Merge pull request #13558 from nextcloud/backport/13354/stable14

[stable14] check anonymous OPTIONS requests file in root (not in subdir)
Roeland Jago Douma 2019-01-13 19:34:53 +01:00 committed by GitHub
commit dfad1cae2f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 1 deletions


@ -45,12 +45,19 @@ class AnonymousOptionsPlugin extends ServerPlugin {
$this->server->on('beforeMethod', [$this, 'handleAnonymousOptions'], 9);
}
/**
* @return bool
*/
public function isRequestInRoot($path) {
return $path === '' || (is_string($path) && strpos($path, '/') === FALSE);
}
/**
* @throws \Sabre\DAV\Exception\Forbidden
* @return bool
*/
public function handleAnonymousOptions(RequestInterface $request, ResponseInterface $response) {
if ($request->getHeader('Authorization') === null && $request->getMethod() === 'OPTIONS') {
if ($request->getHeader('Authorization') === null && $request->getMethod() === 'OPTIONS' && $this->isRequestInRoot($request->getPath())) {
/** @var CorePlugin $corePlugin */
$corePlugin = $this->server->getPlugin('core');
// setup a fake tree for anonymous access
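Review bot: `isRequestInRoot()` carries only `@return bool`, and nothing states what "root" means, although this predicate now decides which unauthenticated OPTIONS requests are answered from the fake tree in `handleAnonymousOptions()`. As written, any string without a `/` passes, so a single-segment path such as `foo` counts as root alongside the empty path, while a non-string `$path` returns false and presumably leaves the request to the regular authentication path. I would put that in the docblock, e.g. `@param string $path request path relative to the base URI; "root" means empty or containing no '/'`, and write `false` in lower case to match the `null` used on the following lines. The body of `handleAnonymousOptions()` continues past the end of the hunk.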


@ -56,6 +56,12 @@ class AnonymousOptionsTest extends TestCase {
$this->assertEquals(200, $response->getStatus());
}
public function testAnonymousOptionsNonRootSubDir() {
$response = $this->sendRequest('OPTIONS', 'foo/bar');
$this->assertEquals(401, $response->getStatus());
}
}
class SapiMock extends Sapi {
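Review bot: `testAnonymousOptionsNonRootSubDir()` pins the new restriction at a single point (`foo/bar` → 401), so the boundary that `isRequestInRoot()` draws is only checked on one side and at one depth. Whether the earlier tests in this class already cover a single-segment path without credentials cannot be seen from the hunk; if they do not, that case belongs next to this one, since it is the path shape that still bypasses authentication. For the deeper side, one more assertion such as `$this->assertEquals(401, $this->sendRequest('OPTIONS', 'foo/bar/baz')->getStatus());` would show that the rejection does not depend on there being exactly one slash.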