From 4a38793d111f68d9b00eaff4804293fd10d89a5f Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <rullzer@owncloud.com>
Date: Wed, 6 Jan 2016 20:48:33 +0100
Subject: Allow only cookie auth to webdav

---
 apps/dav/lib/connector/sabre/auth.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'apps/dav/lib')

diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php
index 7f4f4a531b1..02b88390bad 100644
--- a/apps/dav/lib/connector/sabre/auth.php
+++ b/apps/dav/lib/connector/sabre/auth.php
@@ -151,7 +151,10 @@ class Auth extends AbstractBasic {
 	 */
 	private function auth(RequestInterface $request, ResponseInterface $response) {
 		if (\OC_User::handleApacheAuth() ||
-			($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED)))
+			//Fix for broken webdav clients
+			($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) ||
+			//Well behaved clients that only send the cookie are allowed
+			($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null)
 		) {
 			$user = $this->userSession->getUser()->getUID();
 			\OC_Util::setupFS($user);
-- 
cgit v1.2.3