@susnux (Contributor) commented Mar 13, 2025

Summary

Safe methods (and idempotent) do not need CSRF protection - especially as HEAD is basically a GET without a body.

@susnux susnux added this to the Nextcloud 32 milestone Mar 13, 2025
@susnux susnux requested a review from a team as a code owner March 13, 2025 11:06
@susnux susnux requested review from artonge, come-nc, provokateurin and sorbaugh and removed request for a team and sorbaugh March 13, 2025 11:06
// GET requires no check at all
if ($this->request->getMethod() === 'GET') {

$methodsWithoutCsrf = ['GET', 'HEAD', 'OPTIONS'];
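Review bot: the comment `// GET requires no check at all` above the old `=== 'GET'` test is stale once `$methodsWithoutCsrf = ['GET', 'HEAD', 'OPTIONS']` is introduced; if it survives the change, reword it to say that safe methods (GET, HEAD, OPTIONS) need no check. The membership test that replaces the `=== 'GET'` comparison is not in view here; it should be `in_array($this->request->getMethod(), $methodsWithoutCsrf, true)` so that the comparison stays strict and case-sensitive like the original, since HTTP method names are case-sensitive and a lower-case "get" should not be treated as a safe method.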
Member:

A HEAD request is turned into a GET request by the web server, so PHP will never see any HEAD requests.

Contributor:

Is that true for all webserver configurations?

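The following is an added example written for this page; it is not Nextcloud's code and not taken from the PR. It shows the gate the diff sketches: a CSRF check that is skipped only for the safe methods GET, HEAD and OPTIONS, with a strict, case-sensitive method comparison, and that still requires the token for everything else (including WebDAV methods such as PROPFIND). The `Request` class is a constructed stand-in for `$this->request`, the `x-csrf-token` header name is an assumption for the example, and the code assumes PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Nextcloud code: a CSRF gate that exempts safe methods.
// RFC 9110 §9.2.1 defines GET, HEAD, OPTIONS and TRACE as safe: a conforming
// handler must not change state on them, so a cross-site forged request using
// one of them cannot cause the side effect CSRF protection exists to prevent.
// TRACE is left out because it is normally disabled at the web server.
const METHODS_WITHOUT_CSRF = ['GET', 'HEAD', 'OPTIONS'];

// Header name is an assumption for this example; real apps use their own.
const CSRF_HEADER = 'x-csrf-token';

/** Constructed stand-in for the framework's request object. */
final class Request
{
    /** @param array<string,string> $headers lower-cased header name => value */
    public function __construct(
        private readonly string $method,
        private readonly array $headers = [],
    ) {}

    public function getMethod(): string
    {
        return $this->method;
    }

    public function getHeader(string $name): string
    {
        return $this->headers[strtolower($name)] ?? '';
    }
}

/** True when the request must carry a valid CSRF token. */
function needsCsrfCheck(Request $request): bool
{
    // Strict membership test, matching the original `=== 'GET'` comparison:
    // method names are case-sensitive (RFC 9110 §9.1), so "get" or "Head"
    // is an unknown method and still gets checked.
    return !in_array($request->getMethod(), METHODS_WITHOUT_CSRF, true);
}

/** The whole gate: safe methods pass, everything else needs the token. */
function passesCsrfCheck(Request $request, string $expectedToken): bool
{
    if (!needsCsrfCheck($request)) {
        return true;
    }
    // hash_equals() compares in constant time; a missing header yields ''
    // which can never match a non-empty token.
    return hash_equals($expectedToken, $request->getHeader(CSRF_HEADER));
}

// Constructed requests exercising the gate; third column is the expected result.
$token = 'constructed-session-token';
$cases = [
    ['GET',      [],                      true],
    ['HEAD',     [],                      true],   // the case this PR fixes
    ['OPTIONS',  [],                      true],
    ['POST',     [],                      false],
    ['POST',     [CSRF_HEADER => $token], true],
    ['PROPFIND', [],                      false],  // WebDAV: not in the exempt list
    ['get',      [],                      false],  // lower-case is not GET
];

foreach ($cases as [$method, $headers, $expected]) {
    $result = passesCsrfCheck(new Request($method, $headers), $token);
    printf("%-8s %-7s %s\n", $method, $result ? 'allowed' : 'blocked',
        $result === $expected ? 'ok' : 'UNEXPECTED');
}
```

Run it with `php example.php`; every row should print `ok`. To settle, for a particular deployment, the question the thread leaves open (whether PHP receives HEAD as HEAD or as GET), a one-line probe script such as `<?php header('X-Seen-Method: ' . $_SERVER['REQUEST_METHOD']);` requested with `curl -I` reports in the response headers which method the PHP SAPI actually saw.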
@susnux susnux merged commit 2e60c09 into master Mar 17, 2025
206 of 214 checks passed
@susnux susnux deleted the fix/dav-csrf branch March 17, 2025 17:18
@nextcloud-bot nextcloud-bot mentioned this pull request Aug 19, 2025
@skjnldsv skjnldsv modified the milestones: Nextcloud 32, Nextcloud 33 Sep 28, 2025

Successfully merging this pull request may close these issues.

CSRF is not skipped for HEAD requests

6 participants