diff options
author | Joas Schilling <213943+nickvergessen@users.noreply.github.com> | 2021-05-19 10:51:28 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-19 10:51:28 +0300 |
commit | 4a02726f372dcb50eda197da73e10a70ae19887b (patch) | |
tree | 6c532cec169cc3548e157c6d30b27af7bb04c519 | |
parent | aa785d266d04d067e227905e523ff08e03478f57 (diff) | |
parent | b38e8678e42bcdacc4d7408d6683e43a5a427b7b (diff) |
Merge pull request #26852 from nextcloud/fix-noauth-cors
fix error when using CORS with no auth credentials
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/CORSMiddleware.php | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php index 765311858de..392259fd20f 100644 --- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php +++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php @@ -83,14 +83,13 @@ class CORSMiddleware extends Middleware { public function beforeController($controller, $methodName) { // ensure that @CORS annotated API routes are not used in conjunction // with session authentication since this enables CSRF attack vectors - if ($this->reflector->hasAnnotation('CORS') && - !$this->reflector->hasAnnotation('PublicPage')) { - $user = $this->request->server['PHP_AUTH_USER']; - $pass = $this->request->server['PHP_AUTH_PW']; + if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) { + $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null; + $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null; $this->session->logout(); try { - if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { + if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); } } catch (PasswordLoginForbiddenException $ex) { |