diff options
author | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-10-08 23:51:38 +0200 |
---|---|---|
committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-10-09 17:10:52 +0200 |
commit | bbc5d32c8e14de78ae12c3acea384c69d2264eca (patch) | |
tree | 85f59483105c3dd763ed37ef5e52d4ce2a3cc79a /apps | |
parent | 3d74ed3762c90662a0320aea19437ed1fe9592fb (diff) | |
download | nextcloud-server-bbc5d32c8e14de78ae12c3acea384c69d2264eca.tar.gz nextcloud-server-bbc5d32c8e14de78ae12c3acea384c69d2264eca.zip |
fix(dav): Public WebDAV endpoint should allow `GET` requestsfix/public-get
`GET` should be allowed even without Ajax header to allow downloading files,
or show files in the viewer. All other requests could be guarded, but this should not.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'apps')
-rw-r--r-- | apps/dav/appinfo/v2/publicremote.php | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/apps/dav/appinfo/v2/publicremote.php b/apps/dav/appinfo/v2/publicremote.php index 53e85d556eb..0b7480872cb 100644 --- a/apps/dav/appinfo/v2/publicremote.php +++ b/apps/dav/appinfo/v2/publicremote.php @@ -73,11 +73,15 @@ preg_match('/(^files\/\w+)/i', substr($requestUri, strlen($baseuri)), $match); $baseuri = $baseuri . $match[0]; $server = $serverFactory->createServer($baseuri, $requestUri, $authPlugin, function (\Sabre\DAV\Server $server) use ($authBackend, $linkCheckPlugin, $filesDropPlugin) { - $isAjax = in_array('XMLHttpRequest', explode(',', $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '')); - $federatedShareProvider = \OCP\Server::get(FederatedShareProvider::class); - if ($federatedShareProvider->isOutgoingServer2serverShareEnabled() === false && !$isAjax) { - // this is what is thrown when trying to access a non-existing share - throw new NotAuthenticated(); + // GET must be allowed for e.g. showing images and allowing Zip downloads + if ($server->httpRequest->getMethod() !== 'GET') { + // If this is *not* a GET request we only allow access to public DAV from AJAX or when Server2Server is allowed + $isAjax = in_array('XMLHttpRequest', explode(',', $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '')); + $federatedShareProvider = \OCP\Server::get(FederatedShareProvider::class); + if ($federatedShareProvider->isOutgoingServer2serverShareEnabled() === false && $isAjax === false) { + // this is what is thrown when trying to access a non-existing share + throw new NotAuthenticated(); + } } $share = $authBackend->getShare(); @@ -132,4 +136,4 @@ $server->addPlugin($linkCheckPlugin); $server->addPlugin($filesDropPlugin); // And off we go! -$server->exec(); +$server->start(); |