Merge pull request #40856 from owncloud/fix/header-evaluation

phil-davis · DeepDiver1975 · commit 3398ae09e674 · 2023-08-04T10:16:38.000+02:00
fix: use empty() to check if header exists
diff --git a/apps/files_sharing/lib/Controller/Share20OcsController.php b/apps/files_sharing/lib/Controller/Share20OcsController.php
@@ -281,6 +281,7 @@ protected function formatShare(IShare $share, $received = false) {
 	 * Get a specific share by id
 	 *
 	 * @NoAdminRequired
+	 * @NoCSRFRequired
 	 *
 	 * @param string $id
 	 * @return Result
@@ -664,6 +665,7 @@ private function getSharedWithMe($node = null, $includeTags, $requestedShareType
 	 * the function will return an empty list.
 	 *
 	 * @NoAdminRequired
+	 * @NoCSRFRequired
 	 *
 	 * - Get shares by the current user
 	 * - Get shares by the current user and reshares (?reshares=true)
diff --git a/changelog/unreleased/40856 b/changelog/unreleased/40856
@@ -0,0 +1,6 @@
+Bugfix: Request header can hold an empty string if not set
+
+Due to Apache rewrite rules originally not existing headers can hold an empty
+string.
+
+https://github.com/owncloud/core/pull/40856
diff --git a/core/Controller/OcsController.php b/core/Controller/OcsController.php
@@ -110,6 +110,7 @@ public function checkPerson($login, $password) {
 	 * test: curl http://login:passwd@oc/core/ocs/v1.php/privatedata/getattribute
 	 *
 	 * @NoAdminRequired
+	 * @NoCSRFRequired
 	 *
 	 * @return Result
 	 */
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -143,7 +143,8 @@ public function beforeController($controller, $methodName) {
 		// CSRF check - also registers the CSRF token since the session may be closed later
 		Util::callRegister();
 		if (!$this->reflector->hasAnnotation('NoCSRFRequired')) {
-			if (!$this->request->passesCSRFCheck() && $this->request->getHeader("Authorization") === null) {
+			$hasNoAuthHeader = ($this->request->getHeader("Authorization") === null || trim($this->request->getHeader("Authorization")) === '');
+			if (!$this->request->passesCSRFCheck() && $hasNoAuthHeader) {
 				throw new CrossSiteRequestForgeryException();
 			}
 		}
diff --git a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php
@@ -79,33 +79,33 @@ protected function setUp(): void {
 
 		$this->controller = $this->getMockBuilder(Controller::class)
 			->disableOriginalConstructor()
-				->getMock();
+			->getMock();
 		$this->reader = new ControllerMethodReflector();
 		$this->logger = $this->getMockBuilder(
 			ILogger::class
 		)
-				->disableOriginalConstructor()
-				->getMock();
+			->disableOriginalConstructor()
+			->getMock();
 		$this->navigationManager = $this->getMockBuilder(
 			INavigationManager::class
 		)
-				->disableOriginalConstructor()
-				->getMock();
+			->disableOriginalConstructor()
+			->getMock();
 		$this->urlGenerator = $this->getMockBuilder(
 			IURLGenerator::class
 		)
-				->disableOriginalConstructor()
-				->getMock();
+			->disableOriginalConstructor()
+			->getMock();
 		$this->request = $this->getMockBuilder(
 			IRequest::class
 		)
-				->disableOriginalConstructor()
-				->getMock();
+			->disableOriginalConstructor()
+			->getMock();
 		$this->contentSecurityPolicyManager = $this->getMockBuilder(
 			ContentSecurityPolicyManager::class
 		)
-				->disableOriginalConstructor()
-				->getMock();
+			->disableOriginalConstructor()
+			->getMock();
 		$this->middleware = $this->getMiddleware(true, true);
 		$this->secException = new SecurityException('hey', false);
 		$this->secAjaxException = new SecurityException('hey', true);
@@ -252,8 +252,8 @@ public function testAjaxStatusAllGood() {
 	 */
 	public function testNoChecks() {
 		$this->request->expects($this->never())
-				->method('passesCSRFCheck')
-				->will($this->returnValue(false));
+			->method('passesCSRFCheck')
+			->will($this->returnValue(false));
 
 		$sec = $this->getMiddleware(false, false);
 
@@ -388,30 +388,30 @@ public function testAfterExceptionNotCaughtThrowsItAgain() {
 	public function testAfterExceptionReturnsRedirectForNotLoggedInUser() {
 		$this->request = new Request(
 			[
-						'server' =>
-								[
-										'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
-										'REQUEST_URI' => 'owncloud/index.php/apps/specialapp'
-								]
-				],
+				'server' =>
+					[
+						'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+						'REQUEST_URI' => 'owncloud/index.php/apps/specialapp'
+					]
+			],
 			$this->createMock(ISecureRandom::class),
 			$this->createMock(IConfig::class)
 		);
 		$this->middleware = $this->getMiddleware(false, false);
 		$this->urlGenerator
-				->expects($this->once())
-				->method('linkToRoute')
-				->with(
-					'core.login.showLoginForm',
-					[
-						'redirect_url' => 'owncloud%2Findex.php%2Fapps%2Fspecialapp',
-					]
-				)
-				->will($this->returnValue('http://localhost/index.php/login?redirect_url=owncloud%2Findex.php%2Fapps%2Fspecialapp'));
+			->expects($this->once())
+			->method('linkToRoute')
+			->with(
+				'core.login.showLoginForm',
+				[
+					'redirect_url' => 'owncloud%2Findex.php%2Fapps%2Fspecialapp',
+				]
+			)
+			->will($this->returnValue('http://localhost/index.php/login?redirect_url=owncloud%2Findex.php%2Fapps%2Fspecialapp'));
 		$this->logger
-				->expects($this->once())
-				->method('debug')
-				->with('Current user is not logged in');
+			->expects($this->once())
+			->method('debug')
+			->with('Current user is not logged in');
 		$response = $this->middleware->afterException(
 			$this->controller,
 			'test',
@@ -447,20 +447,20 @@ public function exceptionProvider() {
 	public function testAfterExceptionReturnsTemplateResponse(SecurityException $exception) {
 		$this->request = new Request(
 			[
-						'server' =>
-								[
-										'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
-										'REQUEST_URI' => 'owncloud/index.php/apps/specialapp'
-								]
-				],
+				'server' =>
+					[
+						'HTTP_ACCEPT' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+						'REQUEST_URI' => 'owncloud/index.php/apps/specialapp'
+					]
+			],
 			$this->createMock(ISecureRandom::class),
 			$this->createMock(IConfig::class)
 		);
 		$this->middleware = $this->getMiddleware(false, false);
 		$this->logger
-				->expects($this->once())
-				->method('debug')
-				->with($exception->getMessage());
+			->expects($this->once())
+			->method('debug')
+			->with($exception->getMessage());
 		$response = $this->middleware->afterException(
 			$this->controller,
 			'test',
@@ -628,10 +628,10 @@ public function testAfterController() {
 			->method('getDefaultPolicy')
 			->willReturn($defaultPolicy);
 		$this->contentSecurityPolicyManager
-				->expects($this->once())
-				->method('mergePolicies')
-				->with($defaultPolicy, $currentPolicy)
-				->willReturn($mergedPolicy);
+			->expects($this->once())
+			->method('mergePolicies')
+			->with($defaultPolicy, $currentPolicy)
+			->willReturn($mergedPolicy);
 		$response->expects($this->once())
 			->method('setContentSecurityPolicy')
 			->with($mergedPolicy);
diff --git a/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest1.php b/tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest1.php

Original file line number	Diff line number	Diff line change
`@@ -281,6 +281,7 @@ protected function formatShare(IShare $share, $received = false) {`
`281`	`281`	`* Get a specific share by id`
`282`	`282`	`*`
`283`	`283`	`* @NoAdminRequired`
	`284`	`+ * @NoCSRFRequired`
`284`	`285`	`*`
`285`	`286`	`* @param string $id`
`286`	`287`	`* @return Result`
`@@ -664,6 +665,7 @@ private function getSharedWithMe($node = null, $includeTags, $requestedShareType`
`664`	`665`	`* the function will return an empty list.`
`665`	`666`	`*`
`666`	`667`	`* @NoAdminRequired`
	`668`	`+ * @NoCSRFRequired`
`667`	`669`	`*`
`668`	`670`	`* - Get shares by the current user`
`669`	`671`	`* - Get shares by the current user and reshares (?reshares=true)`
Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,7 @@ public function checkPerson($login, $password) {`
`110`	`110`	`* test: curl http://login:passwd@oc/core/ocs/v1.php/privatedata/getattribute`
`111`	`111`	`*`
`112`	`112`	`* @NoAdminRequired`
	`113`	`+ * @NoCSRFRequired`
`113`	`114`	`*`
`114`	`115`	`* @return Result`
`115`	`116`	`*/`
Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,8 @@ public function beforeController($controller, $methodName) {`
`143`	`143`	`// CSRF check - also registers the CSRF token since the session may be closed later`
`144`	`144`	`Util::callRegister();`
`145`	`145`	`if (!$this->reflector->hasAnnotation('NoCSRFRequired')) {`
`146`		`- if (!$this->request->passesCSRFCheck() && $this->request->getHeader("Authorization") === null) {`
	`146`	`+ $hasNoAuthHeader = ($this->request->getHeader("Authorization") === null \|\| trim($this->request->getHeader("Authorization")) === '');`
	`147`	`+ if (!$this->request->passesCSRFCheck() && $hasNoAuthHeader) {`
`147`	`148`	`throw new CrossSiteRequestForgeryException();`
`148`	`149`	`}`
`149`	`150`	`}`