Merge pull request #8459 from nextcloud/fix/image-proxy-strict-cookie…

…-check fix: Check strict cookies for image proxy
nextcloud · Jun 27, 2023 · df22103 · df22103
2 parents 610d605 + be36e3e
commit df22103
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 2 deletions.
diff --git a/lib/Controller/ProxyController.php b/lib/Controller/ProxyController.php
@@ -36,6 +36,7 @@
 use OCP\IURLGenerator;
 use Psr\Http\Client\ClientExceptionInterface;
 use Psr\Log\LoggerInterface;
+use function file_get_contents;
 
 class ProxyController extends Controller {
 	private IURLGenerator $urlGenerator;
@@ -105,6 +106,12 @@ public function proxy(string $src): ProxyDownloadResponse {
 		// close the session to allow parallel downloads
 		$this->session->close();
 
+		// If strict cookies are set it means we come from the same domain so no open redirect
+		if (!$this->request->passesStrictCookieCheck()) {
+			$content = file_get_contents(__DIR__ . '/../../img/blocked-image.png');
+			return new ProxyDownloadResponse($content, $src, 'application/octet-stream');
+		}
+
 		$client = $this->clientService->newClient();
 		try {
 			$response = $client->get($src);

diff --git a/tests/Unit/Controller/ProxyControllerTest.php b/tests/Unit/Controller/ProxyControllerTest.php
@@ -1,5 +1,7 @@
 <?php
 
+declare(strict_types=1);
+
 /**
  * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  *
@@ -156,11 +158,41 @@ public function testRedirectInvalidUrl() {
 		$this->controller->redirect('ftps://example.com');
 	}
 
-	public function testProxy() {
+	public function testProxyWithoutCookies(): void {
 		$src = 'http://example.com';
-		$httpResponse = $this->createMock(IResponse::class);
 		$content = '🐵🐵🐵';
+		$this->session->expects($this->once())
+			->method('close');
+		$client = $this->getMockBuilder(IClient::class)->getMock();
+		$this->clientService->expects(self::never())
+			->method('newClient')
+			->willReturn($client);
+		$unexpected = new ProxyDownloadResponse(
+			$content,
+			$src,
+			'application/octet-stream'
+		);
+		$this->controller = new ProxyController(
+			$this->appName,
+			$this->request,
+			$this->urlGenerator,
+			$this->session,
+			$this->clientService,
+			$this->logger
+		);
+
+		$response = $this->controller->proxy($src);
 
+		$this->assertNotEquals($unexpected, $response);
+	}
+
+	public function testProxy(): void {
+		$src = 'http://example.com';
+		$httpResponse = $this->createMock(IResponse::class);
+		$content = '🐵🐵🐵';
+		$this->request->expects(self::once())
+			->method('passesStrictCookieCheck')
+			->willReturn(true);
 		$this->session->expects($this->once())
 			->method('close');
 		$client = $this->getMockBuilder(IClient::class)->getMock();