author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2020-02-05 20:08:49 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-05 20:08:49 +0100 |
commit | bef906b518de70393c70c698a8a4dcf478951469 (patch) | |
tree | b3b5de754f0ad87d4a82001d5361c2af28476842 /apps | |
parent | f11e4c9ec44f4eeb25d921f7680e23024749358a (diff) | |
parent | 8fba05db965f188ff49705af5b55eef87373dd8d (diff) | |
Merge pull request #19180 from nextcloud/bugfix/office-anonymous-empty-auth
Check for empty authorization headers for office requests
Diffstat (limited to 'apps')
-rw-r--r-- | apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php | 7 | ||||
-rw-r--r-- | apps/dav/tests/unit/DAV/AnonymousOptionsTest.php | 17 |
2 files changed, 20 insertions, 4 deletions
diff --git a/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php b/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
index e222eb18857..e0aa19c50b3 100644
--- a/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
+++ b/apps/dav/lib/Connector/Sabre/AnonymousOptionsPlugin.php
@@ -62,8 +62,11 @@ class AnonymousOptionsPlugin extends ServerPlugin {
 */
 public function handleAnonymousOptions(RequestInterface $request, ResponseInterface $response) {
 $isOffice = preg_match('/Microsoft Office/i', $request->getHeader('User-Agent'));
- $isAnonymousOption = ($request->getMethod() === 'OPTIONS' && ($request->getHeader('Authorization') === null || trim($request->getHeader('Authorization')) === 'Bearer') && $this->isRequestInRoot($request->getPath()));
- $isOfficeHead = $request->getMethod() === 'HEAD' && $isOffice && $request->getHeader('Authorization') === 'Bearer';
+ $emptyAuth = $request->getHeader('Authorization') === null
+ || $request->getHeader('Authorization') === ''
+ || trim($request->getHeader('Authorization')) === 'Bearer';
+ $isAnonymousOption = $request->getMethod() === 'OPTIONS' && $emptyAuth;
+ $isOfficeHead = $request->getMethod() === 'HEAD' && $isOffice && $emptyAuth;
 if ($isAnonymousOption || $isOfficeHead) {
 /** @var CorePlugin $corePlugin */
 $corePlugin = $this->server->getPlugin('core');
diff --git a/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php b/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php
index a0abac0712a..a61c8e1e550 100644
--- a/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php
+++ b/apps/dav/tests/unit/DAV/AnonymousOptionsTest.php
@@ -33,7 +33,7 @@ use Sabre\HTTP\Sapi;
 use Test\TestCase;
 class AnonymousOptionsTest extends TestCase {
- private function sendRequest($method, $path) {
+ private function sendRequest($method, $path, $userAgent = '') {
 $server = new Server();
 $server->addPlugin(new AnonymousOptionsPlugin());
 $server->addPlugin(new Plugin(new BasicCallBack(function() {
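Review bot: In `handleAnonymousOptions` (AnonymousOptionsPlugin.php) the rewritten `$isAnonymousOption` no longer includes `$this->isRequestInRoot($request->getPath())`, so an unauthenticated OPTIONS on any path now takes the anonymous branch, which the commit title (empty Authorization headers) does not mention; that widening deserves its own comment, e.g. `// answered for every path on purpose: the response must not depend on whether the path exists`. `$isOfficeHead` is gated only by `$isOffice`, a regex on the client-supplied User-Agent, together with an absent or empty Authorization, so any client can select this branch; the body of the `if` continues outside the hunk, so confirm it returns nothing path- or user-specific. The three `getHeader('Authorization')` calls also let a whitespace-only value fall through; `$auth = trim((string) $request->getHeader('Authorization'));` followed by `$emptyAuth = $auth === '' || $auth === 'Bearer';` would cover null, empty, blank and bare `Bearer` in one place.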
@@ -42,6 +42,7 @@ class AnonymousOptionsTest extends TestCase {
 $server->httpRequest->setMethod($method);
 $server->httpRequest->setUrl($path);
+ $server->httpRequest->setHeader('User-Agent', $userAgent);
 $server->sapi = new SapiMock();
 $server->exec();
@@ -63,7 +64,19 @@ class AnonymousOptionsTest extends TestCase {
 public function testAnonymousOptionsNonRootSubDir() {
 $response = $this->sendRequest('OPTIONS', 'foo/bar');
- $this->assertEquals(401, $response->getStatus());
+ $this->assertEquals(200, $response->getStatus());
+ }
+
+ public function testAnonymousHead() {
+ $response = $this->sendRequest('HEAD', '', 'Microsoft Office does strange things');
+
+ $this->assertEquals(200, $response->getStatus());
+ }
+
+ public function testAnonymousHeadNoOffice() {
+ $response = $this->sendRequest('HEAD', '');
+
+ $this->assertEquals(401, $response->getStatus(), 'curl');
 }
 } |
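Review bot: None of the added tests sends an Authorization header, so the `''` and bare `Bearer` cases this change is about are not exercised; as far as the visible part of `sendRequest` shows, every request runs with the header absent. Extending the helper with an optional argument (for example `$authorization = null`, applied with `setHeader('Authorization', $authorization)` when not null) would allow cases for `''`, `'Bearer'` and a non-empty credential, the last one asserting that an Office User-Agent on HEAD does not take the anonymous branch. The third argument `'curl'` in `testAnonymousHeadNoOffice` is the assertion failure message; a text such as `'HEAD without an Office User-Agent must require authentication'` would say what broke. `sendRequest` starts and ends outside these hunks.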