fix(dav): do not require CSRF for safe and indempotent HTTP methods

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Ferdinand Thiessen 2025-03-13 12:04:30 +01:00
parent 9dea6185ad
commit fa63e646d4
No known key found for this signature in database
GPG key ID: 45FAE7268762B400


@ -118,8 +118,9 @@ class Auth extends AbstractBasic {
* Checks whether a CSRF check is required on the request
*/
private function requiresCSRFCheck(): bool {
// GET requires no check at all
if ($this->request->getMethod() === 'GET') {
$methodsWithoutCsrf = ['GET', 'HEAD', 'OPTIONS'];
if (in_array($this->request->getMethod(), $methodsWithoutCsrf)) {
return false;
}
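Review bot: The `in_array()` call in `requiresCSRFCheck()` uses loose comparison, and the new allow-list has no comment stating the invariant it depends on. Pass the strict flag, `if (in_array($this->request->getMethod(), $methodsWithoutCsrf, true)) {`, so a non-string return value can never match by coercion. The exemption is only sound while every DAV handler for GET, HEAD and OPTIONS stays free of side effects, and the removed `// GET requires no check at all` comment was not replaced. A comment above the array such as `// Safe methods (RFC 9110 §9.2.1) must not change state, so they skip the CSRF check` would record that, and would make clear that idempotent but unsafe methods such as PUT and DELETE must not be added here. The function body continues outside the hunk.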