Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upload-only shares must not overwrite but create a separate file #1267

Closed
PVince81 opened this issue Jun 18, 2020 · 13 comments
Closed

Upload-only shares must not overwrite but create a separate file #1267

PVince81 opened this issue Jun 18, 2020 · 13 comments
Labels
Interaction:Needs-help Asking some hints to engineering when the issue can't be reproduced Type:Technical-Debt

Comments

@PVince81
Copy link
Contributor

curl -D - 'https://localhost:9200/remote.php/webdav/empty%20file' \                                                           
  -X 'PUT' \    
  -H 'Content-Length: 0' \
  --insecure \
  -u einstein:relativity
HTTP/1.1 204 No Content

Discovered while running tests/acceptance/features/apiSharePublicLink1/changingPublicLinkShare.feature:171

@PVince81
Copy link
Contributor Author

Ohh, this is a regression that only exists in cs3org/reva#822.

I'll submit the fix there...

@PVince81
Copy link
Contributor Author

now I'm confused... some other tests are failing now, the test is obviously overwriting the file but is expecting a 201 status and not 204.

either I remembered the specs wrong and so does whoever wrote the put.go code, or maybe the old API was already returning the wrong value for public links... needs further research...

I've enabled the tests that work correctly now on owncloud/core#37552

The remaining ones are here:

    /srv/www/htdocs/owncloud/tests/acceptance/features/apiSharePublicLink2/uploadToPublicLinkShare.feature:22
    /srv/www/htdocs/owncloud/tests/acceptance/features/apiSharePublicLink2/uploadToPublicLinkShare.feature:283

@PVince81
Copy link
Contributor Author

Here is another test for uploading + overwriting a file in a another non-public link context, and here we expect 204: https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiShareOperations/uploadToShare.feature#L111

I suspect that the public webdav API when it was added was not consistent with the non-public one, but the test got added to comply with the buggy result.

For the time being we could write a separate set of tests for OCIS that requires 204 and later on we might need to fix OC 10 public webdav to also return 204 on overwrite.

@individual-it

@PVince81
Copy link
Contributor Author

ownCloud 10

tldr; all is fine there: creation returns 201 on all endpoints and overwrite returns 204.

Logged-in user

File creation
% curl -u admin:admin -D - 'http://localhost/owncloud/remote.php/dav/files/admin/empty.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 15:48:26 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=4ghltf4cbcrcef0gjkprs03l9k; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=PYh8Qd3dEFDzKeY5uc5TsIiJnpBD2zpzz5mXAuNjP7RZ5JZKNjwqhGXVdCq9v%2BsmMiKayPbHiS%2Fo%2BGyRgGUyHO%2Forh1JcuJzwHUz8R%2BaKly73%2BAeiI8f6XML6wZWr%2B6f; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'none';
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: och3q2wgdlyf=bi03cqm8a02p0to50m6ojgdg1j; path=/owncloud; HttpOnly
Set-Cookie: cookie_test=test; expires=Wed, 24-Jun-2020 16:48:27 GMT; Max-Age=3600
OC-FileId: 00000012och3q2wgdlyf
Content-Length: 0
ETag: "926768092c070d9a64e1e79324369897"
OC-ETag: "926768092c070d9a64e1e79324369897"
Content-Type: text/html; charset=UTF-8
File overwrite
% curl -u admin:admin -D - 'http://localhost/owncloud/remote.php/dav/files/admin/empty.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 204 No Content
Date: Wed, 24 Jun 2020 15:48:29 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=ocrcbibpermglgvb8hhlmj906q; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=iYnC2tIj%2BawUc%2F%2ByvhYEpTTiSjGbuhGPy0zB58ab%2FyH4v5KK9cz6s9TlHV10RpudDoUobnbz1cPQ%2B%2Fr8i9IE%2Bx6EvF2i4BjsgscWJ5x5TjfE5Xz46jUUx6m9YEA6%2ByuZ; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'none';
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: och3q2wgdlyf=fj4r69t38r1m5096k9p3g9cv7g; path=/owncloud; HttpOnly
Set-Cookie: cookie_test=test; expires=Wed, 24-Jun-2020 16:48:29 GMT; Max-Age=3600
OC-FileId: 00000012och3q2wgdlyf
ETag: "1734319668252544057ce2268ec79120"
OC-ETag: "1734319668252544057ce2268ec79120"

Public folder share old public Webdav API

File creation
% curl -u J7PLLaPvZcassmR: -D - 'http://localhost/owncloud/public.php/webdav/emptypublic.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 15:50:09 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=lok0dpbtu1vpq11psbjrnlvt60; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=8zbPpBRsZacZP%2FYAoGqs3l%2B01fxwZJRtWyEoPyCZSrBlBQM%2Fq7Xn%2FTYwGXWyrOrk4pLRiNrG%2BDQEOqJBVJRllpawjbmPXqO8beY0KDYb0PReV90w492JbOqjH4587HYK; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
OC-FileId: 00000013och3q2wgdlyf
Content-Length: 0
ETag: "21a13a0f65697b11d14af0874be678c1"
OC-ETag: "21a13a0f65697b11d14af0874be678c1"
Content-Type: text/html; charset=UTF-8
File overwrite
% curl -u J7PLLaPvZcassmR: -D - 'http://localhost/owncloud/public.php/webdav/emptypublic.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 204 No Content
Date: Wed, 24 Jun 2020 15:50:11 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=ot79bbt87umc0fmbu4oaj4eodl; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=LR1XNneUN4k7HamSgkJ7JnSLp2hJmxSZT%2FVpvoHBi1KLKxUp6Tfoi52MX0Lrfz%2FI8pzvdN4KPISWjA3DOuXBrZWhJz0JqHllFxgYvZii%2FPESdGLpRuse8%2FJGzQIXMzzh; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
OC-FileId: 00000013och3q2wgdlyf
ETag: "67bc4da24cbc151f5ffd884c8878182f"
OC-ETag: "67bc4da24cbc151f5ffd884c8878182f"

Public folder share new public Webdav API

File creation
% curl -D - 'http://localhost/owncloud/remote.php/dav/public-files/J7PLLaPvZcassmR/emptypublic-newapi.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 15:51:58 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=9v36pqokqa16fhsrrq8d4tlc21; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=3GKxoLP1uFKysNHuwT0Pq7xrAtoHLcXrSXpwDFjLZcRQl%2Fu%2FYkXCSFam7q0Svgs00QgFhl%2B%2BK%2BcvGvvXpP9T4oYlLBkqtZTeWcz9NaXB2if5bpUfWubV1QAkcJW9sFUg; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'none';
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Length: 0
ETag: "4c058c34059fd2a90dea4a69ec39a217"
OC-ETag: "4c058c34059fd2a90dea4a69ec39a217"
Content-Type: text/html; charset=UTF-8
File overwrite
% curl -D - 'http://localhost/owncloud/remote.php/dav/public-files/J7PLLaPvZcassmR/emptypublic-newapi.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 204 No Content
Date: Wed, 24 Jun 2020 15:52:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=e2ln9h288dl6dtramtikp5mdi8; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=FXeSYUYMbUhCnasuDGFdJ0YRFpD4nGLDwU4IEOWDqh6gNgh2q7IFo%2F6hNbw5Mcf1ZT7D2jb6p567DXVXI4hSQ%2FbUrVGtFS289I4du6b6op0b%2Fww%2BCc9WzqcP288gBujA; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'none';
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
ETag: e100f49447f18a292bdcb98d15450a48
OC-ETag: e100f49447f18a292bdcb98d15450a48

@PVince81
Copy link
Contributor Author

OCIS

Using cs3org/reva#877

Also seems to work fine

File creation

% curl -k -D - 'https://localhost:9200/remote.php/dav/public-files/nmUtYcGzaZtr/emptypublic-newapi.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Content-Length: 0
Content-Security-Policy: default-src 'none';
Content-Type: text/plain; charset=utf-8
Date: Wed, 24 Jun 2020 15:55:08 GMT
Etag: "3bff67224e0f27d15d4fa26bf0b0c8b9"
Last-Modified: Wed, 24 Jun 2020 17:55:08 +0200
Oc-Etag: "3bff67224e0f27d15d4fa26bf0b0c8b9"
Oc-Fileid: MTI4NGQyMzgtYWE5Mi00MmNlLWJkYzQtMGIwMDAwMDA5MTYyOmM3YTg4YmM2LTg4YWUtNDI4Zi1iYzhmLWY1MzMyMTRjYWQwMw==
Vary: Origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block

File overwrite

% curl -k -D - 'https://localhost:9200/remote.php/dav/public-files/nmUtYcGzaZtr/emptypublic-newapi.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'none';
Content-Type: text/plain; charset=utf-8
Date: Wed, 24 Jun 2020 15:55:10 GMT
Etag: "5f02332114b51b00a9447af23489e4ba"
Last-Modified: Wed, 24 Jun 2020 17:55:10 +0200
Oc-Etag: "5f02332114b51b00a9447af23489e4ba"
Oc-Fileid: MTI4NGQyMzgtYWE5Mi00MmNlLWJkYzQtMGIwMDAwMDA5MTYyOmM3YTg4YmM2LTg4YWUtNDI4Zi1iYzhmLWY1MzMyMTRjYWQwMw==
Vary: Origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block

@PVince81
Copy link
Contributor Author

I rechecked owncloud/core#37552 and those tests still fail:

    /srv/www/htdocs/owncloud/tests/acceptance/features/apiSharePublicLink2/uploadToPublicLinkShare.feature:22
    /srv/www/htdocs/owncloud/tests/acceptance/features/apiSharePublicLink2/uploadToPublicLinkShare.feature:283

they are related to upload-only permissions.

@PVince81 PVince81 changed the title Webdav PUT should return 201 for new files, not 204 Webdav PUT should always return 201 after upload for upload-only link shares Jun 24, 2020
@PVince81 PVince81 changed the title Webdav PUT should always return 201 after upload for upload-only link shares Upload-only shares must not overwrite but create a separate file Jun 26, 2020
@PVince81
Copy link
Contributor Author

Upload-only is more complicated than just the status code.

The bug is that the current reva code is overwriting an existing file.
This should not be possible because it means another user who has the link could overwrite already existing data.

The way it's done in OC 10 is that the server is detecting conflicts and then automatically renames the file in the backend, and since it's creating a new file the status becomes 201.

So this is more about security.

@PVince81
Copy link
Contributor Author

This is already covered by the tests with tag @issue-ocis-reva-286

@PVince81
Copy link
Contributor Author

PVince81 commented Jul 6, 2020

note: need to have a look at the Webdav code from OC 10. As far as I remember there's an extra header "OC-Autorename" to trigger or notify that behavior.

@PVince81
Copy link
Contributor Author

PVince81 commented Jul 7, 2020

this feels less important than https://github.com/owncloud/ocis-reva/issues/292 and as the latter is not planned until later, let's defer this one as well

@micbar @refs

@butonic butonic transferred this issue from owncloud/ocis-reva Jan 18, 2021
@refs refs added Interaction:Needs-help Asking some hints to engineering when the issue can't be reproduced p3-medium labels Jan 18, 2021
@stale
Copy link

stale bot commented Mar 30, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

@wkloucek
Copy link
Contributor

Discussion in REVA cs3org/reva#2480

@ScharfViktor
Copy link
Contributor

fixed via #8340

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Interaction:Needs-help Asking some hints to engineering when the issue can't be reproduced Type:Technical-Debt
Projects
None yet
Development

No branches or pull requests

4 participants