check anonymous OPTIONS requests file in root (not in subdir)

Signed-off-by: Bastien Durel <bastien@durel.org>
Bastien Durel 2019-01-04 13:05:35 +01:00 committed by Backportbot
parent 39b0d4700f
commit 7b4d4dcca8
2 changed files with 14 additions and 1 deletions


@ -45,12 +45,19 @@ class AnonymousOptionsPlugin extends ServerPlugin {
$this->server->on('beforeMethod', [$this, 'handleAnonymousOptions'], 9); $this->server->on('beforeMethod', [$this, 'handleAnonymousOptions'], 9);
} }
/**
* @return bool
*/
public function isRequestInRoot($path) {
return $path === '' || (is_string($path) && strpos($path, '/') === FALSE);
}
/** /**
* @throws \Sabre\DAV\Exception\Forbidden * @throws \Sabre\DAV\Exception\Forbidden
* @return bool * @return bool
*/ */
public function handleAnonymousOptions(RequestInterface $request, ResponseInterface $response) { public function handleAnonymousOptions(RequestInterface $request, ResponseInterface $response) {
if ($request->getHeader('Authorization') === null && $request->getMethod() === 'OPTIONS') { if ($request->getHeader('Authorization') === null && $request->getMethod() === 'OPTIONS' && $this->isRequestInRoot($request->getPath())) {
/** @var CorePlugin $corePlugin */ /** @var CorePlugin $corePlugin */
$corePlugin = $this->server->getPlugin('core'); $corePlugin = $this->server->getPlugin('core');
// setup a fake tree for anonymous access // setup a fake tree for anonymous access
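Review bot: `isRequestInRoot()` decides which unauthenticated OPTIONS requests are answered without credentials, yet its docblock is only `@return bool` and `$path` is untyped. The `strpos($path, '/') === FALSE` test is a sound root check only if the path arrives already URL-decoded and without leading or trailing slashes. That is presumably what `$request->getPath()` guarantees, but it should be confirmed and stated, e.g. `@param string $path request path relative to the DAV base, decoded, no leading/trailing slash`, plus a one-line summary that only root-level targets are served anonymously. The helper is declared `public` although this hunk only shows it called from `handleAnonymousOptions()`, so `private` with lowercase `false` would fit better. The body of `handleAnonymousOptions()` continues outside the hunk.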


@ -56,6 +56,12 @@ class AnonymousOptionsTest extends TestCase {
$this->assertEquals(200, $response->getStatus()); $this->assertEquals(200, $response->getStatus());
} }
public function testAnonymousOptionsNonRootSubDir() {
$response = $this->sendRequest('OPTIONS', 'foo/bar');
$this->assertEquals(401, $response->getStatus());
}
} }
class SapiMock extends Sapi { class SapiMock extends Sapi {
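Review bot: The new test pins only the `foo/bar` case, so the boundary of the root check is not exercised in this hunk. A single-segment target and a trailing-slash form such as `foo/` would show whether path normalisation happens before `isRequestInRoot()` sees the value. For example, add `$this->assertEquals(200, $this->sendRequest('OPTIONS', 'foo')->getStatus());` alongside an assertion for `'foo/'` whose expected status is chosen deliberately. Earlier tests in this class lie outside the hunk and may already cover the first case.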