owncloud / product

ownCloud Product Backlog
GNU Lesser General Public License v3.0

[OCIS] unauthorized or invalid webdav responses do not give any body and invalid status codes. #273

Closed dpakach closed 1 year ago

dpakach commented 4 years ago

When trying to access a webdav endpoint with invalid authorization, it does not give any body in the response.

For example, try to access the trashbin of another user.

But instead it gives status 405 with no body.

curl -XPROPFIND https://localhost:9200/remote.php/dav/trash-bin/4c510ada-c86b-4815-8820-42cdf82c3d51/ -u marie:radioactivity -skv
...
> PROPFIND /remote.php/dav/trash-bin/4c510ada-c86b-4815-8820-42cdf82c3d51/ HTTP/1.1
> Host: localhost:9200
> Authorization: Basic bWFyaWU6cmFkaW9hY3Rpdml0eQ==
> User-Agent: curl/7.68.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 405 Method Not Allowed
< Access-Control-Allow-Origin: *
...

C0rby commented 3 years ago

I just tested it locally with the current oCIS master and it returns a 401 status with the following content:

HTTP/1.1 401 Unauthorized
Access-Control-Allow-Origin: *
Content-Length: 152
Content-Security-Policy: default-src 'none';
Content-Type: text/plain; charset=utf-8
Date: Tue, 08 Jun 2021 12:52:51 GMT
Vary: Origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block
<?xml version="1.0"?>
<d:error xmlns:d="DAV" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message/>
</d:error>

The message is missing though.

dragotin commented 3 years ago

Tested today, the reply code is 401 and contains

<d:error xmlns:d="DAV" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message></s:message>
  <s:header></s:header>
</d:error>

Note that the xml header is missing.
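As an added example (not code from the ownCloud/oCIS project), the expectation discussed in this thread written as a small conformance check: given a raw HTTP response to an unauthenticated WebDAV request, it reports whether the status is 401, whether a body is present, and whether the sabre-style error body carries its XML declaration, a non-empty `s:exception` and a non-empty `s:message`. The sample responses are constructed, modelled on the ones quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not code from the ownCloud/oCIS project: a conformance check
# for the unauthenticated WebDAV responses discussed in this issue.
DAV_NS = "DAV"                       # namespace bound to the d: prefix in the quoted bodies
SABRE_NS = "http://sabredav.org/ns"  # namespace bound to the s: prefix in the quoted bodies


def check_dav_unauthorized_response(raw: str) -> list[str]:
    """Return the list of findings for a raw HTTP response; [] means it is acceptable."""
    findings = []
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)   # split head from body
    body = parts[1].strip() if len(parts) > 1 else ""
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", parts[0])
    status = int(m.group(1)) if m else None
    if status != 401:
        findings.append(f"expected status 401, got {status}")
    if not body:
        findings.append("response has no body")
        return findings
    if not body.startswith("<?xml"):
        findings.append("XML declaration missing")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        findings.append(f"body is not well-formed XML: {exc}")
        return findings
    if root.tag != f"{{{DAV_NS}}}error":
        findings.append(f"unexpected root element {root.tag}")
    for name in ("exception", "message"):
        node = root.find(f"{{{SABRE_NS}}}{name}")
        if node is None or not (node.text or "").strip():
            findings.append(f"s:{name} missing or empty")
    return findings


# Constructed sample responses, modelled on the ones quoted in this thread.
RESPONSE_NO_BODY = "HTTP/1.1 405 Method Not Allowed\r\nAccess-Control-Allow-Origin: *\r\n\r\n"
RESPONSE_EMPTY_MESSAGE = (
    "HTTP/1.1 401 Unauthorized\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    '<?xml version="1.0"?>\n<d:error xmlns:d="DAV" xmlns:s="http://sabredav.org/ns">\n'
    "  <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n"
    "  <s:message/>\n</d:error>\n"
)
RESPONSE_OK = RESPONSE_EMPTY_MESSAGE.replace("<s:message/>", "<s:message>Not authenticated</s:message>")

if __name__ == "__main__":
    for label, resp in [("no body", RESPONSE_NO_BODY), ("empty message", RESPONSE_EMPTY_MESSAGE), ("ok", RESPONSE_OK)]:
        print(label, "->", check_dav_unauthorized_response(resp) or "acceptable")
```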

michaelstingl commented 1 year ago

looks fixed