
Case sensitive usernames when logging in with an app password via webdav #29708

mdusher opened this issue Nov 29, 2017 · 5 comments

mdusher commented Nov 29, 2017

Steps to reproduce

  1. Create an app password
  2. Try to log in with your username in a different case from what is stored in ownCloud

Expected behaviour

The login should be case-insensitive.

Actual behaviour

The login is rejected because it does not match what is stored in ownCloud.

Server configuration

Operating system: Redhat 7

Web server: Apache 2.2.15

Database: MariaDB 10.0.27 with Galera 25.3.18

PHP version: 7.0.23

ownCloud version: 10.0.3

Updated from an older ownCloud or fresh install: Updated from 8.2.11

Where did you install ownCloud from: https://owncloud.org/install/#edition

Signing status (ownCloud 9.0 and above):

Integrity checker has been disabled. Integrity cannot be verified.

The content of config/config.php:

{
    "system": {
        "instanceid": "5230042dc1897",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "cloudstor.aarnet.edu.au"
        },
        "datadirectory": "\/cloudstor\/data\/owncloud\/data",
        "version": "10.0.3.3",
        "dbtype": "mysql",
        "dbname": "owncloud",
        "dbhost": "127.0.0.1:3306",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "",
        "installed": true,
        "operation.mode": "clustered-instance",
        "default_language": "en_GB",
        "defaultapp": "files",
        "knowledgebaseenabled": true,
        "enable_avatars": false,
        "allow_user_to_change_display_name": false,
        "session_lifetime": 86400,
        "session_keepalive": true,
        "token_auth_enforced": false,
        "mail_domain": "aarnet.edu.au",
        "mail_from_address": "cloudstor-noreply",
        "mail_smtpmode": "php",
        "overwriteprotocol": "https",
        "overwrite.cli.url": "https:\/\/cloudstor.aarnet.edu.au\/plus",
        "htaccess.RewriteBase": "\/plus",
        "trashbin_retention_obligation": "30, auto, auto",
        "appcodechecker": false,
        "updatechecker": false,
        "has_internet_connection": true,
        "check_for_working_webdav": false,
        "check_for_working_htaccess": true,
        "log_type": "owncloud",
        "logfile": "\/cloudstor\/logs\/owncloud\/owncloud.log",
        "loglevel": 3,
        "logtimezone": "UTC",
        "log_query": false,
        "customclient_desktop": "https:\/\/cloudstor.aarnet.edu.au\/client-download\/",
        "customclient_android": "https:\/\/play.google.com\/store\/apps\/details?id=au.edu.aarnet.cloudstor.android",
        "customclient_ios": "https:\/\/itunes.apple.com\/au\/app\/cloudstor\/id1215476371?mt=8",
        "cron_log": true,
        "appstore.experimental.enabled": false,
        "apps_paths": [
            {
                "path": "\/cloudstor\/www\/owncloud\/apps",
                "url": "\/apps",
                "writable": true
            },
            {
                "path": "\/cloudstor\/www\/owncloud\/3rdparty-apps",
                "url": "\/3rdparty-apps",
                "writable": true
            }
        ],
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\Illustrator",
            "OC\\Preview\\Postscript",
            "OC\\Preview\\Photoshop",
            "OC\\Preview\\Movie"
        ],
        "maintenance": false,
        "singleuser": false,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "127.0.0.1",
            "port": 6380,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "memcached_servers": [
            [
                "127.0.0.1",
                11211
            ]
        ],
        "blacklisted_files": [
            ".htaccess"
        ],
        "share_folder": "\/Shared",
        "cipher": "AES-256-CFB",
        "minimum.supported.desktop.version": "1.5.0",
        "quota_include_external_storage": false,
        "filesystem_check_changes": 0,
        "filesystem_cache_readonly": false,
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED",
            "HTTP_FORWARDED_FOR"
        ],
        "filelocking.enabled": true,
        "filelocking.ttl": 3600,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "upgrade.disable-web": true,
        "upgrade.automatic-app-update": false,
        "integrity.check.disabled": true,
        "cache_path": "\/cloudstor\/data\/tmp",
        "tempdirectory": "\/cloudstor\/data\/tmp",
        "mail_smtpdebug": false,
        "mail_smtphost": "smtp.aarnet.edu.au",
        "mail_smtpport": "25",
        "mail_smtptimeout": 10,
        "preview_office_cl_parameters": "",
        "preview_max_scale_factor": 10,
        "preview_max_filesize_image": 100,
        "openssl": [],
        "activity_expire_days": 365
    }
}

List of activated apps:

  - aarnet-hooks: 0.0.1
  - activity: 2.3.4
  - cloudstortheme: 1.0.0
  - collections: 1.1.1
  - comments: 0.3.0
  - configreport: 0.1.1
  - dav: 0.3.0
  - direct_menu: 0.1.0
  - federatedfilesharing: 0.3.1
  - federation: 0.1.0
  - files: 1.5.1
  - files_clipboard: 0.6.4
  - files_external: 0.7.1
  - files_pdfviewer: 0.8.2
  - files_sharing: 0.10.1
  - files_texteditor: 2.2
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - filescan: 0.0.1
  - filesenderapp: 1.0
  - firstrunwizard: 1.1
  - gallery: 16.0.2
  - impersonate: 0.1.0
  - market: 0.2.2
  - notifications: 0.3.1
  - provisioning_api: 0.5.0
  - renaming_api: 0.0.1
  - tenant_portal: 1.0.6
  - terms: 0.1
  - updatenotification: 0.2.1
  - user_saml: 0.4

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: user_saml

Logs

I don't think any of the logs are relevant. But here are the header responses from a simple curl (truncated; the only difference is the capital letters in my username):

$ curl -I -X PROPFIND -u"michael.usher@aarnet.edu.au:XXXX-XXXX-XXXX-XXXX" https://cloudstor.aarnet.edu.au/plus/remote.php/webdav/
Enter host password for user 'michael.usher@aarnet.edu.au':
HTTP/1.1 401 Unauthorized

$ curl -I -X PROPFIND -u"Michael.Usher@aarnet.edu.au:XXXX-XXXX-XXXX-XXXX" https://cloudstor.aarnet.edu.au/plus/remote.php/webdav/
Enter host password for user 'Michael.Usher@aarnet.edu.au':
HTTP/1.1 207 Multi-Status
@ownclouders

GitMate.io thinks a possibly related issue is #29063: Generic Share Exception when attempting to create new shares (OC10.0.3).

@PVince81

At first I'd think it's only a matter of adding strtolower when comparing the user name in some of the auth code. However I think there is more involved: some user backends are case sensitive. So the bug fix will need to take this into account.

@PVince81

@DeepDiver1975

@PVince81

From what I remember, app passwords are created based on the login you have used for the session in which you created the app password. There is some information that is encrypted in the database using this specific user id. So using a different user id in combination with that password cannot work.

This is not only about casing but also affects setups where LDAP allows a single user to login with several different login names. Only one can be used in combination with an app password. This is why it is currently displayed in the settings page along with the token. They need to be copy-pasted as is.

Also app passwords are usually designed to be stored and saved once. So the user only ever enters this once in their apps. So there is no UX benefit of allowing different username casings anyway.

Closing as "by design".
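As an illustration of the binding PVince81 describes, here is an added, constructed model (not ownCloud's code): the record protecting the session material is keyed from the login name exactly as typed, so a case variant of the same name cannot unlock it, and any fix must first ask the user backend whether two spellings denote the same account before normalising. Names, key derivation and record layout are hypothetical.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical model of login-name-bound app passwords; not ownCloud's implementation.


def _derive_key(login_name, app_password):
    # The key depends on the login name as typed: "User" and "user" yield different keys.
    return hashlib.pbkdf2_hmac("sha256", app_password.encode(), login_name.encode(), 100_000, 32)


def create_app_password(login_name, session_secret):
    """Mint a token and store session_secret (<= 32 bytes) encrypted under that token + login name."""
    app_password = "-".join(secrets.token_hex(2).upper() for _ in range(4))
    key = _derive_key(login_name, app_password)
    nonce = os.urandom(16)
    keystream = hmac.new(key, nonce, "sha256").digest()          # illustration-only stream cipher
    ciphertext = bytes(a ^ b for a, b in zip(session_secret, keystream))
    tag = hmac.new(key, nonce + ciphertext, "sha256").hexdigest()  # integrity check on the record
    record = {"login_name": login_name, "nonce": nonce, "ct": ciphertext, "tag": tag}
    return app_password, record


def authenticate(login_name, app_password, record, backend_case_insensitive=False):
    """Return the session secret, or None (a 401) when the login name or token does not match."""
    name = login_name
    # Only a backend that treats the two spellings as one account may resolve the typed
    # name to the stored one; a case-sensitive backend must not (they could be different users).
    if backend_case_insensitive and login_name.lower() == record["login_name"].lower():
        name = record["login_name"]
    key = _derive_key(name, app_password)
    expected = hmac.new(key, record["nonce"] + record["ct"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    keystream = hmac.new(key, record["nonce"], "sha256").digest()
    return bytes(a ^ b for a, b in zip(record["ct"], keystream))


if __name__ == "__main__":
    # Constructed sample user and session secret.
    secret = os.urandom(32)
    token, rec = create_app_password("Michael.Usher@example.org", secret)
    print(authenticate("Michael.Usher@example.org", token, rec) == secret)      # True
    print(authenticate("michael.usher@example.org", token, rec))                # None
    print(authenticate("michael.usher@example.org", token, rec, True) == secret)  # True
```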


lock bot commented Jul 30, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock bot locked as resolved and limited conversation to collaborators Jul 30, 2019