fix(middleware): Fix header injection for bruteforce middleware

Calling setHeaders(getHeaders()) breaks the CSP nonce for unknown reasons So shifting back to old standard practise for now Signed-off-by: Joas Schilling <coding@schilljs.com>
nextcloud · Aug 22, 2023 · 381c350 · 381c350
1 parent e42d82f
commit 381c350
Showing 1 changed file with 1 addition and 5 deletions.
diff --git a/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php b/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php
@@ -130,11 +130,7 @@ public function afterController($controller, $methodName, Response $response) {
 		}
 
 		if ($this->delaySlept) {
-			$headers = $response->getHeaders();
-			if (!isset($headers['X-Nextcloud-Bruteforce-Throttled'])) {
-				$headers['X-Nextcloud-Bruteforce-Throttled'] = $this->delaySlept . 'ms';
-				$response->setHeaders($headers);
-			}
+			$response->addHeader('X-Nextcloud-Bruteforce-Throttled', $this->delaySlept . 'ms');
 		}
 
 		return parent::afterController($controller, $methodName, $response);