From 262547ba3d81a870521ad65bca770e9e1b14f229 Mon Sep 17 00:00:00 2001
From: Vincent Petry
Date: Thu, 24 Mar 2016 16:02:36 +0100
Subject: [PATCH 1/2] Return 401 DummyBasicAuth in case of ajax call

---
 apps/dav/appinfo/v1/publicwebdav.php | 2 +-
 apps/dav/lib/connector/publicauth.php | 19 +++++++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/apps/dav/appinfo/v1/publicwebdav.php b/apps/dav/appinfo/v1/publicwebdav.php
index b0ee264aac..558a823866 100644
--- a/apps/dav/appinfo/v1/publicwebdav.php
+++ b/apps/dav/appinfo/v1/publicwebdav.php
@@ -32,7 +32,7 @@ OC_App::loadApps($RUNTIME_APPTYPES);
 OC_Util::obEnd();
 
 // Backends
-$authBackend = new OCA\DAV\Connector\PublicAuth(\OC::$server->getConfig());
+$authBackend = new OCA\DAV\Connector\PublicAuth(\OC::$server->getConfig(), \OC::$server->getRequest());
 
 $serverFactory = new OCA\DAV\Connector\Sabre\ServerFactory(
 \OC::$server->getConfig(),
diff --git a/apps/dav/lib/connector/publicauth.php b/apps/dav/lib/connector/publicauth.php
index f069a214fe..fc9b98c483 100644
--- a/apps/dav/lib/connector/publicauth.php
+++ b/apps/dav/lib/connector/publicauth.php
@@ -26,6 +26,8 @@ namespace OCA\DAV\Connector;
 
 
 
+use OCP\IRequest;
+
 class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 
 /**
@@ -36,10 +38,17 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 private $share;
 
 /**
- * @param \OCP\IConfig $config
+ * @var IRequest
 */
- public function __construct($config) {
+ private $request;
+
+ /**
+ * @param \OCP\IConfig $config
+ * @param IRequest $request
+ */
+ public function __construct($config, $request) {
 $this->config = $config;
+ $this->request = $request;
 }
 
 /**
@@ -92,6 +101,12 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 && \OC::$server->getSession()->get('public_link_authenticated') === $linkItem['id']) {
 return true;
 } else {
+ if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) {
+ // do not re-authenticate over ajax, use dummy auth name to prevent browser popup
+ header('Status: 401');
+ header('WWW-Authenticate', 'DummyBasic real="ownCloud"');
+ throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
+ }
 return false;
 }
 } else if ($linkItem['share_type'] == \OCP\Share::SHARE_TYPE_REMOTE) {

From ba69a90ab5c7756d1a53c2871ed86b29a942bb85 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Thu, 31 Mar 2016 19:32:30 +0200
Subject: [PATCH 2/2] Enforce type

---
 apps/dav/lib/connector/publicauth.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/apps/dav/lib/connector/publicauth.php b/apps/dav/lib/connector/publicauth.php
index fc9b98c483..0d75a4db49 100644
--- a/apps/dav/lib/connector/publicauth.php
+++ b/apps/dav/lib/connector/publicauth.php
@@ -26,6 +26,7 @@ namespace OCA\DAV\Connector;
 
 
 
+use OCP\IConfig;
 use OCP\IRequest;
 
 class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
@@ -46,7 +47,8 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 * @param \OCP\IConfig $config
 * @param IRequest $request
 */
- public function __construct($config, $request) {
+ public function __construct(IConfig $config,
+ IRequest $request) {
 $this->config = $config;
 $this->request = $request;
 }
@@ -61,6 +63,7 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 * @param string $password
 *
 * @return bool
+ * @throws \Sabre\DAV\Exception\NotAuthenticated
 */
 protected function validateUserPass($username, $password) {
 $linkItem = \OCP\Share::getShareByToken($username, false);
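Review bot: `header('WWW-Authenticate', 'DummyBasic real="ownCloud"')` in the added block does not send the challenge it intends: PHP's `header()` takes the whole `Name: value` line as its first argument and a boolean `$replace` as its second, so this most likely emits a bare `WWW-Authenticate` line with no value, and the attribute is spelled `realm`, not `real`. Change the line to `header('WWW-Authenticate: DummyBasic realm="ownCloud"');` — the second patch's hunk `@@ -103,7 +106,7 @@` replaces only the `Status:` line above it and keeps this one unchanged. Since the 401 response is ultimately produced by Sabre from the thrown `NotAuthenticated`, headers set directly with `header()` live outside Sabre's response object, and it is worth confirming that the framework does not replace the challenge when it sends the response (not verifiable from this hunk). `explode(',', ...)` also keeps any whitespace after a comma, so an `X-Requested-With` value that lists `XMLHttpRequest` after another token would not match; `array_map('trim', explode(',', ...))` with `in_array(..., true)` makes the check exact. `validateUserPass` starts and ends outside this hunk.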
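Review bot: The docblock shown as context above the new signature in hunk `@@ -46,7 +47,8 @@` still reads `@param \OCP\IConfig $config` while the signature now uses the imported `IConfig`; keep the two in sync with `* @param IConfig $config`. Splitting two typed parameters over two lines with the second aligned under the first is also unusual for a constructor this short — `public function __construct(IConfig $config, IRequest $request) {` fits on one line. The opening `/**` of this docblock lies outside the hunk.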
@@ -103,7 +106,7 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic { } else { if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) { // do not re-authenticate over ajax, use dummy auth name to prevent browser popup - header('Status: 401'); + http_response_code(401); header('WWW-Authenticate', 'DummyBasic real="ownCloud"'); throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls'); }