Merge pull request #19180 from nextcloud/bugfix/office-anonymous-empty-auth

Check for empty authorization headers for office requests
This commit is contained in:
Roeland Jago Douma 2020-02-05 20:08:49 +01:00 committed by GitHub
commit bef906b518
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 4 deletions


@ -62,8 +62,11 @@ class AnonymousOptionsPlugin extends ServerPlugin {
*/
public function handleAnonymousOptions(RequestInterface $request, ResponseInterface $response) {
$isOffice = preg_match('/Microsoft Office/i', $request->getHeader('User-Agent'));
$isAnonymousOption = ($request->getMethod() === 'OPTIONS' && ($request->getHeader('Authorization') === null || trim($request->getHeader('Authorization')) === 'Bearer') && $this->isRequestInRoot($request->getPath()));
$isOfficeHead = $request->getMethod() === 'HEAD' && $isOffice && $request->getHeader('Authorization') === 'Bearer';
$emptyAuth = $request->getHeader('Authorization') === null
|| $request->getHeader('Authorization') === ''
|| trim($request->getHeader('Authorization')) === 'Bearer';
$isAnonymousOption = $request->getMethod() === 'OPTIONS' && $emptyAuth;
$isOfficeHead = $request->getMethod() === 'HEAD' && $isOffice && $emptyAuth;
if ($isAnonymousOption || $isOfficeHead) {
/** @var CorePlugin $corePlugin */
$corePlugin = $this->server->getPlugin('core');
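Review bot: The rewritten `$isAnonymousOption` drops the `$this->isRequestInRoot($request->getPath())` condition that the removed line carried, so unauthenticated OPTIONS is now answered for every DAV path rather than only the root, and the updated test (401 → 200 for `foo/bar`) codifies that widening even though the title and description only mention empty Authorization headers. If this is intended, please say so in the description and check whether `isRequestInRoot` is now dead code; otherwise restore it as `$isAnonymousOption = $request->getMethod() === 'OPTIONS' && $emptyAuth && $this->isRequestInRoot($request->getPath());`. The `$emptyAuth` block also deserves a why-comment, e.g. `// Office probes with a bare "Authorization: Bearer" (no token); treat that like no header at all`, since a reader would otherwise take the `'Bearer'` match for a token check. Note that the bypass for HEAD is gated only on a spoofable User-Agent regex, which pre-dates this change; the body of handleAnonymousOptions continues beyond the hunk, so what the core plugin actually returns for these requests is not visible here.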


@ -33,7 +33,7 @@ use Sabre\HTTP\Sapi;
use Test\TestCase;
class AnonymousOptionsTest extends TestCase {
private function sendRequest($method, $path) {
private function sendRequest($method, $path, $userAgent = '') {
$server = new Server();
$server->addPlugin(new AnonymousOptionsPlugin());
$server->addPlugin(new Plugin(new BasicCallBack(function() {
@ -42,6 +42,7 @@ class AnonymousOptionsTest extends TestCase {
$server->httpRequest->setMethod($method);
$server->httpRequest->setUrl($path);
$server->httpRequest->setHeader('User-Agent', $userAgent);
$server->sapi = new SapiMock();
$server->exec();
@ -63,7 +64,19 @@ class AnonymousOptionsTest extends TestCase {
public function testAnonymousOptionsNonRootSubDir() {
$response = $this->sendRequest('OPTIONS', 'foo/bar');
$this->assertEquals(401, $response->getStatus());
$this->assertEquals(200, $response->getStatus());
}
public function testAnonymousHead() {
$response = $this->sendRequest('HEAD', '', 'Microsoft Office does strange things');
$this->assertEquals(200, $response->getStatus());
}
public function testAnonymousHeadNoOffice() {
$response = $this->sendRequest('HEAD', '');
$this->assertEquals(401, $response->getStatus(), 'curl');
}
}
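Review bot: In `testAnonymousHeadNoOffice` the string `'curl'` is passed as the third argument of `assertEquals`, i.e. as the failure message, not as the User-Agent; `sendRequest('HEAD', '')` therefore runs with the default empty User-Agent, which is presumably not what the name of the test means to cover. The intended form is `$response = $this->sendRequest('HEAD', '', 'curl');` followed by `$this->assertEquals(401, $response->getStatus());`. None of the tests set an Authorization header, so the `=== ''` and trimmed-`'Bearer'` branches of the new `$emptyAuth` check are unexercised, and there is no negative case showing that a non-empty value such as `Bearer sometoken` or a Basic header still yields 401 rather than the anonymous 200; a `$headers` parameter on `sendRequest` (or an `$authorization` one like the new `$userAgent`) would allow both.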