fix: Do not require samesite=strict cookies for public.php
#52657
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This currently prevent directly accessing a ressource from a third party site. Fix #52482 Signed-off-by: Louis Chemineau <louis@chmn.me>
artonge
requested review from
Altahrim,
ArtificialOwl and
nfebe
and removed request for
a team
artonge
changed the title
samesite=strict cookies for public.phpsamesite=strict cookies for public.php
susnux
reviewed
May 6, 2025
|
Password protected shares are a form of authentication |
|
Hi, trying this fix i found it does in fact NOT solve the issue at hand (#52482). Any ideas what else i could try? Thank you. |
nickvergessen
deleted the
artonge/feat/do_not_require_samesite_strict_cookie_on_public.php
branch
artonge
added a commit
that referenced
this pull request
May 14, 2025
…endpoint This currently prevent directly accessing a resource when clicking on a link on a third party site. Example, clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment. Skipping the check is an issue with password protected shares, as it allows third party sites to request the resource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add it again in the `PublicAuth` plugin. We also add a redirect to be helpful to the user. **Warning**: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view. Another solution would be to do the redirect from the front-end. - Fix #52482 - Improved version of original closed PR: #52657 Signed-off-by: Louis Chemineau <louis@chmn.me>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This currently prevent directly accessing a resource from a third party site.
Not sure whether
public.phpactually does not need auth. I am just not aware of any place where it is the case.