)
);
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session, $this->throttler);
$this->session->expects($this->once())
->method('isLoggedIn')
->willReturn(true);
$this->session->expects($this->once())
->method('logout');
$this->session->expects($this->never())
->method('logClientIn')
->with($this->equalTo('user'), $this->equalTo('pass'))
->willReturn(true);
$this->expectException(SecurityException::class);
$middleware->beforeController($this->controller, __FUNCTION__);
}
/**
* @CORS
*/