Merge pull request #5022 from nextcloud/bugfix/cmdclient-do-not-trust…

…-certs-by-default Command-line client. Do not trust SSL certificates by default, unless '--trust' option is set.
nextcloud · Oct 11, 2022 · 42f6a63 · 42f6a63
2 parents 256aa52 + 564a3ad
commit 42f6a63
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 5 deletions.
diff --git a/src/cmd/cmd.cpp b/src/cmd/cmd.cpp
@@ -440,6 +440,7 @@ int main(int argc, char **argv)
 
     account->setUrl(hostUrl);
     account->setSslErrorHandler(sslErrorHandler);
+    account->setTrustCertificates(options.trustSSL);
 
     QEventLoop loop;
     auto *job = new JsonApiJob(account, QLatin1String("ocs/v1.php/cloud/capabilities"));

diff --git a/src/cmd/simplesslerrorhandler.cpp b/src/cmd/simplesslerrorhandler.cpp
@@ -19,17 +19,29 @@ namespace OCC {
 
 bool SimpleSslErrorHandler::handleErrors(QList<QSslError> errors, const QSslConfiguration &conf, QList<QSslCertificate> *certs, OCC::AccountPtr account)
 {
-    (void)account;
-    (void)conf;
+    Q_UNUSED(conf);
 
-    if (!certs) {
-        qDebug() << "Certs parameter required but is NULL!";
+    if (!account || !certs) {
+        qDebug() << "account and certs parameters are required!";
         return false;
     }
 
+    if (account->trustCertificates()) {
+        for (const auto &error : qAsConst(errors)) {
+            certs->append(error.certificate());
+        }
+        return true;
+    }
+
+    bool allTrusted = true;
+
     for (const auto &error : qAsConst(errors)) {
+        if (!account->approvedCerts().contains(error.certificate())) {
+            allTrusted = false;
+        }
         certs->append(error.certificate());
     }
-    return true;
+
+    return allTrusted;
 }
 }
diff --git a/src/libsync/account.cpp b/src/libsync/account.cpp
@@ -909,4 +909,14 @@ bool Account::fileCanBeUnlocked(SyncJournalDb * const journal,
     return false;
 }
 
+void Account::setTrustCertificates(bool trustCertificates)
+{
+    _trustCertificates = trustCertificates;
+}
+
+bool Account::trustCertificates() const
+{
+    return _trustCertificates;
+}
+
 } // namespace OCC
diff --git a/src/libsync/account.h b/src/libsync/account.h
@@ -291,6 +291,9 @@ class OWNCLOUDSYNC_EXPORT Account : public QObject
 
     bool fileCanBeUnlocked(SyncJournalDb * const journal, const QString &folderRelativePath) const;
 
+    void setTrustCertificates(bool trustCertificates);
+    [[nodiscard]] bool trustCertificates() const;
+
 public slots:
     /// Used when forgetting credentials
     void clearQNAMCache();
@@ -343,6 +346,8 @@ protected Q_SLOTS:
 
     static QString davPathBase();
 
+    bool _trustCertificates = false;
+
     QWeakPointer<Account> _sharedThis;
     QString _id;
     QString _davUser;