From 4298e5ba33df4a4b7e81af5820225f9016f7fb04 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 19 May 2022 16:33:50 +0200
Subject: [PATCH] Make EnforceFrameOptions compatible with legacy and PSR-15 controllers

---
 .../lib/http/middleware/EnforceFrameOptions.class.php | 8 ++++++++
 wcfsetup/install/files/lib/util/HeaderUtil.class.php | 2 --
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php b/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
index b45ba2bec4..b8debaff1d 100644
--- a/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
+++ b/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
@@ -24,12 +24,20 @@ final class EnforceFrameOptions implements MiddlewareInterface
      */
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
+        // Also set the headers using the regular `\header()` call, because we might receive a
+        // LegacyPlaceholderResponse and we also need to protect requests to legacy controllers.
+        // If a proper PSR-7 response is returned the headers will be removed again and set on
+        // the response object.
+        \header('x-frame-options: SAMEORIGIN');
+
         $response = $handler->handle($request);
 
         if ($response instanceof LegacyPlaceholderResponse) {
             return $response;
         }
 
+        \header_remove('x-frame-options');
+
         return $response->withHeader('x-frame-options', 'SAMEORIGIN');
     }
 }
diff --git a/wcfsetup/install/files/lib/util/HeaderUtil.class.php b/wcfsetup/install/files/lib/util/HeaderUtil.class.php
index b809c6843e..39d52afb18 100644
--- a/wcfsetup/install/files/lib/util/HeaderUtil.class.php
+++ b/wcfsetup/install/files/lib/util/HeaderUtil.class.php
@@ -90,8 +90,6 @@ final class HeaderUtil
             self::sendNoCacheHeaders();
         }
 
-        @\header('X-Frame-Options: SAMEORIGIN');
-
         \ob_start([self::class, 'parseOutput']);
     }
 
-- 
2.20.1
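Review bot: The early `\header('x-frame-options: SAMEORIGIN')` call is the only protection left on the LegacyPlaceholderResponse path, and it does nothing once `headers_sent()` is true — PHP emits a warning and the response goes out without the header; the removed HeaderUtil line hid exactly that case behind `@`, so after this change the failure becomes visible in the error log, which is the better trade-off for detection but deserves a sentence in the comment block, e.g. `// Deliberately not silenced with @: a "headers already sent" warning here means the legacy path is unprotected.`. The comment block also says "the headers" while a single header is set; `// Also set the header using the regular ...` reads more accurately. The `process()` method is fully inside the hunk, but the enclosing class starts before it.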