Can upload virus file with new public WebDAV API #334

Closed
dpakach opened this issue Oct 24, 2019 · 23 comments · Fixed by #434 or #450

@dpakach
Contributor

dpakach commented Oct 24, 2019

Steps to reproduce

  1. Set up files antivirus on owncloud instance.
  2. Enable tech_preview in order to use new public WebDAV API.
     php occ config:system:set dav.enable.tech_preview --value true --type bool
  3. Create a password protected public link share.
  4. Try to upload a virus file with new public WebDAV API, e.g.
     curl http://public:1234@172.17.0.1/oc/core/remote.php/dav/public-files/FkQv9oZCKMIbmfl/eicar.com -X PUT -H "Content-Type: text/plain" --data 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

Expected Behavior

The file will not be uploaded to public share

Actual Result

The file gets uploaded and is in locked state.

@phil-davis
Contributor

phil-davis commented Jan 6, 2020

PR #335 added some scenarios for this that are skipped.
Search for issue-334 when fixing this problem.
I removed the QA-related labels, because this needs some developer effort now.

@phil-davis
Contributor

@micbar this API is only active when tech_preview is enabled. But anyway, should someone be scheduled to look into this?
It might turn out to be some core hook that is not firing, or...

@micbar
Contributor

micbar commented Jan 7, 2020

@phil-davis good catch!
We need to keep this on the list for the productization of the new APIs.

@micbar
Contributor

micbar commented Jan 7, 2020

@phil-davis I created an EE Ticket for 10.5.0

@C0rby

C0rby commented Jan 15, 2020

It seems that it is not possible anymore to upload files using this webdav API.
All my attempts have been responded with:

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAVACL\Exception\NeedPrivileges</s:exception>
  <s:message>User did not have the required privileges ({DAV:}write-content) for path "public-files/QPYeKmJuo3yztJ0/welcome2.txt"</s:message>
  <d:need-privileges>
    <d:resource>
      <d:href>/remote.php/dav/public-files/QPYeKmJuo3yztJ0/welcome2.txt</d:href>
      <d:privilege>
        <d:write-content/>
      </d:privilege>
    </d:resource>
  </d:need-privileges>
</d:error>

@individual-it
Member

the test-data in the original post was wrong, I've corrected it.

The bug is still there but different now:

  • uploading the first time uploads the file, but results in a LockedException and the size of the file is listed as 0 bytes but the content is still uploaded
    curl http://localhost/owncloud-core/remote.php/dav/public-files/U44ArE94vPVkIfv/new.txt -X PUT -H "Content-Type: text/plain" --data 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    results in:
    <?xml version="1.0" encoding="utf-8"?>
    <d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
      <s:exception>OCP\Lock\LockedException</s:exception>
      <s:message>"New folder/new.txt" is locked</s:message>
    </d:error>
    
    log-output:
    {"reqId":"NoLesWzZLColjxLgYIn8","level":2,"time":"2021-03-23T06:14:28+00:00","remoteAddr":"127.0.0.1","user":"--","app":"files_antivirus","method":"PUT","url":"\/owncloud-core\/remote.php\/dav\/public-files\/U44ArE94vPVkIfv\/new.txt","message":"Infected file deleted. Win.Test.EICAR_HDB-1 Account: admin Path: files\/New folder\/new.txt"}
    {"reqId":"NoLesWzZLColjxLgYIn8","level":4,"time":"2021-03-23T06:14:28+00:00","remoteAddr":"127.0.0.1","user":"--","app":"webdav","method":"PUT","url":"\/owncloud-core\/remote.php\/dav\/public-files\/U44ArE94vPVkIfv\/new.txt","message":"Exception: \"New folder\/new.txt\" is locked: {\"Exception\":\"OCP\\\\Lock\\\\LockedException\",\"Message\":\"\\\"New folder\\\/new.txt\\\" is locked\",\"Code\":0,\"Trace\":\"#0 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(2140): OC\\\\Files\\\\View->lockPath()\\n#1 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(1208): OC\\\\Files\\\\View->lockFile()\\n#2 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(773): OC\\\\Files\\\\View->basicOperation()\\n#3 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/public\\\/Events\\\/EventEmitterTrait.php(50): OC\\\\Files\\\\View->OC\\\\Files\\\\{closure}(*** sensitive parameters replaced ***)\\n#4 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(783): OC\\\\Files\\\\View->emittingCall()\\n#5 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/Node\\\/File.php(123): OC\\\\Files\\\\View->unlink()\\n#6 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/lib\\\/Files\\\/PublicFiles\\\/PublicSharedRootNode.php(131): OC\\\\Files\\\\Node\\\\File->delete()\\n#7 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(1098): OCA\\\\DAV\\\\Files\\\\PublicFiles\\\\PublicSharedRootNode->createFile()\\n#8 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(504): Sabre\\\\DAV\\\\Server->createFile()\\n#9 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/WildcardEmitterTrait.php(89): Sabre\\\\DAV\\\\CorePlugin->httpPut()\\n#10 
\\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(472): Sabre\\\\DAV\\\\Server->emit()\\n#11 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(253): Sabre\\\\DAV\\\\Server->invokeMethod()\\n#12 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/lib\\\/Server.php(330): Sabre\\\\DAV\\\\Server->start()\\n#13 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/appinfo\\\/v2\\\/remote.php(31): OCA\\\\DAV\\\\Server->exec()\\n#14 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/remote.php(165): require_once('\\\/home\\\/artur\\\/www...')\\n#15 {main}\",\"File\":\"\\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php\",\"Line\":2042}"}
    {"reqId":"NoLesWzZLColjxLgYIn8","level":4,"time":"2021-03-23T06:14:28+00:00","remoteAddr":"127.0.0.1","user":"--","app":"webdav","method":"PUT","url":"\/owncloud-core\/remote.php\/dav\/public-files\/U44ArE94vPVkIfv\/new.txt","message":"Caused by: {\"Exception\":\"OCP\\\\Lock\\\\LockedException\",\"Message\":\"\\\"files\\\/fc7bf4171c38e991ee62b91388cc4cfe\\\" is locked\",\"Code\":0,\"Trace\":\"#0 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/Storage\\\/Common.php(669): OC\\\\Lock\\\\DBLockingProvider->acquireLock()\\n#1 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Wrapper.php(599): OC\\\\Files\\\\Storage\\\\Common->acquireLock()\\n#2 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Wrapper.php(599): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Wrapper->acquireLock()\\n#3 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Wrapper.php(599): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Wrapper->acquireLock()\\n#4 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Wrapper.php(599): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Wrapper->acquireLock()\\n#5 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Wrapper.php(599): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Wrapper->acquireLock()\\n#6 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(2037): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Wrapper->acquireLock()\\n#7 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(2140): OC\\\\Files\\\\View->lockPath()\\n#8 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(1208): OC\\\\Files\\\\View->lockFile()\\n#9 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(773): OC\\\\Files\\\\View->basicOperation()\\n#10 
\\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/public\\\/Events\\\/EventEmitterTrait.php(50): OC\\\\Files\\\\View->OC\\\\Files\\\\{closure}(*** sensitive parameters replaced ***)\\n#11 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(783): OC\\\\Files\\\\View->emittingCall()\\n#12 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/Node\\\/File.php(123): OC\\\\Files\\\\View->unlink()\\n#13 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/lib\\\/Files\\\/PublicFiles\\\/PublicSharedRootNode.php(131): OC\\\\Files\\\\Node\\\\File->delete()\\n#14 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(1098): OCA\\\\DAV\\\\Files\\\\PublicFiles\\\\PublicSharedRootNode->createFile()\\n#15 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(504): Sabre\\\\DAV\\\\Server->createFile()\\n#16 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/WildcardEmitterTrait.php(89): Sabre\\\\DAV\\\\CorePlugin->httpPut()\\n#17 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(472): Sabre\\\\DAV\\\\Server->emit()\\n#18 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(253): Sabre\\\\DAV\\\\Server->invokeMethod()\\n#19 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/lib\\\/Server.php(330): Sabre\\\\DAV\\\\Server->start()\\n#20 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/appinfo\\\/v2\\\/remote.php(31): OCA\\\\DAV\\\\Server->exec()\\n#21 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/remote.php(165): require_once('\\\/home\\\/artur\\\/www...')\\n#22 {main}\",\"File\":\"\\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Lock\\\/DBLockingProvider.php\",\"Line\":190}"}
    {"reqId":"NoLesWzZLColjxLgYIn8","level":4,"time":"2021-03-23T06:14:28+00:00","remoteAddr":"127.0.0.1","user":"--","app":"webdav","method":"PUT","url":"\/owncloud-core\/remote.php\/dav\/public-files\/U44ArE94vPVkIfv\/new.txt","message":"Caused by: {\"Exception\":\"Error\",\"Message\":\"Call to a member function getAbsolutePath() on null\",\"Code\":0,\"Trace\":\"#0 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/files_antivirus\\\/lib\\\/AvirWrapper.php(185): OCA\\\\Files_Trashbin\\\\Storage::preRenameHook()\\n#1 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/files_antivirus\\\/lib\\\/AvirWrapper.php(133): OCA\\\\Files_Antivirus\\\\AvirWrapper->onScanComplete()\\n#2 [internal function]: OCA\\\\Files_Antivirus\\\\AvirWrapper->OCA\\\\Files_Antivirus\\\\{closure}(*** sensitive parameters replaced ***)\\n#3 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/files_external\\\/3rdparty\\\/icewind\\\/streams\\\/src\\\/CallbackWrapper.php(119): call_user_func()\\n#4 [internal function]: Icewind\\\\Streams\\\\CallbackWrapper->stream_close()\\n#5 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(726): fclose()\\n#6 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/public\\\/Events\\\/EventEmitterTrait.php(50): OC\\\\Files\\\\View->OC\\\\Files\\\\{closure}(*** sensitive parameters replaced ***)\\n#7 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(751): OC\\\\Files\\\\View->emittingCall()\\n#8 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/Node\\\/File.php(71): OC\\\\Files\\\\View->file_put_contents()\\n#9 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/lib\\\/Files\\\/PublicFiles\\\/PublicSharedRootNode.php(117): OC\\\\Files\\\\Node\\\\File->putContent()\\n#10 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(1098): OCA\\\\DAV\\\\Files\\\\PublicFiles\\\\PublicSharedRootNode->createFile()\\n#11 
\\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(504): Sabre\\\\DAV\\\\Server->createFile()\\n#12 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/WildcardEmitterTrait.php(89): Sabre\\\\DAV\\\\CorePlugin->httpPut()\\n#13 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(472): Sabre\\\\DAV\\\\Server->emit()\\n#14 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(253): Sabre\\\\DAV\\\\Server->invokeMethod()\\n#15 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/lib\\\/Server.php(330): Sabre\\\\DAV\\\\Server->start()\\n#16 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/appinfo\\\/v2\\\/remote.php(31): OCA\\\\DAV\\\\Server->exec()\\n#17 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/remote.php(165): require_once('\\\/home\\\/artur\\\/www...')\\n#18 {main}\",\"File\":\"\\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/files_trashbin\\\/lib\\\/Storage.php\",\"Line\":67}"}
    
    file is uploaded, but shows 0byte size
    content can be viewed
  • trying to overwrite the file with a non-virus file works (if the Edit permission is set in the public share)
  • trying to overwrite the file with a virus file results in:
     <?xml version="1.0" encoding="utf-8"?>
     <d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
       <s:exception>Error</s:exception>
       <s:message>Call to a member function getAbsolutePath() on null</s:message>
     </d:error>
    
    log-output:
    {"reqId":"Xb1hue8FLO4FOVYKCADx","level":2,"time":"2021-03-23T06:21:46+00:00","remoteAddr":"127.0.0.1","user":"--","app":"files_antivirus","method":"PUT","url":"\/owncloud-core\/remote.php\/dav\/public-files\/U44ArE94vPVkIfv\/new.txt","message":"Infected file deleted. Win.Test.EICAR_HDB-1 Account: admin Path: files\/New folder\/new.txt"}
    {"reqId":"Xb1hue8FLO4FOVYKCADx","level":4,"time":"2021-03-23T06:21:46+00:00","remoteAddr":"127.0.0.1","user":"--","app":"webdav","method":"PUT","url":"\/owncloud-core\/remote.php\/dav\/public-files\/U44ArE94vPVkIfv\/new.txt","message":"Exception: Call to a member function getAbsolutePath() on null: {\"Exception\":\"Error\",\"Message\":\"Call to a member function getAbsolutePath() on null\",\"Code\":0,\"Trace\":\"#0 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/files_antivirus\\\/lib\\\/AvirWrapper.php(185): OCA\\\\Files_Trashbin\\\\Storage::preRenameHook()\\n#1 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/files_antivirus\\\/lib\\\/AvirWrapper.php(133): OCA\\\\Files_Antivirus\\\\AvirWrapper->onScanComplete()\\n#2 [internal function]: OCA\\\\Files_Antivirus\\\\AvirWrapper->OCA\\\\Files_Antivirus\\\\{closure}(*** sensitive parameters replaced ***)\\n#3 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/files_external\\\/3rdparty\\\/icewind\\\/streams\\\/src\\\/CallbackWrapper.php(119): call_user_func()\\n#4 [internal function]: Icewind\\\\Streams\\\\CallbackWrapper->stream_close()\\n#5 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(726): fclose()\\n#6 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/public\\\/Events\\\/EventEmitterTrait.php(50): OC\\\\Files\\\\View->OC\\\\Files\\\\{closure}(*** sensitive parameters replaced ***)\\n#7 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/View.php(751): OC\\\\Files\\\\View->emittingCall()\\n#8 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/private\\\/Files\\\/Node\\\/File.php(71): OC\\\\Files\\\\View->file_put_contents()\\n#9 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/lib\\\/Files\\\/PublicFiles\\\/SharedFile.php(68): OC\\\\Files\\\\Node\\\\File->putContent()\\n#10 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(1137): 
OCA\\\\DAV\\\\Files\\\\PublicFiles\\\\SharedFile->put()\\n#11 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(492): Sabre\\\\DAV\\\\Server->updateFile()\\n#12 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/WildcardEmitterTrait.php(89): Sabre\\\\DAV\\\\CorePlugin->httpPut()\\n#13 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(472): Sabre\\\\DAV\\\\Server->emit()\\n#14 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(253): Sabre\\\\DAV\\\\Server->invokeMethod()\\n#15 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/lib\\\/Server.php(330): Sabre\\\\DAV\\\\Server->start()\\n#16 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/dav\\\/appinfo\\\/v2\\\/remote.php(31): OCA\\\\DAV\\\\Server->exec()\\n#17 \\\/home\\\/artur\\\/www\\\/owncloud-core\\\/remote.php(165): require_once('\\\/home\\\/artur\\\/www...')\\n#18 {main}\",\"File\":\"\\\/home\\\/artur\\\/www\\\/owncloud-core\\\/apps\\\/files_trashbin\\\/lib\\\/Storage.php\",\"Line\":67}"}
    
    

@micbar micbar mentioned this issue May 3, 2021
@VicDeo VicDeo self-assigned this May 3, 2021
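
Added example, not part of the thread and not ownCloud code: a log check that groups ownCloud log entries by reqId and reports requests where files_antivirus logged "Infected file deleted" while another app logged an error in the same request, which is the pattern in both log excerpts above. The sample entries, the helper names and the error-level threshold are assumptions made for the example.

```python
import json
import re

# Message format of the files_antivirus entries quoted in the thread.
AV_DELETED = re.compile(
    r"Infected file deleted\. (?P<threat>\S+) Account: (?P<account>\S+) Path: (?P<path>.+)")
ERROR_LEVEL = 3  # ownCloud log levels: 0 debug, 1 info, 2 warning, 3 error, 4 fatal


def summarize(message):
    """Reduce 'Exception: ...: {json}' or 'Caused by: {json}' to 'Class: text'."""
    start = message.find("{")
    try:
        detail = json.loads(message[start:]) if start != -1 else {}
        return f'{detail["Exception"]}: {detail["Message"]}'
    except (ValueError, KeyError, TypeError):
        return message  # no parsable JSON tail, keep the raw message


def find_failed_cleanups(lines):
    """One finding per reqId where files_antivirus logged a deletion and
    another app logged an error while handling the same request."""
    requests = {}
    for raw in lines:
        try:
            entry = json.loads(raw)
        except ValueError:
            continue  # truncated or non-JSON line
        if not isinstance(entry, dict) or "reqId" not in entry:
            continue
        req = requests.setdefault(
            entry["reqId"], {"url": entry.get("url"), "av": None, "errors": []})
        message = str(entry.get("message", ""))
        if entry.get("app") == "files_antivirus":
            match = AV_DELETED.search(message)
            if match:
                req["av"] = match.groupdict()
        elif isinstance(entry.get("level"), int) and entry["level"] >= ERROR_LEVEL:
            req["errors"].append(summarize(message))
    return [{"reqId": rid, "url": r["url"], **r["av"], "errors": r["errors"]}
            for rid, r in requests.items() if r["av"] and r["errors"]]


def _entry(req_id, level, app, message, exc=None):
    # Constructed log line reusing the quoted field names; exc adds the JSON tail.
    if exc:
        message += json.dumps({"Exception": exc[0], "Message": exc[1], "Code": 0})
    return json.dumps({"reqId": req_id, "level": level, "app": app, "message": message,
                       "url": "/remote.php/dav/public-files/SHARETOKEN/new.txt"})


AV_MSG = ("Infected file deleted. Win.Test.EICAR_HDB-1 Account: admin "
          "Path: files/New folder/new.txt")
NULL_ERR = "Call to a member function getAbsolutePath() on null"
LOCKED = '"New folder/new.txt" is locked'
SAMPLE_LOG = [  # constructed, modelled on the two log excerpts in the thread
    _entry("req-create", 2, "files_antivirus", AV_MSG),
    _entry("req-create", 4, "webdav", f"Exception: {LOCKED}: ",
           ("OCP\\Lock\\LockedException", LOCKED)),
    _entry("req-create", 4, "webdav", "Caused by: ", ("Error", NULL_ERR)),
    _entry("req-overwrite", 2, "files_antivirus", AV_MSG),
    _entry("req-overwrite", 4, "webdav", f"Exception: {NULL_ERR}: ", ("Error", NULL_ERR)),
    _entry("req-rejected", 2, "files_antivirus", AV_MSG),  # AV entry only (assumed clean)
    _entry("req-noav", 4, "webdav", "Exception: ", ("Error", "unrelated failure")),
    '{"reqId":"req-truncated","level":4,',  # cut-off line, skipped by the parser
]

if __name__ == "__main__":
    print(json.dumps(find_failed_cleanups(SAMPLE_LOG), indent=2))
```

A finding means the scanner acted but the request did not finish cleanly, so the reported path should be checked for leftover content or a stray file-cache entry.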
@VicDeo
Member

VicDeo commented May 4, 2021

I can't upload anything using

curl http://localhost/owncloud-core/remote.php/dav/public-files/U44ArE94vPVkIfv/new.txt -X PUT -H "Content-Type: text/plain" --data 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

oops... I misconstructed the URL

@jnweiger
Contributor

jnweiger commented May 22, 2021

Reproduced with files_antivirus-1.0.0-rc2.tar.gz with a public share without(!) setting a password:

# wget https://secure.eicar.org/eicar.com.txt
eicar.com.txt                           100%[=============================================================================>]      68  --.-KB/s    in 0s      
# new_pub_no_pw_url=https://oc1070-macafee-20210519.jw-qa.owncloud.works/owncloud/remote.php/dav/public-files/5C0rxgO0cclZxVn/new-eicar.txt
#  curl $new_pub_no_pw_url -T eicar.com.txt 
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Forbidden</s:exception>
  <s:message>Virus A malware or virus was detected, your upload was deleted. In doubt or for details please contact your system administrator is detected in the file. Upload cannot be completed.</s:message>
</d:error>

The file is not uploaded. OK.

# curl $new_pub_no_pw_url -X PUT --data "Hello World"
# curl $new_pub_no_pw_url -T eicar.com.txt 
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Error</s:exception>
  <s:message>Call to a member function getAbsolutePath() on null</s:message>
</d:error>

The file gets created with content "Hello World". OK
The file gets overwritten with the eicar virus content. BAD

@jnweiger jnweiger reopened this May 22, 2021
@individual-it
Member

individual-it commented May 22, 2021

the tests enabled in #434 don't check overwrite

  • ToDo QA:Team: add tests that check overwrite of public link with a virus file

I raised a separate issue #458

@micbar
Contributor

micbar commented May 25, 2021

@VicDeo @jnweiger Was the fix not complete?

Or not included in the release?

@VicDeo
Member

VicDeo commented May 25, 2021

@micbar there are several issues reported here.

the fix does not cover one of them: overwriting an existing file content with a virus. And there are no acceptance tests covering this particular issue atm.
I'd say it's a less critical issue as the content is not uploaded. There is also a probability that the fix should go into the core. Needs investigation.

@VicDeo
Member

VicDeo commented May 26, 2021

hm... Works differently for me

URL="http://localhost/~deo/oc-tmp/remote.php/dav/public-files/jfsT7ujGSK8JMNn/somenewfile.txt"
deo@jah-mobile:> curl $URL -X PUT --data "Hello World"
deo@jah-mobile:> curl $URL -T ~/public_html/_craft/testfiles/eicar.txt
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>OCP\Files\FileContentNotAllowedException</s:exception>
  <s:message>Virus Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1; is detected in the file. Upload cannot be completed.</s:message>
</d:error>

The file somenewfile.txt is created with 'Hello World' content

On update with eicar the file didn't get infected content. But it was also removed from the file system.
Web UI still shows somenewfile.txt in this folder but the error popup An error occurred! Cannot read the file. appears on clicking it.

@jnweiger
Contributor

jnweiger commented May 31, 2021

@micbar @pmaier1 would you consider the overwrite scenario a blocker for the 1.0.0 release? I'd like to push forward with the release and fix this later.

Overwrite with an infected file produces different results for me and for @VicDeo -- both are bad.

@pmaier1
Contributor

pmaier1 commented Jun 1, 2021

@micbar @pmaier1 would you consider the overwrite scenario a blocker for the 1.0.0 release? I'd like to push forward with the release and fix this later.

Under the assumption that this only applies to the new public link endpoint which was added for ownCloud Web and is disabled by default, I'd not qualify this as a blocker and proceed with the release. Needs to be scheduled for fixing, of course.

@micbar
Contributor

micbar commented Jun 1, 2021

please go on, agree with @pmaier1

@micbar
Contributor

micbar commented Jun 7, 2021

@VicDeo was #434 not enough to fix this issue?

Please check.

@VicDeo
Member

VicDeo commented Jun 10, 2021

see #334 (comment)

@micbar
Contributor

micbar commented Jun 10, 2021

@pmaier1 @jnweiger @VicDeo I am puzzled.

Is it ok or not?

@VicDeo
Member

VicDeo commented Jun 10, 2021

@micbar
when a new uninfected file is created and then it is updated with the infected content
it's not possible to "upload virus file with new public WebDAV API" - it's ok
but the file disappears from the file system and we have a stray DB entry for it - it's not

@micbar
Contributor

micbar commented Jun 10, 2021

ok, then we need to fix it. If core changes are needed, we need to do it before Code freeze for 10.8.0

@VicDeo
Member

VicDeo commented Jun 11, 2021

Here you go #450

@VicDeo
Member

VicDeo commented Jun 14, 2021

#450 has been merged

@micbar
Contributor

micbar commented Jun 14, 2021

@jnweiger The issue is fixed.

Ship a patch release with minimal QA? Only one fix?

Would be nice IMO
