x/net/webdav: Etags in WebDAV "If" header conditions are ignored (fails litmus test) #44493
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
go env Output
What did you do?
Run the litmus WebDAV testsuite against the x/net/webdav test server at https://github.com/golang/net/blob/master/webdav/litmus_test_server.go:
The following playground can also be used https://play.golang.org/p/FHdp-wHU4me.
What did you expect to see?
Expected lock test 20. fail_complex_cond_put to succeed.
What did you see instead?
Test failed:
20. fail_complex_cond_put. FAIL (PUT with complex bogus conditional should fail with 412: 201 Created)
The fail_complex_cond_put test sends a conditional PUT request using the header
If: (<1613993752> ["16660e5ed893542e30"]) (Not <DAV:no-lock> ["16660e5ed893542e30"])
where <1613993752> is the valid lock token for the resource and "16660e5ed893542e30" is a corrupted etag of the resource (the second to last digit is incremented, i.e. changed from "...20" -> "...30").
Note: The token/tag values are arbitrary and exact values are only used in the example in order to avoid confusion arising from the If: header syntax.
This condition means the following:
IF (resource_is_locked_by(<lock-tok>) AND resource_matches(<invalid etag>)) OR (NOT (resource_is_not_locked()) AND resource_matches(<invalid etag>)).
The webdav library implements full parsing for If headers but only validates the locked_by portions of conditions.
The comment at https://github.com/golang/net/blob/5f55cee0dc0dc168ce29222f077fe7fcd4be72c5/webdav/lock.go#L193 seems to imply that, in addition to Etag conditions, negation is also not implemented at all.
See https://tools.ietf.org/html/rfc4918#section-10.4 for the definition of the If header in the WebDAV RFC.
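Added example, not part of the original issue and not code from x/net/webdav: a small evaluator for an already-parsed If header that applies the OR-of-ANDs semantics described above, including Not and entity tags. The Condition and Resource types, the Evaluate function and the tokensOnly switch (a simplified model of the reported behaviour) are hypothetical names, and the parsed header is constructed by hand from the values quoted in the issue.

```go
package main

import "fmt"

// Condition is one term of an If list (RFC 4918 section 10.4), optionally negated.
type Condition struct {
	Not   bool
	Token string // state token without angle brackets
	ETag  string // entity tag including quotes
}

// Resource is a hypothetical stand-in for the target's server-side state.
type Resource struct {
	LockTokens map[string]bool
	ETag       string
}

// Evaluate ORs the lists and ANDs the conditions inside each list. With
// tokensOnly set, ETag conditions are skipped (the behaviour the issue reports).
func Evaluate(lists [][]Condition, r Resource, tokensOnly bool) bool {
next:
	for _, list := range lists {
		for _, c := range list {
			if c.ETag != "" && tokensOnly {
				continue
			}
			match := r.LockTokens[c.Token] // "DAV:no-lock" is never held
			if c.ETag != "" {
				match = c.ETag == r.ETag // exact comparison
			}
			if match == c.Not {
				continue next // one failed condition rejects the whole list
			}
		}
		return true
	}
	return false
}

// Constructed from the values quoted in the issue.
var litmusIf = [][]Condition{
	{{Token: "1613993752"}, {ETag: `"16660e5ed893542e30"`}},
	{{Not: true, Token: "DAV:no-lock"}, {ETag: `"16660e5ed893542e30"`}},
}
var litmusRes = Resource{LockTokens: map[string]bool{"1613993752": true}, ETag: `"16660e5ed893542e20"`}

func main() {
	fmt.Println(Evaluate(litmusIf, litmusRes, true), Evaluate(litmusIf, litmusRes, false))
}
```

A true result means the PUT proceeds; a false result is the case in which the test expects 412 Precondition Failed.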