Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix public link path for persistent locks #34229

Merged
merged 2 commits into from
Jan 28, 2019
Merged

Fix public link path for persistent locks #34229

merged 2 commits into from
Jan 28, 2019

Conversation

PVince81
Copy link
Contributor

@PVince81 PVince81 commented Jan 23, 2019
edited
Loading

Description

When querying lock info on public links, always return a path relative
to the public webdav endpoint.

Related Issue

Fixes #34225

Motivation and Context

How Has This Been Tested?

  • Unit tests
    With "/public/share" being the link share:
  • TEST: set lock on "/public", query locks on "public.php/webdav/sub" returns lock root "public.php/webdav/"
  • TEST: set lock on "/public/share", query locks on "public.php/webdav/sub" returns lock root "public.php/webdav/"
  • TEST: set lock on "/public/share/sub", query locks on "public.php/webdav/sub" returns lock root "public.php/webdav/sub"
  • TEST: set lock on "/public", set another lock on "public.php/webdav/sub" returns empty lock root ""
  • TEST: set lock on "/public/share/sub", set another lock on "public.php/webdav/sub" returns lock root "/sub"

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:

Open tasks:

  • Backport (if applicable set "backport-request" label and remove when the backport was done)

@PVince81 PVince81 added this to the development milestone Jan 23, 2019
@PVince81 PVince81 self-assigned this Jan 23, 2019
@PVince81 PVince81 mentioned this pull request Jan 23, 2019
Closed
@codecov
Copy link

codecov bot commented Jan 23, 2019

Codecov Report

Merging #34229 into master will decrease coverage by <.01%.
The diff coverage is 45.45%.

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #34229      +/-   ##
============================================
- Coverage     64.75%   64.75%   -0.01%     
- Complexity    18362    18364       +2     
============================================
  Files          1198     1198              
  Lines         69533    69540       +7     
  Branches       1281     1281              
============================================
+ Hits          45026    45028       +2     
- Misses        24134    24139       +5     
  Partials        373      373
Flag Coverage Δ Complexity Δ
#javascript 53.09% <ø> (ø) 0 <ø> (ø) ⬇️
#phpunit 66.1% <45.45%> (-0.01%) 18364 <0> (+2)
Impacted Files Coverage Δ Complexity Δ
apps/dav/lib/Files/FileLocksBackend.php 84.61% <45.45%> (-5.53%) 23 <0> (+2)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c255c6c...793d0d4. Read the comment docs.

@codecov
Copy link

codecov bot commented Jan 23, 2019
edited
Loading

Codecov Report

Merging #34229 into master will increase coverage by <.01%.
The diff coverage is 90.9%.

Impacted file tree graph

@@             Coverage Diff              @@
##             master   #34229      +/-   ##
============================================
+ Coverage     64.76%   64.76%   +<.01%     
- Complexity    18363    18365       +2     
============================================
  Files          1198     1198              
  Lines         69538    69545       +7     
  Branches       1281     1281              
============================================
+ Hits          45035    45042       +7     
  Misses        24130    24130              
  Partials        373      373
Flag Coverage Δ Complexity Δ
#javascript 53.09% <ø> (ø) 0 <ø> (ø) ⬇️
#phpunit 66.11% <90.9%> (ø) 18365 <0> (+2) ⬆️
Impacted Files Coverage Δ Complexity Δ
apps/dav/lib/Files/FileLocksBackend.php 91.02% <90.9%> (+0.88%) 23 <0> (+2) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 06e9bf6...207e059. Read the comment docs.

@PVince81
Copy link
Contributor Author

@davitol FYI see test plan in the section above

@DeepDiver1975 please review

@PVince81 PVince81 requested a review from VicDeo January 23, 2019 16:34
@individual-it individual-it mentioned this pull request Jan 24, 2019
Closed
3 tasks
@davitol
Copy link
Contributor

davitol commented Jan 24, 2019
edited
Loading

Spotted by @individual-it:

with a PROPFIND a client can find out the locktoken, so a nasty client can overwrite resources even they are locked by an other user.

Steps to reproduce

  1. User shares a public link and locks a folder
  2. The public does a PROPFIND and gets tould the locktoken
  3. Using that token the public can overwrite locked files

@PVince81
Copy link
Contributor Author

Idea: only expose the lock token if the lock owner is NULL, which refers to a lock that has been created through the public API. if the lock was created by a logged in user, don't reveal it.

@DeepDiver1975 thoughts ?

@PVince81
Copy link
Contributor Author

ok I think I'll always hide the lock token for public users. there is no UI to unlock there and whoever created the lock already has the token somewhere

the file owner can still unlock with the UI as they have the token

@PVince81
Copy link
Contributor Author

note: also tested trying to lock "sub" through public webdav while "public" was locked.
the error response also contains the correct non-leaked lock root:

curl -u 6OVGtYzOTEmozQB: -X LOCK http://localhost/owncloud/public.php/webdav/sub -d "<?xml version='1.0' encoding='UTF-8'?><d:lockinfo xmlns:d='DAV:'> <d:lockscope><d:exclusive/></d:lockscope></d:lockinfo>" -H 'Depth: infinite'
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\ConflictingLock</s:exception>
  <s:message/>
  <d:no-conflicting-lock>
    <d:href/>
  </d:no-conflicting-lock>
</d:error>

@PVince81
Copy link
Contributor Author

  • not sure if bug: lock root as returned in lockdiscovery contains full path with public.php while lock root in conflict exception response contains a relative path

@PVince81
Copy link
Contributor Author

https://tools.ietf.org/html/rfc4918#section-6.5 says that

Servers MAY make lock tokens publicly readable (e.g., in the DAV:
lockdiscovery property).

which means we should be able to hide them.

However Sabre still returns the lock even when empty... Will need an upstream patch.

@PVince81
Copy link
Contributor Author

Upstream PR: sabre-io/dav#1130

@individual-it
Copy link
Member

@ownclouders rebase

@ownclouders
Copy link
Contributor

Hey! I'm GitMate.io! This pull request is being rebased automatically. Please DO NOT push while rebase is in progress or your changes would be lost permanently ⚠️

@ownclouders
Copy link
Contributor

Automated rebase with GitMate.io was successful! 🎉

@individual-it
Copy link
Member

pushed a couple of acceptance tests
@PVince81 @phil-davis @davitol please review test code and expectations

phil-davis
phil-davis reviewed Jan 25, 2019
View reviewed changes
Copy link
Contributor

@phil-davis phil-davis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@individual-it acceptance tests look good, just little comments

@individual-it
Copy link
Member

@phil-davis fixed the things you commented on

Additionally added tests that check the locktoken. See #34229 (comment)
The current tests reflect the current behaviour, as soon this issue is fixed the test need to be adjusted (delete the wrong line and activate the line below)

@individual-it
Fix public link path for persistent locks
07a4ddb 
When querying lock info on public links, always return a path relative
to the public webdav endpoint.
@PVince81 PVince81 merged commit d6ff26c into master Jan 28, 2019
@delete-merged-branch delete-merged-branch bot deleted the lock-public-path branch January 28, 2019 08:32
@PVince81 PVince81 mentioned this pull request Jan 28, 2019
Merged
@PVince81
Copy link
Contributor Author

stable10: #34267

I forgot to push the solution for #34229 (comment), it will be in a separate PR

@PVince81 PVince81 mentioned this pull request Jan 28, 2019
Merged
10 tasks
@individual-it individual-it mentioned this pull request Jan 30, 2019
Merged
@davitol davitol mentioned this pull request Jan 31, 2019
Closed
39 tasks
@lock lock bot locked as resolved and limited conversation to collaborators Jan 28, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@DeepDiver1975 DeepDiver1975 DeepDiver1975 approved these changes

@phil-davis phil-davis phil-davis approved these changes

@VicDeo VicDeo Awaiting requested review from VicDeo

Assignees

@PVince81 PVince81

Labels
3 - To Review
Projects
None yet
Milestone
development
Development

Successfully merging this pull request may close these issues.

Parent share link path leaked through lock info
6 participants
@PVince81 @davitol @individual-it @ownclouders @DeepDiver1975 @phil-davis