authorRoeland Jago Douma <rullzer@users.noreply.github.com>2020-01-07 15:43:46 +0300
committerGitHub <noreply@github.com>2020-01-07 15:43:46 +0300
commit52e4ecd66e2269dd47f2fa7b9e99babc96308713 (patch)
treed394124c609511f9667dd9157d952a1a316d84a2 /core
parent33039a4c97a6deb7b0a2c1e38111e4eaa50a2818 (diff)
parentda81b71f9337621a60def04c304cb301321163b7 (diff)
Merge pull request #18644 from nextcloud/harden/csrf_endpoint
Only allow requesting new CSRF tokens if it passes the SameSite Cooki…
Diffstat (limited to 'core')
-rw-r--r--core/Controller/CSRFTokenController.php5
1 files changed, 5 insertions, 0 deletions
diff --git a/core/Controller/CSRFTokenController.php b/core/Controller/CSRFTokenController.php
index 1ae4dce6a13..b4b04ba2669 100644
--- a/core/Controller/CSRFTokenController.php
+++ b/core/Controller/CSRFTokenController.php
@@ -28,6 +28,7 @@ namespace OC\Core\Controller;
use OC\Security\CSRF\CsrfTokenManager;
use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
use OCP\AppFramework\Http\JSONResponse;
use OCP\IRequest;
@@ -54,6 +55,10 @@ class CSRFTokenController extends Controller {
* @return JSONResponse
*/
public function index(): JSONResponse {
+ if (!$this->request->passesStrictCookieCheck()) {
+ return new JSONResponse([], Http::STATUS_FORBIDDEN);
+ }
+
$requestToken = $this->tokenManager->getToken();
return new JSONResponse([