From 8b0a3a774d87d775ef345faf427ef244aff29b76 Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Mon, 23 Jun 2025 18:13:39 +0200
Subject: [PATCH] fix: throw a better error if we don't get an authorization header for secutity confirmation
Signed-off-by: Robin Appelman
---
 .../Middleware/Security/Exceptions/NotConfirmedException.php | 4 ++--
 .../Middleware/Security/PasswordConfirmationMiddleware.php | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php b/lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php
index 7e950f2c97636..edf25c2cbe7a6 100644
--- a/lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php
+++ b/lib/private/AppFramework/Middleware/Security/Exceptions/NotConfirmedException.php
@@ -14,7 +14,7 @@
  * @package OC\AppFramework\Middleware\Security\Exceptions
  */
 class NotConfirmedException extends SecurityException {
-	public function __construct() {
-		parent::__construct('Password confirmation is required', Http::STATUS_FORBIDDEN);
+	public function __construct(string $message = 'Password confirmation is required') {
+		parent::__construct($message, Http::STATUS_FORBIDDEN);
 	}
 }
diff --git a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
index d00840084a32b..e65fe94d60814 100644
--- a/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/PasswordConfirmationMiddleware.php
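Review bot: The new `$message` parameter on `__construct` has no docblock, and since it is handed straight to `parent::__construct` as the exception message it is presumably what the client sees with the 403 status, so the constraint on its content should be stated where callers will read it. Add above the constructor: `/** @param string $message Reason reported to the client with STATUS_FORBIDDEN; keep it generic and never include credentials, header contents or internal details. */`. The default value keeps existing `new NotConfirmedException()` call sites unchanged.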
@@ -79,6 +79,9 @@ public function beforeController(Controller $controller, string $methodName) {
 		if ($this->isPasswordConfirmationStrict($reflectionMethod)) {
 			$authHeader = $this->request->getHeader('Authorization');
+			if (!str_starts_with(strtolower($authHeader), 'basic ')) {
+				throw new NotConfirmedException('Required authorization header missing');
+			}
 			[, $password] = explode(':', base64_decode(substr($authHeader, 6)), 2);
 			$loginName = $this->session->get('loginname');
 			$loginResult = $this->userManager->checkPassword($loginName, $password);