Merge pull request #21144 from owncloud/dav-auth-checkduplicateheader

Properly check X-Requested-With header in case of multiple values
10 years ago · f799b27f0e
parent 6317ba8cb4 13ec2bda2d
commit f799b27f0e
1 changed files with 1 additions and 1 deletions
--- a/apps/dav/lib/connector/sabre/auth.php
+++ b/apps/dav/lib/connector/sabre/auth.php
@ -160,7 +160,7 @@ class Auth extends AbstractBasic {
 			return [true, $this->principalPrefix . $user];
 		}

-		if (!$this->userSession->isLoggedIn() && $request->getHeader('X-Requested-With') === 'XMLHttpRequest') {
+		if (!$this->userSession->isLoggedIn() && in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With')))) {
 			// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
 			$response->addHeader('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"');
 			$response->setStatus(401);