DavMail POP/IMAP/SMTP/Caldav/Carddav/LDAP Exchange and Office 365 Gateway - Synced with main subversion repository at
GNU General Public License v2.0
caldav port lists DELETE in http OPTIONS command, even when user is not yet authenticated #267
Open
niol opened 1 year ago
from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030688
Normally this should only be available for users that are authenticated. However, this is not the case:
```
alain@ceres:~$ openssl s_client -connect localhost:2443
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Server: DavMail Gateway 5.5.1-trunk
DAV: 1, calendar-access, calendar-auto-schedule, calendarserver-private-events, addressbook
Date: Mon, 06 Feb 2023 13:47:07 +0000
Expires: Mon, 06 Feb 2023 13:47:07 +0000
Cache-Control: private, max-age=0
Allow: OPTIONS, PROPFIND, HEAD, GET, REPORT, PROPPATCH, PUT, DELETE, POST
Connection: keep-alive
Content-Length: 0
```
Methods that imply write operations should only be listed if a valid Authorization header has been sent by client.
The fix may be as simple as adding a condition in `CaldavConnection.sendOptions()`.
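A small regression check for the behaviour reported above, added here as an example and not part of DavMail or of the report: it parses the `Allow` header of an unauthenticated OPTIONS reply and flags any write methods, using the headers quoted in the report as a constructed sample. The live probe assumes the gateway listens on `localhost:2443` with a self-signed certificate, as in the reporter's session.

```python
"""Check whether a CalDAV endpoint advertises write methods in its OPTIONS
reply before the client has authenticated (added example, not DavMail code)."""
import http.client
import ssl

# Methods that imply a write; advertising them to an unauthenticated client
# is the behaviour the report objects to. The set is an assumption.
WRITE_METHODS = {"PUT", "DELETE", "POST", "PROPPATCH",
                 "MKCOL", "MKCALENDAR", "MOVE", "COPY"}


def parse_allow(headers):
    """Return the set of methods listed in Allow header(s).

    `headers` is a list of (name, value) pairs as returned by
    http.client.HTTPResponse.getheaders(); the header name is
    case-insensitive and may be repeated or comma-separated."""
    methods = set()
    for name, value in headers:
        if name.lower() == "allow":
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods


def unauthenticated_write_methods(headers):
    """Write methods that should not be advertised before authentication."""
    return parse_allow(headers) & WRITE_METHODS


def probe_options(host="localhost", port=2443, path="/"):
    """Send an OPTIONS request with no Authorization header; return (status, headers)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # assumption: gateway uses a self-signed certificate
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    headers = resp.getheaders()
    conn.close()
    return resp.status, headers


# Constructed sample: the headers quoted in the report, as getheaders() would return them.
SAMPLE_HEADERS = [
    ("Server", "DavMail Gateway 5.5.1-trunk"),
    ("DAV", "1, calendar-access, calendar-auto-schedule, calendarserver-private-events, addressbook"),
    ("Allow", "OPTIONS, PROPFIND, HEAD, GET, REPORT, PROPPATCH, PUT, DELETE, POST"),
]

if __name__ == "__main__":
    status, hdrs = probe_options()
    leaked = unauthenticated_write_methods(hdrs)
    print("OPTIONS ->", status, "| write methods advertised:", sorted(leaked) or "none")
```

Run against a patched gateway, the live probe should report no write methods; against the build in the report it lists the four found in the sample.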