diff options
author | Lukas Reschke <lukas@owncloud.com> | 2016-02-29 17:30:02 +0100 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2016-02-29 20:53:38 +0100 |
commit | d04edfaf0dee3c2f1b4347a4ed36a79477d4a3f9 (patch) | |
tree | 0b2e653611b941193f012901a535fccd754feb25 /apps/dav/lib | |
parent | 52d217d77519ed95a18237b09a351f83a0ae7f47 (diff) | |
download | nextcloud-server-d04edfaf0dee3c2f1b4347a4ed36a79477d4a3f9.tar.gz nextcloud-server-d04edfaf0dee3c2f1b4347a4ed36a79477d4a3f9.zip |
Hides nodes from listing that the user has no access to
Diffstat (limited to 'apps/dav/lib')
-rw-r--r-- | apps/dav/lib/connector/legacydavacl.php | 4 | ||||
-rw-r--r-- | apps/dav/lib/connector/sabre/davaclplugin.php | 72 | ||||
-rw-r--r-- | apps/dav/lib/server.php | 3 |
3 files changed, 76 insertions, 3 deletions
diff --git a/apps/dav/lib/connector/legacydavacl.php b/apps/dav/lib/connector/legacydavacl.php index 149bd85e4be..5a654606465 100644 --- a/apps/dav/lib/connector/legacydavacl.php +++ b/apps/dav/lib/connector/legacydavacl.php @@ -21,10 +21,10 @@ namespace OCA\DAV\Connector; - +use OCA\DAV\Connector\Sabre\DavAclPlugin; use Sabre\HTTP\URLUtil; -class LegacyDAVACL extends \Sabre\DAVACL\Plugin { +class LegacyDAVACL extends DavAclPlugin { /** * Converts the v1 principal `principal/<username>` to the new v2 diff --git a/apps/dav/lib/connector/sabre/davaclplugin.php b/apps/dav/lib/connector/sabre/davaclplugin.php new file mode 100644 index 00000000000..4a9dd66161d --- /dev/null +++ b/apps/dav/lib/connector/sabre/davaclplugin.php @@ -0,0 +1,72 @@ +<?php +/** + * @author Lukas Reschke <lukas@owncloud.com> + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OCA\DAV\Connector\Sabre; + +use Sabre\DAV\Exception\NotFound; +use Sabre\DAV\IFile; +use Sabre\DAV\INode; +use \Sabre\DAV\PropFind; +use \Sabre\DAV\PropPatch; +use Sabre\DAVACL\Exception\NeedPrivileges; +use \Sabre\HTTP\RequestInterface; +use \Sabre\HTTP\ResponseInterface; +use Sabre\HTTP\URLUtil; + +/** + * Class DavAclPlugin is a wrapper around \Sabre\DAVACL\Plugin that returns 404 + * responses in case the resource to a response has been forbidden instead of + * a 403. This is used to prevent enumeration of valid resources. + * + * @see https://github.com/owncloud/core/issues/22578 + * @package OCA\DAV\Connector\Sabre + */ +class DavAclPlugin extends \Sabre\DAVACL\Plugin { + public function __construct() { + $this->hideNodesFromListings = true; + } + + function checkPrivileges($uri, $privileges, $recursion = self::R_PARENT, $throwExceptions = true) { + $access = parent::checkPrivileges($uri, $privileges, $recursion, false); + if($access === false) { + /** @var INode $node */ + $node = $this->server->tree->getNodeForPath($uri); + + switch(get_class($node)) { + case 'OCA\DAV\CardDAV\AddressBook': + $type = 'Addressbook'; + break; + default: + $type = 'Node'; + break; + } + throw new NotFound( + sprintf( + "%s with name '%s' could not be found", + $type, + $node->getName() + ) + ); + } + + return $access; + } +} diff --git a/apps/dav/lib/server.php b/apps/dav/lib/server.php index 55ae6c62d31..2aa720c9dc4 100644 --- a/apps/dav/lib/server.php +++ b/apps/dav/lib/server.php @@ -26,6 +26,7 @@ use OCA\DAV\CalDAV\Schedule\IMipPlugin; use OCA\DAV\Connector\FedAuth; use OCA\DAV\Connector\Sabre\Auth; use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin; +use OCA\DAV\Connector\Sabre\DavAclPlugin; use OCA\DAV\Connector\Sabre\FilesPlugin; use OCA\DAV\Files\CustomPropertiesBackend; use OCP\IRequest; @@ -72,7 +73,7 @@ class Server { $this->server->addPlugin(new \Sabre\DAV\Sync\Plugin()); // acl - $acl = new \Sabre\DAVACL\Plugin(); + $acl = new DavAclPlugin(); $acl->defaultUsernamePath = 'principals/users'; $this->server->addPlugin($acl); |