Properly check for empty basic auth when trying to log in a user on C…

…ORS annotated endpoints Signed-off-by: Julius Härtl <jus@bitgrid.net>
nextcloud · Feb 7, 2020 · b801d27 · b801d27
1 parent cf5b33f
commit b801d27
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -95,7 +95,7 @@ public function beforeController($controller, $methodName) {
 			}
 			$this->session->logout();
 			try {
-				if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
+				if (!empty($user) && !empty($pass) && !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
 					throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
 				}
 			} catch (PasswordLoginForbiddenException $ex) {