nextcloud /
server
@@ -36,77 +36,77 @@ |
||
| 36 | 36 | * @since 8.1.0 |
| 37 | 37 | */ |
| 38 | 38 | abstract class OCSController extends ApiController { |
| 39 | - public const RESPOND_UNAUTHORISED = 997; |
|
| 40 | - public const RESPOND_SERVER_ERROR = 996; |
|
| 41 | - public const RESPOND_NOT_FOUND = 998; |
|
| 42 | - public const RESPOND_UNKNOWN_ERROR = 999; |
|
| 39 | + public const RESPOND_UNAUTHORISED = 997; |
|
| 40 | + public const RESPOND_SERVER_ERROR = 996; |
|
| 41 | + public const RESPOND_NOT_FOUND = 998; |
|
| 42 | + public const RESPOND_UNKNOWN_ERROR = 999; |
|
| 43 | 43 | |
| 44 | - /** @var int */ |
|
| 45 | - private $ocsVersion; |
|
| 44 | + /** @var int */ |
|
| 45 | + private $ocsVersion; |
|
| 46 | 46 | |
| 47 | - /** |
|
| 48 | - * constructor of the controller |
|
| 49 | - * @param string $appName the name of the app |
|
| 50 | - * @param IRequest $request an instance of the request |
|
| 51 | - * @param string $corsMethods comma separated string of HTTP verbs which |
|
| 52 | - * should be allowed for websites or webapps when calling your API, defaults to |
|
| 53 | - * 'PUT, POST, GET, DELETE, PATCH' |
|
| 54 | - * @param string $corsAllowedHeaders comma separated string of HTTP headers |
|
| 55 | - * which should be allowed for websites or webapps when calling your API, |
|
| 56 | - * defaults to 'Authorization, Content-Type, Accept' |
|
| 57 | - * @param int $corsMaxAge number in seconds how long a preflighted OPTIONS |
|
| 58 | - * request should be cached, defaults to 1728000 seconds |
|
| 59 | - * @since 8.1.0 |
|
| 60 | - */ |
|
| 61 | - public function __construct($appName, |
|
| 62 | - IRequest $request, |
|
| 63 | - $corsMethods = 'PUT, POST, GET, DELETE, PATCH', |
|
| 64 | - $corsAllowedHeaders = 'Authorization, Content-Type, Accept, OCS-APIRequest', |
|
| 65 | - $corsMaxAge = 1728000) { |
|
| 66 | - parent::__construct($appName, $request, $corsMethods, |
|
| 67 | - $corsAllowedHeaders, $corsMaxAge); |
|
| 68 | - $this->registerResponder('json', function ($data) { |
|
| 69 | - return $this->buildOCSResponse('json', $data); |
|
| 70 | - }); |
|
| 71 | - $this->registerResponder('xml', function ($data) { |
|
| 72 | - return $this->buildOCSResponse('xml', $data); |
|
| 73 | - }); |
|
| 74 | - } |
|
| 47 | + /** |
|
| 48 | + * constructor of the controller |
|
| 49 | + * @param string $appName the name of the app |
|
| 50 | + * @param IRequest $request an instance of the request |
|
| 51 | + * @param string $corsMethods comma separated string of HTTP verbs which |
|
| 52 | + * should be allowed for websites or webapps when calling your API, defaults to |
|
| 53 | + * 'PUT, POST, GET, DELETE, PATCH' |
|
| 54 | + * @param string $corsAllowedHeaders comma separated string of HTTP headers |
|
| 55 | + * which should be allowed for websites or webapps when calling your API, |
|
| 56 | + * defaults to 'Authorization, Content-Type, Accept' |
|
| 57 | + * @param int $corsMaxAge number in seconds how long a preflighted OPTIONS |
|
| 58 | + * request should be cached, defaults to 1728000 seconds |
|
| 59 | + * @since 8.1.0 |
|
| 60 | + */ |
|
| 61 | + public function __construct($appName, |
|
| 62 | + IRequest $request, |
|
| 63 | + $corsMethods = 'PUT, POST, GET, DELETE, PATCH', |
|
| 64 | + $corsAllowedHeaders = 'Authorization, Content-Type, Accept, OCS-APIRequest', |
|
| 65 | + $corsMaxAge = 1728000) { |
|
| 66 | + parent::__construct($appName, $request, $corsMethods, |
|
| 67 | + $corsAllowedHeaders, $corsMaxAge); |
|
| 68 | + $this->registerResponder('json', function ($data) { |
|
| 69 | + return $this->buildOCSResponse('json', $data); |
|
| 70 | + }); |
|
| 71 | + $this->registerResponder('xml', function ($data) { |
|
| 72 | + return $this->buildOCSResponse('xml', $data); |
|
| 73 | + }); |
|
| 74 | + } |
|
| 75 | 75 | |
| 76 | - /** |
|
| 77 | - * @param int $version |
|
| 78 | - * @since 11.0.0 |
|
| 79 | - * @internal |
|
| 80 | - */ |
|
| 81 | - public function setOCSVersion($version) { |
|
| 82 | - $this->ocsVersion = $version; |
|
| 83 | - } |
|
| 76 | + /** |
|
| 77 | + * @param int $version |
|
| 78 | + * @since 11.0.0 |
|
| 79 | + * @internal |
|
| 80 | + */ |
|
| 81 | + public function setOCSVersion($version) { |
|
| 82 | + $this->ocsVersion = $version; |
|
| 83 | + } |
|
| 84 | 84 | |
| 85 | - /** |
|
| 86 | - * Since the OCS endpoints default to XML we need to find out the format |
|
| 87 | - * again |
|
| 88 | - * @param mixed $response the value that was returned from a controller and |
|
| 89 | - * is not a Response instance |
|
| 90 | - * @param string $format the format for which a formatter has been registered |
|
| 91 | - * @throws \DomainException if format does not match a registered formatter |
|
| 92 | - * @return Response |
|
| 93 | - * @since 9.1.0 |
|
| 94 | - */ |
|
| 95 | - public function buildResponse($response, $format = 'xml') { |
|
| 96 | - return parent::buildResponse($response, $format); |
|
| 97 | - } |
|
| 85 | + /** |
|
| 86 | + * Since the OCS endpoints default to XML we need to find out the format |
|
| 87 | + * again |
|
| 88 | + * @param mixed $response the value that was returned from a controller and |
|
| 89 | + * is not a Response instance |
|
| 90 | + * @param string $format the format for which a formatter has been registered |
|
| 91 | + * @throws \DomainException if format does not match a registered formatter |
|
| 92 | + * @return Response |
|
| 93 | + * @since 9.1.0 |
|
| 94 | + */ |
|
| 95 | + public function buildResponse($response, $format = 'xml') { |
|
| 96 | + return parent::buildResponse($response, $format); |
|
| 97 | + } |
|
| 98 | 98 | |
| 99 | - /** |
|
| 100 | - * Unwrap data and build ocs response |
|
| 101 | - * @param string $format json or xml |
|
| 102 | - * @param DataResponse $data the data which should be transformed |
|
| 103 | - * @since 8.1.0 |
|
| 104 | - * @return \OC\AppFramework\OCS\BaseResponse |
|
| 105 | - */ |
|
| 106 | - private function buildOCSResponse($format, DataResponse $data) { |
|
| 107 | - if ($this->ocsVersion === 1) { |
|
| 108 | - return new \OC\AppFramework\OCS\V1Response($data, $format); |
|
| 109 | - } |
|
| 110 | - return new \OC\AppFramework\OCS\V2Response($data, $format); |
|
| 111 | - } |
|
| 99 | + /** |
|
| 100 | + * Unwrap data and build ocs response |
|
| 101 | + * @param string $format json or xml |
|
| 102 | + * @param DataResponse $data the data which should be transformed |
|
| 103 | + * @since 8.1.0 |
|
| 104 | + * @return \OC\AppFramework\OCS\BaseResponse |
|
| 105 | + */ |
|
| 106 | + private function buildOCSResponse($format, DataResponse $data) { |
|
| 107 | + if ($this->ocsVersion === 1) { |
|
| 108 | + return new \OC\AppFramework\OCS\V1Response($data, $format); |
|
| 109 | + } |
|
| 110 | + return new \OC\AppFramework\OCS\V2Response($data, $format); |
|
| 111 | + } |
|
| 112 | 112 | } |
@@ -45,118 +45,118 @@ |
||
| 45 | 45 | * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS |
| 46 | 46 | */ |
| 47 | 47 | class CORSMiddleware extends Middleware { |
| 48 | - /** @var IRequest */ |
|
| 49 | - private $request; |
|
| 50 | - /** @var ControllerMethodReflector */ |
|
| 51 | - private $reflector; |
|
| 52 | - /** @var Session */ |
|
| 53 | - private $session; |
|
| 54 | - /** @var Throttler */ |
|
| 55 | - private $throttler; |
|
| 48 | + /** @var IRequest */ |
|
| 49 | + private $request; |
|
| 50 | + /** @var ControllerMethodReflector */ |
|
| 51 | + private $reflector; |
|
| 52 | + /** @var Session */ |
|
| 53 | + private $session; |
|
| 54 | + /** @var Throttler */ |
|
| 55 | + private $throttler; |
|
| 56 | 56 | |
| 57 | - /** |
|
| 58 | - * @param IRequest $request |
|
| 59 | - * @param ControllerMethodReflector $reflector |
|
| 60 | - * @param Session $session |
|
| 61 | - * @param Throttler $throttler |
|
| 62 | - */ |
|
| 63 | - public function __construct(IRequest $request, |
|
| 64 | - ControllerMethodReflector $reflector, |
|
| 65 | - Session $session, |
|
| 66 | - Throttler $throttler) { |
|
| 67 | - $this->request = $request; |
|
| 68 | - $this->reflector = $reflector; |
|
| 69 | - $this->session = $session; |
|
| 70 | - $this->throttler = $throttler; |
|
| 71 | - } |
|
| 57 | + /** |
|
| 58 | + * @param IRequest $request |
|
| 59 | + * @param ControllerMethodReflector $reflector |
|
| 60 | + * @param Session $session |
|
| 61 | + * @param Throttler $throttler |
|
| 62 | + */ |
|
| 63 | + public function __construct(IRequest $request, |
|
| 64 | + ControllerMethodReflector $reflector, |
|
| 65 | + Session $session, |
|
| 66 | + Throttler $throttler) { |
|
| 67 | + $this->request = $request; |
|
| 68 | + $this->reflector = $reflector; |
|
| 69 | + $this->session = $session; |
|
| 70 | + $this->throttler = $throttler; |
|
| 71 | + } |
|
| 72 | 72 | |
| 73 | - /** |
|
| 74 | - * This is being run in normal order before the controller is being |
|
| 75 | - * called which allows several modifications and checks |
|
| 76 | - * |
|
| 77 | - * @param Controller $controller the controller that is being called |
|
| 78 | - * @param string $methodName the name of the method that will be called on |
|
| 79 | - * the controller |
|
| 80 | - * @throws SecurityException |
|
| 81 | - * @since 6.0.0 |
|
| 82 | - */ |
|
| 83 | - public function beforeController($controller, $methodName) { |
|
| 84 | - // ensure that @CORS annotated API routes are not used in conjunction |
|
| 85 | - // with session authentication since this enables CSRF attack vectors |
|
| 86 | - if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) { |
|
| 87 | - $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null; |
|
| 88 | - $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null; |
|
| 73 | + /** |
|
| 74 | + * This is being run in normal order before the controller is being |
|
| 75 | + * called which allows several modifications and checks |
|
| 76 | + * |
|
| 77 | + * @param Controller $controller the controller that is being called |
|
| 78 | + * @param string $methodName the name of the method that will be called on |
|
| 79 | + * the controller |
|
| 80 | + * @throws SecurityException |
|
| 81 | + * @since 6.0.0 |
|
| 82 | + */ |
|
| 83 | + public function beforeController($controller, $methodName) { |
|
| 84 | + // ensure that @CORS annotated API routes are not used in conjunction |
|
| 85 | + // with session authentication since this enables CSRF attack vectors |
|
| 86 | + if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) { |
|
| 87 | + $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null; |
|
| 88 | + $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null; |
|
| 89 | 89 | |
| 90 | - // Allow to use the current session if a CSRF token is provided |
|
| 91 | - if ($this->request->passesCSRFCheck()) { |
|
| 92 | - return; |
|
| 93 | - } |
|
| 94 | - $this->session->logout(); |
|
| 95 | - try { |
|
| 96 | - if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { |
|
| 97 | - throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); |
|
| 98 | - } |
|
| 99 | - } catch (PasswordLoginForbiddenException $ex) { |
|
| 100 | - throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED); |
|
| 101 | - } |
|
| 102 | - } |
|
| 103 | - } |
|
| 90 | + // Allow to use the current session if a CSRF token is provided |
|
| 91 | + if ($this->request->passesCSRFCheck()) { |
|
| 92 | + return; |
|
| 93 | + } |
|
| 94 | + $this->session->logout(); |
|
| 95 | + try { |
|
| 96 | + if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) { |
|
| 97 | + throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED); |
|
| 98 | + } |
|
| 99 | + } catch (PasswordLoginForbiddenException $ex) { |
|
| 100 | + throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED); |
|
| 101 | + } |
|
| 102 | + } |
|
| 103 | + } |
|
| 104 | 104 | |
| 105 | - /** |
|
| 106 | - * This is being run after a successful controllermethod call and allows |
|
| 107 | - * the manipulation of a Response object. The middleware is run in reverse order |
|
| 108 | - * |
|
| 109 | - * @param Controller $controller the controller that is being called |
|
| 110 | - * @param string $methodName the name of the method that will be called on |
|
| 111 | - * the controller |
|
| 112 | - * @param Response $response the generated response from the controller |
|
| 113 | - * @return Response a Response object |
|
| 114 | - * @throws SecurityException |
|
| 115 | - */ |
|
| 116 | - public function afterController($controller, $methodName, Response $response) { |
|
| 117 | - // only react if its a CORS request and if the request sends origin and |
|
| 105 | + /** |
|
| 106 | + * This is being run after a successful controllermethod call and allows |
|
| 107 | + * the manipulation of a Response object. The middleware is run in reverse order |
|
| 108 | + * |
|
| 109 | + * @param Controller $controller the controller that is being called |
|
| 110 | + * @param string $methodName the name of the method that will be called on |
|
| 111 | + * the controller |
|
| 112 | + * @param Response $response the generated response from the controller |
|
| 113 | + * @return Response a Response object |
|
| 114 | + * @throws SecurityException |
|
| 115 | + */ |
|
| 116 | + public function afterController($controller, $methodName, Response $response) { |
|
| 117 | + // only react if its a CORS request and if the request sends origin and |
|
| 118 | 118 | |
| 119 | - if (isset($this->request->server['HTTP_ORIGIN']) && |
|
| 120 | - $this->reflector->hasAnnotation('CORS')) { |
|
| 119 | + if (isset($this->request->server['HTTP_ORIGIN']) && |
|
| 120 | + $this->reflector->hasAnnotation('CORS')) { |
|
| 121 | 121 | |
| 122 | - // allow credentials headers must not be true or CSRF is possible |
|
| 123 | - // otherwise |
|
| 124 | - foreach ($response->getHeaders() as $header => $value) { |
|
| 125 | - if (strtolower($header) === 'access-control-allow-credentials' && |
|
| 126 | - strtolower(trim($value)) === 'true') { |
|
| 127 | - $msg = 'Access-Control-Allow-Credentials must not be '. |
|
| 128 | - 'set to true in order to prevent CSRF'; |
|
| 129 | - throw new SecurityException($msg); |
|
| 130 | - } |
|
| 131 | - } |
|
| 122 | + // allow credentials headers must not be true or CSRF is possible |
|
| 123 | + // otherwise |
|
| 124 | + foreach ($response->getHeaders() as $header => $value) { |
|
| 125 | + if (strtolower($header) === 'access-control-allow-credentials' && |
|
| 126 | + strtolower(trim($value)) === 'true') { |
|
| 127 | + $msg = 'Access-Control-Allow-Credentials must not be '. |
|
| 128 | + 'set to true in order to prevent CSRF'; |
|
| 129 | + throw new SecurityException($msg); |
|
| 130 | + } |
|
| 131 | + } |
|
| 132 | 132 | |
| 133 | - $origin = $this->request->server['HTTP_ORIGIN']; |
|
| 134 | - $response->addHeader('Access-Control-Allow-Origin', $origin); |
|
| 135 | - } |
|
| 136 | - return $response; |
|
| 137 | - } |
|
| 133 | + $origin = $this->request->server['HTTP_ORIGIN']; |
|
| 134 | + $response->addHeader('Access-Control-Allow-Origin', $origin); |
|
| 135 | + } |
|
| 136 | + return $response; |
|
| 137 | + } |
|
| 138 | 138 | |
| 139 | - /** |
|
| 140 | - * If an SecurityException is being caught return a JSON error response |
|
| 141 | - * |
|
| 142 | - * @param Controller $controller the controller that is being called |
|
| 143 | - * @param string $methodName the name of the method that will be called on |
|
| 144 | - * the controller |
|
| 145 | - * @param \Exception $exception the thrown exception |
|
| 146 | - * @throws \Exception the passed in exception if it can't handle it |
|
| 147 | - * @return Response a Response object or null in case that the exception could not be handled |
|
| 148 | - */ |
|
| 149 | - public function afterException($controller, $methodName, \Exception $exception) { |
|
| 150 | - if ($exception instanceof SecurityException) { |
|
| 151 | - $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 152 | - if ($exception->getCode() !== 0) { |
|
| 153 | - $response->setStatus($exception->getCode()); |
|
| 154 | - } else { |
|
| 155 | - $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); |
|
| 156 | - } |
|
| 157 | - return $response; |
|
| 158 | - } |
|
| 139 | + /** |
|
| 140 | + * If an SecurityException is being caught return a JSON error response |
|
| 141 | + * |
|
| 142 | + * @param Controller $controller the controller that is being called |
|
| 143 | + * @param string $methodName the name of the method that will be called on |
|
| 144 | + * the controller |
|
| 145 | + * @param \Exception $exception the thrown exception |
|
| 146 | + * @throws \Exception the passed in exception if it can't handle it |
|
| 147 | + * @return Response a Response object or null in case that the exception could not be handled |
|
| 148 | + */ |
|
| 149 | + public function afterException($controller, $methodName, \Exception $exception) { |
|
| 150 | + if ($exception instanceof SecurityException) { |
|
| 151 | + $response = new JSONResponse(['message' => $exception->getMessage()]); |
|
| 152 | + if ($exception->getCode() !== 0) { |
|
| 153 | + $response->setStatus($exception->getCode()); |
|
| 154 | + } else { |
|
| 155 | + $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR); |
|
| 156 | + } |
|
| 157 | + return $response; |
|
| 158 | + } |
|
| 159 | 159 | |
| 160 | - throw $exception; |
|
| 161 | - } |
|
| 160 | + throw $exception; |
|
| 161 | + } |
|
| 162 | 162 | } |
