open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

use new controllermethodreflector for corsmiddleware

Browse Source
remotes/origin/ldap_group_count
Bernhard Posselt 11 years ago
parent 474b8f071d
commit 63f2f16b85
3 changed files with 27 additions and 11 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 5
      lib/private/appframework/dependencyinjection/dicontainer.php
  2. 13
      lib/private/appframework/middleware/security/corsmiddleware.php
  3. 20
      tests/lib/appframework/middleware/security/CORSMiddlewareTest.php

5
lib/private/appframework/dependencyinjection/dicontainer.php
Unescape View File

@ -104,7 +104,10 @@ class DIContainer extends SimpleContainer implements IAppContainer{
});
$this['CORSMiddleware'] = $this->share(function($c) {
return new CORSMiddleware($c['Request']);
return new CORSMiddleware(
$c['Request'],
$c['ControllerMethodReflector']
);
});
$middleWares = &$this->middleWares;

13
lib/private/appframework/middleware/security/corsmiddleware.php
Unescape View File

@ -11,7 +11,7 @@
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Utility\MethodAnnotationReader;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OCP\IRequest;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Middleware;
@ -25,12 +25,16 @@ use OCP\AppFramework\Middleware;
class CORSMiddleware extends Middleware {
private $request;
private $reflector;
/**
* @param IRequest $request
* @param ControllerMethodReflector $reflector
*/
public function __construct(IRequest $request) {
public function __construct(IRequest $request,
ControllerMethodReflector $reflector) {
$this->request = $request;
$this->reflector = $reflector;
}
@ -46,10 +50,9 @@ class CORSMiddleware extends Middleware {
*/
public function afterController($controller, $methodName, Response $response){
// only react if its a CORS request and if the request sends origin and
$reflector = new MethodAnnotationReader($controller, $methodName);
if(isset($this->request->server['HTTP_ORIGIN']) &&
$reflector->hasAnnotation('CORS')) {
$this->reflector->hasAnnotation('CORS')) {
// allow credentials headers must not be true or CSRF is possible
// otherwise
@ -57,7 +60,7 @@ class CORSMiddleware extends Middleware {
if(strtolower($header) === 'access-control-allow-credentials' &&
strtolower(trim($value)) === 'true') {
$msg = 'Access-Control-Allow-Credentials must not be '.
'set to true in order to prevent CSRF';
'set to true in order to prevent CSRF';
throw new SecurityException($msg);
}
}

20
tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
Unescape View File

@ -13,11 +13,19 @@
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Http\Request;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OCP\AppFramework\Http\Response;
class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
private $reflector;
protected function setUp() {
$this->reflector = new ControllerMethodReflector();
}
/**
* @CORS
*/
@ -25,11 +33,11 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
$request = new Request(
array('server' => array('HTTP_ORIGIN' => 'test'))
);
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector);
$middleware = new CORSMiddleware($request);
$response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders();
$this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
}
@ -38,7 +46,7 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
$request = new Request(
array('server' => array('HTTP_ORIGIN' => 'test'))
);
$middleware = new CORSMiddleware($request);
$middleware = new CORSMiddleware($request, $this->reflector);
$response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders();
@ -51,8 +59,9 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
*/
public function testNoOriginHeaderNoCORSHEADER() {
$request = new Request();
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector);
$middleware = new CORSMiddleware($request);
$response = $middleware->afterController($this, __FUNCTION__, new Response());
$headers = $response->getHeaders();
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
@ -67,7 +76,8 @@ class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
$request = new Request(
array('server' => array('HTTP_ORIGIN' => 'test'))
);
$middleware = new CORSMiddleware($request);
$this->reflector->reflect($this, __FUNCTION__);
$middleware = new CORSMiddleware($request, $this->reflector);
$response = new Response();
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');

Write Preview
Loading…
Cancel
Save