From bbc5d32c8e14de78ae12c3acea384c69d2264eca Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Tue, 8 Oct 2024 23:51:38 +0200 Subject: fix(dav): Public WebDAV endpoint should allow `GET` requests `GET` should be allowed even without Ajax header to allow downloading files, or show files in the viewer. All other requests could be guarded, but this should not. Signed-off-by: Ferdinand Thiessen --- apps/dav/appinfo/v2/publicremote.php | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'apps') diff --git a/apps/dav/appinfo/v2/publicremote.php b/apps/dav/appinfo/v2/publicremote.php index 53e85d556eb..0b7480872cb 100644 --- a/apps/dav/appinfo/v2/publicremote.php +++ b/apps/dav/appinfo/v2/publicremote.php @@ -73,11 +73,15 @@ preg_match('/(^files\/\w+)/i', substr($requestUri, strlen($baseuri)), $match); $baseuri = $baseuri . $match[0]; $server = $serverFactory->createServer($baseuri, $requestUri, $authPlugin, function (\Sabre\DAV\Server $server) use ($authBackend, $linkCheckPlugin, $filesDropPlugin) { - $isAjax = in_array('XMLHttpRequest', explode(',', $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '')); - $federatedShareProvider = \OCP\Server::get(FederatedShareProvider::class); - if ($federatedShareProvider->isOutgoingServer2serverShareEnabled() === false && !$isAjax) { - // this is what is thrown when trying to access a non-existing share - throw new NotAuthenticated(); + // GET must be allowed for e.g. showing images and allowing Zip downloads + if ($server->httpRequest->getMethod() !== 'GET') { + // If this is *not* a GET request we only allow access to public DAV from AJAX or when Server2Server is allowed + $isAjax = in_array('XMLHttpRequest', explode(',', $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '')); + $federatedShareProvider = \OCP\Server::get(FederatedShareProvider::class); + if ($federatedShareProvider->isOutgoingServer2serverShareEnabled() === false && $isAjax === false) { + // this is what is thrown when trying to access a non-existing share + throw new NotAuthenticated(); + } } $share = $authBackend->getShare(); @@ -132,4 +136,4 @@ $server->addPlugin($linkCheckPlugin); $server->addPlugin($filesDropPlugin); // And off we go! -$server->exec(); +$server->start(); -- cgit v1.2.3