search

couling / WebDAV-Daemon

MIT License
34 stars 7 forks source link

OPTIONS request requires authentication #11

Closed sbluhm closed 3 years ago

sbluhm commented 4 years ago

When an OPTIONS request is received, the server requires authentication. This will cause CORS requests to fail.

See https://www.jujens.eu/posts/en/2015/Jun/27/webdav-options/

Test: curl -i -X OPTIONS https://www.example.com Result:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="My Server"
Content-Type: text/html

Expectation: 

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 0
Accept: OPTIONS, GET, HEAD, DELETE, PROPFIND, PUT, PROPPATCH, COPY, MOVE, LOCK, UNLOCK
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1980 00:00:00 GMT
Server: couling-webdavd
Accept-Ranges: bytes
DAV: 1
Content-Type: text/html
couling commented 4 years ago

Do you have any steps to reproduce in terms of it's affect on CORS?

The current behaviour is as designed as this has security implications:

RFC 4918 section 18 states:

Note particularly that resources, rather than servers, are spoken of as being compliant. That is because theoretically some resources on a server could support different feature sets. For example, a server could have a sub-repository where an advanced feature like versioning was supported, even if that feature was not supported on all sub-repositories.

So the design decision to hide this behind authentication was to avoid exposing information about the existence of underlying resources.

The current code responds with a uniform response to OPTIONS requests irrespective of URL. (see here) however if the server is placed behind a reverse proxy it could expose a DAV server to unauthenticated users which may not be desirable.

It might take a significant code change to make this work but I think it would be okay to make this configurable leaving the current behaviour by default.

sbluhm commented 4 years ago

You will get "unidentifyable" errors in Firefox and Chrome that are blocking the request mentioning CORS but also indicating an underlying network issue.

I did the code change and am currently testing it (whilst working on other CORS challenges like the header implementation). I think I found an easy change. Let me adapt the code to make it configure-able and test some more.

This is my approach: https://github.com/sbluhm/WebDAV-Daemon/blob/no-auth-options/webdavd.c#L1775

sbluhm commented 4 years ago

12

couling commented 3 years ago

Merged