owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0
1.38k stars, 182 forks

REPORT request to dav endpoints without `remote.php` returns 405 method not allowed #6954

Open nabim777 opened 1 year ago

nabim777 commented 1 year ago

Describe the bug

When making an API request to search a file by tag and not using remote.php in the destination URL, we get the following results:

Steps to reproduce

Steps to reproduce the behavior:

  1. Create a file personalFile.txt in personal space
  2. Create a space Project
  3. Create a file space.txt inside project space Project
  4. Assign a tag tag1 to both files personalFile.txt and space.txt
  5. Search for a file using tag tag1 with the following curl commands for the different dav path versions:

for old dav path version:
```bash
curl -kv -XREPORT https://localhost:9200/webdav \
  -u admin:admin \
  -d " Tags:tag1 " | xmllint --format -
```

for new dav path version:
```bash
curl -kv -XREPORT https://localhost:9200/dav/files/admin \
  -u admin:admin \
  -d " Tags:tag1 " | xmllint --format -
```

for spaces dav path version:
```bash
curl -kv -XREPORT https://localhost:9200/dav/spaces/ \
  -u admin:admin \
  -d " Tags:tag1 " | xmllint --format -
```

Expected behavior

The expected response should be the same as when using remote.php in the endpoint

for old dav path version:
```xml
< HTTP/1.1 207 Multi-Status
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate, value
< Content-Length: 1847
< Content-Range: rows 0-1/2
< Content-Security-Policy: frame-ancestors 'none'
< Content-Type: application/xml; charset=utf-8
< Date: Thu, 03 Aug 2023 06:38:09 GMT
< Dav: 1, 3, extended-mkcol
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Last-Modified: Thu, 03 Aug 2023 06:38:09 GMT
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Request-Id: nabin-OptiPlex-3050/u2704Ztkec-002986
< X-Webdav-Version: 3.1.0-beta.1+92d94afb20
<
{ [627 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
100 2033 100 1847 100 186 23774 2394 --:--:-- --:--:-- --:--:-- 26402
* Connection #0 to host localhost left intact
/remote.php/dav/spaces/9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$ee621d91-9363-4164-a970-775b4eefed74/space.txt
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$ee621d91-9363-4164-a970-775b4eefed74!383e22e5-35d6-43be-aa9a-1fe6b0c72e2e
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$ee621d91-9363-4164-a970-775b4eefed74!ee621d91-9363-4164-a970-775b4eefed74
space.txt
2023-08-03T06:37:04Z
text/plain
RDNVW
tag1
0
5.363422393798828
HTTP/1.1 200 OK

/remote.php/dav/spaces/9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89/personal.txt
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89!f6b497f9-9e0a-4d0b-83dd-cfcdc3f949d3
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89!faa55102-57df-4539-8a4a-5a1b03560e89
personal.txt
2023-08-02T09:32:53Z
text/plain
RDNVW
tag1
5
4.950923442840576
HTTP/1.1 200 OK
```

for new dav path version:
```xml
< HTTP/1.1 207 Multi-Status
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate, value
< Content-Length: 1847
< Content-Range: rows 0-1/2
< Content-Security-Policy: frame-ancestors 'none'
< Content-Type: application/xml; charset=utf-8
< Date: Thu, 03 Aug 2023 06:40:10 GMT
< Dav: 1, 3, extended-mkcol
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Last-Modified: Thu, 03 Aug 2023 06:40:10 GMT
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Request-Id: nabin-OptiPlex-3050/u2704Ztkec-002988
< X-Webdav-Version: 3.1.0-beta.1+92d94afb20
<
{ [627 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
100 2033 100 1847 100 186 23867 2403 --:--:-- --:--:-- --:--:-- 26402
* Connection #0 to host localhost left intact
/remote.php/dav/spaces/9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$ee621d91-9363-4164-a970-775b4eefed74/space.txt
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$ee621d91-9363-4164-a970-775b4eefed74!383e22e5-35d6-43be-aa9a-1fe6b0c72e2e
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$ee621d91-9363-4164-a970-775b4eefed74!ee621d91-9363-4164-a970-775b4eefed74
space.txt
2023-08-03T06:37:04Z
text/plain
RDNVW
tag1
0
5.363422393798828
HTTP/1.1 200 OK

/remote.php/dav/spaces/9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89/personal.txt
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89!f6b497f9-9e0a-4d0b-83dd-cfcdc3f949d3
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89!faa55102-57df-4539-8a4a-5a1b03560e89
personal.txt
2023-08-02T09:32:53Z
text/plain
RDNVW
tag1
5
4.950923442840576
HTTP/1.1 200 OK
```

for spaces dav path version:
```xml
< HTTP/1.1 207 Multi-Status
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate, value
< Content-Length: 1847
< Content-Range: rows 0-1/2
< Content-Security-Policy: frame-ancestors 'none'
< Content-Type: application/xml; charset=utf-8
< Date: Thu, 03 Aug 2023 06:41:59 GMT
< Dav: 1, 3, extended-mkcol
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Last-Modified: Thu, 03 Aug 2023 06:41:59 GMT
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Request-Id: nabin-OptiPlex-3050/u2704Ztkec-002990
< X-Webdav-Version: 3.1.0-beta.1+92d94afb20
<
{ [627 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
100 2033 100 1847 100 186 24772 2494 --:--:-- --:--:-- --:--:-- 27472
* Connection #0 to host localhost left intact
/remote.php/dav/spaces/9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$ee621d91-9363-4164-a970-775b4eefed74/space.txt
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$ee621d91-9363-4164-a970-775b4eefed74!383e22e5-35d6-43be-aa9a-1fe6b0c72e2e
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$ee621d91-9363-4164-a970-775b4eefed74!ee621d91-9363-4164-a970-775b4eefed74
space.txt
2023-08-03T06:37:04Z
text/plain
RDNVW
tag1
0
5.363422393798828
HTTP/1.1 200 OK

/remote.php/dav/spaces/9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89/personal.txt
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89!f6b497f9-9e0a-4d0b-83dd-cfcdc3f949d3
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89!faa55102-57df-4539-8a4a-5a1b03560e89
personal.txt
2023-08-02T09:32:53Z
text/plain
RDNVW
tag1
5
4.950923442840576
HTTP/1.1 200 OK
```

Actual behavior

for old dav path version:
```xml
< HTTP/1.1 405 Method Not Allowed
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate, value
< Content-Length: 0
< Content-Security-Policy: frame-ancestors 'self'
< Date: Thu, 03 Aug 2023 06:43:21 GMT
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Last-Modified: Thu, 03 Aug 2023 06:43:21 GMT
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Request-Id: nabin-OptiPlex-3050/u2704Ztkec-003066
< X-Web-Version: 3.1.0-beta.1+92d94afb20
```

for new dav path version:
```xml
< HTTP/1.1 405 Method Not Allowed
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate, value
< Content-Length: 0
< Content-Security-Policy: frame-ancestors 'self'
< Date: Thu, 03 Aug 2023 06:48:08 GMT
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Last-Modified: Thu, 03 Aug 2023 06:48:08 GMT
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Request-Id: nabin-OptiPlex-3050/u2704Ztkec-003142
< X-Web-Version: 3.1.0-beta.1+92d94afb20
```

for spaces dav path version:
```xml
< HTTP/1.1 207 Multi-Status
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate, value
< Content-Length: 1847
< Content-Range: rows 0-1/2
< Content-Security-Policy: frame-ancestors 'none'
< Content-Type: application/xml; charset=utf-8
< Date: Thu, 03 Aug 2023 06:49:43 GMT
< Dav: 1, 3, extended-mkcol
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Last-Modified: Thu, 03 Aug 2023 06:49:43 GMT
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Request-Id: nabin-OptiPlex-3050/u2704Ztkec-003146
< X-Webdav-Version: 3.1.0-beta.1+92d94afb20
<
{ [627 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
100 2033 100 1847 100 186 24731 2490 --:--:-- --:--:-- --:--:-- 27472
* Connection #0 to host localhost left intact
/remote.php/dav/spaces/9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89/personal.txt
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89!f6b497f9-9e0a-4d0b-83dd-cfcdc3f949d3
9f9fbd5f-3099-4eae-a3b4-e3ab1b939902$faa55102-57df-4539-8a4a-5a1b03560e89!faa55102-57df-4539-8a4a-5a1b03560e89
personal.txt
2023-08-02T09:32:53Z
text/plain
RDNVW
tag1
5
4.950923442840576
HTTP/1.1 200 OK
```
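
A triage helper for the responses in the report above, added here as an example (it is not part of the issue or of the ocis code base). It parses `curl -v` header lines and reports which service answered, assuming the `X-Web-Version` / `X-Webdav-Version` header identifies the replying service; the sample inputs are constructed from the headers shown above.

```python
import re

# Constructed samples: header lines as `curl -v` prints them, trimmed from
# the two kinds of response shown in this report.
SAMPLE_405 = """\
< HTTP/1.1 405 Method Not Allowed
< Content-Security-Policy: frame-ancestors 'self'
< X-Frame-Options: SAMEORIGIN
< X-Web-Version: 3.1.0-beta.1+92d94afb20
"""
SAMPLE_207 = """\
< HTTP/1.1 207 Multi-Status
< Content-Security-Policy: frame-ancestors 'none'
< Dav: 1, 3, extended-mkcol
< X-Frame-Options: DENY
< X-Webdav-Version: 3.1.0-beta.1+92d94afb20
"""

def parse_curl_verbose(text):
    """Return (status, headers) for the last response in `curl -v` output."""
    status, headers = None, {}
    for line in text.splitlines():
        if not line.startswith("< "):
            continue  # skip request ('>'), TLS/info ('*') and body lines
        line = line[2:].strip()
        m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", line)
        if m:
            status, headers = int(m.group(1)), {}  # new response starts
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def answering_service(headers):
    """Assumption: the X-<name>-Version header names the replying service."""
    for name in headers:
        m = re.fullmatch(r"x-(.+)-version", name)
        if m:
            return m.group(1)
    return "unknown"

def triage(text):
    """Summarise whether a REPORT request reached the WebDAV handler."""
    status, headers = parse_curl_verbose(text)
    service = answering_service(headers)
    return {"status": status, "service": service,
            "dav_header": "dav" in headers,
            "frame_policy": headers.get("x-frame-options")}
```
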
ScharfViktor commented 1 year ago

Honestly, I'm not sure if this is a bug. I haven't found any WebDAV request in web without remote.php. It's too confusing to have a lot of endpoints and use endpoints with/without some part of it. IMHO, I don't think that the dev team will start fixing legacy to have the ability to use old endpoints without remote.php.

I just see that the tests use endpoint without remote.php only for space dav path https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/bootstrap/WebDav.php#L218-L234

Maybe we need to change it? cc @saw-jan @individual-it

saw-jan commented 1 year ago

If the dev team won't be fixing old and new dav endpoints (to work without remote.php) then it should be fine but for spaces this (without remote.php) should work because I suppose, /remote.php endpoints are just for compatibility and they will be removed/discouraged to use later in the future.

saw-jan commented 1 year ago

Tested for spaces endpoints:

/dav/spaces :heavy_check_mark:

```bash
curl -XREPORT -uadmin:admin "https://localhost:9200/dav/spaces/8c99ec79-9e69-4fe6-a0bc-d97e048f0eae%24e2f5e9d7-742a-4e9f-9bed-0fa6b7f0ec1d" \
-d"<?xml version='1.0' encoding='utf-8' ?>
<oc:search-files xmlns:a='DAV:' xmlns:oc='http://owncloud.org/ns' >
<oc:search>
<oc:pattern>Tags:tag1</oc:pattern>
</oc:search>
</oc:search-files>" -vk
< HTTP/1.1 207 Multi-Status
< Content-Length: 975
...
<d:multistatus xmlns:s="http://sabredav.org/ns" xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:response><d:href>/remote.php/dav/spaces/8c99ec79-9e69-4fe6-a0bc-d97e048f0eae$e2f5e9d7-742a-4e9f-9bed-0fa6b7f0ec1d/fil1.txt</d:href><d:propstat><d:prop><oc:fileid>8c99ec79-9e69-4fe6-a0bc-d97e048f0eae$e2f5e9d7-742a-4e9f-9bed-0fa6b7f0ec1d!4a456eb4-640c-4b7e-b8c4-67c522583dd4</oc:fileid><oc:file-parent>8c99ec79-9e69-4fe6-a0bc-d97e048f0eae$e2f5e9d7-742a-4e9f-9bed-0fa6b7f0ec1d!e2f5e9d7-742a-4e9f-9bed-0fa6b7f0ec1d</oc:file-parent><oc:name>fil1.txt</oc:name><d:getlastmodified>2023-08-03T09:35:12Z</d:getlastmodified><d:getcontenttype>text/plain</d:getcontenttype><oc:permissions>RDNVW</oc:permissions><oc:highlights></oc:highlights><oc:tags>tag1</oc:tags><d:getetag></d:getetag><d:resourcetype></d:resourcetype><d:getcontentlength>7</d:getcontentlength><oc:score>2.873692750930786</oc:score></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response></d:multistatus>
```

remote.php/dav/spaces :heavy_check_mark:

```bash
curl -XREPORT -uadmin:admin "https://localhost:9200/remote.php/dav/spaces/8c99ec79-9e69-4fe6-a0bc-d97e048f0eae%24e2f5e9d7-742a-4e9f-9bed-0fa6b7f0ec1d" \
-d"<?xml version='1.0' encoding='utf-8' ?>
<oc:search-files xmlns:a='DAV:' xmlns:oc='http://owncloud.org/ns' >
<oc:search>
<oc:pattern>Tags:tag1</oc:pattern>
</oc:search>
</oc:search-files>" -vk
< HTTP/1.1 207 Multi-Status
< Content-Length: 975
...
<d:multistatus xmlns:s="http://sabredav.org/ns" xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:response><d:href>/remote.php/dav/spaces/8c99ec79-9e69-4fe6-a0bc-d97e048f0eae$e2f5e9d7-742a-4e9f-9bed-0fa6b7f0ec1d/fil1.txt</d:href><d:propstat><d:prop><oc:fileid>8c99ec79-9e69-4fe6-a0bc-d97e048f0eae$e2f5e9d7-742a-4e9f-9bed-0fa6b7f0ec1d!4a456eb4-640c-4b7e-b8c4-67c522583dd4</oc:fileid><oc:file-parent>8c99ec79-9e69-4fe6-a0bc-d97e048f0eae$e2f5e9d7-742a-4e9f-9bed-0fa6b7f0ec1d!e2f5e9d7-742a-4e9f-9bed-0fa6b7f0ec1d</oc:file-parent><oc:name>fil1.txt</oc:name><d:getlastmodified>2023-08-03T09:35:12Z</d:getlastmodified><d:getcontenttype>text/plain</d:getcontenttype><oc:permissions>RDNVW</oc:permissions><oc:highlights></oc:highlights><oc:tags>tag1</oc:tags><d:getetag></d:getetag><d:resourcetype></d:resourcetype><d:getcontentlength>7</d:getcontentlength><oc:score>2.873692750930786</oc:score></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response></d:multistatus>
```

@ScharfViktor you can close the issue if there won't be any changes for old and new dav. spaces endpoints look good.

nabim777 commented 1 month ago

According to the discussion in https://github.com/owncloud/ocis/issues/7104#issuecomment-1711310103, this issue is closed.

saw-jan commented 1 month ago

> According to the discussion in #7104 (comment), this issue is closed.

This is a different issue than issues #7104 and #7096

REPORT requests with remote.php should be allowed.

CC @ScharfViktor