security hardening in remoteStorage app
authorMichiel de Jong <michiel@unhosted.org>
Sat, 25 Feb 2012 21:59:58 +0000 (21:59 +0000)
committerMichiel de Jong <michiel@unhosted.org>
Sat, 25 Feb 2012 21:59:58 +0000 (21:59 +0000)
apps/remoteStorage/WebDAV.php
apps/remoteStorage/auth.php
apps/remoteStorage/oauth_ro_auth.php

index 06520b4021bf265429074aa1d7c6839eae2783fe..cad465181a985488f5a70369f673e06c39b3988b 100644 (file)
@@ -69,7 +69,10 @@ if(count($pathParts) >= 3 && $pathParts[0] == '') {
        $server->setBaseUri(OC::$WEBROOT."/apps/remoteStorage/WebDAV.php/$ownCloudUser");
 
        // Auth backend
-       $authBackend = new OC_Connector_Sabre_Auth_ro_oauth(OC_remoteStorage::getValidTokens($ownCloudUser, $category));
+       $authBackend = new OC_Connector_Sabre_Auth_ro_oauth(
+      OC_remoteStorage::getValidTokens($ownCloudUser, $category),
+      $category
+      );
 
        $authPlugin = new Sabre_DAV_Auth_Plugin($authBackend,'ownCloud');//should use $validTokens here
        $server->addPlugin($authPlugin);
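Review bot: The continuation lines L18-L20 of the new constructor call are indented with spaces while the surrounding file uses tabs, so the call renders misaligned in most editors; the same tab/space mix appears on L47, L50, L62-L65, L72-L74 and L84-L85 of oauth_ro_auth.php. Re-indent them with tabs to match the neighbouring lines, e.g. `\t\tOC_remoteStorage::getValidTokens($ownCloudUser, $category),`. The comment `//should use $validTokens here` on L22 is untouched by this commit but appears stale now that the tokens are handed to the auth backend two lines above; consider removing or rewording it.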
@@ -82,5 +85,6 @@ if(count($pathParts) >= 3 && $pathParts[0] == '') {
        // And off we go!
        $server->exec();
 } else {
-       die('not the right address format '.var_export($pathParts, true));
+       //die('not the right address format '.var_export($pathParts, true));
+       die('not the right address format');
 }
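Review bot: The removed debug output is kept as a commented-out line at L29 rather than deleted; commented-out `var_export($pathParts, true)` is easy to re-enable and this one echoed the request path components back to the client. Delete L29 and keep only `die('not the right address format');`. The same applies to L38 in auth.php and to L72-L74 in oauth_ro_auth.php, where the commented lines would have dumped `$_SERVER` and the full token list, together with the submitted `$password`, into the response body.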
index 75e0aac419db964b04ced58339c1c8b366646813..cc40e895e01b753ebcd7f4fd41f476186d453268 100644 (file)
@@ -96,5 +96,6 @@ if(count($pathParts) == 2 && $pathParts[0] == '') {
                        .'<form method="POST"><input name="allow" type="submit" value="Click here"></form>');
        }
 } else {
-       die('please use auth.php/username?params. '.var_export($pathParts, true));
+       //die('please use auth.php/username?params. '.var_export($pathParts, true));
+       die('please use auth.php/username?params.');
 }
index d4a55061492f0dade389d8cc5c5f8b0e72e602d3..085a54699207a657ba9eef31d0b5bb580edc1f99 100644 (file)
 
 class OC_Connector_Sabre_Auth_ro_oauth extends Sabre_DAV_Auth_Backend_AbstractBasic {
        private $validTokens;
-
-       public function __construct($validTokensArg) {
+  private $category;
+       public function __construct($validTokensArg, $categoryArg) {
                $this->validTokens = $validTokensArg;
+    $this->category = $categoryArg;
        }
 
        /**
@@ -31,16 +32,16 @@ class OC_Connector_Sabre_Auth_ro_oauth extends Sabre_DAV_Auth_Backend_AbstractBa
         */
        protected function validateUserPass($username, $password){
                //always give read-only:
-               if(in_array($_SERVER['REQUEST_METHOD'], array('GET', 'HEAD', 'OPTIONS'))) {
-                       OC_Util::setUpFS();
-                       return true;
-               } else if(isset($this->validTokens[$password])) {
+               if(($_SERVER['REQUEST_METHOD'] == 'OPTIONS') 
+                   || (isset($this->validTokens[$password]))
+        || (($_SERVER['REQUEST_METHOD'] == 'GET') && ($this->category == 'public'))
+        ) {
                        OC_Util::setUpFS();
                        return true;
                } else {
-var_export($_SERVER);
-var_export($this->validTokens);
-die('not getting in with "'.$username.'"/"'.$password.'"!');
+      //var_export($_SERVER);
+      //var_export($this->validTokens);
+      //die('not getting in with "'.$username.'"/"'.$password.'"!');
                        return false;   
                }
        }
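Review bot: The new condition at L62-L65 accepts the request when `isset($this->validTokens[$password])` holds but never looks at `$username`, so any username combined with a token from this backend's list is accepted; if the token list is already scoped to the ownCloud user the backend was built for that is acceptable, but it should be stated in the method's docblock, otherwise `$username` needs to be checked as well. The leading comment `//always give read-only:` on L57 is now inaccurate, since anonymous GET is only granted when `$this->category == 'public'` and HEAD no longer qualifies at all; replace it with `// OPTIONS always passes; anonymous GET only for the 'public' category; anything else needs a valid token`. The method and category comparisons should use `===` rather than `==`. The method's docblock begins above the hunk.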
@@ -53,7 +54,9 @@ die('not getting in with "'.$username.'"/"'.$password.'"!');
                $auth->setRealm($realm);
                $userpass = $auth->getUserPass();
                if (!$userpass) {
-                       if(in_array($_SERVER['REQUEST_METHOD'], array('OPTIONS'))) {
+                       if(($_SERVER['REQUEST_METHOD'] == 'OPTIONS')
+               ||(($_SERVER['REQUEST_METHOD'] == 'GET') && ($this->category == 'public'))
+          ) {
                                $userpass = array('', '');
                        } else {
                                $auth->requireLogin();
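Review bot: The test on L83-L85 duplicates the OPTIONS / GET-on-public condition already written in validateUserPass (L62-L65), and the two copies already differ in layout; a future change to one (for example re-adding HEAD, which this commit drops from both) is likely to miss the other. Extract the condition into a private helper and call it from both places, so the anonymous-access policy lives in one spot. The enclosing method begins above the hunk and is not fully visible here.
```php
// in validateUserPass() and the method shown here: replace the repeated method/category test
if ($this->allowsAnonymous()) {
// … unchanged: rest of the branch …

/**
 * True when the request may proceed without credentials:
 * OPTIONS always, GET only for the 'public' category.
 */
private function allowsAnonymous() {
	$method = $_SERVER['REQUEST_METHOD'];
	return $method === 'OPTIONS'
		|| ($method === 'GET' && $this->category === 'public');
}
```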