Do not setup a session when not required on WebDAV requests

If basic auth is used on WebDAV endpoints, we will not setup a session
by default but instead set a test cookie. Clients which handle session
cookies properly will send back the cookie then on the second request
and a session will be initialized which can be resued for
authentication.

Signed-off-by: Julius Härtl <jus@bitgrid.net>

apps/files/lib/Controller/ViewController.php

@@ -174,6 +174,7 @@ public function showFile(string $fileid = null, int $openfile = 1): Response {
  /**
  * @NoCSRFRequired
  * @NoAdminRequired
+ * @UseSession
  *
  * @param string $dir
  * @param string $view

lib/base.php

@@ -412,6 +412,15 @@ private static function printUpgradePage(\OC\SystemConfig $systemConfig) {
  }
 
  public static function initSession() {
+ $request = self::$server->getRequest();
+ $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0;
+ if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest) {
+ setcookie('cookie_test', 'test', time() + 3600);
+ // Do not initialize the session if a request is authenticated directly
+ // unless there is a session cookie already sent along
+ return;
+ }
+
  if (self::$server->getRequest()->getServerProtocol() === 'https') {
  ini_set('session.cookie_secure', 'true');
  }

lib/private/Authentication/TwoFactorAuth/Manager.php

@@ -42,6 +42,7 @@
 use OCP\IConfig;
 use OCP\ISession;
 use OCP\IUser;
+use OCP\Session\Exceptions\SessionNotAvailableException;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\EventDispatcher\GenericEvent;
@@ -362,7 +363,7 @@ public function needsSecondFactor(IUser $user = null): bool {
  $this->session->set(self::SESSION_UID_DONE, $user->getUID());
  return false;
  }
- } catch (InvalidTokenException $e) {
+ } catch (InvalidTokenException|SessionNotAvailableException $e) {
  }
  }