From c79dc0e08f9234739eccf07e13b971aa4664d86f Mon Sep 17 00:00:00 2001 From: jaltek Date: Wed, 31 Jan 2018 14:17:56 +0100 Subject: [PATCH] Configurable list for opt out from same site cookie protection Signed-off-by: Roeland Jago Douma --- config/config.sample.php | 10 ++++++++++ lib/base.php | 17 ++++++++++++----- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/config/config.sample.php b/config/config.sample.php index 40d83cea37..fb767c9cf8 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -1595,4 +1595,14 @@ $CONFIG = array( */ 'gs.federation' => 'internal', +/** + * List of incompatible user agents opted out from Same Site Cookie Protection. + * Some user agents are notorious and don't really properly follow HTTP + * specifications. For those, have an opt-out. + */ +'csrf.optout' => array( + '/^WebDAVFS/', // OS X Finder + '/^Microsoft-WebDAV-MiniRedir/', // Windows webdav drive +), + ); diff --git a/lib/base.php b/lib/base.php index 57a620db0e..5cc33e233f 100644 --- a/lib/base.php +++ b/lib/base.php @@ -523,11 +523,18 @@ class OC { // specifications. For those, have an automated opt-out. Since the protection // for remote.php is applied in base.php as starting point we need to opt out // here. - $incompatibleUserAgents = [ - // OS X Finder - '/^WebDAVFS/', - '/^Microsoft-WebDAV-MiniRedir/', - ]; + $incompatibleUserAgents = \OC::$server->getConfig()->getSystemValue('csrf.optout'); + + // Fallback, if csrf.optout is unset + if (!is_array($incompatibleUserAgents)) { + $incompatibleUserAgents = [ + // OS X Finder + '/^WebDAVFS/', + // Windows webdav drive + '/^Microsoft-WebDAV-MiniRedir/', + ]; + } + if($request->isUserAgent($incompatibleUserAgents)) { return; }