Text preview not available when outgoing s2s shares disabled #16464
Comments
I didn't think public.php/webdav could be disabled...
I might be the one who recommended it to you... sorry... back then I forgot that it could be disabled.
I still think it's the right approach, but that means finding a way to disable s2s another way and that doesn't seem trivial.
Yeah, that's what I think too. Public WebDAV should always be enabled.
Well, there might be ways to disable s2s for "friendly" servers like telling them gently to stop connecting, but it's not a "safe" solution as there will always be ways to connect.
Yep and that's a problem.
What kind of policies?
I was thinking "domain of the requester should match domain of the endpoint"
So basically checking the "Referer" header? That could work as a simple fix, as the field could be spoofed if a (hacked?) remote server absolutely does want to connect.
Yes, referer header or via CSP or using the CSRF?
@LukasReschke - Tell us what to use! :)
@LukasReschke some magic keywords mentioned above 🌟 blingblingbling ⭐
I think we're not talking "watertight" security here, just a way to gently prevent remote servers from mounting local shares.
Already works on 8.2/master, it seems the header is already being sent.
The new text preview from @oparoz is using public.php/webdav to load the text file.
This is not a problem with previews, but rather with the way the endpoint was designed to work.
Also at some point we'd like to make the files app use WebDAV endpoints too #12353 so I think it is valid to expect the public WebDAV endpoint to always work too.
The workaround here would be to provide a separate endpoint for text previews, which would at the same time solve the encoding issues: #16229
See #16439 for the discussion about public.php/webdav
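
The policy floated in the comments ("domain of the requester should match domain of the endpoint"), sketched as an added example that is not ownCloud code and not part of the original thread. The function names, the endpoint URL and the sample headers are all hypothetical and constructed for illustration; the last sample shows why the thread calls the check not watertight.

```php
<?php
// Added illustration; originOf() and isSameSiteRequest() are hypothetical
// helper names, not ownCloud APIs.

/** Normalised scheme://host:port of a URL, or null if it cannot be parsed. */
function originOf(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme  = strtolower($p['scheme']);
    $default = ['http' => 80, 'https' => 443];
    $port    = $p['port'] ?? ($default[$scheme] ?? null);
    if ($port === null) {
        return null; // unknown scheme without an explicit port
    }
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

/** True when Origin (or, failing that, Referer) names the endpoint's own origin. */
function isSameSiteRequest(array $headers, string $endpointUrl): bool
{
    $self    = originOf($endpointUrl);
    $claimed = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($self === null || $claimed === null) {
        return false; // no header at all: treat as not coming from our own web UI
    }
    // Compare whole origins, never substrings, so lookalike hosts do not match.
    return originOf($claimed) === $self;
}

// Constructed sample requests against a constructed endpoint URL.
$endpoint = 'https://cloud.example.org/public.php/webdav/';
$samples  = [
    'own web UI'        => ['Referer' => 'https://cloud.example.org/index.php/s/abc123'],
    'other server'      => ['Referer' => 'https://remote.example.net/index.php/apps/files'],
    'no header'         => [],
    'lookalike host'    => ['Origin' => 'https://cloud.example.org.example.net'],
    // A non-browser client can send any header value it likes, so this passes.
    'client-set header' => ['Referer' => 'https://cloud.example.org/'],
];
foreach ($samples as $label => $headers) {
    printf("%-18s %s\n", $label, isSameSiteRequest($headers, $endpoint) ? 'allow' : 'deny');
}
```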