From 4a38793d111f68d9b00eaff4804293fd10d89a5f Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Wed, 6 Jan 2016 20:48:33 +0100
Subject: [PATCH] Allow only cookie auth to webdav
---
 apps/dav/lib/connector/sabre/auth.php | 5 ++++-
 apps/dav/tests/unit/connector/sabre/auth.php | 18 +++++++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php
index 7f4f4a531b..02b88390ba 100644
--- a/apps/dav/lib/connector/sabre/auth.php
+++ b/apps/dav/lib/connector/sabre/auth.php
@@ -151,7 +151,10 @@ class Auth extends AbstractBasic {
 */
 private function auth(RequestInterface $request, ResponseInterface $response) {
 if (\OC_User::handleApacheAuth() ||
- ($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED)))
+ //Fix for broken webdav clients
+ ($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) ||
+ //Well behaved clients that only send the cookie are allowed
+ ($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && $request->getHeader('Authorization') === null)
 ) {
 $user = $this->userSession->getUser()->getUID();
 \OC_Util::setupFS($user);
diff --git a/apps/dav/tests/unit/connector/sabre/auth.php b/apps/dav/tests/unit/connector/sabre/auth.php
index 217ff5fc3f..5e1cdfb03d 100644
--- a/apps/dav/tests/unit/connector/sabre/auth.php
+++ b/apps/dav/tests/unit/connector/sabre/auth.php
@@ -21,6 +21,7 @@ namespace OCA\DAV\Tests\Unit\Connector\Sabre;
+use OCP\IUser;
 use Test\TestCase;
 use OCP\ISession;
 use OCP\IUserSession;
@@ -29,6 +30,7 @@ use OCP\IUserSession;
 * Class Auth
 *
 * @package OCA\DAV\Connector\Sabre
+ * @group DB
 */
 class Auth extends TestCase {
 /** @var ISession */
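Review bot: The third `||` branch added to `auth()` accepts a WebDAV request on the session cookie alone, the only extra requirement being the absence of an `Authorization` header, so any request a logged-in browser is made to send to the DAV endpoint is authenticated without a cross-site-request check; the branch should additionally be gated on the application's CSRF check (`OCP\IRequest::passesCSRFCheck()` if an `IRequest` can be injected into this class, which the hunk does not show), or the exposure should be recorded as deliberate. The one-line comment above it should say what the session value means, e.g. `// An earlier request in this session already authenticated this user to the DAV backend; accept the cookie alone only if the client sent no credentials`. The long condition would read better as named locals above the `if`: `$loggedIn = $this->userSession->isLoggedIn();`, `$davUser = $this->session->get(self::DAV_AUTHENTICATED);`, `$hasAuthHeader = $request->getHeader('Authorization') !== null;`. The body of `auth()` continues past the end of the hunk.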
@@ -330,21 +332,31 @@ class Auth extends TestCase {
 $httpResponse = $this->getMockBuilder('\Sabre\HTTP\ResponseInterface')
 ->disableOriginalConstructor()
 ->getMock();
+ /** @var IUser */
+ $user = $this->getMock('OCP\IUser');
+ $user->method('getUID')->willReturn('MyTestUser');
 $this->userSession
 ->expects($this->any())
 ->method('isLoggedIn')
 ->will($this->returnValue(true));
+ $this->userSession
+ ->expects($this->any())
+ ->method('getUser')
+ ->willReturn($user);
 $this->session
- ->expects($this->once())
+ ->expects($this->atLeastOnce())
 ->method('get')
 ->with('AUTHENTICATED_TO_DAV_BACKEND')
 ->will($this->returnValue('MyTestUser'));
 $httpRequest
- ->expects($this->once())
+ ->expects($this->atLeastOnce())
 ->method('getHeader')
 ->with('Authorization')
 ->will($this->returnValue(null));
- $this->auth->check($httpRequest, $httpResponse);
+ $this->assertEquals(
+ [true, 'principals/users/MyTestUser'],
+ $this->auth->check($httpRequest, $httpResponse)
+ );
 }
 public function testAuthenticateValidCredentials() {
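Review bot: The extended test only exercises the success path of the new cookie-only branch; there is no companion test asserting that `check()` does not succeed when the session's `AUTHENTICATED_TO_DAV_BACKEND` value differs from the logged-in user's UID, or when an `Authorization` header is present, which are exactly the two conditions the production code relies on to restrict that branch. Loosening `$this->once()` to `$this->atLeastOnce()` on both the session and request mocks also hides how often the condition re-reads the session; reading the value once into a local in the implementation would let the test keep the exact count. The enclosing test method begins outside the hunk.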