rullzer commented Jul 5, 2020

There is no reason to block those anonymous options requests. Right now they don't return anything. But they could at some point of course 😉

Signed-off-by: Roeland Jago Douma <[email protected]>
rullzer added the "enhancement" and "3. to review" (Waiting for reviews) labels Jul 5, 2020
rullzer added this to the Nextcloud 20 milestone Jul 5, 2020
@MorrisJobke (Member)

> There is no reason to block those anonymous options requests. Right now they don't return anything. But they could at some point of course 😉

You now made it block more and not less. Before it returned an empty response for anonymous requests coming from office only. Now it does this for all anonymous requests. 🤔

rullzer commented Jul 6, 2020

Yeah. But before I threw a 403; now at least you get something back.

$emptyAuth = $request->getHeader('Authorization') === null
|| $request->getHeader('Authorization') === ''
|| trim($request->getHeader('Authorization')) === 'Bearer';
$isAnonymousOfficeOption = $request->getMethod() === 'OPTIONS' && $isOffice && $emptyAuth;
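
Review bot: in the $emptyAuth expression, trim() is applied only in the 'Bearer' comparison, so an Authorization header made up of whitespace is not counted as empty, while 'Bearer ' with trailing whitespace is. Reading the header once into a local variable, trimming it when it is not null, and then comparing the result against '' and 'Bearer' would make the checks consistent and avoid calling getHeader('Authorization') three times.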
Member


The reason we only handle anonymous options for Office was because this was breaking evolution and macOS sync when there was no 404 returned for those. See #20632

@rullzer Any more details on what this PR is supposed to fix?

Member Author


Basically it is about becoming RFC compliant. OPTIONS requests are usually unauthenticated and that is fine.

Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then we probably should just limit the options plugin to requests to the files app dav path?

MorrisJobke mentioned this pull request Aug 11, 2020
rullzer closed this Nov 9, 2020
MorrisJobke deleted the fix/dav_anonymous_options_are_fine branch November 10, 2020 09:14