Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: move csrf validation out of request #55558

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

feat: move csrf validation out of request #55558

wants to merge 1 commit into from
+380 −66

Conversation

kesselb
Copy link
Collaborator

@kesselb kesselb commented Oct 4, 2025

Summary

TODO

  • ...

Checklist

@kesselb kesselb added this to the Nextcloud 33 milestone Oct 4, 2025
@kesselb kesselb self-assigned this Oct 4, 2025
@kesselb kesselb requested a review from a team as a code owner October 4, 2025 21:20
@kesselb kesselb added the 2. developing Work in progress label Oct 4, 2025
@kesselb kesselb requested review from icewind1991 and leftybournes and removed request for a team October 4, 2025 21:20
@kesselb kesselb added the ♻️ refactor Refactor code (not a bug fix, not a feature just refactoring) label Oct 4, 2025
@kesselb kesselb requested a review from CarlSchwan October 4, 2025 21:20
@kesselb kesselb marked this pull request as draft October 4, 2025 21:21
kesselb
kesselb commented Oct 7, 2025
View reviewed changes
lib/private/Security/CSRF/CsrfValidator.php
Comment on lines +30 to +36
$token = $request->getParam('requesttoken', '');
if ($token === '') {
$token = $request->getHeader('REQUESTTOKEN');
}
if ($token === '') {
return false;
}
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is slightly different to

server/lib/private/AppFramework/Http/Request.php

Lines 449 to 458 in db3e845

if (isset($this->items['get']['requesttoken'])) {
$token = $this->items['get']['requesttoken'];
} elseif (isset($this->items['post']['requesttoken'])) {
$token = $this->items['post']['requesttoken'];
} elseif (isset($this->items['server']['HTTP_REQUESTTOKEN'])) {
$token = $this->items['server']['HTTP_REQUESTTOKEN'];
} else {
//no token found.
return false;
}

Request.php: GET, POST, SERVER

CsrfValidator.php: GET, POST, SERVER and Url Params

As the URL parameters are matched GET parameters I don't see a big issue, but it's still noteworthy for the reviewers.

@CarlSchwan
Copy link
Member

It's more of a refactoring than a new feature?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@icewind1991 icewind1991 Awaiting requested review from icewind1991 icewind1991 is a code owner automatically assigned from nextcloud/server-backend

@leftybournes leftybournes Awaiting requested review from leftybournes leftybournes is a code owner automatically assigned from nextcloud/server-backend

@CarlSchwan CarlSchwan Awaiting requested review from CarlSchwan CarlSchwan is a code owner automatically assigned from nextcloud/server-backend

At least 2 approving reviews are required to merge this pull request.

Assignees

@kesselb kesselb

Labels
2. developing Work in progress ♻️ refactor Refactor code (not a bug fix, not a feature just refactoring)
Projects
None yet
Milestone
Nextcloud 33
Development

Successfully merging this pull request may close these issues.
2 participants
@kesselb @CarlSchwan