security hardening in remoteStorage app
This commit is contained in:
Michiel de Jong
parent
a1d03de666
commit
820f2f27f6
|
|
@ -69,7 +69,10 @@ if(count($pathParts) >= 3 && $pathParts[0] == '') {
|
|||
$server->setBaseUri(OC::$WEBROOT."/apps/remoteStorage/WebDAV.php/$ownCloudUser");
|
||||
|
||||
// Auth backend
|
||||
$authBackend = new OC_Connector_Sabre_Auth_ro_oauth(OC_remoteStorage::getValidTokens($ownCloudUser, $category));
|
||||
$authBackend = new OC_Connector_Sabre_Auth_ro_oauth(
|
||||
OC_remoteStorage::getValidTokens($ownCloudUser, $category),
|
||||
$category
|
||||
);
|
||||
|
||||
$authPlugin = new Sabre_DAV_Auth_Plugin($authBackend,'ownCloud');//should use $validTokens here
|
||||
$server->addPlugin($authPlugin);
|
||||
|
|
@ -82,5 +85,6 @@ if(count($pathParts) >= 3 && $pathParts[0] == '') {
|
|||
// And off we go!
|
||||
$server->exec();
|
||||
} else {
|
||||
die('not the right address format '.var_export($pathParts, true));
|
||||
//die('not the right address format '.var_export($pathParts, true));
|
||||
die('not the right address format');
|
||||
}
|
||||
|
|
|
|||
|
|
@ -96,5 +96,6 @@ if(count($pathParts) == 2 && $pathParts[0] == '') {
|
|||
.'<form method="POST"><input name="allow" type="submit" value="Click here"></form>');
|
||||
}
|
||||
} else {
|
||||
die('please use auth.php/username?params. '.var_export($pathParts, true));
|
||||
//die('please use auth.php/username?params. '.var_export($pathParts, true));
|
||||
die('please use auth.php/username?params.');
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,9 +16,10 @@
|
|||
|
||||
class OC_Connector_Sabre_Auth_ro_oauth extends Sabre_DAV_Auth_Backend_AbstractBasic {
|
||||
private $validTokens;
|
||||
|
||||
public function __construct($validTokensArg) {
|
||||
private $category;
|
||||
public function __construct($validTokensArg, $categoryArg) {
|
||||
$this->validTokens = $validTokensArg;
|
||||
$this->category = $categoryArg;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -31,16 +32,16 @@ class OC_Connector_Sabre_Auth_ro_oauth extends Sabre_DAV_Auth_Backend_AbstractBa
|
|||
*/
|
||||
protected function validateUserPass($username, $password){
|
||||
//always give read-only:
|
||||
if(in_array($_SERVER['REQUEST_METHOD'], array('GET', 'HEAD', 'OPTIONS'))) {
|
||||
OC_Util::setUpFS();
|
||||
return true;
|
||||
} else if(isset($this->validTokens[$password])) {
|
||||
if(($_SERVER['REQUEST_METHOD'] == 'OPTIONS')
|
||||
|| (isset($this->validTokens[$password]))
|
||||
|| (($_SERVER['REQUEST_METHOD'] == 'GET') && ($this->category == 'public'))
|
||||
) {
|
||||
OC_Util::setUpFS();
|
||||
return true;
|
||||
} else {
|
||||
var_export($_SERVER);
|
||||
var_export($this->validTokens);
|
||||
die('not getting in with "'.$username.'"/"'.$password.'"!');
|
||||
//var_export($_SERVER);
|
||||
//var_export($this->validTokens);
|
||||
//die('not getting in with "'.$username.'"/"'.$password.'"!');
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
@ -53,7 +54,9 @@ die('not getting in with "'.$username.'"/"'.$password.'"!');
|
|||
$auth->setRealm($realm);
|
||||
$userpass = $auth->getUserPass();
|
||||
if (!$userpass) {
|
||||
if(in_array($_SERVER['REQUEST_METHOD'], array('OPTIONS'))) {
|
||||
if(($_SERVER['REQUEST_METHOD'] == 'OPTIONS')
|
||||
||(($_SERVER['REQUEST_METHOD'] == 'GET') && ($this->category == 'public'))
|
||||
) {
|
||||
$userpass = array('', '');
|
||||
} else {
|
||||
$auth->requireLogin();
|
||||
|
|
|
|||
Loading…
Reference in New Issue