Skip to content

Commit

Permalink
fix error when using CORS with no auth credentials
Browse files Browse the repository at this point in the history
  • Loading branch information
@korelstar
korelstar committed Jun 23, 2021
1 parent 6a40ed4 commit 7b8d4b2
Showing 1 changed file with 4 additions and 5 deletions.
9 changes: 4 additions & 5 deletions lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,14 +83,13 @@ public function __construct(IRequest $request,
public function beforeController($controller, $methodName) {
// ensure that @CORS annotated API routes are not used in conjunction
// with session authentication since this enables CSRF attack vectors
if ($this->reflector->hasAnnotation('CORS') &&
!$this->reflector->hasAnnotation('PublicPage')) {
$user = $this->request->server['PHP_AUTH_USER'];
$pass = $this->request->server['PHP_AUTH_PW'];
if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) {
$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;

$this->session->logout();
try {
if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
}
} catch (PasswordLoginForbiddenException $ex) {
Expand Down

0 comments on commit 7b8d4b2

Please sign in to comment.