fix: Move CSRF check from base to PublicAuth for public.php #52810
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
artonge
requested review from
ArtificialOwl and
nfebe
and removed request for
a team
artonge
added
3. to review
susnux
approved these changes
May 14, 2025
skjnldsv
approved these changes
May 14, 2025
artonge
force-pushed
the
artonge/feat/do_not_require_samesite_strict_cookie_on_public.php
branch
10 times, most recently
from
0eef221 to
d5be952
Compare
artonge
requested review from
sorbaugh and
szaimen
and removed request for
a team
This currently prevent directly accessing a ressource when clicking on a link on a third party site. Example, clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment. Skipping the check is an issue with password protected shares, as it allows third party sites to request the ressource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add the it again in the `PublicAuth` plugin. We also add a redirect to be helpful to the user. **Warning**: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view. Fix #52482 Signed-off-by: Louis Chemineau <louis@chmn.me>
…endpoint Follow-up of #48098 Signed-off-by: Louis Chemineau <louis@chmn.me>
artonge
force-pushed
the
artonge/feat/do_not_require_samesite_strict_cookie_on_public.php
branch
from
95ed1fe to
ec1db0c
Compare
artonge
deleted the
artonge/feat/do_not_require_samesite_strict_cookie_on_public.php
branch
|
/backport to stable31 |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This currently prevent directly accessing a resource when clicking on a link on a third party site. Example, clicking on
https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zipin a GitHub comment.Skipping the check is an issue with password protected shares, as it allows third party sites to request the resource when the user already entered the password, aka CSRF. So after removing the check from
base.php, we need to add it again in thePublicAuthplugin.We also add a redirect to be helpful to the user.
Warning: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view.
Another solution would be to do the redirect from the front-end.
Extra: replace the deprecated direct download URL by the new DAV one.
samesite=strictcookies forpublic.php#52657