Do not setup a session when not required on WebDAV requests

If basic auth is used on WebDAV endpoints, we will not setup a session by default but instead set a test cookie. Clients which handle session cookies properly will send back the cookie then on the second request and a session will be initialized which can be resued for authentication. Signed-off-by: Julius Härtl <[email protected]>
nextcloud · juliusknorr · Dec 21, 2022 · Aug 4, 2021 · Dec 21, 2022 · 6abb37317f9a5e0dd4744b0c4a221ee04ffc700f
commit 6abb37317f9a5e0dd4744b0c4a221ee04ffc700f
@@ -175,6 +175,7 @@ public function showFile(string $fileid = null, int $openfile = 1): Response {
 	/**
 	 * @NoCSRFRequired
 	 * @NoAdminRequired
+	 * @UseSession
 	 *
 	 * @param string $dir
 	 * @param string $view

@@ -73,6 +73,7 @@
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Group\Events\UserRemovedEvent;
 use OCP\ILogger;
+use OCP\IRequest;
 use OCP\IURLGenerator;
 use OCP\IUserSession;
 use OCP\Server;
@@ -408,7 +409,16 @@ private static function printUpgradePage(\OC\SystemConfig $systemConfig): void {
 	}
 
 	public static function initSession(): void {
-		if (Server::get(\OCP\IRequest::class)->getServerProtocol() === 'https') {
+		$request = Server::get(IRequest::class);
+		$isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0;
+		if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest) {
+			setcookie('cookie_test', 'test', time() + 3600);
+			// Do not initialize the session if a request is authenticated directly
+			// unless there is a session cookie already sent along
+			return;
+		}
+
+		if ($request->getServerProtocol() === 'https') {
 			ini_set('session.cookie_secure', 'true');
 		}
 
@@ -516,7 +526,7 @@ private static function sendSameSiteCookies(): void {
 	 * also we can't directly interfere with PHP's session mechanism.
 	 */
 	private static function performSameSiteCookieProtection(\OCP\IConfig $config): void {
-		$request = Server::get(\OCP\IRequest::class);
+		$request = Server::get(IRequest::class);
 
 		// Some user agents are notorious and don't really properly follow HTTP
 		// specifications. For those, have an automated opt-out. Since the protection
@@ -778,7 +788,7 @@ public static function init(): void {
 			return;
 		}
 
-		$request = Server::get(\OCP\IRequest::class);
+		$request = Server::get(IRequest::class);
 		$host = $request->getInsecureServerHost();
 		/**
 		 * if the host passed in headers isn't trusted
@@ -840,7 +850,7 @@ public static function registerCleanupHooks(\OC\SystemConfig $systemConfig): voi
 				if (!defined('PHPUNIT_RUN') && $userSession->isLoggedIn()) {
 					// reset brute force delay for this IP address and username
 					$uid = $userSession->getUser()->getUID();
-					$request = Server::get(\OCP\IRequest::class);
+					$request = Server::get(IRequest::class);
 					$throttler = Server::get(\OC\Security\Bruteforce\Throttler::class);
 					$throttler->resetDelay($request->getRemoteAddress(), 'login', ['user' => $uid]);
 				}
@@ -970,7 +980,7 @@ public static function handleRequest(): void {
 			exit();
 		}
 
-		$request = Server::get(\OCP\IRequest::class);
+		$request = Server::get(IRequest::class);
 		$requestPath = $request->getRawPathInfo();
 		if ($requestPath === '/heartbeat') {
 			return;

@@ -42,6 +42,7 @@
 use OCP\IConfig;
 use OCP\ISession;
 use OCP\IUser;
+use OCP\Session\Exceptions\SessionNotAvailableException;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\EventDispatcher\GenericEvent;
@@ -362,7 +363,7 @@ public function needsSecondFactor(IUser $user = null): bool {
 					$this->session->set(self::SESSION_UID_DONE, $user->getUID());
 					return false;
 				}
-			} catch (InvalidTokenException $e) {
+			} catch (InvalidTokenException|SessionNotAvailableException $e) {
 			}
 		}