]> source.dussan.org Git - nextcloud-server.git/commitdiff
Check for empty authorization headers for office requests and allow anonymous option... 19180/head
authorJulius Härtl <jus@bitgrid.net>
Mon, 23 Dec 2019 12:08:10 +0000 (13:08 +0100)
committerJulius Härtl <jus@bitgrid.net>
Tue, 4 Feb 2020 14:35:23 +0000 (15:35 +0100)
Signed-off-by: Julius Härtl <jus@bitgrid.net>
apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
apps/dav/tests/unit/DAV/AnonymousOptionsTest.php

index e222eb18857c29852c98ba0dd79ba60802df5a59..e0aa19c50b3f7639c892eba0b8c28f4aaaf0d200 100644 (file)
@@ -62,8 +62,11 @@ class AnonymousOptionsPlugin extends ServerPlugin {
         */
        public function handleAnonymousOptions(RequestInterface $request, ResponseInterface $response) {
                $isOffice = preg_match('/Microsoft Office/i', $request->getHeader('User-Agent'));
-               $isAnonymousOption = ($request->getMethod() === 'OPTIONS' && ($request->getHeader('Authorization') === null || trim($request->getHeader('Authorization')) === 'Bearer') && $this->isRequestInRoot($request->getPath()));
-               $isOfficeHead = $request->getMethod() === 'HEAD' && $isOffice && $request->getHeader('Authorization') === 'Bearer';
+               $emptyAuth = $request->getHeader('Authorization') === null
+                       || $request->getHeader('Authorization') === ''
+                       || trim($request->getHeader('Authorization')) === 'Bearer';
+               $isAnonymousOption = $request->getMethod() === 'OPTIONS' && $emptyAuth;
+               $isOfficeHead = $request->getMethod() === 'HEAD' && $isOffice && $emptyAuth;
                if ($isAnonymousOption || $isOfficeHead) {
                        /** @var CorePlugin $corePlugin */
                        $corePlugin = $this->server->getPlugin('core');
index a0abac0712abf7a4e32cdc2ebf55ec10a13554e6..a61c8e1e550e9489cc1b536cbbc2defde67e89f4 100644 (file)
@@ -33,7 +33,7 @@ use Sabre\HTTP\Sapi;
 use Test\TestCase;
 
 class AnonymousOptionsTest extends TestCase {
-       private function sendRequest($method, $path) {
+       private function sendRequest($method, $path, $userAgent = '') {
                $server = new Server();
                $server->addPlugin(new AnonymousOptionsPlugin());
                $server->addPlugin(new Plugin(new BasicCallBack(function() {
@@ -42,6 +42,7 @@ class AnonymousOptionsTest extends TestCase {
 
                $server->httpRequest->setMethod($method);
                $server->httpRequest->setUrl($path);
+               $server->httpRequest->setHeader('User-Agent', $userAgent);
 
                $server->sapi = new SapiMock();
                $server->exec();
@@ -63,7 +64,19 @@ class AnonymousOptionsTest extends TestCase {
        public function testAnonymousOptionsNonRootSubDir() {
                $response = $this->sendRequest('OPTIONS', 'foo/bar');
 
-               $this->assertEquals(401, $response->getStatus());
+               $this->assertEquals(200, $response->getStatus());
+       }
+
+       public function testAnonymousHead() {
+               $response = $this->sendRequest('HEAD', '', 'Microsoft Office does strange things');
+
+               $this->assertEquals(200, $response->getStatus());
+       }
+
+       public function testAnonymousHeadNoOffice() {
+               $response = $this->sendRequest('HEAD', '');
+
+               $this->assertEquals(401, $response->getStatus(), 'curl');
        }
 }