From d04edfaf0dee3c2f1b4347a4ed36a79477d4a3f9 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Mon, 29 Feb 2016 17:30:02 +0100
Subject: Hides nodes from listing that the user has no access to
---
 apps/dav/lib/connector/legacydavacl.php | 4 +-
 apps/dav/lib/connector/sabre/davaclplugin.php | 72 +++++++++++++++++++++++++++
 apps/dav/lib/server.php | 3 +-
 3 files changed, 76 insertions(+), 3 deletions(-)
 create mode 100644 apps/dav/lib/connector/sabre/davaclplugin.php
(limited to 'apps')
diff --git a/apps/dav/lib/connector/legacydavacl.php b/apps/dav/lib/connector/legacydavacl.php
index 149bd85e4be..5a654606465 100644
--- a/apps/dav/lib/connector/legacydavacl.php
+++ b/apps/dav/lib/connector/legacydavacl.php
@@ -21,10 +21,10 @@ namespace OCA\DAV\Connector;
-
+use OCA\DAV\Connector\Sabre\DavAclPlugin;
 use Sabre\HTTP\URLUtil;
-class LegacyDAVACL extends \Sabre\DAVACL\Plugin {
+class LegacyDAVACL extends DavAclPlugin {
 /**
  * Converts the v1 principal `principal/` to the new v2
diff --git a/apps/dav/lib/connector/sabre/davaclplugin.php b/apps/dav/lib/connector/sabre/davaclplugin.php
new file mode 100644
index 00000000000..4a9dd66161d
--- /dev/null
+++ b/apps/dav/lib/connector/sabre/davaclplugin.php
@@ -0,0 +1,72 @@
+
+ *
+ * @copyright Copyright (c) 2016, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see
+ *
+ */
+
+namespace OCA\DAV\Connector\Sabre;
+
+use Sabre\DAV\Exception\NotFound;
+use Sabre\DAV\IFile;
+use Sabre\DAV\INode;
+use \Sabre\DAV\PropFind;
+use \Sabre\DAV\PropPatch;
+use Sabre\DAVACL\Exception\NeedPrivileges;
+use \Sabre\HTTP\RequestInterface;
+use \Sabre\HTTP\ResponseInterface;
+use Sabre\HTTP\URLUtil;
+
+/**
+ * Class DavAclPlugin is a wrapper around \Sabre\DAVACL\Plugin that returns 404
+ * responses in case the resource to a response has been forbidden instead of
+ * a 403. This is used to prevent enumeration of valid resources.
+ *
+ * @see https://github.com/owncloud/core/issues/22578
+ * @package OCA\DAV\Connector\Sabre
+ */
+class DavAclPlugin extends \Sabre\DAVACL\Plugin {
+ public function __construct() {
+ $this->hideNodesFromListings = true;
+ }
+
+ function checkPrivileges($uri, $privileges, $recursion = self::R_PARENT, $throwExceptions = true) {
+ $access = parent::checkPrivileges($uri, $privileges, $recursion, false);
+ if($access === false) {
+ /** @var INode $node */
+ $node = $this->server->tree->getNodeForPath($uri);
+
+ switch(get_class($node)) {
+ case 'OCA\DAV\CardDAV\AddressBook':
+ $type = 'Addressbook';
+ break;
+ default:
+ $type = 'Node';
+ break;
+ }
+ throw new NotFound(
+ sprintf(
+ "%s with name '%s' could not be found",
+ $type,
+ $node->getName()
+ )
+ );
+ }
+
+ return $access;
+ }
+}
diff --git a/apps/dav/lib/server.php b/apps/dav/lib/server.php
index 55ae6c62d31..2aa720c9dc4 100644
--- a/apps/dav/lib/server.php
+++ b/apps/dav/lib/server.php
@@ -26,6 +26,7 @@ use OCA\DAV\CalDAV\Schedule\IMipPlugin;
 use OCA\DAV\Connector\FedAuth;
 use OCA\DAV\Connector\Sabre\Auth;
 use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin;
+use OCA\DAV\Connector\Sabre\DavAclPlugin;
 use OCA\DAV\Connector\Sabre\FilesPlugin;
 use OCA\DAV\Files\CustomPropertiesBackend;
 use OCP\IRequest;
@@ -72,7 +73,7 @@ class Server {
 $this->server->addPlugin(new \Sabre\DAV\Sync\Plugin());
 // acl
- $acl = new \Sabre\DAVACL\Plugin();
+ $acl = new DavAclPlugin();
 $acl->defaultUsernamePath = 'principals/users';
 $this->server->addPlugin($acl);
-- cgit v1.2.3
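Review bot: checkPrivileges() in DavAclPlugin discards its $throwExceptions argument: parent::checkPrivileges is always invoked with false, and the `if($access === false)` branch then throws NotFound even when the caller asked for a boolean answer. The constructor enables hideNodesFromListings, and the parent plugin's listing code (not in this hunk) appears to rely on the non-throwing form to drop a single unreadable node from a PROPFIND, so with this override a listing containing one forbidden node would likely fail as a whole with 404 instead of hiding that node, which is the opposite of what the commit title describes. Changing the guard to `if($access === false && $throwExceptions) {` keeps the 404-instead-of-403 behaviour for throwing callers and returns false to the others. As a point of style, the get_class() switch could be an `instanceof` test on `OCA\DAV\CardDAV\AddressBook` so subclasses get the same label, and the method would benefit from a docblock stating that the 404 is deliberate so the 403-vs-404 distinction cannot be used to enumerate existing resources.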