aboutsummaryrefslogtreecommitdiffstats
path: root/apps
diff options
context:
space:
mode:
authorFerdinand Thiessen <opensource@fthiessen.de>2024-10-08 23:51:38 +0200
committerFerdinand Thiessen <opensource@fthiessen.de>2024-10-09 17:10:52 +0200
commitbbc5d32c8e14de78ae12c3acea384c69d2264eca (patch)
tree85f59483105c3dd763ed37ef5e52d4ce2a3cc79a /apps
parent3d74ed3762c90662a0320aea19437ed1fe9592fb (diff)
downloadnextcloud-server-bbc5d32c8e14de78ae12c3acea384c69d2264eca.tar.gz
nextcloud-server-bbc5d32c8e14de78ae12c3acea384c69d2264eca.zip
fix(dav): Public WebDAV endpoint should allow `GET` requestsfix/public-get
`GET` should be allowed even without Ajax header to allow downloading files, or show files in the viewer. All other requests could be guarded, but this should not. Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'apps')
-rw-r--r--apps/dav/appinfo/v2/publicremote.php16
1 files changed, 10 insertions, 6 deletions
diff --git a/apps/dav/appinfo/v2/publicremote.php b/apps/dav/appinfo/v2/publicremote.php
index 53e85d556eb..0b7480872cb 100644
--- a/apps/dav/appinfo/v2/publicremote.php
+++ b/apps/dav/appinfo/v2/publicremote.php
@@ -73,11 +73,15 @@ preg_match('/(^files\/\w+)/i', substr($requestUri, strlen($baseuri)), $match);
$baseuri = $baseuri . $match[0];
$server = $serverFactory->createServer($baseuri, $requestUri, $authPlugin, function (\Sabre\DAV\Server $server) use ($authBackend, $linkCheckPlugin, $filesDropPlugin) {
- $isAjax = in_array('XMLHttpRequest', explode(',', $_SERVER['HTTP_X_REQUESTED_WITH'] ?? ''));
- $federatedShareProvider = \OCP\Server::get(FederatedShareProvider::class);
- if ($federatedShareProvider->isOutgoingServer2serverShareEnabled() === false && !$isAjax) {
- // this is what is thrown when trying to access a non-existing share
- throw new NotAuthenticated();
+ // GET must be allowed for e.g. showing images and allowing Zip downloads
+ if ($server->httpRequest->getMethod() !== 'GET') {
+ // If this is *not* a GET request we only allow access to public DAV from AJAX or when Server2Server is allowed
+ $isAjax = in_array('XMLHttpRequest', explode(',', $_SERVER['HTTP_X_REQUESTED_WITH'] ?? ''));
+ $federatedShareProvider = \OCP\Server::get(FederatedShareProvider::class);
+ if ($federatedShareProvider->isOutgoingServer2serverShareEnabled() === false && $isAjax === false) {
+ // this is what is thrown when trying to access a non-existing share
+ throw new NotAuthenticated();
+ }
}
$share = $authBackend->getShare();
@@ -132,4 +136,4 @@ $server->addPlugin($linkCheckPlugin);
$server->addPlugin($filesDropPlugin);
// And off we go!
-$server->exec();
+$server->start();