From: Michiel de Jong Date: Sat, 25 Feb 2012 21:59:58 +0000 (+0000) Subject: security hardening in remoteStorage app X-Git-Tag: v4.0.0beta~440^2~54^2~15 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=820f2f27f6ba0509b43b70eb61204355acfeb30f;p=nextcloud-server.git security hardening in remoteStorage app --- diff --git a/apps/remoteStorage/WebDAV.php b/apps/remoteStorage/WebDAV.php index 06520b4021b..cad465181a9 100644 --- a/apps/remoteStorage/WebDAV.php +++ b/apps/remoteStorage/WebDAV.php @@ -69,7 +69,10 @@ if(count($pathParts) >= 3 && $pathParts[0] == '') { $server->setBaseUri(OC::$WEBROOT."/apps/remoteStorage/WebDAV.php/$ownCloudUser"); // Auth backend - $authBackend = new OC_Connector_Sabre_Auth_ro_oauth(OC_remoteStorage::getValidTokens($ownCloudUser, $category)); + $authBackend = new OC_Connector_Sabre_Auth_ro_oauth( + OC_remoteStorage::getValidTokens($ownCloudUser, $category), + $category + ); $authPlugin = new Sabre_DAV_Auth_Plugin($authBackend,'ownCloud');//should use $validTokens here $server->addPlugin($authPlugin); @@ -82,5 +85,6 @@ if(count($pathParts) >= 3 && $pathParts[0] == '') { // And off we go! $server->exec(); } else { - die('not the right address format '.var_export($pathParts, true)); + //die('not the right address format '.var_export($pathParts, true)); + die('not the right address format'); } diff --git a/apps/remoteStorage/auth.php b/apps/remoteStorage/auth.php index 75e0aac419d..cc40e895e01 100644 --- a/apps/remoteStorage/auth.php +++ b/apps/remoteStorage/auth.php @@ -96,5 +96,6 @@ if(count($pathParts) == 2 && $pathParts[0] == '') { .'
'); } } else { - die('please use auth.php/username?params. '.var_export($pathParts, true)); + //die('please use auth.php/username?params. '.var_export($pathParts, true)); + die('please use auth.php/username?params.'); } diff --git a/apps/remoteStorage/oauth_ro_auth.php b/apps/remoteStorage/oauth_ro_auth.php index d4a55061492..085a5469920 100644 --- a/apps/remoteStorage/oauth_ro_auth.php +++ b/apps/remoteStorage/oauth_ro_auth.php @@ -16,9 +16,10 @@ class OC_Connector_Sabre_Auth_ro_oauth extends Sabre_DAV_Auth_Backend_AbstractBasic { private $validTokens; - - public function __construct($validTokensArg) { + private $category; + public function __construct($validTokensArg, $categoryArg) { $this->validTokens = $validTokensArg; + $this->category = $categoryArg; } /** @@ -31,16 +32,16 @@ class OC_Connector_Sabre_Auth_ro_oauth extends Sabre_DAV_Auth_Backend_AbstractBa */ protected function validateUserPass($username, $password){ //always give read-only: - if(in_array($_SERVER['REQUEST_METHOD'], array('GET', 'HEAD', 'OPTIONS'))) { - OC_Util::setUpFS(); - return true; - } else if(isset($this->validTokens[$password])) { + if(($_SERVER['REQUEST_METHOD'] == 'OPTIONS') + || (isset($this->validTokens[$password])) + || (($_SERVER['REQUEST_METHOD'] == 'GET') && ($this->category == 'public')) + ) { OC_Util::setUpFS(); return true; } else { -var_export($_SERVER); -var_export($this->validTokens); -die('not getting in with "'.$username.'"/"'.$password.'"!'); + //var_export($_SERVER); + //var_export($this->validTokens); + //die('not getting in with "'.$username.'"/"'.$password.'"!'); return false; } } @@ -53,7 +54,9 @@ die('not getting in with "'.$username.'"/"'.$password.'"!'); $auth->setRealm($realm); $userpass = $auth->getUserPass(); if (!$userpass) { - if(in_array($_SERVER['REQUEST_METHOD'], array('OPTIONS'))) { + if(($_SERVER['REQUEST_METHOD'] == 'OPTIONS') + ||(($_SERVER['REQUEST_METHOD'] == 'GET') && ($this->category == 'public')) + ) { $userpass = array('', ''); } else { $auth->requireLogin();