From: Tim Düsterhus
Date: Thu, 19 May 2022 14:33:50 +0000 (+0200)
Subject: Make EnforceFrameOptions compatible with legacy and PSR-15 controllers
X-Git-Tag: 6.0.0_Alpha_1~1266^2~4
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=4298e5ba33df4a4b7e81af5820225f9016f7fb04;p=GitHub%2FWoltLab%2FWCF.git

Make EnforceFrameOptions compatible with legacy and PSR-15 controllers
---

diff --git a/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php b/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
index b45ba2bec4..b8debaff1d 100644
--- a/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
+++ b/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
@@ -24,12 +24,20 @@ final class EnforceFrameOptions implements MiddlewareInterface
      */
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
+        // Also set the headers using the regular `\header()` call, because we might receive a
+        // LegacyPlaceholderResponse and we also need to protect requests to legacy controllers.
+        // If a proper PSR-7 response is returned the headers will be removed again and set on
+        // the response object.
+        \header('x-frame-options: SAMEORIGIN');
+
         $response = $handler->handle($request);
 
         if ($response instanceof LegacyPlaceholderResponse) {
             return $response;
         }
 
+        \header_remove('x-frame-options');
+
         return $response->withHeader('x-frame-options', 'SAMEORIGIN');
     }
 }
diff --git a/wcfsetup/install/files/lib/util/HeaderUtil.class.php b/wcfsetup/install/files/lib/util/HeaderUtil.class.php
index b809c6843e..39d52afb18 100644
--- a/wcfsetup/install/files/lib/util/HeaderUtil.class.php
+++ b/wcfsetup/install/files/lib/util/HeaderUtil.class.php
@@ -90,8 +90,6 @@ final class HeaderUtil
             self::sendNoCacheHeaders();
         }
 
-        @\header('X-Frame-Options: SAMEORIGIN');
-
         \ob_start([self::class, 'parseOutput']);
     }
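Review bot: The value `SAMEORIGIN` is now written twice inside `process()` — in the early `\header('x-frame-options: SAMEORIGIN')` call and again in `withHeader('x-frame-options', 'SAMEORIGIN')` — so a later change to one path (say, tightening to `DENY`) could leave legacy and PSR-7 responses with different framing policies; a `private const FRAME_OPTIONS = 'SAMEORIGIN';` referenced by both calls would keep the two paths in lockstep. The early `\header()` call is also unconditional: if anything has already been flushed before this middleware runs, PHP emits a "headers already sent" warning and the legacy path ends up without clickjacking protection, whereas the deleted `HeaderUtil` line hid exactly that with `@`; surfacing the warning is the better trade, but a short comment such as `// Must run before any output is emitted, otherwise the legacy path loses the header.` would make the ordering requirement explicit. Lastly, `X-Frame-Options: SAMEORIGIN` is evaluated against the top-level origin only in some browsers, so a follow-up that adds `Content-Security-Policy: frame-ancestors 'self'` alongside it would close that gap for nested frames.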