Skip to content

PROPFINDs on single file public link files return incorrect href and downloadURL #4758

New issue
New issue
Closed
Closed
PROPFINDs on single file public link files return incorrect href and downloadURL#4758
Assignees
butonicSwikritiT
Labels
Priority:p2-highEscalation, on top of current planning, release blockerType:Bug
Milestone
2.0.0 General Availability
@dschmidt

Description

@dschmidt
dschmidt
opened on Oct 7, 2022

Describe the bug

PROPFINDs to a filename in a single file (!) public link share return invalid href and downloadURL. The filename seems to be appended to whatever was requested instead of the root of the public link share.

Steps to reproduce

  1. Create a single file public link (user shares don't seem to be affected)
  2. Do a PROPFIND on the file itself
  3. See the filename duplicated in href and downloadURL

Expected behavior

href and downloadURL point to the canonical correct url of the file

Actual behavior

http --verify=no PROPFIND https://host.docker.internal:9200/remote.php/dav/public-files/aeeGcYCMxdaMTZU
HTTP/1.1 207 Multi-Status
Access-Control-Allow-Origin: *
Content-Length: 1323
Content-Security-Policy: default-src 'none';
Content-Type: application/xml; charset=utf-8
Date: Fri, 07 Oct 2022 10:16:04 GMT
Dav: 1, 3, extended-mkcol
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block

<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:s="http://sabredav.org/ns" xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns">
  <d:response>
    <d:href>/remote.php/dav/public-files/aeeGcYCMxdaMTZU/</d:href>
    <d:propstat>
      <d:prop>
        <d:resourcetype>
          <d:collection/>
        </d:resourcetype>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
  <d:response>
    <d:href>/remote.php/dav/public-files/aeeGcYCMxdaMTZU/ownCloud%20Manual.pdf</d:href>
    <d:propstat>
      <d:prop>
        <oc:id>1284d238-aa92-42ce-bdc4-0b0000009157$some-admin-user-id-0000-000000000000!11238f9b-a510-4a0c-b6b1-984829826b2f</oc:id>
        <oc:fileid>1284d238-aa92-42ce-bdc4-0b0000009157$some-admin-user-id-0000-000000000000!11238f9b-a510-4a0c-b6b1-984829826b2f</oc:fileid>
        <oc:spaceid>some-admin-user-id-0000-000000000000</oc:spaceid>
        <oc:name>ownCloud Manual.pdf</oc:name>
        <d:getetag>&quot;9efa1e0cd318faa2f4a0d4cb5eab38d0&quot;</d:getetag>
        <oc:permissions/>
        <d:resourcetype/>
        <d:getcontentlength>6668668</d:getcontentlength>
        <d:getcontenttype>application/pdf</d:getcontenttype>
        <d:getlastmodified>Fri, 07 Oct 2022 10:14:23 GMT</d:getlastmodified>
        <oc:checksums>
          <oc:checksum>SHA1:346f7b57dd5489e5ded01316fd1cc723c4301c00 MD5:dcf532c1acfa3d8a7b6d6b393dfcd89d ADLER32:723ea1ec</oc:checksum>
        </oc:checksums>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>

http --verify=no PROPFIND https://host.docker.internal:9200/remote.php/dav/public-files/aeeGcYCMxdaMTZU/ownCloud%20Manual.pdf
HTTP/1.1 207 Multi-Status
Access-Control-Allow-Origin: *
Content-Length: 1132
Content-Security-Policy: default-src 'none';
Content-Type: application/xml; charset=utf-8
Date: Fri, 07 Oct 2022 10:16:19 GMT
Dav: 1, 3, extended-mkcol
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block

<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:s="http://sabredav.org/ns" xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns">
  <d:response>
    <d:href>/remote.php/dav/public-files/aeeGcYCMxdaMTZU/ownCloud%20Manual.pdf/ownCloud%20Manual.pdf</d:href>
    <d:propstat>
      <d:prop>
        <oc:id>1284d238-aa92-42ce-bdc4-0b0000009157$some-admin-user-id-0000-000000000000!11238f9b-a510-4a0c-b6b1-984829826b2f</oc:id>
        <oc:fileid>1284d238-aa92-42ce-bdc4-0b0000009157$some-admin-user-id-0000-000000000000!11238f9b-a510-4a0c-b6b1-984829826b2f</oc:fileid>
        <oc:spaceid>some-admin-user-id-0000-000000000000</oc:spaceid>
        <oc:name>ownCloud Manual.pdf</oc:name>
        <d:getetag>&quot;9efa1e0cd318faa2f4a0d4cb5eab38d0&quot;</d:getetag>
        <oc:permissions/>
        <d:resourcetype/>
        <d:getcontentlength>6668668</d:getcontentlength>
        <d:getcontenttype>application/pdf</d:getcontenttype>
        <d:getlastmodified>Fri, 07 Oct 2022 10:14:23 GMT</d:getlastmodified>
        <oc:checksums>
          <oc:checksum>SHA1:346f7b57dd5489e5ded01316fd1cc723c4301c00 MD5:dcf532c1acfa3d8a7b6d6b393dfcd89d ADLER32:723ea1ec</oc:checksum>
        </oc:checksums>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>

I expect those two requests to return the same href and downloadURL for the same resource, but as you can see the filename is somehow appended to the requested url.

It does not seem to matter what filename is requested, as long as there's a slash and anything after the public link token in the requested url, the filename gets simply appended.

Metadata

Metadata

Assignees

Labels

Priority:p2-highEscalation, on top of current planning, release blockerType:Bug

Type

No type

Projects

Infinite Scale Team Board

Status

Done

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions