Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sending MKCOL requests to another or non-existing user's webDav endpoints as normal user should return 404 #40519

Open
phil-davis opened this issue Nov 30, 2022 · 3 comments
Labels

Comments

@phil-davis
Copy link
Contributor

Steps to reproduce

Steps to reproduce the behavior:

  1. As user admin send MKCOL request to another user's endpoint
    curl -vk -X MKCOL -u admin:admin http://localhost/core/remote.php/dav/files/anu/Test | xmllint --format -

  2. As user admin send MKCOL request to non-existing user's endpoint
    curl -vk -X MKCOL -u admin:admin http://localhost/core/remote.php/dav/files/nonexistent/Test | xmllint --format -

Expected behavior

the status code should be 404. Visit this lInk owncloud/ocis#3872 (comment) for more info

Actual behavior

  • Returns status 403 for existing user
  • Return status 409 non-existent user
`curl -vk -X MKCOL -u admin:admin http://localhost/core/remote.php/dav/files/anu/Test | xmllint --format -`
curl -vk -X MKCOL -u admin:admin http://localhost/core/remote.php/dav/files/anu/Test | xmllint --format -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'admin'
> MKCOL /core/remote.php/dav/files/anu/Test HTTP/1.1
> Host: localhost
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Tue, 08 Nov 2022 06:16:12 GMT
< Server: Apache/2.4.41 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: ocdyemofowli=82k2al7rk5s86at5o9nod3sbbu; path=/core; HttpOnly; SameSite=Strict
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=9lMPlShWSOuv4sKHdcInmdm5FzRFq5oh1gVJcRtBAptqJplo%2FxImrE%2FGkaVc%2BaB6vnlNhFwDv91RbccXmaRrVkPkOfdgljZVUPH06qSkKRZv2%2FYcCS77d%2B9S%2B4PZbu4F; expires=Tue, 08-Nov-2022 06:36:12 GMT; Max-Age=1200; path=/core; HttpOnly; SameSite=Strict
< Content-Security-Policy: default-src 'none';
< Set-Cookie: ocdyemofowli=11n0q0rpkccdc4nua5iveoje72; path=/core; HttpOnly; SameSite=Strict
< Set-Cookie: cookie_test=test; expires=Tue, 08-Nov-2022 07:16:12 GMT; Max-Age=3600
< Content-Length: 230
< Content-Type: application/xml; charset=utf-8
< 
{ [230 bytes data]
100   230  100   230    0     0   2254      0 --:--:-- --:--:-- --:--:--  2254
* Connection #0 to host localhost left intact
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Forbidden</s:exception>
  <s:message>Permission denied to create directory</s:message>
</d:error>

The response should be the same for both cases - if the user exists, and if the user does not exist. A mix of 403 and 409 are returned. The suggestion is that 404 should be returned in all cases, which is what ocis is implementing.

@phil-davis
Copy link
Contributor Author

phil-davis commented Nov 30, 2022

See https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiAuthWebDav/webDavMCKOLAuthOC10Issue40485.feature for the scenarios that demonstrate the current behavior.

See PR #40495 which adjusted the test scenarios. And previous issue #40485

@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

@phil-davis
Copy link
Contributor Author

Still relevant. I added the "bug" labrl so that the bot will not touch this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant