add security access headers for ocdav requests #780
Conversation
karakayasemi
force-pushed
the
add-access-headers
branch
2 times, most recently
from
284fc34 to
1c5f32e
Compare
| @@ -134,3 +138,8 @@ func (s *svc) handleGet(w http.ResponseWriter, r *http.Request, ns string) { | |||
| log.Error().Err(err).Msg("error finishing copying data to response") | |||
| } | |||
| } | |||
|
|
|||
| // Rawurlencode https://www.php2golang.com/method/function.rawurlencode.html | |||
| func Rawurlencode(str string) string { | |||
There was a problem hiding this comment.
Why the url.QueryEspace is not enough?
There was a problem hiding this comment.
oc10 encodes filename in Content-Disposition header with PHP's rawurlencode function. The difference between rawurlencode and url.QueryEscape is url.QueryEscape encodes spaces as + instead of %20. I added this function to ensure consistency with oc10.
I found url.PathEscape is also working in same way. So, now url.PathEscape has been used instead of this function with the last commit.
There was a problem hiding this comment.
@karakayasemi in that case, as youre' doing path.Base there no need to call url.PathEscape as there isn't a path. Base gives you the basename of the path.
There was a problem hiding this comment.
Yes, you are right. Redundant url.PathEscape has been removed.
karakayasemi
force-pushed
the
add-access-headers
branch
from
1c5f32e to
7b3d873
Compare
|
Hi @karakayasemi , take a look at the following page for default security configurations: If we are providing some defaults, let's make sure they are aligned with the propositions above. |
karakayasemi
force-pushed
the
add-access-headers
branch
from
7b3d873 to
105bfc7
Compare
The only conflicting part that I see is the age of |
karakayasemi
force-pushed
the
add-access-headers
branch
2 times, most recently
from
2be076c to
56b8838
Compare
karakayasemi
force-pushed
the
add-access-headers
branch
from
56b8838 to
176060a
Compare
Adds necessary security headers for ocdav requests.
For owncloud/ocis-reva#66