Commit 03af86f

fix(core): Don't set samesite cookies on status.php
Fixes an issue where samesite cookies are sent on status.php before session is started; cookies with webroots other than '/' therefore have the wrong name and lead to samesite cookie validation failures.

- resolves #54227

Signed-off-by: Scott Shambarger <devel@shambarger.net>
1 parent 18351be commit 03af86f

1 file changed

+10
-4
lines changed

lib/base.php

Lines changed: 10 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -548,10 +548,11 @@ private static function performSameSiteCookieProtection(IConfig $config): void {
548548
return;
549549
}
550550

551+
$requestUri = $request->getScriptName();
552+
$processingScript = explode('/', $requestUri);
553+
$processingScript = $processingScript[count($processingScript) - 1];
554+
551555
if (count($_COOKIE) > 0) {
552-
$requestUri = $request->getScriptName();
553-
$processingScript = explode('/', $requestUri);
554-
$processingScript = $processingScript[count($processingScript) - 1];
555556

556557
if ($processingScript === 'index.php' // index.php routes are handled in the middleware
557558
|| $processingScript === 'cron.php' // and cron.php does not need any authentication at all
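Review bot: the hoisted `$processingScript` block at new lines 551-553 now runs on every request instead of only when cookies are present, and nothing in the hunk says why it moved. A one-line comment noting that the no-cookie branch further down also needs the script name would keep a later cleanup from moving it back inside `if (count($_COOKIE) > 0)`. As a style point while these lines are being touched, the `explode`/`count` pair could become a single last-segment call such as `basename($requestUri)`, provided script names never end in a slash here.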
@@ -573,7 +574,12 @@ private static function performSameSiteCookieProtection(IConfig $config): void {
573574
exit();
574575
}
575576
}
576-
} elseif (!isset($_COOKIE['nc_sameSiteCookielax']) || !isset($_COOKIE['nc_sameSiteCookiestrict'])) {
577+
} else {
578+
// Session not started for status.php, skip setting SS cookies
579+
if ($processingScript === 'status.php') {
580+
return;
581+
}
582+
// set nc_sameSiteCookielax and nc_sameSiteCookiestrict
577583
self::sendSameSiteCookies();
578584
}
579585
}
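Review bot: the `status.php` return at new lines 579-581 only covers the branch taken when the request carries no cookies, so a `status.php` request that arrives with any cookie still goes through the `count($_COOKIE) > 0` path; the visible lines do not show whether that path can also end up setting the SameSite cookies, so it is worth confirming whether it needs the same exemption. Replacing `elseif (!isset(...) || !isset(...))` with a plain `else` looks behaviour-neutral if this branch pairs with `if (count($_COOKIE) > 0)`, since neither cookie can be set when `$_COOKIE` is empty, but the commit message should say that the condition was dropped deliberately. The new comment would also read better with "SameSite" spelled out instead of "SS".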
