fix: use empty() to check if header exists (port #40856)

DeepDiver1975 · DeepDiver1975 · commit f9b76f62ff25 · 2023-08-04T10:23:18.000+02:00
diff --git a/apps/files_sharing/lib/Controller/Share20OcsController.php b/apps/files_sharing/lib/Controller/Share20OcsController.php
@@ -281,6 +281,7 @@ protected function formatShare(IShare $share, $received = false) {
 	 * Get a specific share by id
 	 *
 	 * @NoAdminRequired
+	 * @NoCSRFRequired
 	 *
 	 * @param string $id
 	 * @return Result
@@ -664,6 +665,7 @@ private function getSharedWithMe($node = null, $includeTags, $requestedShareType
 	 * the function will return an empty list.
 	 *
 	 * @NoAdminRequired
+	 * @NoCSRFRequired
 	 *
 	 * - Get shares by the current user
 	 * - Get shares by the current user and reshares (?reshares=true)
diff --git a/core/Controller/OcsController.php b/core/Controller/OcsController.php
@@ -110,6 +110,7 @@ public function checkPerson($login, $password) {
 	 * test: curl http://login:passwd@oc/core/ocs/v1.php/privatedata/getattribute
 	 *
 	 * @NoAdminRequired
+	 * @NoCSRFRequired
 	 *
 	 * @return Result
 	 */
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -143,7 +143,8 @@ public function beforeController($controller, $methodName) {
 		// CSRF check - also registers the CSRF token since the session may be closed later
 		Util::callRegister();
 		if (!$this->reflector->hasAnnotation('NoCSRFRequired')) {
-			if (!$this->request->passesCSRFCheck() && $this->request->getHeader("Authorization") === null) {
+			$hasNoAuthHeader = ($this->request->getHeader("Authorization") === null || trim($this->request->getHeader("Authorization")) === '');
+			if (!$this->request->passesCSRFCheck() && $hasNoAuthHeader) {
 				throw new CrossSiteRequestForgeryException();
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -281,6 +281,7 @@ protected function formatShare(IShare $share, $received = false) {`
`281`	`281`	`* Get a specific share by id`
`282`	`282`	`*`
`283`	`283`	`* @NoAdminRequired`
	`284`	`+ * @NoCSRFRequired`
`284`	`285`	`*`
`285`	`286`	`* @param string $id`
`286`	`287`	`* @return Result`
`@@ -664,6 +665,7 @@ private function getSharedWithMe($node = null, $includeTags, $requestedShareType`
`664`	`665`	`* the function will return an empty list.`
`665`	`666`	`*`
`666`	`667`	`* @NoAdminRequired`
	`668`	`+ * @NoCSRFRequired`
`667`	`669`	`*`
`668`	`670`	`* - Get shares by the current user`
`669`	`671`	`* - Get shares by the current user and reshares (?reshares=true)`
Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,7 @@ public function checkPerson($login, $password) {`
`110`	`110`	`* test: curl http://login:passwd@oc/core/ocs/v1.php/privatedata/getattribute`
`111`	`111`	`*`
`112`	`112`	`* @NoAdminRequired`
	`113`	`+ * @NoCSRFRequired`
`113`	`114`	`*`
`114`	`115`	`* @return Result`
`115`	`116`	`*/`
Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,8 @@ public function beforeController($controller, $methodName) {`
`143`	`143`	`// CSRF check - also registers the CSRF token since the session may be closed later`
`144`	`144`	`Util::callRegister();`
`145`	`145`	`if (!$this->reflector->hasAnnotation('NoCSRFRequired')) {`
`146`		`- if (!$this->request->passesCSRFCheck() && $this->request->getHeader("Authorization") === null) {`
	`146`	`+ $hasNoAuthHeader = ($this->request->getHeader("Authorization") === null \|\| trim($this->request->getHeader("Authorization")) === '');`
	`147`	`+ if (!$this->request->passesCSRFCheck() && $hasNoAuthHeader) {`
`147`	`148`	`throw new CrossSiteRequestForgeryException();`
`148`	`149`	`}`
`149`	`150`	`}`