
Commit 0ae83d6

authored
Merge pull request #46760 from nextcloud/fix/appframework/csrf-custom-header
2 parents 0f953c5 + 9d17052 commit 0ae83d6

2 files changed

Lines changed: 24 additions & 0 deletions


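--- a/lib/private/AppFramework/Http/Request.php
+++ b/lib/private/AppFramework/Http/Request.php
@@ -426,6 +426,10 @@ public function passesCSRFCheck(): bool {
 return false;
 }
 
+if ($this->getHeader('OCS-APIRequest') !== '') {
+return true;
+}
+
 if (isset($this->items['get']['requesttoken'])) {
 $token = $this->items['get']['requesttoken'];
 } elseif (isset($this->items['post']['requesttoken'])) {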
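Review bot: The new early return at new lines 429-431 makes the mere presence of an `OCS-APIRequest` header sufficient to pass the CSRF check, and nothing in the hunk records why that is safe. The defence only holds while browsers cannot attach this header cross-origin without a preflight, so it depends on the server's CORS responses never listing `OCS-APIRequest` in `Access-Control-Allow-Headers` for origins that are not trusted; that configuration is not visible here and should be confirmed. I would add a comment above the check such as `// A cross-site form or simple request cannot set custom headers, so a non-empty OCS-APIRequest header stands in for the request token; CORS must never allow this header for untrusted origins`. Any non-empty value is accepted while the test sends `'true'`; if one value is the documented contract, say so in the comment. passesCSRFCheck starts and ends outside the hunk, so the guard that returns false just above is not fully visible.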

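--- a/tests/lib/AppFramework/Http/RequestTest.php
+++ b/tests/lib/AppFramework/Http/RequestTest.php
@@ -2256,4 +2256,24 @@ public function testPassesCSRFCheckWithoutTokenFail() {
 
 $this->assertFalse($request->passesCSRFCheck());
 }
+
+public function testPassesCSRFCheckWithOCSAPIRequestHeader() {
+/** @var Request $request */
+$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
+->setMethods(['getScriptName'])
+->setConstructorArgs([
+[
+'server' => [
+'HTTP_OCS_APIREQUEST' => 'true',
+],
+],
+$this->requestId,
+$this->config,
+$this->csrfTokenManager,
+$this->stream
+])
+->getMock();
+
+$this->assertTrue($request->passesCSRFCheck());
+}
 }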
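Review bot: The added test covers only the accepting path, so nothing pins the boundary of the `!== ''` comparison or shows that the header cannot override the rejecting guard that sits above the new check in passesCSRFCheck. I would add a sibling case that passes `'HTTP_OCS_APIREQUEST' => ''` and ends with `$this->assertFalse($request->passesCSRFCheck());`, and a second one that sends the header together with whatever input makes the earlier guard return false (that guard is outside the visible hunks, so the exact fixture needs checking). Because this path lets a request through without a token, the negative cases are the ones that would catch a later reordering of the checks.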
