
Conversation

@backportbot backportbot bot commented May 22, 2025

Backport of PR #52810

artonge added 2 commits May 22, 2025 08:30
This currently prevents directly accessing a resource when clicking on a link on a third-party site. Example: clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment.

Skipping the check is an issue with password-protected shares, as it allows third-party sites to request the resource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add it again in the `PublicAuth` plugin.

We also add a redirect to be helpful to the user.

**Warning**: this adds the limitation that clicking on a direct download link for password-protected shares will redirect you to the password form, and then to the main share view.

Fix #52482

Signed-off-by: Louis Chemineau <louis@chmn.me>
…endpoint

Follow-up of #48098

Signed-off-by: Louis Chemineau <louis@chmn.me>
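The access rule described in the commit message above, written out as an added illustration (this is not Nextcloud's code and not the `PublicAuth` plugin; the `ShareInfo`, `Session`, `Request` and `authorize` names, the request-token scheme, the `https://cloud.example.org` origin and the `/s/<token>` redirect target are all assumptions). It contrasts the two states the message talks about: dropping the check entirely, which lets a cross-site link download from a session that already unlocked the share, and keeping the check only for password-protected shares, which answers such a request with a redirect to the password form instead of the file.

```python
"""Access decision for a public DAV share endpoint.

Added example, not project code. Models the rule from the commit message:
no CSRF check for shares without a password (the link is public anyway),
but for password-protected shares a request must both come from a session
that entered the password and carry the session's request token; otherwise
the user is redirected to the password form.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

OUR_ORIGIN = "https://cloud.example.org"  # assumed origin of the Nextcloud instance


@dataclass
class ShareInfo:
    token: str                # public share token from the URL
    password_protected: bool


@dataclass
class Session:
    # share tokens whose password this browser session has already entered
    unlocked_shares: set = field(default_factory=set)
    # per-session secret from which the request token is derived (assumed scheme)
    csrf_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def request_token(self) -> str:
        """Token the share page embeds in requests it issues itself."""
        return hmac.new(self.csrf_secret, b"requesttoken", hashlib.sha256).hexdigest()


@dataclass
class Request:
    share_token: str
    headers: dict  # constructed headers for the example


def passes_csrf_check(session: Session, request: Request) -> bool:
    """A third-party site cannot read the session's token, so it cannot supply it."""
    supplied = request.headers.get("requesttoken")
    if supplied is None:
        return False
    return hmac.compare_digest(supplied, session.request_token())


def authorize_skipping_check(share: ShareInfo, session: Session, request: Request):
    """The 'check removed everywhere' variant: any cross-site link is served
    as long as the session has unlocked the share. This is the CSRF the
    commit message warns about."""
    if not share.password_protected or share.token in session.unlocked_shares:
        return ("serve", None)
    return ("redirect", f"{OUR_ORIGIN}/s/{share.token}")


def authorize(share: ShareInfo, session: Session, request: Request):
    """Return ('serve', None) or ('redirect', url) for the given request."""
    if not share.password_protected:
        # Nothing to protect: let links from GitHub comments etc. work directly.
        return ("serve", None)
    if share.token in session.unlocked_shares and passes_csrf_check(session, request):
        return ("serve", None)
    # Password never entered, or the request came from another site against an
    # unlocked session: send the user to the password form rather than failing.
    return ("redirect", f"{OUR_ORIGIN}/s/{share.token}")


def demo() -> dict:
    """Three constructed requests against a session that already unlocked the share."""
    protected = ShareInfo("pqLWcA269zfzXez", password_protected=True)  # token from the commit message's example URL
    public = ShareInfo("openshare1", password_protected=False)  # constructed
    session = Session(unlocked_shares={protected.token})

    cross_site = Request(protected.token, {"Referer": "https://github.com/"})
    same_site = Request(protected.token, {"requesttoken": session.request_token()})
    anon_public = Request(public.token, {"Referer": "https://github.com/"})

    return {
        "cross_site_protected_unchecked": authorize_skipping_check(protected, session, cross_site),
        "cross_site_protected": authorize(protected, session, cross_site),
        "same_site_protected": authorize(protected, session, same_site),
        "cross_site_public": authorize(public, session, anon_public),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The redirect deliberately goes to the share's landing page rather than back to the `?accept=zip` download URL, which is the limitation the commit message's warning describes: after the password form the user lands on the main share view, not on the direct download.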
@backportbot backportbot bot requested review from artonge, skjnldsv and susnux May 22, 2025 08:30
@backportbot backportbot bot added bug 3. to review Waiting for reviews feature: sharing feature: dav php Pull requests that update Php code labels May 22, 2025
@backportbot backportbot bot added this to the Nextcloud 31.0.6 milestone May 22, 2025
@susnux susnux merged commit c85f6a6 into stable31 May 22, 2025
197 of 199 checks passed
@susnux susnux deleted the backport/52810/stable31 branch May 22, 2025 11:36
@nextcloud-bot nextcloud-bot mentioned this pull request Jun 4, 2025
@TomKamin1

THANK YOU.
