diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2015-01-16 14:31:02 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2015-01-17 13:29:07 +0100 |
| commit | dfbc405a45f42acd1202d5f0649619388adbfb83 (patch) | |
| tree | ee88f7a0c23e5d457e5eff51f6d51d1cf95be8a1 /apps | |
| parent | 60c4cb1dd669a0c40abcff50a636d7b4cb6469e0 (diff) | |
| download | nextcloud-server-dfbc405a45f42acd1202d5f0649619388adbfb83.tar.gz nextcloud-server-dfbc405a45f42acd1202d5f0649619388adbfb83.zip | |
Prioritise Basic Auth header over Cookie
There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header.
This patch adds a workaround the following way:
1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF)
2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth
Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well.
This requires proper testing also considering LDAP / Shibboleth and whatever instances.
Diffstat (limited to 'apps')
| -rwxr-xr-x | apps/files_encryption/tests/webdav.php | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/apps/files_encryption/tests/webdav.php b/apps/files_encryption/tests/webdav.php index 83f4c0a77de..bdbc9d7ef02 100755 --- a/apps/files_encryption/tests/webdav.php +++ b/apps/files_encryption/tests/webdav.php @@ -206,12 +206,17 @@ class Webdav extends TestCase { * handle webdav request * * @param bool $body - * * @note this init procedure is copied from /apps/files/appinfo/remote.php */ function handleWebdavRequest($body = false) { // Backends - $authBackend = new \OC_Connector_Sabre_Auth(); + $authBackend = $this->getMockBuilder('OC_Connector_Sabre_Auth') + ->setMethods(['validateUserPass']) + ->getMock(); + $authBackend->expects($this->any()) + ->method('validateUserPass') + ->will($this->returnValue(true)); + $lockBackend = new \OC_Connector_Sabre_Locks(); $requestBackend = new \OC_Connector_Sabre_Request(); @@ -236,6 +241,10 @@ class Webdav extends TestCase { $server->addPlugin(new \OC_Connector_Sabre_MaintenancePlugin()); $server->debugExceptions = true; + // Totally ugly hack to setup the FS + \OC::$server->getUserSession()->login($this->userId, $this->userId); + \OC_Util::setupFS($this->userId); + // And off we go! if ($body) { $server->httpRequest->setBody($body); |