Startsida Utforska Hjälp
Logga in
RISCI_ATOM
/
nextcloud-server
spegling av https://github.com/nextcloud/server.git
1
0
Fork 0
Filer Ärenden 23 Wiki
Träd: 38a854752c
Grenar Taggar
nextcloud-serve...
/
lib
/
private
/
AppFramework
/
Middleware
/
Security
/
SameSiteCookieMiddleware.php

SameSiteCookieMiddleware.php 2.3 KB
Historik

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors
    4. 

  4.  * SPDX-License-Identifier: AGPL-3.0-or-later
    5. 

  5.  */
    6. 

  6. namespace OC\AppFramework\Middleware\Security;
    7. 

  7. 

  8. use OC\AppFramework\Http\Request;
    9. 

  9. use OC\AppFramework\Middleware\Security\Exceptions\LaxSameSiteCookieFailedException;
    10. 

  10. use OC\AppFramework\Utility\ControllerMethodReflector;
    11. 

  11. use OCP\AppFramework\Http;
    12. 

  12. use OCP\AppFramework\Http\Response;
    13. 

  13. use OCP\AppFramework\Middleware;
    14. 

  14. 

  15. class SameSiteCookieMiddleware extends Middleware {
    16. 

  16. 	/** @var Request */
    17. 

  17. 	private $request;
    18. 

  18. 

  19. 	/** @var ControllerMethodReflector */
    20. 

  20. 	private $reflector;
    21. 

  21. 

  22. 	public function __construct(Request $request,
    23. 

  23. 		ControllerMethodReflector $reflector) {
    24. 

  24. 		$this->request = $request;
    25. 

  25. 		$this->reflector = $reflector;
    26. 

  26. 	}
    27. 

  27. 

  28. 	public function beforeController($controller, $methodName) {
    29. 

  29. 		$requestUri = $this->request->getScriptName();
    30. 

  30. 		$processingScript = explode('/', $requestUri);
    31. 

  31. 		$processingScript = $processingScript[count($processingScript) - 1];
    32. 

  32. 

  33. 		if ($processingScript !== 'index.php') {
    34. 

  34. 			return;
    35. 

  35. 		}
    36. 

  36. 

  37. 		$noSSC = $this->reflector->hasAnnotation('NoSameSiteCookieRequired');
    38. 

  38. 		if ($noSSC) {
    39. 

  39. 			return;
    40. 

  40. 		}
    41. 

  41. 

  42. 		if (!$this->request->passesLaxCookieCheck()) {
    43. 

  43. 			throw new LaxSameSiteCookieFailedException();
    44. 

  44. 		}
    45. 

  45. 	}
    46. 

  46. 

  47. 	public function afterException($controller, $methodName, \Exception $exception) {
    48. 

  48. 		if ($exception instanceof LaxSameSiteCookieFailedException) {
    49. 

  49. 			$response = new Response();
    50. 

  50. 			$response->setStatus(Http::STATUS_FOUND);
    51. 

  51. 			$response->addHeader('Location', $this->request->getRequestUri());
    52. 

  52. 

  53. 			$this->setSameSiteCookie();
    54. 

  54. 

  55. 			return $response;
    56. 

  56. 		}
    57. 

  57. 

  58. 		throw $exception;
    59. 

  59. 	}
    60. 

  60. 

  61. 	protected function setSameSiteCookie() {
    62. 

  62. 		$cookieParams = $this->request->getCookieParams();
    63. 

  63. 		$secureCookie = ($cookieParams['secure'] === true) ? 'secure; ' : '';
    64. 

  64. 		$policies = [
    65. 

  65. 			'lax',
    66. 

  66. 			'strict',
    67. 

  67. 		];
    68. 

  68. 

  69. 		// Append __Host to the cookie if it meets the requirements
    70. 

  70. 		$cookiePrefix = '';
    71. 

  71. 		if ($cookieParams['secure'] === true && $cookieParams['path'] === '/') {
    72. 

  72. 			$cookiePrefix = '__Host-';
    73. 

  73. 		}
    74. 

  74. 

  75. 		foreach ($policies as $policy) {
    76. 

  76. 			header(
    77. 

  77. 				sprintf(
    78. 

  78. 					'Set-Cookie: %snc_sameSiteCookie%s=true; path=%s; httponly;' . $secureCookie . 'expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=%s',
    79. 

  79. 					$cookiePrefix,
    80. 

  80. 					$policy,
    81. 

  81. 					$cookieParams['path'],
    82. 

  82. 					$policy
    83. 

  83. 				),
    84. 

  84. 				false
    85. 

  85. 			);
    86. 

  86. 		}
    87. 

  87. 	}
    88. 

  88. }
    89.