Allow only cookie auth to webdav

author: Roeland Jago Douma <rullzer@owncloud.com> 2016-01-06 20:48:33 +0100
committer: Roeland Jago Douma <rullzer@owncloud.com> 2016-01-07 10:44:26 +0100
commit: 4a38793d111f68d9b00eaff4804293fd10d89a5f (patch)
tree: 85975c85f429d298c4734b1526dc7bfb98db6648 /apps/dav/lib/connector/sabre/auth.php
parent: 336fe868b2ee3a4105b93b71a1e739c9e412237b (diff)
download: nextcloud-server-4a38793d111f68d9b00eaff4804293fd10d89a5f.tar.gz
nextcloud-server-4a38793d111f68d9b00eaff4804293fd10d89a5f.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php
index 7f4f4a531b1..02b88390bad 100644
--- a/apps/dav/lib/connector/sabre/auth.php
+++ b/apps/dav/lib/connector/sabre/auth.php
@@ -151,7 +151,10 @@ class Auth extends AbstractBasic {
 	 */
 	private function auth(RequestInterface $request, ResponseInterface $response) {
 		if (\OC_User::handleApacheAuth() ||
-			($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED)))
+			//Fix for broken webdav clients
+			($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) ||
+			//Well behaved clients that only send the cookie are allowed
+			($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null)
 		) {
 			$user = $this->userSession->getUser()->getUID();
 			\OC_Util::setupFS($user);
author	Roeland Jago Douma <rullzer@owncloud.com>	2016-01-06 20:48:33 +0100
committer	Roeland Jago Douma <rullzer@owncloud.com>	2016-01-07 10:44:26 +0100
commit	4a38793d111f68d9b00eaff4804293fd10d89a5f (patch)
tree	85975c85f429d298c4734b1526dc7bfb98db6648 /apps/dav/lib/connector/sabre/auth.php
parent	336fe868b2ee3a4105b93b71a1e739c9e412237b (diff)
download	nextcloud-server-4a38793d111f68d9b00eaff4804293fd10d89a5f.tar.gz nextcloud-server-4a38793d111f68d9b00eaff4804293fd10d89a5f.zip