upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-12 10:10:49 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 20

Merge pull request #20283 from nextcloud/backport/19180/stable17

Browse source 
[stable17] Check for empty authorization headers for office requests
This commit is contained in:
Roeland Jago Douma 2020-04-14 11:36:31 +02:00 committed by GitHub
commit 810d54b0af
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
View file

@ -58,8 +58,11 @@ class AnonymousOptionsPlugin extends ServerPlugin {
*/
public function handleAnonymousOptions(RequestInterface $request, ResponseInterface $response) {
$isOffice = preg_match('/Microsoft Office/i', $request->getHeader('User-Agent'));
$isAnonymousOption = ($request->getMethod() === 'OPTIONS' && ($request->getHeader('Authorization') === null || trim($request->getHeader('Authorization')) === 'Bearer') && $this->isRequestInRoot($request->getPath()));
$isOfficeHead = $request->getMethod() === 'HEAD' && $isOffice && $request->getHeader('Authorization') === 'Bearer';
$emptyAuth = $request->getHeader('Authorization') === null
|| $request->getHeader('Authorization') === ''
|| trim($request->getHeader('Authorization')) === 'Bearer';
$isAnonymousOption = $request->getMethod() === 'OPTIONS' && $emptyAuth;
$isOfficeHead = $request->getMethod() === 'HEAD' && $isOffice && $emptyAuth;
if ($isAnonymousOption || $isOfficeHead) {
/** @var CorePlugin $corePlugin */
$corePlugin = $this->server->getPlugin('core');

17
apps/dav/tests/unit/DAV/AnonymousOptionsTest.php
View file

@ -30,7 +30,7 @@ use Sabre\HTTP\Sapi;
use Test\TestCase;
class AnonymousOptionsTest extends TestCase {
private function sendRequest($method, $path) {
private function sendRequest($method, $path, $userAgent = '') {
$server = new Server();
$server->addPlugin(new AnonymousOptionsPlugin());
$server->addPlugin(new Plugin(new BasicCallBack(function() {
@ -39,6 +39,7 @@ class AnonymousOptionsTest extends TestCase {
$server->httpRequest->setMethod($method);
$server->httpRequest->setUrl($path);
$server->httpRequest->setHeader('User-Agent', $userAgent);
$server->sapi = new SapiMock();
$server->exec();
@ -60,7 +61,19 @@ class AnonymousOptionsTest extends TestCase {
public function testAnonymousOptionsNonRootSubDir() {
$response = $this->sendRequest('OPTIONS', 'foo/bar');
$this->assertEquals(401, $response->getStatus());
$this->assertEquals(200, $response->getStatus());
}
public function testAnonymousHead() {
$response = $this->sendRequest('HEAD', '', 'Microsoft Office does strange things');
$this->assertEquals(200, $response->getStatus());
}
public function testAnonymousHeadNoOffice() {
$response = $this->sendRequest('HEAD', '');
$this->assertEquals(401, $response->getStatus(), 'curl');
}
}