From 6abb37317f9a5e0dd4744b0c4a221ee04ffc700f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julius=20H=C3=A4rtl?= Date: Wed, 4 Aug 2021 15:52:10 +0200 Subject: [PATCH] Do not setup a session when not required on WebDAV requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If basic auth is used on WebDAV endpoints, we will not setup a session by default but instead set a test cookie. Clients which handle session cookies properly will send back the cookie then on the second request and a session will be initialized which can be resued for authentication. Signed-off-by: Julius Härtl --- apps/files/lib/Controller/ViewController.php | 1 + lib/base.php | 20 ++++++++++++++----- .../Authentication/TwoFactorAuth/Manager.php | 3 ++- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/apps/files/lib/Controller/ViewController.php b/apps/files/lib/Controller/ViewController.php index cfbc9afce2b07..1da9814d7e829 100644 --- a/apps/files/lib/Controller/ViewController.php +++ b/apps/files/lib/Controller/ViewController.php @@ -175,6 +175,7 @@ public function showFile(string $fileid = null, int $openfile = 1): Response { /** * @NoCSRFRequired * @NoAdminRequired + * @UseSession * * @param string $dir * @param string $view diff --git a/lib/base.php b/lib/base.php index a847373ea2bb2..a7c36bcd3fe19 100644 --- a/lib/base.php +++ b/lib/base.php @@ -73,6 +73,7 @@ use OCP\EventDispatcher\IEventDispatcher; use OCP\Group\Events\UserRemovedEvent; use OCP\ILogger; +use OCP\IRequest; use OCP\IURLGenerator; use OCP\IUserSession; use OCP\Server; @@ -408,7 +409,16 @@ private static function printUpgradePage(\OC\SystemConfig $systemConfig): void { } public static function initSession(): void { - if (Server::get(\OCP\IRequest::class)->getServerProtocol() === 'https') { + $request = Server::get(IRequest::class); + $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0; + if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest) { + setcookie('cookie_test', 'test', time() + 3600); + // Do not initialize the session if a request is authenticated directly + // unless there is a session cookie already sent along + return; + } + + if ($request->getServerProtocol() === 'https') { ini_set('session.cookie_secure', 'true'); } @@ -516,7 +526,7 @@ private static function sendSameSiteCookies(): void { * also we can't directly interfere with PHP's session mechanism. */ private static function performSameSiteCookieProtection(\OCP\IConfig $config): void { - $request = Server::get(\OCP\IRequest::class); + $request = Server::get(IRequest::class); // Some user agents are notorious and don't really properly follow HTTP // specifications. For those, have an automated opt-out. Since the protection @@ -778,7 +788,7 @@ public static function init(): void { return; } - $request = Server::get(\OCP\IRequest::class); + $request = Server::get(IRequest::class); $host = $request->getInsecureServerHost(); /** * if the host passed in headers isn't trusted @@ -840,7 +850,7 @@ public static function registerCleanupHooks(\OC\SystemConfig $systemConfig): voi if (!defined('PHPUNIT_RUN') && $userSession->isLoggedIn()) { // reset brute force delay for this IP address and username $uid = $userSession->getUser()->getUID(); - $request = Server::get(\OCP\IRequest::class); + $request = Server::get(IRequest::class); $throttler = Server::get(\OC\Security\Bruteforce\Throttler::class); $throttler->resetDelay($request->getRemoteAddress(), 'login', ['user' => $uid]); } @@ -970,7 +980,7 @@ public static function handleRequest(): void { exit(); } - $request = Server::get(\OCP\IRequest::class); + $request = Server::get(IRequest::class); $requestPath = $request->getRawPathInfo(); if ($requestPath === '/heartbeat') { return; diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php index 37a9f03d07383..ce73238498755 100644 --- a/lib/private/Authentication/TwoFactorAuth/Manager.php +++ b/lib/private/Authentication/TwoFactorAuth/Manager.php @@ -42,6 +42,7 @@ use OCP\IConfig; use OCP\ISession; use OCP\IUser; +use OCP\Session\Exceptions\SessionNotAvailableException; use Psr\Log\LoggerInterface; use Symfony\Component\EventDispatcher\EventDispatcherInterface; use Symfony\Component\EventDispatcher\GenericEvent; @@ -362,7 +363,7 @@ public function needsSecondFactor(IUser $user = null): bool { $this->session->set(self::SESSION_UID_DONE, $user->getUID()); return false; } - } catch (InvalidTokenException $e) { + } catch (InvalidTokenException|SessionNotAvailableException $e) { } }