Configurable list for opt out from same site cookie protection
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
parent
ebdd3fb64a
commit
c79dc0e08f
2 changed files with 22 additions and 5 deletions
@ -1595,4 +1595,14 @@ $CONFIG = array(
|
|||
*/
|
||||
'gs.federation' => 'internal',
|
||||
|
||||
/**
|
||||
* List of incompatible user agents opted out from Same Site Cookie Protection.
|
||||
* Some user agents are notorious and don't really properly follow HTTP
|
||||
* specifications. For those, have an opt-out.
|
||||
*/
|
||||
'csrf.optout' => array(
|
||||
'/^WebDAVFS/', // OS X Finder
|
||||
'/^Microsoft-WebDAV-MiniRedir/', // Windows webdav drive
|
||||
),
|
||||
|
||||
);
|
||||
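--- a/lib/base.php
+++ b/lib/base.php
@@ -523,11 +523,18 @@ class OC {
 // specifications. For those, have an automated opt-out. Since the protection
 // for remote.php is applied in base.php as starting point we need to opt out
 // here.
-$incompatibleUserAgents = [
-// OS X Finder
-'/^WebDAVFS/',
-'/^Microsoft-WebDAV-MiniRedir/',
-];
+$incompatibleUserAgents = \OC::$server->getConfig()->getSystemValue('csrf.optout');
+
+// Fallback, if csrf.optout is unset
+if (!is_array($incompatibleUserAgents)) {
+$incompatibleUserAgents = [
+// OS X Finder
+'/^WebDAVFS/',
+// Windows webdav drive
+'/^Microsoft-WebDAV-MiniRedir/',
+];
+}
+
 if($request->isUserAgent($incompatibleUserAgents)) {
 return;
 }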
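Review bot: The fallback at `if (!is_array($incompatibleUserAgents))` re-declares the default list inline instead of handing it to getSystemValue as the default, so the defaults now live both here and in config.sample.php and can drift apart; `$incompatibleUserAgents = \OC::$server->getConfig()->getSystemValue('csrf.optout', ['/^WebDAVFS/', '/^Microsoft-WebDAV-MiniRedir/']);` covers the unset case, and the `is_array` guard can stay to catch a malformed value. Every entry in this list exempts matching clients from the same-site cookie check, so the comment above the fallback should also say that the entries are PCRE patterns applied to the User-Agent header and that a broad pattern widens the exemption to every client it matches, assuming isUserAgent (outside the hunk) does the regex match. The enclosing method starts and ends outside the hunk.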