owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

Performing `LOCK` on non-existing resource creates new resource with lock #39952

Open amrita-shrestha opened 2 years ago

amrita-shrestha commented 2 years ago

Steps to reproduce

  1. create user uu1

  2. lock a non-existent resource lorem.txt


```
curl -u uu1:password -X LOCK http://host.docker.internal:8080/remote.php/webdav/lorem.txt -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:exclusive/></d:lockscope></d:lockinfo>" -v
```

Expected behaviour

While locking a non-existent resource (file/folder), a new resource should not be created and the API should return an error message. The oCIS backend returns:

```
<d:error xmlns:d="DAV" xmlns:s="http://sabredav.org/ns"><s:exception></s:exception><s:message>error: not found: set lock: error: not found: ddc2004c-0977-11eb-9d3f-a793888cd0f8/adddd</s:message></d:error>
```

Actual behaviour

While locking a non-existent resource (file/folder), a new resource is created with an active lock.


```
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to host.docker.internal (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'uu1'
> LOCK /remote.php/webdav/lorem.txt HTTP/1.1
> Host: host.docker.internal:8080
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 120
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 120 out of 120 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Tue, 05 Apr 2022 08:22:43 GMT
< Server: Apache
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: ocn66cqa9tb6=ju6fokdj54l05705lnp2spigdu; path=/; HttpOnly; SameSite=Strict
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=YEEYWB9GajYKISwomduJjhmKyZenRqMGNEXJTAlPCcgNddq5Owmud6wbe6femnSk7oL7vGXe%2FGpaznwJiP5QAYmJGEujyZf%2FOgq77D8PN2gC%2FB84EZIVTfQgvRopXxdH; path=/; HttpOnly; SameSite=Strict
< Content-Security-Policy: default-src 'none';
< Set-Cookie: ocn66cqa9tb6=rmn5e4igokiaqg6um8l45akouv; path=/; HttpOnly; SameSite=Strict
< Set-Cookie: cookie_test=test; expires=Tue, 05-Apr-2022 09:22:43 GMT; Max-Age=3600
< OC-FileId: 00000021ocn66cqa9tb6
< Lock-Token: <opaquelocktoken:4f749ce7-d547-4fc2-9c3f-80082f0fd7b1>
< Content-Length: 588
< Content-Type: application/xml; charset=utf-8
<
<?xml version="1.0"?>
<d:prop xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns">
<d:lockdiscovery>
  <d:activelock>
   <d:lockscope>
    <d:exclusive/>
   </d:lockscope>
   <d:locktype>
    <d:write/>
   </d:locktype>
   <d:lockroot>
    <d:href>/remote.php/webdav/lorem.txt</d:href>
   </d:lockroot>
   <d:depth>infinity</d:depth>
   <d:timeout>Second-1800</d:timeout>
   <d:locktoken>
    <d:href>opaquelocktoken:4f749ce7-d547-4fc2-9c3f-80082f0fd7b1</d:href>
   </d:locktoken>
   <d:owner>uu1</d:owner>
  </d:activelock>
</d:lockdiscovery>
</d:prop>
* Connection #0 to host host.docker.internal left intact
```

Server configuration

Operating system: ubuntu 20.04

Web server: apache2

Database: sqlite

PHP version: 7.4

ownCloud version: (see ownCloud admin page) git-master

Updated from an older ownCloud or fresh install: fresh

Where did you install ownCloud from: git

phil-davis commented 2 years ago

The new resource is created as an empty file. I suppose that should not happen - a 404 "not found" should be returned when attempting to lock a resource that does not exist.
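A regression probe for the behaviour reported in this issue, added here as an example and not part of the thread or of ownCloud's code: it sends the same `LOCK` body to a path it has first confirmed absent, records whether the server created a resource, then removes the lock and the file. The function names and the `send(method, path, headers, body)` transport signature are assumptions of this example.

```python
import base64
import http.client
import sys
from urllib.parse import urlsplit

# Same request body as the curl command in the report.
LOCKINFO = (b"<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'>"
            b"<d:lockscope><d:exclusive/></d:lockscope></d:lockinfo>")

def http_transport(base_url, user, password):
    """Build send(method, path, headers, body) -> (status, headers, body) for a WebDAV root."""
    u = urlsplit(base_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method, path, headers=None, body=None):
        conn = cls(u.netloc, timeout=10)
        try:
            conn.request(method, u.path.rstrip("/") + path, body,
                         {"Authorization": auth, **(headers or {})})
            resp = conn.getresponse()
            return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read()
        finally:
            conn.close()
    return send

def probe_lock_on_missing(send, path):
    """LOCK a path that does not exist yet and report what the server did."""
    before = send("PROPFIND", path, {"Depth": "0"})[0]
    if before != 404:
        raise ValueError(f"expected 404 for {path} before LOCK, got {before}")
    status, headers, _ = send("LOCK", path, {"Content-Type": "application/xml"}, LOCKINFO)
    token = headers.get("lock-token")
    created = send("PROPFIND", path, {"Depth": "0"})[0] == 207
    # Clean up so the probe leaves no lock or empty file behind.
    if token:
        send("UNLOCK", path, {"Lock-Token": token})
    if created:
        send("DELETE", path)
    return {"lock_status": status, "lock_token": token, "resource_created": created}

if __name__ == "__main__":
    # usage: probe.py BASE_URL USER PASSWORD PATH  (e.g. .../remote.php/webdav uu1 password /lorem.txt)
    base, user, password, target = sys.argv[1:5]
    print(probe_lock_on_missing(http_transport(base, user, password), target))
```

A result of `lock_status` 201 with `resource_created` true matches the "Actual behaviour" above; 404 with `resource_created` false matches the "Expected behaviour".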