Merge pull request #20609 from owncloud/dav-donotauththroughajax

Do not authenticate over ajax Webdav
2015-11-23 13:33:08 +01:00 · 2015-11-23 13:33:08 +01:00 · 7e9cf00e34
commit 7e9cf00e34
parent 021137d7ae 055d58bfc3
2 changed files with 41 additions and 2 deletions
--- a/apps/dav/lib/connector/sabre/auth.php
+++ b/apps/dav/lib/connector/sabre/auth.php
@ -164,6 +164,13 @@ class Auth extends AbstractBasic {
 			return true;
 		}

+		if ($server->httpRequest->getHeader('X-Requested-With') === 'XMLHttpRequest') {
+			// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
+			$server->httpResponse->addHeader('WWW-Authenticate','DummyBasic realm="' . $realm . '"');
+			$server->httpResponse->setStatus(401);
+			throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
+		}
+
 		return parent::authenticate($server, $realm);
 	}
 }
--- a/apps/dav/tests/unit/connector/sabre/auth.php
+++ b/apps/dav/tests/unit/connector/sabre/auth.php
@ -295,6 +295,28 @@ class Auth extends TestCase {
 		$this->auth->authenticate($server, 'TestRealm');
 	}

+	/**
+	 * @expectedException \Sabre\DAV\Exception\NotAuthenticated
+	 * @expectedExceptionMessage Cannot authenticate over ajax calls
+	 */
+	public function testAuthenticateNoBasicAuthenticateHeadersProvidedWithAjax() {
+		$server = $this->getMockBuilder('\Sabre\DAV\Server')
+			->disableOriginalConstructor()
+			->getMock();
+		$server->httpRequest = $this->getMockBuilder('\Sabre\HTTP\RequestInterface')
+			->disableOriginalConstructor()
+			->getMock();
+		$server->httpResponse = $this->getMockBuilder('\Sabre\HTTP\ResponseInterface')
+			->disableOriginalConstructor()
+			->getMock();
+		$server->httpRequest
+			->expects($this->once())
+			->method('getHeader')
+			->with('X-Requested-With')
+			->will($this->returnValue('XMLHttpRequest'));
+		$this->auth->authenticate($server, 'TestRealm');
+	}
+
 	public function testAuthenticateValidCredentials() {
 		$server = $this->getMockBuilder('\Sabre\DAV\Server')
 			->disableOriginalConstructor()
@ -303,7 +325,12 @@ class Auth extends TestCase {
 			->disableOriginalConstructor()
 			->getMock();
 		$server->httpRequest
-			->expects($this->once())
+			->expects($this->at(0))
+			->method('getHeader')
+			->with('X-Requested-With')
+			->will($this->returnValue(null));
+		$server->httpRequest
+			->expects($this->at(1))
 			->method('getHeader')
 			->with('Authorization')
 			->will($this->returnValue('basic dXNlcm5hbWU6cGFzc3dvcmQ='));
@ -340,7 +367,12 @@ class Auth extends TestCase {
 			->disableOriginalConstructor()
 			->getMock();
 		$server->httpRequest
-			->expects($this->once())
+			->expects($this->at(0))
+			->method('getHeader')
+			->with('X-Requested-With')
+			->will($this->returnValue(null));
+		$server->httpRequest
+			->expects($this->at(1))
 			->method('getHeader')
 			->with('Authorization')
 			->will($this->returnValue('basic dXNlcm5hbWU6cGFzc3dvcmQ='));