authorRoeland Jago Douma <rullzer@users.noreply.github.com>2019-01-04 20:35:47 +0100
committerGitHub <noreply@github.com>2019-01-04 20:35:47 +0100
commit5ef74e29525c13e041ef1f50994b404664b77ece (patch)
tree1bfb6f15edb104c487fe86b06affe84d08fecd15
parent14fcc64c49f356e8b6acca93a643e52f8ba57ad4 (diff)
parent4535cc50adcfe68a96f3647c19fc762803ee15f4 (diff)
downloadnextcloud-server-5ef74e29525c13e041ef1f50994b404664b77ece.tar.gz
nextcloud-server-5ef74e29525c13e041ef1f50994b404664b77ece.zip
Merge pull request #13362 from nextcloud/backport/13354/master
[master] check anonymous OPTIONS requests file in root (not in subdir)
-rw-r--r--apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php9
-rw-r--r--apps/dav/tests/unit/DAV/AnonymousOptionsTest.php6
2 files changed, 14 insertions, 1 deletions
diff --git a/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php b/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
index 390cb4a9c67..67c1a9a5118 100644
--- a/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
+++ b/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
@@ -46,11 +46,18 @@ class AnonymousOptionsPlugin extends ServerPlugin {
}
/**
+ * @return bool
+ */
+ public function isRequestInRoot($path) {
+ return $path === '' || (is_string($path) && strpos($path, '/') === FALSE);
+ }
+
+ /**
* @throws \Sabre\DAV\Exception\Forbidden
* @return bool
*/
public function handleAnonymousOptions(RequestInterface $request, ResponseInterface $response) {
- if ($request->getHeader('Authorization') === null && $request->getMethod() === 'OPTIONS') {
+ if ($request->getHeader('Authorization') === null && $request->getMethod() === 'OPTIONS' && $this->isRequestInRoot($request->getPath())) {
/** @var CorePlugin $corePlugin */
$corePlugin = $this->server->getPlugin('core');
// setup a fake tree for anonymous access
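Review bot: `isRequestInRoot()` now decides which unauthenticated OPTIONS requests reach the anonymous fake tree, but its docblock says only `@return bool` and `$path` is untyped. The `strpos($path, '/') === FALSE` test is only meaningful if `getPath()` returns a base-relative path with leading and trailing slashes stripped and percent-encoding already decoded; that is what I would expect from Sabre, but it is not visible in this hunk. I would state it in the docblock, e.g. `@param string $path base-relative request path from RequestInterface::getPath(), without leading or trailing slash`, plus one line saying that anything below the first path segment must go through normal authentication. If nothing outside the class calls the helper, `private function isRequestInRoot(string $path): bool` would keep it off the plugin's public surface, and the `$path === ''` arm is already covered by the `strpos` check. The body of `handleAnonymousOptions()` continues past the end of the hunk.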
diff --git a/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php b/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php
index 87a778e596d..22a4b973427 100644
--- a/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php
+++ b/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php
@@ -56,6 +56,12 @@ class AnonymousOptionsTest extends TestCase {
$this->assertEquals(200, $response->getStatus());
}
+
+ public function testAnonymousOptionsNonRootSubDir() {
+ $response = $this->sendRequest('OPTIONS', 'foo/bar');
+
+ $this->assertEquals(401, $response->getStatus());
+ }
}
class SapiMock extends Sapi {
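Review bot: `testAnonymousOptionsNonRootSubDir` pins only `'foo/bar'`, so the boundary the plugin draws at the first `/` is exercised in a single form. I would add cases for a deeper path and for inputs whose result depends on path normalisation, such as `$this->sendRequest('OPTIONS', 'foo/')` and `$this->sendRequest('OPTIONS', '/foo/bar')`, each asserting the status the team intends. That way a later change in how the path is trimmed cannot silently widen the unauthenticated response. `sendRequest()` is defined outside this hunk, so how it builds the request URL is not visible here.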