Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[7.0.2] Basic auth does not trigger login hook #11129

Closed
PVince81 opened this issue Sep 17, 2014 · 1 comment · Fixed by #11130
Closed

[7.0.2] Basic auth does not trigger login hook #11129

PVince81 opened this issue Sep 17, 2014 · 1 comment · Fixed by #11130
Assignees
@LukasReschke
Labels
security sev2-high Type:Bug
Milestone
2014-sprint-04

Comments

@PVince81
Copy link
Contributor

Steps to reproduce:

  1. Put a breakpoint in apps/files_encryption/hooks/hooks.php in the function login
  2. Run curl -D - http://user:password@localhost/owncloud/
  3. Run curl -D - http://user:password@localhost/owncloud/remote.php/webdav

Expected result

Both curl calls return a session cookie and both run the login hook.

Actual result

Basic auth on the root at step 2. does NOT call the login hook.
Result: if that session is used to upload files, encryption is disabled and files are not encrypted.
I'd expect the encryption library to throw an exception instead of just not encrypting files. CC @schiesbn (`shouldEncrypt() simply returns false when encryption was not initialized)

Note: this doesn't happen with the known WebDAV clients (sync client, dolphin, cadaver, etc) because they all authenticate directly against "remote.php/webdav".
But ownCloud aware libraries might do it like pyocclient and authenticate on the root, because the library might be used for OCS as well as for WebDAV.

I'll fix pyocclient for now to use the Webdav endpoint in the mean time.

Versions

ownCloud 7.0.2
Apache 2.4

@LukasReschke @DeepDiver1975 @schiesbn
@PVince81 PVince81 mentioned this issue Sep 17, 2014
Closed
@LukasReschke LukasReschke self-assigned this Sep 17, 2014
@LukasReschke
Copy link
Member

Let me take this.

@LukasReschke LukasReschke added this to the 2014-sprint-04-current milestone Sep 17, 2014
LukasReschke added a commit that referenced this issue Sep 17, 2014
@LukasReschke
Move basic auth check
c19bc19 
At the previous point not all apps were initialized. Now the basic auth check happens together at the same location as all others.

Fixes #11129
@LukasReschke LukasReschke mentioned this issue Sep 17, 2014
Merged
LukasReschke added a commit that referenced this issue Sep 18, 2014
@LukasReschke
Move basic auth check
749c519 
At the previous point not all apps were initialized. Now the basic auth check happens together at the same location as all others.

Fixes #11129
@LukasReschke LukasReschke mentioned this issue Sep 18, 2014
Merged
@LukasReschke LukasReschke mentioned this issue Dec 17, 2014
Merged
@lock lock bot locked as resolved and limited conversation to collaborators Aug 16, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@LukasReschke LukasReschke

Labels
security sev2-high Type:Bug
Projects
None yet
Milestone
2014-sprint-04
Development

Successfully merging a pull request may close this issue.

Move basic auth check owncloud/core
4 participants
@craigpg @PVince81 @LukasReschke @MTRichards