author | Thomas Müller <thomas.mueller@tmit.eu> | 2016-02-24 12:15:32 +0100 |
---|---|---|
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2016-02-24 12:15:32 +0100 |
commit | 473cd97a45dd1343cec14abfcc60b14b9c12f7e4 (patch) | |
tree | 4bc60fe3149d7060105489fb27cfe2dbb1f7bdb6 /build | |
parent | 2ec1c738d0b2570f3f52dcd790aec0018e59e856 (diff) | |
parent | 403f11633c50b087fee8ffc7ce0dd9ac3e5f1263 (diff) | |
download | nextcloud-server-473cd97a45dd1343cec14abfcc60b14b9c12f7e4.tar.gz nextcloud-server-473cd97a45dd1343cec14abfcc60b14b9c12f7e4.zip |
Merge pull request #22592 from owncloud/fix-response-header
Add header for attachment disposition only once
Diffstat (limited to 'build')
-rw-r--r-- | build/integration/features/bootstrap/WebDav.php | 44 | ||||
-rw-r--r-- | build/integration/features/webdav-related.feature | 33 |
2 files changed, 73 insertions, 4 deletions
diff --git a/build/integration/features/bootstrap/WebDav.php b/build/integration/features/bootstrap/WebDav.php
index 58fdfed1711..be87a09731b 100644
--- a/build/integration/features/bootstrap/WebDav.php
+++ b/build/integration/features/bootstrap/WebDav.php
@@ -12,6 +12,8 @@ require __DIR__ . '/../../vendor/autoload.php';
 trait WebDav {
 /** @var string*/
 private $davPath = "remote.php/webdav";
+ /** @var ResponseInterface */
+ private $response;
 /**
 * @Given /^using dav path "([^"]*)"$/
@@ -104,6 +106,48 @@ trait WebDav {
 $this->downloadedContentShouldBe($content);
 }
+ /**
+ * @When Downloading file :fileName
+ */
+ public function downloadingFile($fileName) {
+ $this->response = $this->makeDavRequest($this->currentUser, 'GET', $fileName, []);
+ }
+
+ /**
+ * @Then The following headers should be set
+ */
+ public function theFollowingHeadersShouldBeSet(\Behat\Gherkin\Node\TableNode $table) {
+ foreach($table->getTable() as $header) {
+ $headerName = $header[0];
+ $expectedHeaderValue = $header[1];
+ $returnedHeader = $this->response->getHeader($headerName);
+ if($returnedHeader !== $expectedHeaderValue) {
+ throw new \Exception(
+ sprintf(
+ "Expected value '%s' for header '%s', got '%s'",
+ $expectedHeaderValue,
+ $headerName,
+ $returnedHeader
+ )
+ );
+ }
+ }
+ }
+
+ /**
+ * @Then Downloaded content should start with :start
+ */
+ public function downloadedContentShouldStartWith($start) {
+ if(strpos($this->response->getBody()->getContents(), $start) !== 0) {
+ throw new \Exception(
+ sprintf(
+ "Expected '%s', got '%s'",
+ $start,
+ $this->response->getBody()->getContents()
+ )
+ );
+ }
+ }
 /*Returns the elements of a propfind, $folderDepth requires 1 to see elements without children*/
 public function listFolder($user, $path, $folderDepth){
diff --git a/build/integration/features/webdav-related.feature b/build/integration/features/webdav-related.feature
index 8be2c196308..c424f77afd5 100644
--- a/build/integration/features/webdav-related.feature
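Review bot: `downloadedContentShouldStartWith` calls `$this->response->getBody()->getContents()` twice, once for the `strpos` check and again inside the `sprintf` that builds the failure message. If the body is a forward-only stream (likely with the HTTP client used here, though the hunk does not show it), the first call consumes it and the exception would always report `got ''`, hiding what the server actually returned. Reading it once, e.g. `$body = (string)$this->response->getBody();`, and using `$body` in both places avoids that. In `theFollowingHeadersShouldBeSet` the strict `!==` compare presumably only catches a header emitted twice because `getHeader()` returns one joined string; a comment such as `// a repeated header comes back as "value, value" and must fail this exact match` would record that intent for the Content-Disposition regression this commit targets.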
+++ b/build/integration/features/webdav-related.feature
@@ -15,7 +15,6 @@ Feature: sharing
 When Downloading file "/welcome.txt" with range "bytes=51-77"
 Then Downloaded content should be "example file for developers"
-
 Scenario: Upload forbidden if quota is 0
 Given using dav path "remote.php/webdav"
 And As an "admin"
@@ -33,9 +32,35 @@ Feature: sharing
 And Downloading last public shared file with range "bytes=51-77"
 Then Downloaded content should be "example file for developers"
-
-
-
+ Scenario: Downloading a file on the old endpoint should serve security headers
+ Given using dav path "remote.php/webdav"
+ And As an "admin"
+ When Downloading file "/welcome.txt"
+ Then The following headers should be set
+ |Content-Disposition|attachment|
+ |Content-Security-Policy|default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *|
+ |X-Content-Type-Options |nosniff|
+ |X-Download-Options|noopen|
+ |X-Frame-Options|Sameorigin|
+ |X-Permitted-Cross-Domain-Policies|none|
+ |X-Robots-Tag|none|
+ |X-XSS-Protection|1; mode=block|
+ And Downloaded content should start with "Welcome to your ownCloud account!"
+
+ Scenario: Downloading a file on the new endpoint should serve security headers
+ Given using dav path "remote.php/dav/files/admin/"
+ And As an "admin"
+ When Downloading file "/welcome.txt"
+ Then The following headers should be set
+ |Content-Disposition|attachment|
+ |Content-Security-Policy|default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *|
+ |X-Content-Type-Options |nosniff|
+ |X-Download-Options|noopen|
+ |X-Frame-Options|Sameorigin|
+ |X-Permitted-Cross-Domain-Policies|none|
+ |X-Robots-Tag|none|
+ |X-XSS-Protection|1; mode=block|
+ And Downloaded content should start with "Welcome to your ownCloud account!" |
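Review bot: The two added scenarios differ only in their `Given using dav path` line, so the eight-row security-header table is duplicated and the expectations for the old and new endpoints can drift apart when only one copy is edited. A single `Scenario Outline:` with `Given using dav path "<dav_path>"` and an `Examples:` table listing `remote.php/webdav` and `remote.php/dav/files/admin/` would keep one table for both. The expected `Content-Security-Policy` value is also pinned verbatim, including `'unsafe-eval'` and `'unsafe-inline'`, so any later tightening of the policy has to be mirrored here. A short `#` comment above the table stating that the string must match the server's default policy would make that coupling visible.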