mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Prevent sending second WWW-Authenticate header 

Overrides \Sabre\DAV\Auth\Backend\AbstractBearer::challenge to prevent sending a second WWW-Authenticate header which is standard-compliant but most DAV clients simply fail hard.

Fixes https://github.com/nextcloud/server/issues/5088

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
Lukas Reschke 2017-06-13 13:51:33 +02:00
parent b7761be4d9
commit 633396001f
No known key found for this signature in database
GPG Key ID: B9F6980CF6E759B1
3 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
apps/dav/lib/Connector/Sabre/BearerAuth.php
View File

@ -25,6 +25,8 @@ use OCP\IRequest;
use OCP\ISession; use OCP\ISession;
use OCP\IUserSession; use OCP\IUserSession;
use Sabre\DAV\Auth\Backend\AbstractBearer; use Sabre\DAV\Auth\Backend\AbstractBearer;
use Sabre\HTTP\RequestInterface;
use Sabre\HTTP\ResponseInterface;
class BearerAuth extends AbstractBearer { class BearerAuth extends AbstractBearer {
/** @var IUserSession */ /** @var IUserSession */
@ -77,4 +79,16 @@ class BearerAuth extends AbstractBearer {
return false; return false;
} }
/**
* \Sabre\DAV\Auth\Backend\AbstractBearer::challenge sets an WWW-Authenticate
* header which some DAV clients can't handle. Thus we override this function
* and make it simply return a 401.
*
* @param RequestInterface $request
* @param ResponseInterface $response
*/
public function challenge(RequestInterface $request, ResponseInterface $response) {
$response->setStatus(401);
}
} }

12
apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php
View File

@ -21,9 +21,6 @@
namespace OCA\DAV\Tests\unit\Connector\Sabre; namespace OCA\DAV\Tests\unit\Connector\Sabre;
use OC\Authentication\TwoFactorAuth\Manager;
use OC\Security\Bruteforce\Throttler;
use OC\User\Session;
use OCA\DAV\Connector\Sabre\BearerAuth; use OCA\DAV\Connector\Sabre\BearerAuth;
use OCP\IRequest; use OCP\IRequest;
use OCP\ISession; use OCP\ISession;
@ -85,4 +82,13 @@ class BearerAuthTest extends TestCase {
$this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token')); $this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token'));
} }
public function testChallenge() {
/** @var \PHPUnit_Framework_MockObject_MockObject|RequestInterface $request */
$request = $this->createMock(RequestInterface::class);
/** @var \PHPUnit_Framework_MockObject_MockObject|ResponseInterface $response */
$response = $this->createMock(ResponseInterface::class);
$result = $this->bearerAuth->challenge($request, $response);
$this->assertEmpty($result);
}
} }

4
build/integration/features/webdav-related.feature
View File

@ -8,7 +8,7 @@ Feature: webdav-related
Then the HTTP status code should be "401" Then the HTTP status code should be "401"
And there are no duplicate headers And there are no duplicate headers
And The following headers should be set And The following headers should be set
|WWW-Authenticate|Basic realm="Nextcloud", Bearer realm="Nextcloud"| |WWW-Authenticate|Basic realm="Nextcloud"|
Scenario: Unauthenticated call new dav path Scenario: Unauthenticated call new dav path
Given using new dav path Given using new dav path
@ -16,7 +16,7 @@ Feature: webdav-related
Then the HTTP status code should be "401" Then the HTTP status code should be "401"
And there are no duplicate headers And there are no duplicate headers
And The following headers should be set And The following headers should be set
|WWW-Authenticate|Bearer realm="Nextcloud", Basic realm="Nextcloud"| |WWW-Authenticate|Basic realm="Nextcloud"|
Scenario: Moving a file Scenario: Moving a file
Given using old dav path Given using old dav path