owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

Case sensitive usernames when logging in with an app password via webdav #29708

Closed mdusher closed 6 years ago

mdusher commented 6 years ago
### Steps to reproduce

1. Create an app password
2. Try to log in with your username in a different case to what is stored in ownCloud

### Expected behaviour

The login should be case insensitive for the login.

### Actual behaviour

The login is rejected because it does not match what is stored in ownCloud.

### Server configuration

**Operating system:** Redhat 7

**Web server:** Apache 2.2.15

**Database:** MariaDB 10.0.27 with Galera 25.3.18

**PHP version:** 7.0.23

**ownCloud version:** 10.0.3

**Updated from an older ownCloud or fresh install:** Updated from 8.2.11

**Where did you install ownCloud from:** https://owncloud.org/install/#edition

**Signing status (ownCloud 9.0 and above):**

```
Integrity checker has been disabled. Integrity cannot be verified.
```

**The content of config/config.php:**

```
{
    "system": {
        "instanceid": "5230042dc1897",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "cloudstor.aarnet.edu.au"
        },
        "datadirectory": "\/cloudstor\/data\/owncloud\/data",
        "version": "10.0.3.3",
        "dbtype": "mysql",
        "dbname": "owncloud",
        "dbhost": "127.0.0.1:3306",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "",
        "installed": true,
        "operation.mode": "clustered-instance",
        "default_language": "en_GB",
        "defaultapp": "files",
        "knowledgebaseenabled": true,
        "enable_avatars": false,
        "allow_user_to_change_display_name": false,
        "session_lifetime": 86400,
        "session_keepalive": true,
        "token_auth_enforced": false,
        "mail_domain": "aarnet.edu.au",
        "mail_from_address": "cloudstor-noreply",
        "mail_smtpmode": "php",
        "overwriteprotocol": "https",
        "overwrite.cli.url": "https:\/\/cloudstor.aarnet.edu.au\/plus",
        "htaccess.RewriteBase": "\/plus",
        "trashbin_retention_obligation": "30, auto, auto",
        "appcodechecker": false,
        "updatechecker": false,
        "has_internet_connection": true,
        "check_for_working_webdav": false,
        "check_for_working_htaccess": true,
        "log_type": "owncloud",
        "logfile": "\/cloudstor\/logs\/owncloud\/owncloud.log",
        "loglevel": 3,
        "logtimezone": "UTC",
        "log_query": false,
        "customclient_desktop": "https:\/\/cloudstor.aarnet.edu.au\/client-download\/",
        "customclient_android": "https:\/\/play.google.com\/store\/apps\/details?id=au.edu.aarnet.cloudstor.android",
        "customclient_ios": "https:\/\/itunes.apple.com\/au\/app\/cloudstor\/id1215476371?mt=8",
        "cron_log": true,
        "appstore.experimental.enabled": false,
        "apps_paths": [
            {
                "path": "\/cloudstor\/www\/owncloud\/apps",
                "url": "\/apps",
                "writable": true
            },
            {
                "path": "\/cloudstor\/www\/owncloud\/3rdparty-apps",
                "url": "\/3rdparty-apps",
                "writable": true
            }
        ],
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\Illustrator",
            "OC\\Preview\\Postscript",
            "OC\\Preview\\Photoshop",
            "OC\\Preview\\Movie"
        ],
        "maintenance": false,
        "singleuser": false,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "127.0.0.1",
            "port": 6380,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "memcached_servers": [
            [
                "127.0.0.1",
                11211
            ]
        ],
        "blacklisted_files": [
            ".htaccess"
        ],
        "share_folder": "\/Shared",
        "cipher": "AES-256-CFB",
        "minimum.supported.desktop.version": "1.5.0",
        "quota_include_external_storage": false,
        "filesystem_check_changes": 0,
        "filesystem_cache_readonly": false,
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED",
            "HTTP_FORWARDED_FOR"
        ],
        "filelocking.enabled": true,
        "filelocking.ttl": 3600,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "upgrade.disable-web": true,
        "upgrade.automatic-app-update": false,
        "integrity.check.disabled": true,
        "cache_path": "\/cloudstor\/data\/tmp",
        "tempdirectory": "\/cloudstor\/data\/tmp",
        "mail_smtpdebug": false,
        "mail_smtphost": "smtp.aarnet.edu.au",
        "mail_smtpport": "25",
        "mail_smtptimeout": 10,
        "preview_office_cl_parameters": "",
        "preview_max_scale_factor": 10,
        "preview_max_filesize_image": 100,
        "openssl": [],
        "activity_expire_days": 365
    }
}
```

**List of activated apps:**

```
- aarnet-hooks: 0.0.1
- activity: 2.3.4
- cloudstortheme: 1.0.0
- collections: 1.1.1
- comments: 0.3.0
- configreport: 0.1.1
- dav: 0.3.0
- direct_menu: 0.1.0
- federatedfilesharing: 0.3.1
- federation: 0.1.0
- files: 1.5.1
- files_clipboard: 0.6.4
- files_external: 0.7.1
- files_pdfviewer: 0.8.2
- files_sharing: 0.10.1
- files_texteditor: 2.2
- files_trashbin: 0.9.1
- files_versions: 1.3.0
- files_videoplayer: 0.9.8
- filescan: 0.0.1
- filesenderapp: 1.0
- firstrunwizard: 1.1
- gallery: 16.0.2
- impersonate: 0.1.0
- market: 0.2.2
- notifications: 0.3.1
- provisioning_api: 0.5.0
- renaming_api: 0.0.1
- tenant_portal: 1.0.6
- terms: 0.1
- updatenotification: 0.2.1
- user_saml: 0.4
```

**Are you using external storage, if yes which one:** no

**Are you using encryption:** no

**Are you using an external user-backend, if yes which one:** user_saml

### Logs

I don't think any of the logs are relevant. But here are the header responses from a simple curl (truncated, only difference is the capital letters in my username):

```
$ curl -I -X PROPFIND -u"michael.usher@aarnet.edu.au:XXXX-XXXX-XXXX-XXXX" https://cloudstor.aarnet.edu.au/plus/remote.php/webdav/
Enter host password for user 'michael.usher@aarnet.edu.au':
HTTP/1.1 401 Unauthorized
$ curl -I -X PROPFIND -u"Michael.Usher@aarnet.edu.au:XXXX-XXXX-XXXX-XXXX" https://cloudstor.aarnet.edu.au/plus/remote.php/webdav/
Enter host password for user 'Michael.Usher@aarnet.edu.au':
HTTP/1.1 207 Multi-Status
```
ownclouders commented 6 years ago

GitMate.io thinks a possibly related issue is #29063: Generic Share Exception when attempting to create new shares (OC10.0.3).

PVince81 commented 6 years ago

At first I'd think it's only a matter of adding strtolower when comparing the user name in some of the auth code. However I think there is more involved: some user backends are case sensitive. So the bug fix will need to take this into account.

PVince81 commented 6 years ago

@DeepDiver1975

PVince81 commented 6 years ago

From what I remember, app passwords are created based on the login you have used for the session in which you created the app password. There is some information that is encrypted in the database using this specific user id. So using a different user id in combination with that password cannot work.

This is not only about casing but also affects setups where LDAP allows a single user to login with several different login names. Only one can be used in combination with an app password. This is why it is currently displayed in the settings page along with the token. They need to be copy-pasted as is.

Also app passwords are usually designed to be stored and saved once. So the user only ever enters this once in their apps. So there is no UX benefit of allowing different username casings anyway.

Closing as "by design".
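The two points in this thread (the first comment's idea of a `strtolower` comparison, and the later explanation that the app password protects data bound to the exact login it was created under) can be shown with a small model. The following is an added illustration, not ownCloud's token code: it assumes a store where each app-password record keeps the login name as typed, a lookup hash of the app password, and a session secret encrypted under a key derived from both the app password and that login name. The login names, the session secret and the `XXXX-XXXX-XXXX-XXXX`-shaped password are constructed sample values. The point it makes is that a case-insensitive lookup can find the record, but the key derived from the differently cased login still does not fit, so the login is rejected either way; only a case-insensitive backend that normalises the login *before* the record is created and before every later authentication would behave as the reporter expected.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class AppPasswordRecord:
    """Constructed model of one stored app password (an assumption, not ownCloud's schema)."""
    login_name: str    # the login exactly as typed when the app password was created
    token_hash: str    # sha256 of the app password; used only to find the record
    salt: bytes
    ciphertext: bytes  # session secret, encrypted under a key derived from (login_name, app_password)
    tag: bytes         # HMAC over the ciphertext, so a wrong key is detected instead of yielding garbage


def _derive_key(login_name: str, app_password: str, salt: bytes) -> bytes:
    # The login name is mixed into the salt, so the same app password presented with a
    # differently cased login derives a different 64-byte key (32 bytes enc, 32 bytes MAC).
    return hashlib.pbkdf2_hmac("sha256", app_password.encode(), salt + login_name.encode(), 50_000, dklen=64)


def _keystream(key: bytes, length: int) -> bytes:
    # Toy HMAC-counter stream cipher, enough for the demonstration; a real store would use
    # an AEAD such as AES-GCM from a vetted library rather than this construction.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _token_hash(app_password: str) -> str:
    return hashlib.sha256(app_password.encode()).hexdigest()


def generate_app_password() -> str:
    # Same XXXX-XXXX-XXXX-XXXX shape as the redacted password in the issue's curl output.
    return "-".join(secrets.token_hex(2).upper() for _ in range(4))


def create_app_password(login_name: str, session_secret: bytes,
                        app_password: Optional[str] = None) -> tuple[str, AppPasswordRecord]:
    """Create a record bound to login_name as given; returns (app_password, record)."""
    app_password = app_password or generate_app_password()
    salt = secrets.token_bytes(16)
    key = _derive_key(login_name, app_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    ciphertext = _xor(session_secret, _keystream(enc_key, len(session_secret)))
    tag = hmac.new(mac_key, ciphertext, "sha256").digest()
    return app_password, AppPasswordRecord(login_name, _token_hash(app_password), salt, ciphertext, tag)


def authenticate(records: list[AppPasswordRecord], login_name: str, app_password: str,
                 case_insensitive_lookup: bool = False) -> Optional[bytes]:
    """Return the session secret, or None when the (login, app password) pair is rejected."""
    token_hash = _token_hash(app_password)
    for rec in records:
        if rec.token_hash != token_hash:
            continue
        if case_insensitive_lookup:
            names_match = rec.login_name.lower() == login_name.lower()   # the "strtolower" idea
        else:
            names_match = rec.login_name == login_name
        if not names_match:
            continue
        # The key is derived from the login *as presented*, not the stored one: this is what
        # makes the stored secret unrecoverable under a differently cased login.
        key = _derive_key(login_name, app_password, rec.salt)
        enc_key, mac_key = key[:32], key[32:]
        expected = hmac.new(mac_key, rec.ciphertext, "sha256").digest()
        if not hmac.compare_digest(expected, rec.tag):
            return None  # record found, but the key derived from this login does not fit
        return _xor(rec.ciphertext, _keystream(enc_key, len(rec.ciphertext)))
    return None


if __name__ == "__main__":
    store = []
    pw, rec = create_app_password("Michael.Usher@example.invalid", b"session-secret-bytes")
    store.append(rec)
    print(authenticate(store, "Michael.Usher@example.invalid", pw))   # exact login: secret returned
    print(authenticate(store, "michael.usher@example.invalid", pw))   # lower-cased login: None
    print(authenticate(store, "michael.usher@example.invalid", pw, case_insensitive_lookup=True))  # still None
```

Running the block shows the secret for the exact login and `None` for the lower-cased one, with or without the case-insensitive lookup. The same reasoning covers the LDAP case mentioned above: a second login alias for the same account derives a different key, so it cannot use an app password created under the first alias.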

lock[bot] commented 5 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.