diff options
| author | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-10-08 23:51:38 +0200 |
|---|---|---|
| committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-10-09 18:17:19 +0200 |
| commit | eae69cb8bc4dc428b50b34d2a7aecca022823af3 (patch) | |
| tree | 1bd70fda3e5aebb8f770029f31617b92465d99e7 /apps/dav | |
| parent | f23f6ff63aa03a722151580811e37d3cd51b2985 (diff) | |
| download | nextcloud-server-eae69cb8bc4dc428b50b34d2a7aecca022823af3.tar.gz nextcloud-server-eae69cb8bc4dc428b50b34d2a7aecca022823af3.zip | |
fix(dav): Public WebDAV endpoint should allow `GET` requestsbackport/dav-get
`GET` should be allowed even without Ajax header to allow downloading files,
or show files in the viewer. All other requests could be guarded, but this should not.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'apps/dav')
| -rw-r--r-- | apps/dav/appinfo/v2/publicremote.php | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/apps/dav/appinfo/v2/publicremote.php b/apps/dav/appinfo/v2/publicremote.php index 0381614a328..c48f582ab4a 100644 --- a/apps/dav/appinfo/v2/publicremote.php +++ b/apps/dav/appinfo/v2/publicremote.php @@ -96,11 +96,15 @@ preg_match('/(^files\/\w+)/i', substr($requestUri, strlen($baseuri)), $match); $baseuri = $baseuri . $match[0]; $server = $serverFactory->createServer($baseuri, $requestUri, $authPlugin, function (\Sabre\DAV\Server $server) use ($authBackend, $linkCheckPlugin, $filesDropPlugin) { - $isAjax = in_array('XMLHttpRequest', explode(',', $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '')); - $federatedShareProvider = \OCP\Server::get(FederatedShareProvider::class); - if ($federatedShareProvider->isOutgoingServer2serverShareEnabled() === false && !$isAjax) { - // this is what is thrown when trying to access a non-existing share - throw new NotAuthenticated(); + // GET must be allowed for e.g. showing images and allowing Zip downloads + if ($server->httpRequest->getMethod() !== 'GET') { + // If this is *not* a GET request we only allow access to public DAV from AJAX or when Server2Server is allowed + $isAjax = in_array('XMLHttpRequest', explode(',', $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '')); + $federatedShareProvider = \OCP\Server::get(FederatedShareProvider::class); + if ($federatedShareProvider->isOutgoingServer2serverShareEnabled() === false && $isAjax === false) { + // this is what is thrown when trying to access a non-existing share + throw new NotAuthenticated(); + } } $share = $authBackend->getShare(); @@ -152,4 +156,4 @@ $server->addPlugin($linkCheckPlugin); $server->addPlugin($filesDropPlugin); // And off we go! -$server->exec(); +$server->start(); |