author: Lukas Reschke <lukas@owncloud.com>, 2016-02-25 17:19:24 +0100
committer: Lukas Reschke <lukas@owncloud.com>, 2016-02-25 17:54:27 +0100
commit: 5780ba611e6db84719e709b3fe03d08fd8ef58f0
tree: 7a4c623c61799e4eb138319f2ef7e279db6c1c0f /build/integration/features/webdav-related.feature
parent: 3772a8acdb611b441bf2ea4fa3e0a37110a9d69f
Add integration test for CSRF protection on DAV
This adds the integration tests for the CSRF protection on the DAV backend introduced with 9.0. Fixes https://github.com/owncloud/core/issues/22598
Diffstat (limited to 'build/integration/features/webdav-related.feature')
-rw-r--r-- build/integration/features/webdav-related.feature 37
1 files changed, 37 insertions, 0 deletions
diff --git a/build/integration/features/webdav-related.feature b/build/integration/features/webdav-related.feature
index c424f77afd5..0d2cefa8b80 100644
--- a/build/integration/features/webdav-related.feature
+++ b/build/integration/features/webdav-related.feature
@@ -62,9 +62,46 @@ Feature: sharing
|X-XSS-Protection|1; mode=block|
And Downloaded content should start with "Welcome to your ownCloud account!"
+ Scenario: Doing a GET with a web login should work without CSRF token on the nwe backend
+ Given Logging in using web as "admin"
+ When Sending a "GET" to "/remote.php/dav/files/admin/welcome.txt" without requesttoken
+ Then Downloaded content should start with "Welcome to your ownCloud account!"
+ Then the HTTP status code should be "200"
+ Scenario: Doing a GET with a web login should work with CSRF token on the new backend
+ Given Logging in using web as "admin"
+ When Sending a "GET" to "/remote.php/dav/files/admin/welcome.txt" with requesttoken
+ Then Downloaded content should start with "Welcome to your ownCloud account!"
+ Then the HTTP status code should be "200"
+ Scenario: Doing a PROPFIND with a web login should not work without CSRF token on the new backend
+ Given Logging in using web as "admin"
+ When Sending a "PROPFIND" to "/remote.php/dav/files/admin/welcome.txt" without requesttoken
+ Then the HTTP status code should be "401"
+ Scenario: Doing a PROPFIND with a web login should work with CSRF token on the new backend
+ Given Logging in using web as "admin"
+ When Sending a "PROPFIND" to "/remote.php/dav/files/admin/welcome.txt" with requesttoken
+ Then the HTTP status code should be "207"
+ Scenario: Doing a GET with a web login should work without CSRF token on the old backend
+ Given Logging in using web as "admin"
+ When Sending a "GET" to "/remote.php/webdav/welcome.txt" without requesttoken
+ Then Downloaded content should start with "Welcome to your ownCloud account!"
+ Then the HTTP status code should be "200"
+ Scenario: Doing a GET with a web login should work with CSRF token on the old backend
+ Given Logging in using web as "admin"
+ When Sending a "GET" to "/remote.php/webdav/welcome.txt" with requesttoken
+ Then Downloaded content should start with "Welcome to your ownCloud account!"
+ Then the HTTP status code should be "200"
+ Scenario: Doing a PROPFIND with a web login should not work without CSRF token on the old backend
+ Given Logging in using web as "admin"
+ When Sending a "PROPFIND" to "/remote.php/webdav/welcome.txt" without requesttoken
+ Then the HTTP status code should be "401"
+
+ Scenario: Doing a PROPFIND with a web login should work with CSRF token on the old backend
+ Given Logging in using web as "admin"
+ When Sending a "PROPFIND" to "/remote.php/webdav/welcome.txt" with requesttoken
+ Then the HTTP status code should be "207"
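Review bot: The added scenarios exercise only GET and PROPFIND on both /remote.php/dav and /remote.php/webdav, so no state-changing DAV method (PUT, DELETE, MKCOL, MOVE) is checked with and without requesttoken. Those are the requests a CSRF check matters most for, so add at least one such pair per backend, asserting rejection without the token and success with it. Separately, the first scenario title says "nwe backend" where "new backend" is meant, and the GET scenarios chain two `Then` steps where the second would read better as `And`.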