diff --git a/apps/dav/lib/Connector/Sabre/BlockLegacyClientPlugin.php b/apps/dav/lib/Connector/Sabre/BlockLegacyClientPlugin.php
index cff60b9e0f888..93ce18fa8f903 100644
--- a/apps/dav/lib/Connector/Sabre/BlockLegacyClientPlugin.php
+++ b/apps/dav/lib/Connector/Sabre/BlockLegacyClientPlugin.php
@@ -49,14 +49,26 @@ public function beforeHandler(RequestInterface $request) {
return;
}
- $minimumSupportedDesktopVersion = $this->config->getSystemValue('minimum.supported.desktop.version', '2.3.0');
+ $minimumSupportedDesktopVersion = $this->config->getSystemValueString('minimum.supported.desktop.version', '2.3.0');
+ $maximumSupportedDesktopVersion = $this->config->getSystemValueString('maximum.supported.desktop.version', '99.99.99');
+
+ // Check if the client is a desktop client
preg_match(IRequest::USER_AGENT_CLIENT_DESKTOP, $userAgent, $versionMatches);
- if (isset($versionMatches[1]) &&
- version_compare($versionMatches[1], $minimumSupportedDesktopVersion) === -1) {
+
+ // If the client is a desktop client and the version is too old, block it
+ if (isset($versionMatches[1]) && version_compare($versionMatches[1], $minimumSupportedDesktopVersion) === -1) {
$customClientDesktopLink = htmlspecialchars($this->themingDefaults->getSyncClientUrl());
$minimumSupportedDesktopVersion = htmlspecialchars($minimumSupportedDesktopVersion);
throw new \Sabre\DAV\Exception\Forbidden("This version of the client is unsupported. Upgrade to version $minimumSupportedDesktopVersion or later.");
}
+
+ // If the client is a desktop client and the version is too new, block it
+ if (isset($versionMatches[1]) && version_compare($versionMatches[1], $maximumSupportedDesktopVersion) === 1) {
+ $customClientDesktopLink = htmlspecialchars($this->themingDefaults->getSyncClientUrl());
+ $maximumSupportedDesktopVersion = htmlspecialchars($maximumSupportedDesktopVersion);
+
+ throw new \Sabre\DAV\Exception\Forbidden("This version of the client is unsupported. Downgrade to version $maximumSupportedDesktopVersion or earlier.");
+ }
}
}
diff --git a/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php b/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php
index c44f52ec7136a..072dd1a3b589d 100644
--- a/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php
+++ b/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php
@@ -16,6 +16,12 @@
use Sabre\HTTP\RequestInterface;
use Test\TestCase;
+enum ERROR_TYPE {
+ case MIN_ERROR;
+ case MAX_ERROR;
+ case NONE;
+}
+
/**
* Class BlockLegacyClientPluginTest
*
@@ -40,29 +46,41 @@ protected function setUp(): void {
public static function oldDesktopClientProvider(): array {
return [
- ['Mozilla/5.0 (Windows) mirall/1.5.0'],
- ['Mozilla/5.0 (Bogus Text) mirall/1.6.9'],
+ ['Mozilla/5.0 (Windows) mirall/1.5.0', ERROR_TYPE::MIN_ERROR],
+ ['Mozilla/5.0 (Bogus Text) mirall/1.6.9', ERROR_TYPE::MIN_ERROR],
+ ['Mozilla/5.0 (Windows) mirall/2.5.0', ERROR_TYPE::MAX_ERROR],
+ ['Mozilla/5.0 (Bogus Text) mirall/2.0.1', ERROR_TYPE::MAX_ERROR],
+ ['Mozilla/5.0 (Windows) mirall/2.0.0', ERROR_TYPE::NONE],
+ ['Mozilla/5.0 (Bogus Text) mirall/2.0.0', ERROR_TYPE::NONE],
];
}
/**
* @dataProvider oldDesktopClientProvider
*/
- public function testBeforeHandlerException(string $userAgent): void {
- $this->expectException(\Sabre\DAV\Exception\Forbidden::class);
-
+ public function testBeforeHandlerException(string $userAgent, ERROR_TYPE $errorType): void {
$this->themingDefaults
- ->expects($this->once())
+ ->expects($this->atMost(1))
->method('getSyncClientUrl')
->willReturn('https://nextcloud.com/install/#install-clients');
$this->config
- ->expects($this->once())
- ->method('getSystemValue')
- ->with('minimum.supported.desktop.version', '2.3.0')
- ->willReturn('1.7.0');
-
- $this->expectExceptionMessage('This version of the client is unsupported. Upgrade to version 1.7.0 or later.');
+ ->expects($this->exactly(2))
+ ->method('getSystemValueString')
+ ->willReturnCallback(function (string $key) {
+ if ($key === 'minimum.supported.desktop.version') {
+ return '1.7.0';
+ }
+ return '2.0.0';
+ });
+
+ if ($errorType !== ERROR_TYPE::NONE) {
+ $errorString = $errorType === ERROR_TYPE::MIN_ERROR
+ ? 'This version of the client is unsupported. Upgrade to version 1.7.0 or later.'
+ : 'This version of the client is unsupported. Downgrade to version 2.0.0 or earlier.';
+ $this->expectException(\Sabre\DAV\Exception\Forbidden::class);
+ $this->expectExceptionMessage($errorString);
+ }
/** @var RequestInterface|MockObject $request */
$request = $this->createMock('\Sabre\HTTP\RequestInterface');
@@ -72,7 +90,6 @@ public function testBeforeHandlerException(string $userAgent): void {
->with('User-Agent')
->willReturn($userAgent);
-
$this->blockLegacyClientVersionPlugin->beforeHandler($request);
}
@@ -80,21 +97,28 @@ public function testBeforeHandlerException(string $userAgent): void {
* Ensure that there is no room for XSS attack through configured URL / version
* @dataProvider oldDesktopClientProvider
*/
- public function testBeforeHandlerExceptionPreventXSSAttack(string $userAgent): void {
+ public function testBeforeHandlerExceptionPreventXSSAttack(string $userAgent, ERROR_TYPE $errorType): void {
$this->expectException(\Sabre\DAV\Exception\Forbidden::class);
$this->themingDefaults
- ->expects($this->once())
+ ->expects($this->atMost(1))
->method('getSyncClientUrl')
->willReturn('https://example.com">');
$this->config
- ->expects($this->once())
- ->method('getSystemValue')
- ->with('minimum.supported.desktop.version', '2.3.0')
- ->willReturn('1.7.0 ');
-
- $this->expectExceptionMessage('This version of the client is unsupported. Upgrade to version 1.7.0 <script>alert("unsafe")</script> or later.');
+ ->expects($this->exactly(2))
+ ->method('getSystemValueString')
+ ->willReturnCallback(function (string $key) {
+ if ($key === 'minimum.supported.desktop.version') {
+ return '1.7.0 ';
+ }
+ return '2.0.0 ';
+ });
+
+ $errorString = $errorType === ERROR_TYPE::MIN_ERROR
+ ? 'This version of the client is unsupported. Upgrade to version 1.7.0 <script>alert("unsafe")</script> or later.'
+ : 'This version of the client is unsupported. Downgrade to version 2.0.0 <script>alert("unsafe")</script> or earlier.';
+ $this->expectExceptionMessage($errorString);
/** @var RequestInterface|MockObject $request */
$request = $this->createMock('\Sabre\HTTP\RequestInterface');
@@ -104,15 +128,17 @@ public function testBeforeHandlerExceptionPreventXSSAttack(string $userAgent): v
->with('User-Agent')
->willReturn($userAgent);
-
$this->blockLegacyClientVersionPlugin->beforeHandler($request);
}
- public function newAndAlternateDesktopClientProvider(): array {
+ public static function newAndAlternateDesktopClientProvider(): array {
return [
['Mozilla/5.0 (Windows) mirall/1.7.0'],
['Mozilla/5.0 (Bogus Text) mirall/1.9.3'],
['Mozilla/5.0 (Not Our Client But Old Version) LegacySync/1.1.0'],
+ ['Mozilla/5.0 (Windows) mirall/4.7.0'],
+ ['Mozilla/5.0 (Bogus Text) mirall/3.9.3'],
+ ['Mozilla/5.0 (Not Our Client But Old Version) LegacySync/45.0.0'],
];
}
@@ -129,10 +155,14 @@ public function testBeforeHandlerSuccess(string $userAgent): void {
->willReturn($userAgent);
$this->config
- ->expects($this->once())
- ->method('getSystemValue')
- ->with('minimum.supported.desktop.version', '2.3.0')
- ->willReturn('1.7.0');
+ ->expects($this->exactly(2))
+ ->method('getSystemValueString')
+ ->willReturnCallback(function (string $key) {
+ if ($key === 'minimum.supported.desktop.version') {
+ return '1.7.0';
+ }
+ return '10.0.0';
+ });
$this->blockLegacyClientVersionPlugin->beforeHandler($request);
}
@@ -145,6 +175,7 @@ public function testBeforeHandlerNoUserAgent(): void {
->method('getHeader')
->with('User-Agent')
->willReturn(null);
+
$this->blockLegacyClientVersionPlugin->beforeHandler($request);
}
}
diff --git a/config/config.sample.php b/config/config.sample.php
index 96377b7dbf0ba..ab094c09fb226 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -2136,6 +2136,15 @@
*/
'minimum.supported.desktop.version' => '2.3.0',
+/**
+ * The maximum Nextcloud desktop client version that will be allowed to sync with
+ * this server instance. All connections made from later clients will be denied
+ * by the server.
+ *
+ * Defaults to 99.99.99
+ */
+'maximum.supported.desktop.version' => '99.99.99',
+
/**
* Option to allow local storage to contain symlinks.
* WARNING: Not recommended. This would make it possible for Nextcloud to access