stable9: Duplicated www-authenticate header on new remote.php/dav endpoint #26412

Closed
ghost opened this Issue Oct 19, 2016 · 8 comments

ghost commented Oct 19, 2016

Steps to reproduce

  1. Run curl -I http://example.com/remote.php/dav
  2. Run curl -I http://example.com/remote.php/webdav
  3. See that the first call contains two WWW-Authenticate: Basic realm="sabre/dav"
  4. See that the second call contains one WWW-Authenticate: Basic realm="sabre/dav"

Expected behaviour

Only one WWW-Authenticate header is sent back in the new remote.php/dav endpoint

Actual behaviour

Two WWW-Authenticate headers are sent back in the new remote.php/dav endpoint

Server configuration

ownCloud version: 9.0.5

Everything else is unrelated from my PoV as this was observed on various other oC 9.0.x systems available out there found with a google dork like:

inurl:/status.php owncloud

Member

PVince81 commented Oct 19, 2016

Yeah, I've seen this before in newer versions: #26351 (comment)

Might be because we have multiple DAV Auth backends registered and they all fail in a series and each one sets that header again. (IIRC)

Need to find another approach.

PVince81 added this to the 9.2 milestone Oct 19, 2016

ghost commented Oct 19, 2016

Yeah, just also noticed this at #26351 :-)

Member

PVince81 commented Oct 21, 2016

Looks like @DeepDiver1975 found a solution, maybe we can backport that piece #26353 (comment)

adduxa commented Nov 15, 2016

Issue side effect:
Double auth header makes Windows WebDav client unable to connect.

It is trying to perform Negotiate Authentication instead of Basic for no reason, except for the double WWW-Authenticate header.

Network log for /remote.php/webdav/:

> OPTIONS /remote.php/webdav HTTP/1.1
< HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="ownCloud"

> OPTIONS /remote.php/webdav HTTP/1.1
  Authorization: Basic BasicAuthTokenHere=
< HTTP/1.1 200 OK

Network log for /remote.php/dav/USERNAME/:

> OPTIONS /remote.php/dav/files/USERNAME HTTP/1.1
< HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="ownCloud"
  WWW-Authenticate: Basic realm="ownCloud"

> OPTIONS /remote.php/dav/files/USERNAME HTTP/1.1
  Authorization: Negotiate ReallyLongManyCharactersNegotiateAuthorizationTokenHere==
< HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="ownCloud"
  WWW-Authenticate: Basic realm="ownCloud"

(Identical headers for both requests are removed)
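
A regression check for the duplicated challenge reported in this thread, added here as an example (it is not part of the issue or of ownCloud's code). It parses a raw response head, such as the output of `curl -I`, and reports any WWW-Authenticate challenge sent more than once; the sample responses and function names are constructed for illustration.

```python
import sys
from collections import Counter

# Constructed sample response heads, modelled on the abbreviated logs above.
WEBDAV_401 = ('HTTP/1.1 401 Unauthorized\r\n'
              'WWW-Authenticate: Basic realm="ownCloud"\r\n\r\n')
DAV_401 = ('HTTP/1.1 401 Unauthorized\r\n'
           'WWW-Authenticate: Basic realm="ownCloud"\r\n'
           'www-authenticate: basic realm="ownCloud"\r\n\r\n')
# Constructed: two different schemes on separate lines is a legitimate response.
TWO_SCHEMES_401 = ('HTTP/1.1 401 Unauthorized\r\n'
                   'WWW-Authenticate: Negotiate\r\n'
                   'WWW-Authenticate: Basic realm="ownCloud"\r\n\r\n')


def challenges(raw_head):
    """Return (scheme, params) for every WWW-Authenticate field line."""
    found = []
    for line in raw_head.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                                # blank line ends the header block
        name, sep, value = line.partition(":")
        # Field names and auth scheme names are case-insensitive.
        if sep and name.strip().lower() == "www-authenticate":
            scheme, _, params = value.strip().partition(" ")
            found.append((scheme.lower(), params.strip()))
    return found


def duplicated_challenges(raw_head):
    """Map each challenge sent more than once to the number of times it was sent."""
    counts = Counter(challenges(raw_head))
    return {challenge: n for challenge, n in counts.items() if n > 1}


if __name__ == "__main__":
    # Usage: curl -sI http://example.com/remote.php/dav | python3 this_file.py
    dupes = duplicated_challenges(sys.stdin.read())
    for (scheme, params), n in dupes.items():
        print(f"duplicate challenge x{n}: {scheme} {params}")
    sys.exit(1 if dupes else 0)
```

The non-zero exit status on a duplicate makes the script usable as a smoke test against both endpoints after an upgrade or backport.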

PVince81 added sev2-high and removed sev3-medium labels Nov 16, 2016

Member

PVince81 commented Nov 16, 2016

Duplicate headers should be fixed in 9.2 / master already but we can try and backport some parts of the fixes for older versions.

PVince81 modified the milestones: 9.0.7, 9.2 Nov 16, 2016

Member

PVince81 commented Nov 21, 2016

@DeepDiver1975 can you backport #26353 (comment) to 9.1 and 9.0 ?

Member

PVince81 commented Nov 23, 2016

AFAIK the fix is only for the remote.php/dav endpoint. There was no duplicate header on the "remote.php/webdav" header. Maybe the issue from @adduxa is different and is still causing duplicate headers. Can you test with #26688 ?

adduxa commented Nov 23, 2016

@PVince81 yep, only one header and now it's working. Thanks @DeepDiver1975 for fix!
P.S. I have 9.1, so #26687 for me
