open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #51457 from nextcloud/fix/dav-csrf

Browse Source 
fix(dav): do not require CSRF for safe and indempotent HTTP methods
pull/51495/head
Ferdinand Thiessen 7 months ago committed by GitHub
parent bf06b2552b fa63e646d4
commit 2e60c09817
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 3 additions and 2 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 5
      apps/dav/lib/Connector/Sabre/Auth.php

5
apps/dav/lib/Connector/Sabre/Auth.php
Unescape View File

@ -118,8 +118,9 @@ class Auth extends AbstractBasic {
* Checks whether a CSRF check is required on the request
*/
private function requiresCSRFCheck(): bool {
// GET requires no check at all
if ($this->request->getMethod() === 'GET') {
$methodsWithoutCsrf = ['GET', 'HEAD', 'OPTIONS'];
if (in_array($this->request->getMethod(), $methodsWithoutCsrf)) {
return false;
}

Write Preview
Loading…
Cancel
Save