upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-04-20 22:00:39 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 14

fix(AppFramework): Allow requests with OCS-APIRequest header to pass CSRF checks

Browse source 
Signed-off-by: provokateurin <kate@provokateurin.de>
This commit is contained in:
provokateurin 2024-03-14 13:06:32 +01:00
parent d5bb37ab0d
commit 9d1705259c
No known key found for this signature in database
2 changed files with 24 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lib/private/AppFramework/Http/Request.php
View file

@ -426,6 +426,10 @@ class Request implements \ArrayAccess, \Countable, IRequest {
return false;
}
if ($this->getHeader('OCS-APIRequest') !== '') {
return true;
}
if (isset($this->items['get']['requesttoken'])) {
$token = $this->items['get']['requesttoken'];
} elseif (isset($this->items['post']['requesttoken'])) {

20
tests/lib/AppFramework/Http/RequestTest.php
View file

@ -2256,4 +2256,24 @@ class RequestTest extends \Test\TestCase {
$this->assertFalse($request->passesCSRFCheck());
}
public function testPassesCSRFCheckWithOCSAPIRequestHeader() {
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'server' => [
'HTTP_OCS_APIREQUEST' => 'true',
],
],
$this->requestId,
$this->config,
$this->csrfTokenManager,
$this->stream
])
->getMock();
$this->assertTrue($request->passesCSRFCheck());
}
}