Merge pull request #40856 from owncloud/fix/header-evaluation

fix: use empty() to check if header exists

Author: phil-davis

apps/files_sharing/lib/Controller/Share20OcsController.php

@@ -281,6 +281,7 @@ protected function formatShare(IShare $share, $received = false) {
 	 * Get a specific share by id
 	 *
 	 * @NoAdminRequired
+	 * @NoCSRFRequired
 	 *
 	 * @param string $id
 	 * @return Result
@@ -664,6 +665,7 @@ private function getSharedWithMe($node = null, $includeTags, $requestedShareType
 	 * the function will return an empty list.
 	 *
 	 * @NoAdminRequired
+	 * @NoCSRFRequired
 	 *
 	 * - Get shares by the current user
 	 * - Get shares by the current user and reshares (?reshares=true)

changelog/unreleased/40856

@@ -0,0 +1,6 @@
+Bugfix: Request header can hold an empty string if not set
+
+Due to Apache rewrite rules originally not existing headers can hold an empty
+string.
+
+https://github.com/owncloud/core/pull/40856

core/Controller/OcsController.php

@@ -110,6 +110,7 @@ public function checkPerson($login, $password) {
 	 * test: curl http://login:passwd@oc/core/ocs/v1.php/privatedata/getattribute
 	 *
 	 * @NoAdminRequired
+	 * @NoCSRFRequired
 	 *
 	 * @return Result
 	 */

lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php

@@ -143,7 +143,8 @@ public function beforeController($controller, $methodName) {
 		// CSRF check - also registers the CSRF token since the session may be closed later
 		Util::callRegister();
 		if (!$this->reflector->hasAnnotation('NoCSRFRequired')) {
-			if (!$this->request->passesCSRFCheck() && $this->request->getHeader("Authorization") === null) {
+			$hasNoAuthHeader = ($this->request->getHeader("Authorization") === null || trim($this->request->getHeader("Authorization")) === '');
+			if (!$this->request->passesCSRFCheck() && $hasNoAuthHeader) {
 				throw new CrossSiteRequestForgeryException();
 			}
 		}

tests/lib/AppFramework/Middleware/Security/SecurityMiddlewareTest.php

@@ -40,6 +40,7 @@
 use OCP\ISession;
 use OCP\AppFramework\Controller;
 use OCP\IUserSession;
+use ReflectionException;
 use Test\TestCase;
 use OCP\AppFramework\Http\Response;
 use OCP\IConfig;
@@ -136,7 +137,7 @@ private function getMiddleware($isLoggedIn, $isAdminUser) {
 	 * @PublicPage
 	 * @NoCSRFRequired
 	 * @throws SecurityException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testSetNavigationEntry() {
 		$this->navigationManager->expects($this->once())
@@ -151,7 +152,7 @@ public function testSetNavigationEntry() {
 	 * @param string $method
 	 * @param string $test
 	 * @param $status
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	private function ajaxExceptionStatus($method, $test, $status) {
 		$isLoggedIn = false;
@@ -179,7 +180,7 @@ private function ajaxExceptionStatus($method, $test, $status) {
 	}
 
 	/**
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testAjaxStatusLoggedInCheck() {
 		$this->ajaxExceptionStatus(
@@ -191,7 +192,7 @@ public function testAjaxStatusLoggedInCheck() {
 
 	/**
 	 * @NoCSRFRequired
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testAjaxNotAdminCheck() {
 		$this->ajaxExceptionStatus(
@@ -203,7 +204,7 @@ public function testAjaxNotAdminCheck() {
 
 	/**
 	 * @PublicPage
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testAjaxStatusCSRFCheck() {
 		$this->ajaxExceptionStatus(
@@ -216,10 +217,7 @@ public function testAjaxStatusCSRFCheck() {
 	/**
 	 * @PublicPage
 	 * @NoCSRFRequired
-	 * @throws \ReflectionException
-	 * @throws \ReflectionException
-	 * @throws \ReflectionException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testAjaxStatusAllGood() {
 		$this->ajaxExceptionStatus(
@@ -248,7 +246,7 @@ public function testAjaxStatusAllGood() {
 	 * @PublicPage
 	 * @NoCSRFRequired
 	 * @throws SecurityException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testNoChecks() {
 		$this->request->expects($this->never())
@@ -266,7 +264,7 @@ public function testNoChecks() {
 	 * @param string $expects
 	 * @param bool $shouldFail
 	 * @throws SecurityException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	private function securityCheck($method, $expects, $shouldFail=false) {
 		// admin check requires login
@@ -293,10 +291,10 @@ private function securityCheck($method, $expects, $shouldFail=false) {
 	/**
 	 * @PublicPage
 	 * @throws SecurityException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testCsrfCheck() {
-		$this->expectException(\OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException::class);
+		$this->expectException(CrossSiteRequestForgeryException::class);
 
 		$this->request->expects($this->once())
 			->method('passesCSRFCheck')
@@ -310,7 +308,7 @@ public function testCsrfCheck() {
 	 * @PublicPage
 	 * @NoCSRFRequired
 	 * @throws SecurityException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testNoCsrfCheck() {
 		$this->request->expects($this->never())
@@ -324,7 +322,7 @@ public function testNoCsrfCheck() {
 	/**
 	 * @PublicPage
 	 * @throws SecurityException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testFailCsrfCheck() {
 		$this->request->expects($this->once())
@@ -335,11 +333,29 @@ public function testFailCsrfCheck() {
 		$this->middleware->beforeController(__CLASS__, __FUNCTION__);
 	}
 
+	/**
+	 * @PublicPage
+	 * @throws SecurityException
+	 * @throws ReflectionException
+	 */
+	public function testFailCsrfCheckWithoutAuthHeader(): void {
+		$this->expectException(CrossSiteRequestForgeryException::class);
+		$this->request->expects($this->once())
+			->method('passesCSRFCheck')
+			->willReturn(false);
+		$this->request
+			->method('getHeader')
+			->willReturn('');
+
+		$this->reader->reflect(__CLASS__, __FUNCTION__);
+		$this->middleware->beforeController(__CLASS__, __FUNCTION__);
+	}
+
 	/**
 	 * @NoCSRFRequired
 	 * @NoAdminRequired
 	 * @throws SecurityException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testLoggedInCheck() {
 		$this->securityCheck(__FUNCTION__, 'isLoggedIn');
@@ -349,7 +365,7 @@ public function testLoggedInCheck() {
 	 * @NoCSRFRequired
 	 * @NoAdminRequired
 	 * @throws SecurityException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testFailLoggedInCheck() {
 		$this->securityCheck(__FUNCTION__, 'isLoggedIn', true);
@@ -358,7 +374,7 @@ public function testFailLoggedInCheck() {
 	/**
 	 * @NoCSRFRequired
 	 * @throws SecurityException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testIsAdminCheck() {
 		$this->securityCheck(__FUNCTION__, 'isAdminUser');
@@ -367,7 +383,7 @@ public function testIsAdminCheck() {
 	/**
 	 * @NoCSRFRequired
 	 * @throws SecurityException
-	 * @throws \ReflectionException
+	 * @throws ReflectionException
 	 */
 	public function testFailIsAdminCheck() {
 		$this->securityCheck(__FUNCTION__, 'isAdminUser', true);