mirror of
https://github.com/nextcloud/server.git
synced 2026-04-21 06:08:46 -04:00
009d0c550c
This currently prevent directly accessing a ressource when clicking on a link on a third party site. Example, clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment. Skipping the check is an issue with password protected shares, as it allows third party sites to request the ressource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add the it again in the `PublicAuth` plugin. We also add a redirect to be helpful to the user. **Warning**: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view. Fix #52482 Signed-off-by: Louis Chemineau <louis@chmn.me> |
||
|---|---|---|
| .. | ||
| admin_audit | ||
| cloud_federation_api | ||
| comments | ||
| contactsinteraction | ||
| dashboard | ||
| dav | ||
| encryption | ||
| federatedfilesharing | ||
| federation | ||
| files | ||
| files_external | ||
| files_reminders | ||
| files_sharing | ||
| files_trashbin | ||
| files_versions | ||
| lookup_server_connector | ||
| oauth2 | ||
| profile | ||
| provisioning_api | ||
| settings | ||
| sharebymail | ||
| systemtags | ||
| testing | ||
| theming | ||
| twofactor_backupcodes | ||
| updatenotification | ||
| user_ldap | ||
| user_status | ||
| weather_status | ||
| webhook_listeners | ||
| workflowengine | ||