Properly check for empty basic auth when trying to log in a user on CORS annotated endpoints

juliusknorr · juliusknorr · commit b801d2765868 · 2020-02-07T16:03:55.000+01:00
Signed-off-by: Julius Härtl &lt;jus@bitgrid.net&gt;
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -95,7 +95,7 @@ public function beforeController($controller, $methodName) {
 			}
 			$this->session->logout();
 			try {
-				if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
+				if (!empty($user) && !empty($pass) && !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
 					throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
 				}
 			} catch (PasswordLoginForbiddenException $ex) {

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ public function beforeController($controller, $methodName) {`
`95`	`95`	`}`
`96`	`96`	`$this->session->logout();`
`97`	`97`	`try {`
`98`		`- if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {`
	`98`	`+ if (!empty($user) && !empty($pass) && !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {`
`99`	`99`	`throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);`
`100`	`100`	`}`
`101`	`101`	`} catch (PasswordLoginForbiddenException $ex) {`