diff --git a/apps/dav/appinfo/v1/caldav.php b/apps/dav/appinfo/v1/caldav.php
index f860ced3877a114b81b9e68db2423aab8af8b3eb..333e8bbb3c439db968ac9df180ab67016571ad39 100644
--- a/apps/dav/appinfo/v1/caldav.php
+++ b/apps/dav/appinfo/v1/caldav.php
@@ -30,6 +30,7 @@ use Sabre\CalDAV\CalendarRoot;
$authBackend = new Auth(
\OC::$server->getSession(),
\OC::$server->getUserSession(),
+ \OC::$server->getRequest(),
'principals/'
);
$principalBackend = new Principal(
diff --git a/apps/dav/appinfo/v1/carddav.php b/apps/dav/appinfo/v1/carddav.php
index e0c79c75b72fc30bed8fde16ee1d4c7fbb70c999..54f0d259bb9d53df156a5dbca9335ae6b7f17ac3 100644
--- a/apps/dav/appinfo/v1/carddav.php
+++ b/apps/dav/appinfo/v1/carddav.php
@@ -32,6 +32,7 @@ use Sabre\CardDAV\Plugin;
$authBackend = new Auth(
\OC::$server->getSession(),
\OC::$server->getUserSession(),
+ \OC::$server->getRequest(),
'principals/'
);
$principalBackend = new Principal(
diff --git a/apps/dav/appinfo/v1/webdav.php b/apps/dav/appinfo/v1/webdav.php
index 3d3e51e84bc8aa09cf46b75183d43790360c5a6f..211ffabef84d2ac9783c4b8a994fdc026bea830e 100644
--- a/apps/dav/appinfo/v1/webdav.php
+++ b/apps/dav/appinfo/v1/webdav.php
@@ -41,6 +41,7 @@ $serverFactory = new \OCA\DAV\Connector\Sabre\ServerFactory(
$authBackend = new \OCA\DAV\Connector\Sabre\Auth(
\OC::$server->getSession(),
\OC::$server->getUserSession(),
+ \OC::$server->getRequest(),
'principals/'
);
$requestUri = \OC::$server->getRequest()->getRequestUri();
diff --git a/apps/dav/lib/connector/sabre/auth.php b/apps/dav/lib/connector/sabre/auth.php
index a046e0784827b099c2e3edb204241962d7eef70e..4bb07c5f0ed88970c3755ca1d9b9df0ba72b78f4 100644
--- a/apps/dav/lib/connector/sabre/auth.php
+++ b/apps/dav/lib/connector/sabre/auth.php
@@ -30,6 +30,7 @@
namespace OCA\DAV\Connector\Sabre;
use Exception;
+use OCP\IRequest;
use OCP\ISession;
use OCP\IUserSession;
use Sabre\DAV\Auth\Backend\AbstractBasic;
@@ -45,17 +46,22 @@ class Auth extends AbstractBasic {
private $session;
/** @var IUserSession */
private $userSession;
+ /** @var IRequest */
+ private $request;
/**
* @param ISession $session
* @param IUserSession $userSession
+ * @param IRequest $request
* @param string $principalPrefix
*/
public function __construct(ISession $session,
IUserSession $userSession,
+ IRequest $request,
$principalPrefix = 'principals/users/') {
$this->session = $session;
$this->userSession = $userSession;
+ $this->request = $request;
$this->principalPrefix = $principalPrefix;
}
@@ -106,26 +112,6 @@ class Auth extends AbstractBasic {
}
}
- /**
- * Returns information about the currently logged in username.
- *
- * If nobody is currently logged in, this method should return null.
- *
- * @return string|null
- */
- public function getCurrentUser() {
- $user = $this->userSession->getUser() ? $this->userSession->getUser()->getUID() : null;
- if($user !== null && $this->isDavAuthenticated($user)) {
- return $user;
- }
-
- if($user !== null && is_null($this->session->get(self::DAV_AUTHENTICATED))) {
- return $user;
- }
-
- return null;
- }
-
/**
* @param RequestInterface $request
* @param ResponseInterface $response
@@ -150,8 +136,19 @@ class Auth extends AbstractBasic {
* @param RequestInterface $request
* @param ResponseInterface $response
* @return array
+ * @throws NotAuthenticated
*/
private function auth(RequestInterface $request, ResponseInterface $response) {
+ // If request is not GET and not authenticated via WebDAV a requesttoken is required
+ if($this->userSession->isLoggedIn() &&
+ $this->request->getMethod() !== 'GET' &&
+ !$this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
+ if(!$this->request->passesCSRFCheck()) {
+ $response->setStatus(401);
+ throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
+ }
+ }
+
if (\OC_User::handleApacheAuth() ||
//Fix for broken webdav clients
($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) ||
diff --git a/apps/dav/lib/dav/sharing/plugin.php b/apps/dav/lib/dav/sharing/plugin.php
index f6e2cceebd9c29d8258bd82319a3d823d0b28ad0..e6eab3539b3b87f14d5fd5722150be2c0f3c8649 100644
--- a/apps/dav/lib/dav/sharing/plugin.php
+++ b/apps/dav/lib/dav/sharing/plugin.php
@@ -129,9 +129,6 @@ class Plugin extends ServerPlugin {
return;
}
- // CSRF protection
- $this->protectAgainstCSRF();
-
$requestBody = $request->getBodyAsString();
// If this request handler could not deal with this POST request, it
@@ -201,18 +198,4 @@ class Plugin extends ServerPlugin {
}
}
- private function protectAgainstCSRF() {
- $user = $this->auth->getCurrentUser();
- if ($this->auth->isDavAuthenticated($user)) {
- return true;
- }
-
- if ($this->request->passesCSRFCheck()) {
- return true;
- }
-
- throw new BadRequest();
- }
-
-
}
diff --git a/apps/dav/lib/server.php b/apps/dav/lib/server.php
index f5f1875a48062c5953af812619d102c0d6dc80b7..ed1ee6840497d9c36d0d162dcb65c1dc54f60570 100644
--- a/apps/dav/lib/server.php
+++ b/apps/dav/lib/server.php
@@ -53,7 +53,8 @@ class Server {
// Backends
$authBackend = new Auth(
\OC::$server->getSession(),
- \OC::$server->getUserSession()
+ \OC::$server->getUserSession(),
+ \OC::$server->getRequest()
);
// Set URL explicitly due to reverse-proxy situations
diff --git a/apps/dav/tests/unit/connector/sabre/auth.php b/apps/dav/tests/unit/connector/sabre/auth.php
index 5ff736664f394c76ae5b95c25e5512c6ab3b3a29..57ed44f01c0f043605c0e23f4769be8baf40e3b1 100644
--- a/apps/dav/tests/unit/connector/sabre/auth.php
+++ b/apps/dav/tests/unit/connector/sabre/auth.php
@@ -24,6 +24,7 @@
namespace OCA\DAV\Tests\Unit\Connector\Sabre;
+use OCP\IRequest;
use OCP\IUser;
use Test\TestCase;
use OCP\ISession;
@@ -42,6 +43,8 @@ class Auth extends TestCase {
private $auth;
/** @var IUserSession */
private $userSession;
+ /** @var IRequest */
+ private $request;
public function setUp() {
parent::setUp();
@@ -49,7 +52,13 @@ class Auth extends TestCase {
->disableOriginalConstructor()->getMock();
$this->userSession = $this->getMockBuilder('\OCP\IUserSession')
->disableOriginalConstructor()->getMock();
- $this->auth = new \OCA\DAV\Connector\Sabre\Auth($this->session, $this->userSession);
+ $this->request = $this->getMockBuilder('\OCP\IRequest')
+ ->disableOriginalConstructor()->getMock();
+ $this->auth = new \OCA\DAV\Connector\Sabre\Auth(
+ $this->session,
+ $this->userSession,
+ $this->request
+ );
}
public function testIsDavAuthenticatedWithoutDavSession() {
@@ -189,51 +198,57 @@ class Auth extends TestCase {
$this->assertFalse($this->invokePrivate($this->auth, 'validateUserPass', ['MyTestUser', 'MyTestPassword']));
}
- public function testGetCurrentUserWithoutBeingLoggedIn() {
- $this->assertSame(null, $this->auth->getCurrentUser());
- }
-
- public function testGetCurrentUserWithValidDAVLogin() {
+ /**
+ * @expectedException \Sabre\DAV\Exception\NotAuthenticated
+ * @expectedExceptionMessage CSRF check not passed.
+ */
+ public function testAuthenticateAlreadyLoggedInWithoutCsrfTokenForNonGet() {
+ $request = $this->getMockBuilder('Sabre\HTTP\RequestInterface')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $response = $this->getMockBuilder('Sabre\HTTP\ResponseInterface')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->userSession
+ ->expects($this->once())
+ ->method('isLoggedIn')
+ ->will($this->returnValue(true));
+ $this->session
+ ->expects($this->once())
+ ->method('get')
+ ->with('AUTHENTICATED_TO_DAV_BACKEND')
+ ->will($this->returnValue(null));
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()
->getMock();
$user->expects($this->once())
->method('getUID')
- ->will($this->returnValue('MyTestUser'));
+ ->will($this->returnValue('MyWrongDavUser'));
$this->userSession
- ->expects($this->exactly(2))
+ ->expects($this->once())
->method('getUser')
->will($this->returnValue($user));
- $this->session
- ->expects($this->exactly(2))
- ->method('get')
- ->with('AUTHENTICATED_TO_DAV_BACKEND')
- ->will($this->returnValue('MyTestUser'));
- $this->assertSame('MyTestUser', $this->auth->getCurrentUser());
+ $response = $this->auth->check($request, $response);
+ $this->assertEquals([true, 'principals/users/MyWrongDavUser'], $response);
}
- public function testGetCurrentUserWithoutAnyDAVLogin() {
- $user = $this->getMockBuilder('\OCP\IUser')
+ public function testAuthenticateAlreadyLoggedInWithoutCsrfTokenForGet() {
+ $request = $this->getMockBuilder('Sabre\HTTP\RequestInterface')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $response = $this->getMockBuilder('Sabre\HTTP\ResponseInterface')
->disableOriginalConstructor()
->getMock();
- $user->expects($this->once())
- ->method('getUID')
- ->will($this->returnValue('MyTestUser'));
$this->userSession
->expects($this->exactly(2))
- ->method('getUser')
- ->will($this->returnValue($user));
+ ->method('isLoggedIn')
+ ->will($this->returnValue(true));
$this->session
- ->expects($this->exactly(2))
+ ->expects($this->once())
->method('get')
->with('AUTHENTICATED_TO_DAV_BACKEND')
->will($this->returnValue(null));
-
- $this->assertSame('MyTestUser', $this->auth->getCurrentUser());
- }
-
- public function testGetCurrentUserWithWrongDAVUser() {
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()
->getMock();
@@ -241,47 +256,49 @@ class Auth extends TestCase {
->method('getUID')
->will($this->returnValue('MyWrongDavUser'));
$this->userSession
- ->expects($this->exactly(2))
+ ->expects($this->once())
->method('getUser')
->will($this->returnValue($user));
- $this->session
- ->expects($this->exactly(3))
- ->method('get')
- ->with('AUTHENTICATED_TO_DAV_BACKEND')
- ->will($this->returnValue('AnotherUser'));
+ $this->request
+ ->expects($this->once())
+ ->method('getMethod')
+ ->willReturn('GET');
- $this->assertSame(null, $this->auth->getCurrentUser());
+ $response = $this->auth->check($request, $response);
+ $this->assertEquals([true, 'principals/users/MyWrongDavUser'], $response);
}
- public function testAuthenticateAlreadyLoggedIn() {
+
+ public function testAuthenticateAlreadyLoggedInWithCsrfTokenForGet() {
$request = $this->getMockBuilder('Sabre\HTTP\RequestInterface')
- ->disableOriginalConstructor()
- ->getMock();
+ ->disableOriginalConstructor()
+ ->getMock();
$response = $this->getMockBuilder('Sabre\HTTP\ResponseInterface')
- ->disableOriginalConstructor()
- ->getMock();
+ ->disableOriginalConstructor()
+ ->getMock();
$this->userSession
- ->expects($this->once())
+ ->expects($this->exactly(2))
->method('isLoggedIn')
->will($this->returnValue(true));
$this->session
- ->expects($this->once())
+ ->expects($this->exactly(2))
->method('get')
->with('AUTHENTICATED_TO_DAV_BACKEND')
->will($this->returnValue(null));
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()
->getMock();
- $user->expects($this->once())
+ $user->expects($this->exactly(2))
->method('getUID')
->will($this->returnValue('MyWrongDavUser'));
$this->userSession
- ->expects($this->once())
+ ->expects($this->exactly(2))
->method('getUser')
->will($this->returnValue($user));
- $this->session
+ $this->request
->expects($this->once())
- ->method('close');
+ ->method('passesCSRFCheck')
+ ->willReturn(true);
$response = $this->auth->check($request, $response);
$this->assertEquals([true, 'principals/users/MyWrongDavUser'], $response);
diff --git a/core/js/files/client.js b/core/js/files/client.js
index a7f393d325fd56d0879e900812ef7c39eb9588a9..0bf5a69e19c99016c3358f60c71a80d095a423fb 100644
--- a/core/js/files/client.js
+++ b/core/js/files/client.js
@@ -37,7 +37,10 @@
}
url += options.host + this._root;
- this._defaultHeaders = options.defaultHeaders || {'X-Requested-With': 'XMLHttpRequest'};
+ this._defaultHeaders = options.defaultHeaders || {
+ 'X-Requested-With': 'XMLHttpRequest',
+ 'requesttoken': OC.requestToken
+ };
this._baseUrl = url;
var clientOptions = {
diff --git a/core/js/oc-backbone-webdav.js b/core/js/oc-backbone-webdav.js
index ba678a32fcf3629a4555060ab7de03feae2310d4..1c1b5c71d81a02fca6c254f870eb5b3b158ecdfb 100644
--- a/core/js/oc-backbone-webdav.js
+++ b/core/js/oc-backbone-webdav.js
@@ -240,7 +240,8 @@
return options.url;
};
var headers = _.extend({
- 'X-Requested-With': 'XMLHttpRequest'
+ 'X-Requested-With': 'XMLHttpRequest',
+ 'requesttoken': OC.requestToken
}, options.headers);
if (options.type === 'PROPFIND') {
return callPropFind(client, options, model, headers);