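/**
 * This is being run after a successful controller method call and allows
 * the manipulation of a Response object. The middleware is run in reverse order.
 *
 * For API requests (controller method carrying the API annotation) that send
 * an Origin header, the request's Origin is reflected back in
 * Access-Control-Allow-Origin. Reflecting an arbitrary origin is only safe
 * when credentials are NOT allowed: a reflected origin combined with
 * Access-Control-Allow-Credentials: true lets any site make authenticated
 * cross-origin calls (CSRF). A response that already carries that header set
 * to true is therefore rejected rather than silently downgraded, and the
 * comparison is done on the normalised (lower-cased, trimmed) name and value
 * so a differently spelled duplicate cannot slip past the check.
 *
 * @param Controller $controller the controller that is being called
 * @param string $methodName the name of the method that will be called on
 *                           the controller
 * @param Response $response the generated response from the controller
 * @return Response a Response object
 * @throws \OC\AppFramework\Middleware\Security\SecurityException if the
 *         response already allows credentials on a CORS request
 */
public function afterController($controller, $methodName, Response $response) {
    $annotationReader = new MethodAnnotationReader($controller, $methodName);

    // only react if its an API request and if the request sends origin
    if (!isset($this->request->server['HTTP_ORIGIN'])
        || !$annotationReader->hasAnnotation('API')) {
        return $response;
    }

    // HTTP header names are case-insensitive and the Response keeps whatever
    // spelling the controller used, so normalise before comparing.
    foreach ($response->getHeaders() as $name => $value) {
        if (strtolower(trim($name)) === 'access-control-allow-credentials'
            && strtolower(trim((string)$value)) === 'true') {
            throw new \OC\AppFramework\Middleware\Security\SecurityException(
                'Access-Control-Allow-Credentials must not be set to true in order to prevent CSRF'
            );
        }
    }

    $origin = $this->request->server['HTTP_ORIGIN'];
    $response->addHeader('Access-Control-Allow-Origin', $origin);
    $response->addHeader('Access-Control-Allow-Credentials', 'false');
    // NOTE(review): since the origin is reflected, a shared cache should see
    // `Vary: Origin`; not added here to avoid clobbering a Vary header the
    // controller may already have set.
    return $response;
}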
/**
 * Builds the answer to a CORS preflight (OPTIONS) request; point the OPTIONS
 * route of your CORS-enabled endpoints at this method.
 *
 * The request's Origin is echoed back in Access-Control-Allow-Origin ("*"
 * when the request sent no Origin) and credentials are explicitly disallowed,
 * so the reflected origin cannot be used for authenticated cross-site calls.
 * Allowed methods, max-age and allowed headers come from the corresponding
 * properties of the controller.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @PublicPage
 * @since 7.0.0
 * @return Response the preflight response
 */
public function preflightedCors() {
    $allowedOrigin = '*';
    if (isset($this->request->server['HTTP_ORIGIN'])) {
        $allowedOrigin = $this->request->server['HTTP_ORIGIN'];
    }

    $corsHeaders = array(
        'Access-Control-Allow-Origin' => $allowedOrigin,
        'Access-Control-Allow-Methods' => $this->corsMethods,
        'Access-Control-Max-Age' => $this->corsMaxAge,
        'Access-Control-Allow-Headers' => $this->corsAllowedHeaders,
        // never "true": the origin above is reflected, not whitelisted
        'Access-Control-Allow-Credentials' => 'false',
    );

    $preflight = new Response();
    foreach ($corsHeaders as $headerName => $headerValue) {
        $preflight->addHeader($headerName, $headerValue);
    }
    return $preflight;
}
/**
 * Answers a cross-origin request with the CORS headers web apps on other
 * origins need to talk to the API. The request's Origin is reflected ("*"
 * when none was sent); credentials are explicitly disallowed so the
 * reflected origin cannot be combined with the user's session.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @PublicPage
 * @return Response the CORS response
 */
public function cors() {
    // needed for webapps access due to cross origin request policy
    $requestOrigin = isset($this->request->server['HTTP_ORIGIN'])
        ? $this->request->server['HTTP_ORIGIN']
        : '*';

    $corsResponse = new Response();
    $corsResponse->addHeader('Access-Control-Allow-Origin', $requestOrigin);
    $corsResponse->addHeader('Access-Control-Allow-Methods', 'PUT, POST, GET, DELETE');
    $corsResponse->addHeader('Access-Control-Allow-Credentials', 'false');
    // 1728000 seconds = 20 days of preflight caching
    $corsResponse->addHeader('Access-Control-Max-Age', '1728000');
    $corsResponse->addHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type');
    return $corsResponse;
}
/**
 * A response that already allows credentials must be rejected by the CORS
 * middleware: reflecting the Origin together with credentials would let any
 * site perform authenticated cross-origin requests. The header is written in
 * mixed case with trailing whitespace to exercise the normalised comparison.
 *
 * @CORS
 * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
 */
public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
    $serverVars = ['HTTP_ORIGIN' => 'test'];
    $corsRequest = new Request(
        ['server' => $serverVars],
        $this->getMock('\\OCP\\Security\\ISecureRandom'),
        $this->getMock('\\OCP\\IConfig')
    );
    $this->reflector->reflect($this, __FUNCTION__);
    $corsMiddleware = new CORSMiddleware($corsRequest, $this->reflector, $this->session);

    $controllerResponse = new Response();
    $controllerResponse->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');

    // expected to throw SecurityException (see @expectedException above)
    $corsMiddleware->afterController($this, __FUNCTION__, $controllerResponse);
}
/**
 * The CORS middleware must refuse a response that already allows credentials,
 * since reflected Origin + credentials would enable authenticated cross-site
 * requests. Mixed case and trailing whitespace in the header name check that
 * the middleware compares the normalised name.
 *
 * @CORS
 * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
 */
public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
    $serverVars = array('HTTP_ORIGIN' => 'test');
    $corsRequest = new Request(array('server' => $serverVars));
    $this->reflector->reflect($this, __FUNCTION__);
    $corsMiddleware = new CORSMiddleware($corsRequest, $this->reflector);

    $controllerResponse = new Response();
    $controllerResponse->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');

    // expected to throw SecurityException (see @expectedException above)
    $corsMiddleware->afterController($this, __FUNCTION__, $controllerResponse);
}
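/**
 * This is being run after a successful controller method call and allows
 * the manipulation of a Response object. The middleware is run in reverse order.
 *
 * For CORS-annotated controller methods that receive an Origin header, the
 * request's Origin is reflected back in Access-Control-Allow-Origin. Because
 * the origin is reflected rather than whitelisted, the response must never
 * allow credentials — otherwise any site could make authenticated
 * cross-origin requests (CSRF) — so such a response is rejected.
 *
 * Both the header name and value are trimmed and lower-cased before the
 * comparison, so the check does not depend on the Response normalising
 * names on addHeader() (e.g. 'AcCess-control-Allow-Credentials ' with
 * trailing whitespace is still caught).
 *
 * @param Controller $controller the controller that is being called
 * @param string $methodName the name of the method that will be called on
 *                           the controller
 * @param Response $response the generated response from the controller
 * @return Response a Response object
 * @throws SecurityException if the response allows credentials on a CORS request
 */
public function afterController($controller, $methodName, Response $response) {
    // only react if its a CORS request and if the request sends origin and
    if (!isset($this->request->server['HTTP_ORIGIN'])
        || !$this->reflector->hasAnnotation('CORS')) {
        return $response;
    }

    // allow credentials headers must not be true or CSRF is possible
    // otherwise
    $hasVary = false;
    foreach ($response->getHeaders() as $header => $value) {
        $name = strtolower(trim($header));
        if ($name === 'access-control-allow-credentials'
            && strtolower(trim((string)$value)) === 'true') {
            $msg = 'Access-Control-Allow-Credentials must not be ' .
                   'set to true in order to prevent CSRF';
            throw new SecurityException($msg);
        }
        if ($name === 'vary') {
            $hasVary = true;
        }
    }

    $origin = $this->request->server['HTTP_ORIGIN'];
    $response->addHeader('Access-Control-Allow-Origin', $origin);
    // The response now differs per Origin; tell shared caches so one
    // origin's Allow-Origin is not served to another. Left untouched when
    // the controller already set Vary, to avoid clobbering it.
    if (!$hasVary) {
        $response->addHeader('Vary', 'Origin');
    }
    return $response;
}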
/**
 * Passing null as the value to addHeader() must remove a previously set
 * header instead of keeping it with an empty value.
 */
public function testAddHeaderValueNullDeletesIt() {
    $headerName = 'hello';
    $this->childResponse->addHeader($headerName, 'world');
    $this->childResponse->addHeader($headerName, null);

    $remainingHeaders = $this->childResponse->getHeaders();
    // exactly one header is left — presumably the fixture's default header
    $this->assertCount(1, $remainingHeaders);
}
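/**
 * Proxies a remote image for web apps that cannot fetch it directly.
 *
 * The target URL arrives base64-encoded in $hash. Because the server fetches
 * whatever URL it is handed, this endpoint is an SSRF surface: only http(s)
 * URLs whose host does not resolve to a loopback/private/reserved address are
 * fetched, the body is downloaded exactly once via getURL(), and the image
 * type is detected from the downloaded bytes instead of letting
 * getimagesize() open the URL a second time through PHP's stream wrappers.
 * Anything that is not a recognised image (or that ImageMagick refuses) is
 * answered with a small static placeholder SVG, served once and with its
 * own Content-Type.
 *
 * Fixed along the way: the response is no longer marked 304 (a 304 must not
 * carry a body, and this one does), the placeholder was echoed twice on an
 * ImageMagick failure, the non-ImageMagick branch replaced the image with
 * the placeholder, `catch (exception)` would not match \Exception in a
 * namespaced file, and the temp file was never removed.
 *
 * As in the original, the body is echoed directly; the returned Response only
 * carries status and headers.
 *
 * @param string $hash base64-encoded absolute URL of the image
 * @return Response response with Content-Type and cache headers
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 */
public function imageproxy($hash) {
    $response = new Response();
    $url = base64_decode($hash);

    if ($url === false || !$this->isFetchableImageUrl($url)) {
        // was die('Not a valid URL'); keep the message, but answer properly
        $response->setStatus(400);
        echo 'Not a valid URL';
        return $response;
    }

    // A proxy result may be cached for 90 days.
    $response->cacheFor(60 * 60 * 24 * 90);

    $body = $this->getURL($url);
    $mime = $this->detectImageMime($body);

    if ($mime !== null && $this->imageLooksValid($body, $url)) {
        $response->addHeader('Content-Type', $mime);
        echo $body;
        return $response;
    }

    $response->addHeader('Content-Type', 'image/svg+xml');
    echo $this->placeholderSvg();
    return $response;
}

/**
 * Whether $url may be fetched by the proxy: syntactically a URL, http or https
 * only (filter_var() alone accepts file://, ftp://, gopher:// ...), and its
 * host must not resolve to a loopback/private/reserved address (internal
 * hosts, link-local metadata services).
 *
 * NOTE(review): the host is resolved here and again by the real fetch, so a
 * DNS-rebinding attacker can still race this check; pinning the resolved
 * address inside getURL() would close that gap. gethostbyname() is IPv4-only,
 * so IPv6-only hosts are rejected.
 *
 * @param string $url
 * @return bool
 */
private function isFetchableImageUrl($url) {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }

    $host = trim($parts['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $address = $host;
    } else {
        $address = gethostbyname($host);
        if ($address === $host) {
            // gethostbyname() echoes the name back when resolution fails
            return false;
        }
    }

    $publicOnly = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($address, FILTER_VALIDATE_IP, $publicOnly) !== false;
}

/**
 * MIME type of an image from its bytes (e.g. "image/png"), or null when PHP
 * does not recognise the data as an image. Works on the downloaded data so the
 * URL is never opened a second time.
 *
 * @param string|false $body downloaded response body
 * @return string|null
 */
private function detectImageMime($body) {
    if (!is_string($body) || $body === '') {
        return null;
    }
    $info = getimagesizefromstring($body);
    if ($info === false || empty($info['mime'])) {
        return null;
    }
    if (!preg_match('/image\\/(.*)/', $info['mime'], $match)) {
        return null;
    }
    return $match[0];
}

/**
 * Second opinion from ImageMagick when the extension is available; without it
 * the getimagesizefromstring() check is all we have and the image is served.
 * The data goes through a temp file because the original handed Imagick a
 * path (with the "ico:" coder hint for .ico URLs); the file is always removed.
 *
 * NOTE(review): feeding attacker-chosen bytes to ImageMagick is itself a known
 * risk (coder exploits); a restrictive policy.xml on the server is advised.
 *
 * @param string $body image bytes
 * @param string $url source URL, only used for the .ico hint
 * @return bool
 */
private function imageLooksValid($body, $url) {
    if (!extension_loaded('imagick') && !class_exists('Imagick')) {
        return true;
    }

    $tmpFile = tempnam(sys_get_temp_dir(), 'imageProxy');
    if ($tmpFile === false) {
        return false;
    }
    if (file_put_contents($tmpFile, $body) === false) {
        unlink($tmpFile);
        return false;
    }

    $coderHint = strpos($url, '.ico') !== false ? 'ico:' : '';
    try {
        $image = new \Imagick($coderHint . $tmpFile);
        $valid = $image->valid();
        $image->clear();
    } catch (\Exception $e) {
        $valid = false;
    }
    unlink($tmpFile);
    return $valid;
}

/**
 * The static placeholder returned when the target is not a usable image.
 *
 * @return string SVG document
 */
private function placeholderSvg() {
    return '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
        . '<!DOCTYPE svg PUBLIC \'-//W3C//DTD SVG 1.1//EN\' \'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\'>'
        . '<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" height="16px" width="16px" version="1.1" y="0px" x="0px" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 71 100">'
        . '<path d="m65.5 45v-15c0-16.542-13.458-30-30-30s-30 13.458-30 30v15h-5.5v55h71v-55h-5.5zm-52-15c0-12.131 9.869-22 22-22s22 9.869 22 22v15h-44v-15z"/>'
        . '</svg>';
}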