 /**
  * Runs after the controller method succeeded and may adjust its Response.
  * Middlewares execute this hook in reverse registration order.
  *
  * Only methods carrying the API annotation are touched, and only when the
  * request sends an Origin header: that origin is reflected verbatim into
  * Access-Control-Allow-Origin, and Access-Control-Allow-Credentials is set
  * to 'false' so the reflected origin is never combined with credentials.
  *
  * @param Controller $controller the controller that is being called
  * @param string $methodName the name of the method that will be called on
  *                           the controller
  * @param Response $response the generated response from the controller
  * @return Response a Response object
  */
 public function afterController($controller, $methodName, Response $response)
 {
     $reader = new MethodAnnotationReader($controller, $methodName);
     $server = $this->request->server;
     // nothing to do for non-API calls or requests without an Origin header
     $isApiCrossOrigin = isset($server['HTTP_ORIGIN']) && $reader->hasAnnotation('API');
     if (!$isApiCrossOrigin) {
         return $response;
     }
     $corsHeaders = [
         'Access-Control-Allow-Origin' => $server['HTTP_ORIGIN'],
         'Access-Control-Allow-Credentials' => 'false',
     ];
     foreach ($corsHeaders as $name => $value) {
         $response->addHeader($name, $value);
     }
     return $response;
 }
 /**
  * Builds the response for a CORS preflight (OPTIONS) request, so that an
  * options route can be pointed at this method.
  *
  * The requesting Origin is echoed back when present, otherwise '*' is
  * used. Allowed methods, allowed headers and max-age come from this
  * class's cors* properties; credentials are explicitly disallowed.
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  * @PublicPage
  * @since 7.0.0
  * @return Response
  */
 public function preflightedCors()
 {
     $server = $this->request->server;
     $origin = isset($server['HTTP_ORIGIN']) ? $server['HTTP_ORIGIN'] : '*';
     // order matches the order in which the headers are added
     $corsHeaders = [
         'Access-Control-Allow-Origin' => $origin,
         'Access-Control-Allow-Methods' => $this->corsMethods,
         'Access-Control-Max-Age' => $this->corsMaxAge,
         'Access-Control-Allow-Headers' => $this->corsAllowedHeaders,
         'Access-Control-Allow-Credentials' => 'false',
     ];
     $response = new Response();
     foreach ($corsHeaders as $name => $value) {
         $response->addHeader($name, $value);
     }
     return $response;
 }
 /**
  * Answers a CORS preflight request with fixed, hard-coded values so that
  * web apps on other origins can reach this controller.
  *
  * The requesting Origin is echoed back when present, otherwise '*' is
  * used; credentials are explicitly disallowed.
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  * @PublicPage
  * @return Response
  */
 public function cors()
 {
     $server = $this->request->server;
     $origin = isset($server['HTTP_ORIGIN']) ? $server['HTTP_ORIGIN'] : '*';
     // order matches the order in which the headers are added
     $corsHeaders = [
         'Access-Control-Allow-Origin' => $origin,
         'Access-Control-Allow-Methods' => 'PUT, POST, GET, DELETE',
         'Access-Control-Allow-Credentials' => 'false',
         'Access-Control-Max-Age' => '1728000',
         'Access-Control-Allow-Headers' => 'Authorization, Content-Type',
     ];
     $response = new Response();
     foreach ($corsHeaders as $name => $value) {
         $response->addHeader($name, $value);
     }
     return $response;
 }
 /**
  * The middleware must refuse a CORS response that already allows
  * credentials: reflecting the origin together with credentials would
  * open the API to CSRF. The header is written with mixed-case name,
  * trailing whitespace and an upper-case value so that the check has to
  * normalise both name and value before comparing.
  *
  * @CORS
  * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
  */
 public function testCorsIgnoredIfWithCredentialsHeaderPresent()
 {
     $serverVars = ['HTTP_ORIGIN' => 'test'];
     $request = new Request(
         ['server' => $serverVars],
         $this->getMock('\\OCP\\Security\\ISecureRandom'),
         $this->getMock('\\OCP\\IConfig')
     );
     $this->reflector->reflect($this, __FUNCTION__);
     $middleware = new CORSMiddleware($request, $this->reflector, $this->session);

     $response = new Response();
     $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
     // expected to throw the SecurityException declared above
     $middleware->afterController($this, __FUNCTION__, $response);
 }
 /**
  * The middleware must refuse a CORS response that already allows
  * credentials: reflecting the origin together with credentials would
  * open the API to CSRF. The header is written with mixed-case name,
  * trailing whitespace and an upper-case value so that the check has to
  * normalise both name and value before comparing.
  *
  * @CORS
  * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
  */
 public function testCorsIgnoredIfWithCredentialsHeaderPresent()
 {
     $serverVars = ['HTTP_ORIGIN' => 'test'];
     $request = new Request(['server' => $serverVars]);
     $this->reflector->reflect($this, __FUNCTION__);
     $middleware = new CORSMiddleware($request, $this->reflector);

     $response = new Response();
     $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
     // expected to throw the SecurityException declared above
     $response = $middleware->afterController($this, __FUNCTION__, $response);
 }
 /**
  * Runs after the controller method succeeded and may adjust its Response.
  * Middlewares execute this hook in reverse registration order.
  *
  * Only CORS-annotated methods are touched, and only when the request
  * sends an Origin header. Before the origin is reflected into
  * Access-Control-Allow-Origin, every response header is inspected: a
  * credentials header whose value is 'true' (compared case-insensitively
  * after trimming) aborts with a SecurityException, because a reflected
  * origin combined with credentials would make CSRF possible.
  *
  * @param Controller $controller the controller that is being called
  * @param string $methodName the name of the method that will be called on
  *                           the controller
  * @param Response $response the generated response from the controller
  * @return Response a Response object
  * @throws SecurityException when Access-Control-Allow-Credentials is true
  */
 public function afterController($controller, $methodName, Response $response)
 {
     $server = $this->request->server;
     $isCorsRequest = isset($server['HTTP_ORIGIN']) && $this->reflector->hasAnnotation('CORS');
     if (!$isCorsRequest) {
         return $response;
     }

     // refuse to combine a reflected origin with credentials; header names
     // and values are normalised so that case or padding cannot bypass it
     foreach ($response->getHeaders() as $name => $value) {
         $isCredentialsHeader = strtolower($name) === 'access-control-allow-credentials';
         if ($isCredentialsHeader && strtolower(trim($value)) === 'true') {
             throw new SecurityException(
                 'Access-Control-Allow-Credentials must not be set to true in order to prevent CSRF'
             );
         }
     }

     $response->addHeader('Access-Control-Allow-Origin', $server['HTTP_ORIGIN']);
     return $response;
 }
 /**
  * Passing null as the value must remove a header that was added earlier;
  * afterwards exactly one header (presumably a default one) remains.
  */
 public function testAddHeaderValueNullDeletesIt()
 {
     $response = $this->childResponse;
     $response->addHeader('hello', 'world');
     $response->addHeader('hello', null);

     $remaining = $response->getHeaders();
     $this->assertEquals(1, count($remaining));
 }
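 /**
  * Serves a remote image through this server so web apps can load it
  * without being blocked by the browser's cross-origin policy.
  *
  * The target URL arrives base64-encoded in $hash and is user-controlled,
  * so before any network access it must parse as a URL with an http(s)
  * scheme; anything else aborts the request. The content is fetched once,
  * its MIME type is read from the bytes themselves and, when Imagick is
  * available, the file is parsed once as a sanity check. If the content is
  * not an image, cannot be parsed, or Imagick is not installed, a small
  * inline SVG placeholder is emitted instead of the fetched bytes, and no
  * image Content-Type is advertised for it.
  *
  * NOTE(review): a scheme allowlist does not stop requests to hosts on the
  * server's internal network (SSRF); that restriction belongs in getURL()
  * or at the network layer — confirm what getURL() enforces.
  *
  * @NoAdminRequired
  * @NoCSRFRequired
  * @param string $hash base64-encoded URL of the image to proxy
  * @return Response carries status and caching headers; the body is echoed
  *                  directly, as in the previous implementation
  */
 public function imageproxy($hash)
 {
     $url = base64_decode($hash);
     if (filter_var($url, FILTER_VALIDATE_URL) === false) {
         die('Not a valid URL');
     }
     // FILTER_VALIDATE_URL also accepts file://, ftp:// and other schemes;
     // an image proxy only needs http(s)
     $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
     if ($scheme !== 'http' && $scheme !== 'https') {
         die('Not a valid URL');
     }

     $response = new Response();
     // NOTE(review): 304 together with an echoed body is kept from the
     // original; confirm the status the dispatcher is expected to send here
     $response->setStatus(304);
     $response->cacheFor(60 * 60 * 24 * 90);

     $body = $this->placeholderSvg();
     $fetched = $this->getURL($url);
     $mime = $this->imageMimeType($fetched);
     // only relay the fetched bytes when they look like an image AND a real
     // decoder accepted them; otherwise the placeholder is served
     if ($mime !== null && $this->imagickCanParse($fetched, $url)) {
         $response->addHeader('Content-Type', $mime);
         $body = $fetched;
     }
     echo $body;
     return $response;
 }

 /**
  * Returns the MIME type of $bytes when they decode as an image, else null.
  *
  * The type is taken from the content rather than from a second request
  * to the remote URL, so the advertised Content-Type always matches what
  * is actually relayed.
  *
  * @param string|false $bytes raw content as returned by getURL()
  * @return string|null e.g. 'image/png'
  */
 private function imageMimeType($bytes)
 {
     if (!is_string($bytes) || $bytes === '') {
         return null;
     }
     $info = getimagesizefromstring($bytes);
     if ($info === false || !isset($info['mime']) || strpos($info['mime'], 'image/') !== 0) {
         return null;
     }
     return $info['mime'];
 }

 /**
  * Writes $bytes to a temporary file and asks Imagick to parse it.
  *
  * Returns false when Imagick is unavailable or rejects the content, so
  * the caller falls back to the placeholder rather than relaying bytes
  * that no image decoder accepted. The temporary file is always removed.
  *
  * NOTE(review): Imagick decodes untrusted content here; this relies on
  * the host's ImageMagick policy being restrictive.
  *
  * @param string $bytes fetched content
  * @param string $url   source URL, used only to detect .ico favicons
  * @return bool
  */
 private function imagickCanParse($bytes, $url)
 {
     if (!extension_loaded('imagick') && !class_exists('Imagick')) {
         return false;
     }
     $tmp = tempnam(sys_get_temp_dir(), 'imageProxy');
     if ($tmp === false) {
         return false;
     }
     $parsed = false;
     if (file_put_contents($tmp, $bytes) !== false) {
         try {
             // ImageMagick needs the explicit "ico:" prefix for favicons
             $prefix = strpos($url, '.ico') !== false ? 'ico:' : '';
             $image = new \Imagick($prefix . $tmp);
             $parsed = $image->valid();
             $image->clear();
         } catch (\Exception $e) {
             // fully qualified on purpose: an unqualified "exception" inside
             // a namespace would never match ImagickException
             $parsed = false;
         }
     }
     unlink($tmp);
     return $parsed;
 }

 /**
  * Inline 16x16 SVG emitted whenever the remote content cannot be served.
  *
  * @return string
  */
 private function placeholderSvg()
 {
     return '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
         . '<!DOCTYPE svg  PUBLIC \'-//W3C//DTD SVG 1.1//EN\'  \'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\'>'
         . '<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" height="16px" width="16px" version="1.1" y="0px" x="0px" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 71 100">'
         . '<path d="m65.5 45v-15c0-16.542-13.458-30-30-30s-30 13.458-30 30v15h-5.5v55h71v-55h-5.5zm-52-15c0-12.131 9.869-22 22-22s22 9.869 22 22v15h-44v-15z"/>'
         . '</svg>';
 }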