stable9: Duplicated www-authenticate header on new remote.php/dav endpoint #26412

Closed
ghost opened this Issue Oct 19, 2016 · 8 comments

@ghost
ghost commented Oct 19, 2016 edited

Steps to reproduce

  1. Run curl -I http://example.com/remote.php/dav
  2. Run curl -I http://example.com/remote.php/webdav
  3. See that the first call contains two WWW-Authenticate: Basic realm="sabre/dav"
  4. See that the second call contains one WWW-Authenticate: Basic realm="sabre/dav"

Expected behaviour

Only one WWW-Authenticate header is sent back in the new remote.php/dav endpoint

Actual behaviour

Two WWW-Authenticate headers are sent back in the new remote.php/dav endpoint

Server configuration

ownCloud version: 9.0.5

Everything else is unrelated from my PoV as this was observed on various other oC 9.0.x systems available out there found with a google dork like:

inurl:/status.php owncloud

@PVince81
Collaborator

Yeah, I've seen this before in newer versions: #26351 (comment)

Might be because we have multiple DAV Auth backends registered and they all fail in a series and each one sets that header again. (IIRC)

Need to find another approach.

@PVince81 PVince81 added this to the 9.2 milestone Oct 19, 2016
@ghost
ghost commented Oct 19, 2016

Yeah, just also noticed this at #26351 :-)

@PVince81
Collaborator

Looks like @DeepDiver1975 found a solution, maybe we can backport that piece #26353 (comment)

@adduxa
adduxa commented Nov 15, 2016

Issue side effect:
The double auth header makes the Windows WebDAV client unable to connect.

It tries to perform Negotiate authentication instead of Basic for no reason, except for the double WWW-Authenticate header.

Network log for /remote.php/webdav/:

> OPTIONS /remote.php/webdav HTTP/1.1
< HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="ownCloud"

> OPTIONS /remote.php/webdav HTTP/1.1
  Authorization: Basic BasicAuthTokenHere=
< HTTP/1.1 200 OK

Network log for /remote.php/dav/USERNAME/:

> OPTIONS /remote.php/dav/files/USERNAME HTTP/1.1
< HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="ownCloud"
  WWW-Authenticate: Basic realm="ownCloud"

> OPTIONS /remote.php/dav/files/USERNAME HTTP/1.1
  Authorization: Negotiate ReallyLongManyCharactersNegotiateAuthorizationTokenHere==
< HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="ownCloud"
  WWW-Authenticate: Basic realm="ownCloud"

(Identical headers for both requests are removed)

@PVince81 PVince81 added sev2-high and removed sev3-medium labels Nov 16, 2016
@PVince81
Collaborator

Duplicate headers should be fixed in 9.2 / master already but we can try and backport some parts of the fixes for older versions.

@PVince81 PVince81 modified the milestone: 9.0.7, 9.2 Nov 16, 2016
@PVince81
Collaborator

@DeepDiver1975 can you backport #26353 (comment) to 9.1 and 9.0 ?

@PVince81
Collaborator

AFAIK the fix is only for the remote.php/dav endpoint. There was no duplicate header on the "remote.php/webdav" header. Maybe the issue from @adduxa is different and is still causing duplicate headers. Can you test with #26688 ?

@adduxa
adduxa commented Nov 23, 2016

@PVince81 yep, only one header and now it's working. Thanks @DeepDiver1975 for the fix!
P.S. I have 9.1, so #26687 for me

@PVince81 PVince81 closed this Nov 29, 2016
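
A regression check for the symptom reported in this issue, added here as an example and not part of the original thread or of ownCloud's code: it reads raw response headers (as printed by `curl -sI`) and reports, for each response, how many `WWW-Authenticate` challenges were sent and how many were exact repeats of an earlier one. The function names and the sample responses are constructed for illustration; distinct challenges (for example Basic plus Negotiate) are deliberately not counted as duplicates.

```shell
#!/bin/sh
# Prints one line per response block: "<status> <challenges> <exact repeats>".
count_auth_challenges() {
    awk '
        # Strip the CR left by HTTP line endings.
        { sub(/\r$/, "") }
        # A status line starts a new response (curl -L prints several blocks).
        /^HTTP\// { flush(); status = $2; in_block = 1; next }
        # Header names are case-insensitive.
        in_block && tolower($0) ~ /^www-authenticate[ \t]*:/ {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            total++
            if (seen[value]++) dups++
            next
        }
        function flush(   k) {
            if (in_block) printf "%s %d %d\n", status, total, dups
            total = 0; dups = 0
            for (k in seen) delete seen[k]
        }
        END { flush() }
    '
}

# Exit status 0 if any response on stdin repeats a challenge, 1 otherwise.
# Live use: curl -sI http://example.com/remote.php/dav | has_duplicate_challenge
has_duplicate_challenge() {
    count_auth_challenges | awk '$3 > 0 { found = 1 } END { exit !found }'
}

# Constructed sample modelled on the 401 logged for /remote.php/dav/files/USERNAME;
# the second header name is lower-cased to exercise case-insensitive matching.
sample_dav() {
    printf 'HTTP/1.1 401 Unauthorized\r\n'
    printf 'WWW-Authenticate: Basic realm="ownCloud"\r\n'
    printf 'www-authenticate: Basic realm="ownCloud"\r\n\r\n'
}

# Constructed sample modelled on the 401 logged for /remote.php/webdav.
sample_webdav() {
    printf 'HTTP/1.1 401 Unauthorized\r\n'
    printf 'WWW-Authenticate: Basic realm="ownCloud"\r\n\r\n'
}

sample_dav | count_auth_challenges      # 401 2 1
sample_webdav | count_auth_challenges   # 401 1 0
```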