summaryrefslogtreecommitdiffstats
path: root/apps/dav/lib
diff options
context:
space:
mode:
Diffstat (limited to 'apps/dav/lib')
-rw-r--r--apps/dav/lib/connector/legacydavacl.php4
-rw-r--r--apps/dav/lib/connector/sabre/davaclplugin.php72
-rw-r--r--apps/dav/lib/server.php3
3 files changed, 76 insertions, 3 deletions
diff --git a/apps/dav/lib/connector/legacydavacl.php b/apps/dav/lib/connector/legacydavacl.php
index 149bd85e4be..5a654606465 100644
--- a/apps/dav/lib/connector/legacydavacl.php
+++ b/apps/dav/lib/connector/legacydavacl.php
@@ -21,10 +21,10 @@
namespace OCA\DAV\Connector;
-
+use OCA\DAV\Connector\Sabre\DavAclPlugin;
use Sabre\HTTP\URLUtil;
-class LegacyDAVACL extends \Sabre\DAVACL\Plugin {
+class LegacyDAVACL extends DavAclPlugin {
/**
* Converts the v1 principal `principal/<username>` to the new v2
diff --git a/apps/dav/lib/connector/sabre/davaclplugin.php b/apps/dav/lib/connector/sabre/davaclplugin.php
new file mode 100644
index 00000000000..4a9dd66161d
--- /dev/null
+++ b/apps/dav/lib/connector/sabre/davaclplugin.php
@@ -0,0 +1,72 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OCA\DAV\Connector\Sabre;
+
+use Sabre\DAV\Exception\NotFound;
+use Sabre\DAV\IFile;
+use Sabre\DAV\INode;
+use \Sabre\DAV\PropFind;
+use \Sabre\DAV\PropPatch;
+use Sabre\DAVACL\Exception\NeedPrivileges;
+use \Sabre\HTTP\RequestInterface;
+use \Sabre\HTTP\ResponseInterface;
+use Sabre\HTTP\URLUtil;
+
+/**
+ * Class DavAclPlugin is a wrapper around \Sabre\DAVACL\Plugin that returns 404
+ * responses in case the resource to a response has been forbidden instead of
+ * a 403. This is used to prevent enumeration of valid resources.
+ *
+ * @see https://github.com/owncloud/core/issues/22578
+ * @package OCA\DAV\Connector\Sabre
+ */
+class DavAclPlugin extends \Sabre\DAVACL\Plugin {
+ public function __construct() {
+ $this->hideNodesFromListings = true;
+ }
+
+ function checkPrivileges($uri, $privileges, $recursion = self::R_PARENT, $throwExceptions = true) {
+ $access = parent::checkPrivileges($uri, $privileges, $recursion, false);
+ if($access === false) {
+ /** @var INode $node */
+ $node = $this->server->tree->getNodeForPath($uri);
+
+ switch(get_class($node)) {
+ case 'OCA\DAV\CardDAV\AddressBook':
+ $type = 'Addressbook';
+ break;
+ default:
+ $type = 'Node';
+ break;
+ }
+ throw new NotFound(
+ sprintf(
+ "%s with name '%s' could not be found",
+ $type,
+ $node->getName()
+ )
+ );
+ }
+
+ return $access;
+ }
+}
diff --git a/apps/dav/lib/server.php b/apps/dav/lib/server.php
index 55ae6c62d31..2aa720c9dc4 100644
--- a/apps/dav/lib/server.php
+++ b/apps/dav/lib/server.php
@@ -26,6 +26,7 @@ use OCA\DAV\CalDAV\Schedule\IMipPlugin;
use OCA\DAV\Connector\FedAuth;
use OCA\DAV\Connector\Sabre\Auth;
use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin;
+use OCA\DAV\Connector\Sabre\DavAclPlugin;
use OCA\DAV\Connector\Sabre\FilesPlugin;
use OCA\DAV\Files\CustomPropertiesBackend;
use OCP\IRequest;
@@ -72,7 +73,7 @@ class Server {
$this->server->addPlugin(new \Sabre\DAV\Sync\Plugin());
// acl
- $acl = new \Sabre\DAVACL\Plugin();
+ $acl = new DavAclPlugin();
$acl->defaultUsernamePath = 'principals/users';
$this->server->addPlugin($acl);