
sending MKCOL requests to another user's WebDAV endpoints as normal user gives 404 instead of 403 #3872

Closed
SwikritiT opened this issue May 25, 2022 · 8 comments

@SwikritiT (Contributor)


Steps to reproduce

Steps to reproduce the behavior:

  1. As user Einstein, send an MKCOL request to another user's endpoint:
    curl -vk -X MKCOL -u einstein:relativity https://localhost:9200/remote.php/dav/files/admin/Test | xmllint --format -

Expected behavior

As in oC10, the status code should be 403:

curl -X MKCOL -u testUser:123456 http://localhost/core/remote.php/dav/files/admin/PARENT -v | xmllint --format -
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'testUser'
> MKCOL /core/remote.php/dav/files/admin/PARENT HTTP/1.1
> Host: localhost
> Authorization: Basic dGVzdFVzZXI6MTIzNDU2
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Wed, 25 May 2022 07:46:30 GMT
< Server: Apache/2.4.41 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: oc5soe2gvutv=j8dud1spqf36dd6rm9fsd9hh1u; path=/core; HttpOnly; SameSite=Strict
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=8dXBIYPFLce49CNV5Vh5HFOVN1S0qnWfitLeEy1o%2BwuIhqCsB8%2B7T1hmsD5IYu9O4vuazjAGFReIc%2B4TSsB%2FoY3TQRFSvOTovCfkt6TF%2BKnEJiCFBCMIiZFDcAiBZ90N; expires=Wed, 25-May-2022 08:06:30 GMT; Max-Age=1200; path=/core; HttpOnly; SameSite=Strict
< Content-Security-Policy: default-src 'none';
< Set-Cookie: oc5soe2gvutv=pj99e98a05rl1498t65623ba4v; path=/core; HttpOnly; SameSite=Strict
< Set-Cookie: cookie_test=test; expires=Wed, 25-May-2022 08:46:31 GMT; Max-Age=3600
< Content-Length: 230
< Content-Type: application/xml; charset=utf-8
< 
{ [230 bytes data]
* Connection #0 to host localhost left intact
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Forbidden</s:exception>
  <s:message>Permission denied to create directory</s:message>
</d:error>

Actual behavior

Returns status 404

curl -vk -X MKCOL -u einstein:relativity https://localhost:9200/remote.php/dav/files/admin/Test | xmllint --format -
*   Trying 127.0.0.1:9200...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [835 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=Acme Corp; CN=OCIS
*  start date: May 25 05:08:52 2022 GMT
*  expire date: May 25 05:08:52 2023 GMT
*  issuer: O=Acme Corp; CN=OCIS
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using Basic with user 'einstein'
} [5 bytes data]
> MKCOL /remote.php/dav/files/admin/Test HTTP/1.1
> Host: localhost:9200
> Authorization: Basic ZWluc3RlaW46cmVsYXRpdml0eQ==
> User-Agent: curl/7.68.0
> Accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [130 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Access-Control-Allow-Origin: *
< Content-Length: 0
< Content-Security-Policy: default-src 'none';
< Date: Wed, 25 May 2022 07:49:35 GMT
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block
< 
* Connection #0 to host localhost left intact
-:1: parser error : Document is empty

^
@micbar (Contributor) commented Jul 13, 2022

@butonic @C0rby the old topic, 404 vs 403. IMO 404 is the better solution.

@phil-davis (Contributor)

Yes, 404 helps prevent leaking the existence or non-existence of another user.

IMO we should fix the test suite to expect 404 for all these sort of cross-user request attempts.

And raise an issue in oC10 to adjust the oC10 responses from 403 to 404, to improve that in oC10 and make it consistent.

@butonic (Member) commented Nov 7, 2022

Works as designed. In ocis we want to return 404 if a user does not have access to a space.

butonic closed this as completed Nov 7, 2022
@phil-davis (Contributor)

@amrita-shrestha @SagarGi this issue still appears in expected-failures-API-on-OCIS-storage.md

Please assign someone to find out why - probably we still need to adjust the test expectations.

@phil-davis phil-davis reopened this Nov 7, 2022
@SagarGi (Member) commented Nov 8, 2022

@amrita-shrestha @SagarGi this issue still appears in expected-failures-API-on-OCIS-storage.md

Please assign someone to find out why - probably we still need to adjust the test expectations.

sure !!

@amrita-shrestha amrita-shrestha self-assigned this Nov 8, 2022
@amrita-shrestha (Contributor)

@phil-davis currently the response returns a 409 HTTP status code in ocis.

In oc10

  1. As user admin, send an MKCOL request at the root directory of another user's endpoint
    Response: 403 HTTP status code
curl -vk -X MKCOL -u admin:admin http://localhost/core/remote.php/dav/files/anu/Test | xmllint --format -
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'admin'
> MKCOL /core/remote.php/dav/files/anu/Test HTTP/1.1
> Host: localhost
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Tue, 08 Nov 2022 06:16:12 GMT
< Server: Apache/2.4.41 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: ocdyemofowli=82k2al7rk5s86at5o9nod3sbbu; path=/core; HttpOnly; SameSite=Strict
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=9lMPlShWSOuv4sKHdcInmdm5FzRFq5oh1gVJcRtBAptqJplo%2FxImrE%2FGkaVc%2BaB6vnlNhFwDv91RbccXmaRrVkPkOfdgljZVUPH06qSkKRZv2%2FYcCS77d%2B9S%2B4PZbu4F; expires=Tue, 08-Nov-2022 06:36:12 GMT; Max-Age=1200; path=/core; HttpOnly; SameSite=Strict
< Content-Security-Policy: default-src 'none';
< Set-Cookie: ocdyemofowli=11n0q0rpkccdc4nua5iveoje72; path=/core; HttpOnly; SameSite=Strict
< Set-Cookie: cookie_test=test; expires=Tue, 08-Nov-2022 07:16:12 GMT; Max-Age=3600
< Content-Length: 230
< Content-Type: application/xml; charset=utf-8
< 
{ [230 bytes data]
* Connection #0 to host localhost left intact
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Forbidden</s:exception>
  <s:message>Permission denied to create directory</s:message>
</d:error>
  1. As user admin send MKCOL request to create file inside folder to other user's endpoint
    Response: 409 HTTP status code
curl -vk -X MKCOL -u admin:admin http://localhost/core/remote.php/dav/files/anu/Test/abc.txt | xmllint --format -
*   Trying 127.0.0.1:80...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'admin'
> MKCOL /core/remote.php/dav/files/anu/Test/abc.txt HTTP/1.1
> Host: localhost
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 409 Conflict
< Date: Tue, 08 Nov 2022 06:21:29 GMT
< Server: Apache/2.4.41 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: ocdyemofowli=vs0ou7k16spfvkc7s4n5f44o84; path=/core; HttpOnly; SameSite=Strict
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=IWZAW6fWgJdil5hDztOZCLy5KBRUm4Yi5A%2FOw83%2B011msllArj%2FlQFMp1UpbkVb6E5808obUP%2B0vv6N8e4uDns4N9gJr11TKvu7lpMuJre8Ex7NkEU7Z%2BTztfWvM40D3; expires=Tue, 08-Nov-2022 06:41:29 GMT; Max-Age=1200; path=/core; HttpOnly; SameSite=Strict
< Content-Security-Policy: default-src 'none';
< Set-Cookie: ocdyemofowli=7gp3f3iku2fhhqccepe3uufhk8; path=/core; HttpOnly; SameSite=Strict
< Set-Cookie: cookie_test=test; expires=Tue, 08-Nov-2022 07:21:29 GMT; Max-Age=3600
< Content-Length: 218
< Content-Type: application/xml; charset=utf-8
< 
{ [218 bytes data]
* Connection #0 to host localhost left intact
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Conflict</s:exception>
  <s:message>Parent node does not exist</s:message>
</d:error>

In ocis

  1. As user admin send MKCOL request at root directory to other user's endpoint
  2. As user admin send MKCOL request to create file inside folder to other user's endpoint
    Response for requests 1 and 2 in ocis is the same: 409 HTTP status code
curl -vk -X MKCOL -u admin:admin https://host.docker.internal:9200/remote.php/dav/files/einstein/Test | xmllint --format -
*   Trying 127.0.0.1:9200...
* TCP_NODELAY set
* Connected to host.docker.internal (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [836 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=Acme Corp; CN=OCIS
*  start date: Nov  8 05:23:39 2022 GMT
*  expire date: Nov  8 05:23:39 2023 GMT
*  issuer: O=Acme Corp; CN=OCIS
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using Basic with user 'admin'
} [5 bytes data]
> MKCOL /remote.php/dav/files/einstein/Test HTTP/1.1
> Host: host.docker.internal:9200
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/7.68.0
> Accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [130 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 409 Conflict
< Access-Control-Allow-Origin: *
< Content-Length: 221
< Content-Security-Policy: default-src 'none';
< Content-Type: text/xml; charset=utf-8
< Date: Tue, 08 Nov 2022 06:24:55 GMT
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block
< 
{ [221 bytes data]
* Connection #0 to host host.docker.internal left intact
<?xml version="1.0" encoding="UTF-8"?>
<d:error xmlns:d="DAV" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\Conflict</s:exception>
  <s:message>intermediate collection does not exist</s:message>
</d:error>

Previous discussion

@butonic @C0rby the old topic 404 vs 403 IMO 404 is the better solution

@micbar suggested HTTP status code 404 as the actual behavior

and

Yes, 404 helps prevent leaking the existence or non-existence of another user.

IMO we should fix the test suite to expect 404 for all these sort of cross-user request attempts.

And raise an issue in oC10 to adjust the oC10 responses from 403 to 404, to improve that in oC10 and make it consistent.

@phil-davis suggested:

  • The /dav/files/{username} endpoint should return 404 so as not to leak whether a user exists or not.
  • Raise an issue in oc10 to adjust the response from 403 to 404, but it was never done in the past.

Questions

  1. Is the previous decision about creating an issue in oc10 to adjust the response from 403 to 404 still valid?
  2. In oc10 the HTTP status codes differ, as you can see above. What is the actual behavior?
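
The status codes traded back and forth in this thread (oC10: 403 at the root of another user's space, 409 below a missing parent; ocis: 404 for any space the caller cannot reach, later observed as 409) and the argument that 404 avoids leaking whether an account exists can both be checked with a small model. The following is an added example and is not code from ocis, ownCloud 10 or this issue's test suite. It keeps an in-memory directory tree per user with constructed sample accounts (admin, einstein, anu), replays the responses quoted above, and then runs the test a security reviewer would actually run: send the same cross-user MKCOL against an existing and a non-existent username and see whether the answers differ. The one behaviour not shown on the page, that the oC10-style server answers 404 for an unknown username, is an assumption of the model and is marked as such in the code; the probe path name "probe" is likewise arbitrary.

```python
"""Model cross-user WebDAV MKCOL responses and test for a user-enumeration oracle.

Added example, not code from ocis or ownCloud 10. It replays the status codes
reported in this thread against an in-memory model so the difference between
"refuse with 403/409" and "answer 404 for every space the caller cannot access"
can be measured the way a tester would: does an existing and a non-existent
target account get the same answer?
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass
class DavModel:
    # username -> collections that exist in that user's space; "" is the root.
    # Constructed sample data, not real accounts.
    users: Dict[str, Set[str]]
    # Status sent for every cross-user request, whether or not the target
    # user exists (ocis per the thread: 404, later observed as 409).
    # None selects the oC10-style behaviour that distinguishes the cases.
    uniform_cross_user_status: Optional[int] = 404

    @staticmethod
    def _parent(path: str) -> str:
        return path.rsplit("/", 1)[0] if "/" in path else ""

    def mkcol(self, principal: str, owner: str, path: str) -> int:
        """Status an MKCOL on /remote.php/dav/files/<owner>/<path> would return."""
        if principal not in self.users:
            return 401  # credentials do not match any account
        if owner != principal:
            if self.uniform_cross_user_status is not None:
                return self.uniform_cross_user_status
            # oC10-style, as quoted in the thread: 403 "Permission denied to
            # create directory" when the parent exists, 409 "Parent node does
            # not exist" when it does not. That an unknown username answers
            # 404 here is an assumption of this model, not shown in the thread.
            if owner not in self.users:
                return 404
            return 409 if self._parent(path) not in self.users[owner] else 403
        # Caller's own space: plain WebDAV semantics (RFC 4918 section 9.3).
        tree = self.users[owner]
        if path in tree:
            return 405  # a collection already exists at that path
        if self._parent(path) not in tree:
            return 409  # intermediate collection does not exist
        tree.add(path)
        return 201


def enumeration_oracle(server: DavModel, principal: str,
                       candidates: Iterable[str], path: str = "probe") -> Dict[int, Set[str]]:
    """Group candidate usernames by the status a cross-user MKCOL returns.

    The caller's own name is skipped so the probe never creates anything.
    More than one status bucket means an authenticated user can tell which
    of the candidates are real accounts.
    """
    buckets: Dict[int, Set[str]] = {}
    for name in candidates:
        if name == principal:
            continue
        buckets.setdefault(server.mkcol(principal, name, path), set()).add(name)
    return buckets


def leaks_user_existence(server: DavModel, principal: str, candidates: Iterable[str]) -> bool:
    """True when the cross-user status differs between existing and unknown users."""
    return len(enumeration_oracle(server, principal, candidates)) > 1


def sample_server(uniform_cross_user_status: Optional[int]) -> DavModel:
    """Constructed sample: three accounts; 'anu' already has a 'Photos' collection."""
    return DavModel(
        users={"admin": {""}, "einstein": {""}, "anu": {"", "Photos"}},
        uniform_cross_user_status=uniform_cross_user_status,
    )


if __name__ == "__main__":
    names = ["admin", "anu", "nobody"]
    for label, status in (("oC10-style", None), ("ocis-style", 404)):
        server = sample_server(status)
        print(label, enumeration_oracle(server, "einstein", names),
              "leaks:", leaks_user_existence(server, "einstein", names))
```

Against the oC10-style model the probe from einstein sorts admin and anu into a 403 bucket and nobody into a 404 bucket, which is exactly the oracle phil-davis describes; with a uniform cross-user status every candidate lands in one bucket and nothing is learned. Note that the uniform value itself does not matter for the leak (409 works as well as 404), what matters is that it is the same for existing and non-existent owners and for every path depth.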

@phil-davis (Contributor)

"As user admin send MKCOL request to create file inside folder to other user's endpoint"
@amrita-shrestha MKCOL "makes a collection" = "creates a folder/directory". So your description "request to create file inside folder" is not relevant to MKCOL - I think that the example curl command is actually trying to create a folder abc.txt in folder Test

@amrita-shrestha (Contributor)

Currently, the HTTP status code has changed to 409. So, a new issue has been created #5049.

6 participants