From 208928cd695a568f37c258fc919e816bc94168af Mon Sep 17 00:00:00 2001 From: rtoth Date: Fri, 4 Feb 2022 16:27:28 +0000 Subject: [PATCH 1/2] Combine the check for API calls as from MagentaCLOUD prod and NC E2E test --- lib/base.php | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/lib/base.php b/lib/base.php index 01aa346f36c80..a78ae0f2ba20b 100644 --- a/lib/base.php +++ b/lib/base.php @@ -66,6 +66,7 @@ use OCP\EventDispatcher\IEventDispatcher; use OCP\Group\Events\UserRemovedEvent; use OCP\ILogger; +use OCP\IRequest; use OCP\Server; use OCP\Share; use OC\Encryption\HookManager; @@ -414,8 +415,22 @@ private static function printUpgradePage(\OC\SystemConfig $systemConfig) { $tmpl->printPage(); } - public static function initSession() { - if (self::$server->getRequest()->getServerProtocol() === 'https') { + public static function initSession(): void { + $request = Server::get(IRequest::class); + + // TODO: Temporary disabled again to solve issues with CalDAV/CardDAV clients like DAVx5 that use cookies + // TODO: See https://github.com/nextcloud/server/issues/37277#issuecomment-1476366147 and the other comments + // TODO: for further information. + // MagentaCLOUD stays with original version of the solution from production + $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || + strpos($request->getRequestUri(), '/remote.php/webdav') === 0; + if ($request->getHeader('Authorization') !== '' && $isDavRequest && !isset($_COOKIE['nc_session_id'])) { + // Do not initialize the session if a request is authenticated directly + // unless there is a session cookie already sent along + return; + } + + if ($request->getServerProtocol() === 'https') { ini_set('session.cookie_secure', 'true'); } From 311ff80b19e99d5c5fe30dce5587b9f8167fffc3 Mon Sep 17 00:00:00 2001 
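Review bot: The early-return guard in initSession checks only `$_COOKIE['nc_session_id']`, and nothing in the hunk shows that this is the name under which the PHP session cookie is issued; if the session cookie carries a different name, a DAV client that sends both a valid session cookie and an Authorization header still skips session initialization, which is the DAVx5 symptom the TODO block above cites. Suggest deriving the cookie name from the same place the session handler configures it instead of a literal, and replacing `// unless there is a session cookie already sent along` with a comment naming which cookie is meant and why the remember-me/session distinction matters here. The two `strpos(...) === 0` prefix tests run against `getRequestUri()`, which presumably includes the web root, so on a sub-directory install `$isDavRequest` would be false and the bypass silently never applies; if that is unintended, `getPathInfo()` is the web-root-independent form, and `str_starts_with()` reads clearer than `strpos(...) === 0` where the PHP baseline allows it. initSession's body continues outside the hunk.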
From: "Bernd.Rederlechner@t-systems.com" Date: Fri, 21 Jul 2023 17:19:27 +0200 Subject: [PATCH 2/2] Changes for PR28311 required only up to stable25 --- apps/files/lib/Controller/ViewController.php | 1 + lib/private/Authentication/TwoFactorAuth/Manager.php | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apps/files/lib/Controller/ViewController.php b/apps/files/lib/Controller/ViewController.php index cfbc9afce2b07..046eb44420629 100644 --- a/apps/files/lib/Controller/ViewController.php +++ b/apps/files/lib/Controller/ViewController.php @@ -158,6 +158,7 @@ protected function getStorageInfo() { /** * @NoCSRFRequired * @NoAdminRequired + * @UseSession * * @param string $fileid * @return TemplateResponse|RedirectResponse diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php index 66e7c090e4200..b5552d8c5de0b 100644 --- a/lib/private/Authentication/TwoFactorAuth/Manager.php +++ b/lib/private/Authentication/TwoFactorAuth/Manager.php @@ -42,6 +42,7 @@ use OCP\IConfig; use OCP\ISession; use OCP\IUser; +use OCP\Session\Exceptions\SessionNotAvailableException; use Psr\Log\LoggerInterface; use Symfony\Component\EventDispatcher\EventDispatcherInterface; use Symfony\Component\EventDispatcher\GenericEvent; @@ -362,7 +363,7 @@ public function needsSecondFactor(IUser $user = null): bool { $this->session->set(self::SESSION_UID_DONE, $user->getUID()); return false; } - } catch (InvalidTokenException $e) { + } catch (InvalidTokenException|SessionNotAvailableException $e) { } }