security hardening in remoteStorage app

This commit is contained in:
Michiel de Jong 2012-02-25 21:59:58 +00:00
parent a1d03de666
commit 820f2f27f6
3 changed files with 21 additions and 13 deletions


@ -69,7 +69,10 @@ if(count($pathParts) >= 3 && $pathParts[0] == '') {
$server->setBaseUri(OC::$WEBROOT."/apps/remoteStorage/WebDAV.php/$ownCloudUser"); $server->setBaseUri(OC::$WEBROOT."/apps/remoteStorage/WebDAV.php/$ownCloudUser");
// Auth backend // Auth backend
$authBackend = new OC_Connector_Sabre_Auth_ro_oauth(OC_remoteStorage::getValidTokens($ownCloudUser, $category)); $authBackend = new OC_Connector_Sabre_Auth_ro_oauth(
OC_remoteStorage::getValidTokens($ownCloudUser, $category),
$category
);
$authPlugin = new Sabre_DAV_Auth_Plugin($authBackend,'ownCloud');//should use $validTokens here $authPlugin = new Sabre_DAV_Auth_Plugin($authBackend,'ownCloud');//should use $validTokens here
$server->addPlugin($authPlugin); $server->addPlugin($authPlugin);
@ -82,5 +85,6 @@ if(count($pathParts) >= 3 && $pathParts[0] == '') {
// And off we go! // And off we go!
$server->exec(); $server->exec();
} else { } else {
die('not the right address format '.var_export($pathParts, true)); //die('not the right address format '.var_export($pathParts, true));
die('not the right address format');
} }


@ -96,5 +96,6 @@ if(count($pathParts) == 2 && $pathParts[0] == '') {
.'<form method="POST"><input name="allow" type="submit" value="Click here"></form>'); .'<form method="POST"><input name="allow" type="submit" value="Click here"></form>');
} }
} else { } else {
die('please use auth.php/username?params. '.var_export($pathParts, true)); //die('please use auth.php/username?params. '.var_export($pathParts, true));
die('please use auth.php/username?params.');
} }

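Review bot: The consent form `<form method="POST"><input name="allow" type="submit" value="Click here"></form>` carries no anti-CSRF token, so, as far as this hunk shows, any page on another origin can auto-submit `allow` on behalf of a logged-in ownCloud user and obtain a remoteStorage token for the requested category. Add a hidden field holding a per-session random value and reject the POST unless it matches the stored one before the grant is issued. The handler that builds this form and processes the POST starts outside this hunk, so the check belongs at its top.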

@ -16,9 +16,10 @@
class OC_Connector_Sabre_Auth_ro_oauth extends Sabre_DAV_Auth_Backend_AbstractBasic { class OC_Connector_Sabre_Auth_ro_oauth extends Sabre_DAV_Auth_Backend_AbstractBasic {
private $validTokens; private $validTokens;
private $category;
public function __construct($validTokensArg) { public function __construct($validTokensArg, $categoryArg) {
$this->validTokens = $validTokensArg; $this->validTokens = $validTokensArg;
$this->category = $categoryArg;
} }
/** /**
@ -31,16 +32,16 @@ class OC_Connector_Sabre_Auth_ro_oauth extends Sabre_DAV_Auth_Backend_AbstractBa
*/ */
protected function validateUserPass($username, $password){ protected function validateUserPass($username, $password){
//always give read-only: //always give read-only:
if(in_array($_SERVER['REQUEST_METHOD'], array('GET', 'HEAD', 'OPTIONS'))) { if(($_SERVER['REQUEST_METHOD'] == 'OPTIONS')
OC_Util::setUpFS(); || (isset($this->validTokens[$password]))
return true; || (($_SERVER['REQUEST_METHOD'] == 'GET') && ($this->category == 'public'))
} else if(isset($this->validTokens[$password])) { ) {
OC_Util::setUpFS(); OC_Util::setUpFS();
return true; return true;
} else { } else {
var_export($_SERVER); //var_export($_SERVER);
var_export($this->validTokens); //var_export($this->validTokens);
die('not getting in with "'.$username.'"/"'.$password.'"!'); //die('not getting in with "'.$username.'"/"'.$password.'"!');
return false; return false;
} }
} }
@ -53,7 +54,9 @@ die('not getting in with "'.$username.'"/"'.$password.'"!');
$auth->setRealm($realm); $auth->setRealm($realm);
$userpass = $auth->getUserPass(); $userpass = $auth->getUserPass();
if (!$userpass) { if (!$userpass) {
if(in_array($_SERVER['REQUEST_METHOD'], array('OPTIONS'))) { if(($_SERVER['REQUEST_METHOD'] == 'OPTIONS')
||(($_SERVER['REQUEST_METHOD'] == 'GET') && ($this->category == 'public'))
) {
$userpass = array('', ''); $userpass = array('', '');
} else { } else {
$auth->requireLogin(); $auth->requireLogin();
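Review bot: The commented-out debug lines at the bottom of validateUserPass should be deleted rather than kept: `//die('not getting in with "'.$username.'"/"'.$password.'"!');` writes the submitted bearer token into the HTTP response body, and `//var_export($this->validTokens);` would dump every valid token, so leaving them in the source is one uncomment away from reintroducing the leak the commit fixes. Replace the else branch with a bare `return false;` and, if a trace is wanted, log only the request method and category, never the credential. Note also that in the authenticate hunk the anonymous `array('', '')` fallback for OPTIONS and public GET then runs through `isset($this->validTokens[$password])` with an empty password; that is harmless only as long as getValidTokens can never return an entry keyed by the empty string, which is worth a comment or an explicit `$password !== ''` guard. The authenticate method continues past the end of this hunk.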