PROPFIND to get list of files doesn't properly encode @ character #33594
Comments
|
With other characters like space (%20) works as expected. Curl command:
Result: <?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns">
<d:response>
<d:href>/remote.php/dav/files/user%20name/</d:href>
<d:propstat>
<d:prop>
<d:getlastmodified>Tue, 20 Nov 2018 11:02:27 GMT</d:getlastmodified>
<d:resourcetype>
<d:collection/>
</d:resourcetype>
<d:quota-used-bytes>5630922</d:quota-used-bytes>
<d:quota-available-bytes>-3</d:quota-available-bytes>
<d:getetag>"5bf3e9c3df9af"</d:getetag>
</d:prop>
<d:status>HTTP/1.1 200 OK</d:status>
</d:propstat>
</d:response>
<d:response>
<d:href>/remote.php/dav/files/user%20name/Documents/</d:href>
<d:propstat>
<d:prop>
<d:getlastmodified>Tue, 20 Nov 2018 11:02:27 GMT</d:getlastmodified>
<d:resourcetype>
<d:collection/>
</d:resourcetype>
<d:quota-used-bytes>36227</d:quota-used-bytes>
<d:quota-available-bytes>-3</d:quota-available-bytes>
<d:getetag>"5bf3e9c3b95b3"</d:getetag>
</d:prop>
<d:status>HTTP/1.1 200 OK</d:status>
</d:propstat>
</d:response>
<d:response>
<d:href>/remote.php/dav/files/user%20name/Photos/</d:href>
<d:propstat>
<d:prop>
<d:getlastmodified>Tue, 20 Nov 2018 11:02:27 GMT</d:getlastmodified>
<d:resourcetype>
<d:collection/>
</d:resourcetype>
<d:quota-used-bytes>678556</d:quota-used-bytes>
<d:quota-available-bytes>-3</d:quota-available-bytes>
<d:getetag>"5bf3e9c3df9af"</d:getetag>
</d:prop>
<d:status>HTTP/1.1 200 OK</d:status>
</d:propstat>
</d:response>
<d:response>
<d:href>/remote.php/dav/files/user%20name/ownCloud%20Manual.pdf</d:href>
<d:propstat>
<d:prop>
<d:getlastmodified>Tue, 20 Nov 2018 11:02:27 GMT</d:getlastmodified>
<d:getcontentlength>4916139</d:getcontentlength>
<d:resourcetype/>
<d:getetag>"6086aa0d80c0f3f57ae262a54a200055"</d:getetag>
<d:getcontenttype>application/pdf</d:getcontenttype>
</d:prop>
<d:status>HTTP/1.1 200 OK</d:status>
</d:propstat>
</d:response>
</d:multistatus> |
|
GitMate.io thinks possibly related issues are #22326 (PROPFIND answer doesn't include encoding.), #12112 (ownCloud File Mapper Not Encoding UTF-8 Properly), #11724 (filename with bad encoding not listed), and #27089 (Server >9.0 is not responding with 403 Forbidden when some firewall rules are enabled). |
|
I made issue #33596 to consider adding a more general variety of acceptance tests for user IDs. |
|
I am surprised that "space" in a user ID works at all. I didn't think that user IDs containing the "space" char could be created in the first place. |
I thought the same the first time I saw it 😄 |
|
|
|
I could not find any detailed specs in the RFC regarding what to decode and what not. Tests with default Apache+mod_dav show the same behavior: I created a folder at@user and a folder "a b" and this is the propfind response:
|
|
See this test - only spaces need to be decoded in href sabre-io/dav#719 https://github.com/sabre-io/http/blob/4bfb3834209de0a4c658e0dbe69bda794bf42e3a/lib/functions.php#L385 |
|
Thanks @DeepDiver1975 for having a look into this. I am going to give you more context about what is done in the Android app after performing a Once we get the How is this relative remote path built? By comparing two paths:
What happens when the username contains
What happens when the username contains
|
|
The files app work almost identical - with one exception:
double decode is not hurting - while double encode hurts for sure |
|
Good news, applying the decoding approach seems to work: Comparing next paths:
Thanks for your help @DeepDiver1975 😉 Anyway, I was expecting to receive the
After reading this, I understand that |
|
Just for the sake of completness ... http://sabre.io/dav/character-encoding/ |
Then I don't understand they are not considering |
|
I think I observed similar issues before when working on having the UI use the new DAV endpoint. See c99f5b4 I didn't know back then that it might be a Sabre problem and simply adjusted the JS side to send whatever works. |
|
@PVince81 this was fixed in andoid - we can close this from my pov |
We've been facing some issues with usernames containing 'At' character (@) in mobile apps so I had a deep look into it and noticed a weird behaviour. It seems that the
PROPFINDto get the files for a specific user is not properly retrieving the encoded path for files when using @.Steps to reproduce
Curl command to list a directory:
Being
%40the@character encoded, therefore usernameuser@whateverisuser%40whatevercurl -X PROPFIND -H "Content-Type: text/xml" -H 'User-Agent:Mozilla/5.0 (Android) ownCloud-android/2.9.2' -H 'Authorization:Basic base64Credentials' -d "<?xml version='1.0' encoding='utf-8' ?><D:propfind xmlns:D='DAV:'><D:allprop/></D:propfind>" 'url:port/remote.php/dav/files/user%40name/' | xmllint --format -Expected behaviour
Server should include the path for every file properly encoded, i.e.
/remote.php/dav/files/user%40name/whateverExpected curl result:
Actual behaviour
Server includes
@instead of%40, e.g./remote.php/dav/files/user@name/whateverActual curl result:
Server configuration
Web server: Apache 2.4.25
Database: MySQL
PHP version: php7.2.12
ownCloud version: 10.0.10 (stable)
CC / @michaelstingl @DeepDiver1975 @PVince81
The text was updated successfully, but these errors were encountered: