
Prevent WebDAV delete of user's files folder #16756

Closed
PVince81 opened this issue Jun 5, 2015 · 7 comments · Fixed by #16767

Comments

@PVince81
Contributor

PVince81 commented Jun 5, 2015

Steps:

Run curl -D - -X DELETE "http://root:admin@localhost/owncloud/remote.php/webdav/"

Expected result

403 forbidden

Actual result

Internal folder "$user/files" is deleted.
Trashbin contains folder "files".
Getting "constraint violation errors".

We should probably make "isDeletable()" return false on the root folder and also "files".

CC @icewind1991 @schiesbn @nickvergessen

@PVince81
Contributor Author

PVince81 commented Jun 5, 2015

Note, this can also be achieved using a backslash folder:
curl -D - -X DELETE "http://root:admin@localhost/owncloud/remote.php/webdav/\\"

The folder gets sanitized to "/" which points to the internal "files" folder...

@PVince81
Contributor Author

PVince81 commented Jun 5, 2015

This also deletes the root:
curl -D - -X MOVE "http://root:admin@localhost/owncloud/remote.php/webdav/" -H 'Destination: http://root:admin@localhost/owncloud/remote.php/webdav/.\\.'

Normally it would not accept a MOVE of a folder onto itself, but semantically the target folder is considered a different folder, so it tries to overwrite it, and an overwrite first deletes the destination. So this has the same symptoms.
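The sanitization described in these comments (backslash folded to "/", "." segments and trailing slashes collapsed) and the proposed isDeletable()-style guard for the root, written up as an added Python illustration; this is not ownCloud code, and the DAV base path and the 403/204 status codes are assumptions.

```python
"""Added illustration (not ownCloud code): model the path sanitization the
issue describes and refuse DELETE/MOVE when the result is the root folder."""
import posixpath
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed endpoint base, taken from the curl URLs in the issue.
DAV_BASE = "/owncloud/remote.php/webdav"


def normalize_dav_path(raw: str) -> str:
    """Sanitize a request path: backslashes become slashes; '.', '..',
    repeated and trailing slashes collapse. Never climbs above the root,
    which is always returned as '/'."""
    p = raw.replace("\\", "/")
    # lstrip avoids posixpath's POSIX special case that keeps a leading '//'
    return posixpath.normpath("/" + p.lstrip("/"))


def path_from_destination(url: str, base: str = DAV_BASE) -> str:
    """Extract the DAV-relative path from a MOVE Destination header URL."""
    path = urlsplit(url).path
    if not path.startswith(base):
        raise ValueError("Destination outside the WebDAV endpoint")
    return path[len(base):]


def is_root(raw: str) -> bool:
    """True when the request path resolves to the user's root (the internal
    '$user/files' folder), whatever spelling was used on the wire."""
    return normalize_dav_path(raw) == "/"


def check_request(method: str, path: str,
                  destination: Optional[str] = None) -> Tuple[bool, int]:
    """Return (allowed, http_status). The root is neither deletable nor a
    valid MOVE source or target, matching an isDeletable() that is false."""
    if method in ("DELETE", "MOVE") and is_root(path):
        return (False, 403)
    if method == "MOVE":
        if destination is None:
            return (False, 400)
        if is_root(path_from_destination(destination)):
            return (False, 403)
    return (True, 204)


if __name__ == "__main__":
    # The three spellings from the issue all resolve to the root.
    for spelling in ("/", "\\", ".\\."):
        print(repr(spelling), "->", normalize_dav_path(spelling), check_request("DELETE", spelling))
```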

@PVince81
Contributor Author

PVince81 commented Jun 5, 2015

@SergioBertolinSG @jnfrmarks something to add to test plans.
Better test any kind of WebDAV operations on the root.

@DeepDiver1975 DeepDiver1975 added this to the 8.1-current milestone Jun 5, 2015
@SergioBertolinSG
Contributor

Tried

curl -D - -X DELETE "http://user:passwd@host/remote.php/webdav/\\"

It returned:

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Doctrine\DBAL\Exception\NotNullConstraintViolationException</s:exception>
  <s:message>An exception occurred while executing 'INSERT INTO "files_trash" ("id","timestamp","location","user") VALUES (?,?,?,?)' with params ["", 1433501523, null, "sergio"]:

SQLSTATE[23502]: Not null violation: 7 ERROR:  null value in column "location" violates not-null constraint
DETAIL:  Failing row contains (10, , sergio, 1433501523, null, null, null).</s:message>
</d:error>

And session gets broken.

@PVince81
Contributor Author

PVince81 commented Jun 5, 2015

Yes. And after the next login, they get an empty account.

@PVince81
Contributor Author

PVince81 commented Jun 5, 2015

Similar issue with public WebDAV: #16757

@PVince81
Contributor Author

PVince81 commented Jun 5, 2015

PR here #16767
