Rewrite OCS CSRF check to be readable

Signed-off-by: jld3103 <jld3103yt@gmail.com>
nextcloud · Jul 3, 2023 · f3f7472 · f3f7472
1 parent c3dcd70
commit f3f7472
Showing 1 changed file with 3 additions and 15 deletions.
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -206,21 +206,9 @@ public function beforeController($controller, $methodName) {
 		}
 		// CSRF check - also registers the CSRF token since the session may be closed later
 		Util::callRegister();
-		if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class)) {
-			/*
-			 * Only allow the CSRF check to fail on OCS Requests. This kind of
-			 * hacks around that we have no full token auth in place yet and we
-			 * do want to offer CSRF checks for web requests.
-			 *
-			 * Additionally we allow Bearer authenticated requests to pass on OCS routes.
-			 * This allows oauth apps (e.g. moodle) to use the OCS endpoints
-			 */
-			if (!$this->request->passesCSRFCheck() && !(
-				$controller instanceof OCSController && (
-					$this->request->getHeader('OCS-APIREQUEST') === 'true' ||
-					str_starts_with($this->request->getHeader('Authorization'), 'Bearer ')
-				)
-			)) {
+		if (!$this->hasAnnotationOrAttribute($reflectionMethod, 'NoCSRFRequired', NoCSRFRequired::class) && !$this->request->passesCSRFCheck()) {
+			// If CSRF is required and the CSRF check does not pass, only allow OCS requests to that go to an OCS controllers.
+			if (!$controller instanceof OCSController || !($this->request->getHeader('OCS-APIREQUEST') === 'true' && str_starts_with($this->request->getHeader('Authorization'), 'Bearer '))) {
 				throw new CrossSiteRequestForgeryException();
 			}
 		}