author | Bastien Durel <bastien@durel.org> | 2019-01-04 13:05:35 +0100 |
---|---|---|
committer | Backportbot <backportbot-noreply@rullzer.com> | 2019-01-04 18:42:42 +0000 |
commit | 4535cc50adcfe68a96f3647c19fc762803ee15f4 (patch) | |
tree | efe6dc46b1bf60b4a335f4f4c9f3fd79df59ba8c /apps/dav | |
parent | f736b3445f3cc6f486604da60ce86063daf7918a (diff) | |
download | nextcloud-server-4535cc50adcfe68a96f3647c19fc762803ee15f4.tar.gz nextcloud-server-4535cc50adcfe68a96f3647c19fc762803ee15f4.zip |
check anonymous OPTIONS requests file in root (not in subdir)
Signed-off-by: Bastien Durel <bastien@durel.org>
Diffstat (limited to 'apps/dav')
-rw-r--r-- | apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php | 9 | ||||
-rw-r--r-- | apps/dav/tests/unit/DAV/AnonymousOptionsTest.php | 6 |
2 files changed, 14 insertions, 1 deletions
diff --git a/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php b/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
index 390cb4a9c67..67c1a9a5118 100644
--- a/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
+++ b/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
@@ -46,11 +46,18 @@ class AnonymousOptionsPlugin extends ServerPlugin {
 }
 
 /**
+ * @return bool
+ */
+ public function isRequestInRoot($path) {
+ return $path === '' || (is_string($path) && strpos($path, '/') === FALSE);
+ }
+
+ /**
 * @throws \Sabre\DAV\Exception\Forbidden
 * @return bool
 */
 public function handleAnonymousOptions(RequestInterface $request, ResponseInterface $response) {
- if ($request->getHeader('Authorization') === null && $request->getMethod() === 'OPTIONS') {
+ if ($request->getHeader('Authorization') === null && $request->getMethod() === 'OPTIONS' && $this->isRequestInRoot($request->getPath())) {
 /** @var CorePlugin $corePlugin */
 $corePlugin = $this->server->getPlugin('core');
 // setup a fake tree for anonymous access
diff --git a/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php b/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php
index 87a778e596d..22a4b973427 100644
--- a/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php
+++ b/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php
@@ -56,6 +56,12 @@ class AnonymousOptionsTest extends TestCase {
 
 $this->assertEquals(200, $response->getStatus());
 }
+
+ public function testAnonymousOptionsNonRootSubDir() {
+ $response = $this->sendRequest('OPTIONS', 'foo/bar');
+
+ $this->assertEquals(401, $response->getStatus());
+ }
 }
 
 class SapiMock extends Sapi { |
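Review bot: `isRequestInRoot()` now decides which unauthenticated OPTIONS requests skip the normal auth path, yet its docblock carries only `@return bool` and says nothing about what `$path` is or why the check exists. I would document it with a one-line purpose plus `@param string $path`, presumably the request path relative to the DAV base URI as returned by `getPath()`, and state that any non-string or any value containing `/` is treated as non-root so the request falls through to regular authentication. If nothing outside this class calls it, `private function isRequestInRoot(string $path): bool` would keep the helper off the plugin's public surface and make the `is_string()` guard unnecessary. `FALSE` should be lowercase `false` to match the `null` used on the `if` line. The body of `handleAnonymousOptions` continues past the end of the hunk.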
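Review bot: `testAnonymousOptionsNonRootSubDir` pins the new restriction with a single literal path, `'foo/bar'`, so the boundary that `isRequestInRoot()` draws is only checked at one point. Since this test guards an authentication bypass for unauthenticated clients, I would add a deeper path and a case whose separator arrives percent-encoded, e.g. `$this->sendRequest('OPTIONS', 'foo%2Fbar')`, asserting the status the project intends for it. How `sendRequest` builds the URL and how `getPath()` normalises it are not visible here, so that expectation needs confirming first. A short comment on the test naming the behaviour it protects (`// anonymous OPTIONS must not bypass auth below the root`) would also help future readers.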