Case sensitive usernames when logging in with an app password via webdav #40119

Closed
T0mWz opened this issue Jun 3, 2022 · 4 comments · Fixed by #40281

Comments

@T0mWz

T0mWz commented Jun 3, 2022

This issue was previously reported (here #29708), but we are now encountering it ourselves too. The way a webdav password is generated and how it is then accepted is not always consistent.

Steps to reproduce

  1. Create a user with an uppercase character
  2. Generate an App password (Security tab in your personal settings) with a completely lower-case username and a webdav token with the normal username which contains one or more uppercase characters
  3. Try to log in with both

Expected behaviour

Expected behaviour should be that both accounts work and the casing of the username doesn't make a difference.

Actual behaviour

Depending on how the webdav token is generated, the application responds differently;

tomw@M0421014 ~ % curl -u 'u3342109@exchange-example.edu:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
This is the WebDAV interface. It can only be accessed by WebDAV clients such as the ownCloud desktop sync client.%
tomw@M0421014 ~ % curl -u 'U3342109@exchange-example.edu:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>Username or password was incorrect, Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured</s:message>
</d:error>
tomw@M0421014 ~ % curl -u 'U3342109@exchange-example.edu:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
This is the WebDAV interface. It can only be accessed by WebDAV clients such as the ownCloud desktop sync client.%
tomw@M0421014 ~ % curl -u 'u3342109@exchange-example.edu:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
This is the WebDAV interface. It can only be accessed by WebDAV clients such as the ownCloud desktop sync client.%

Server configuration

Operating system:
CentOS Linux release 7.9.2009 (Core)

Web server:
Apache/2.4.6 (CentOS)

Database:
MariaDB 10.3

PHP version:
PHP 7.4.29

ownCloud version:
OwnCloud 10.9.1

Log in as an admin user to your ownCloud and access
http://example.com/index.php/settings/integrity/failed
paste the results into https://gist.github.com/ and put the link here.

The content of config/config.php:

{
    "system": {
        "instanceid": "abcde",
        "license-key": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "miskatonic.data.surfsara.nl"
        ],
        "datadirectory": "\/var\/www\/owncloud\/data",
        "overwrite.cli.url": "https:\/\/miskatonic.data.surfsara.nl",
        "overwriteprotocol": "https",
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED_FOR",
            "HTTP_FORWARDED_FOR"
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "ocredis",
            "port": 6379,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***",
            "dbindex": 0
        },
        "filelocking.enabled": true,
        "filelocking.ttl": 28800,
        "http.cookie.samesite": "None",
        "trusted_proxies": [
            "1.2.3.4"
        ],
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "dbname": "miskatonic_oc",
        "dbhost": "proxysql:6033",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "appcodechecker": false,
        "updatechecker": false,
        "enable_avatars": false,
        "enable_previews": true,
        "preview_max_x": 1024,
        "preview_max_y": 1024,
        "preview_max_filesize_image": 100,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown"
        ],
        "appstoreenabled": false,
        "has_internet_connection": true,
        "minimum.supported.desktop.version": "2.3.0",
        "objectstore_multibucket": {
            "class": "OCA\\ObjectStore\\S3",
            "arguments": {
                "autocreate": true,
                "bucket": "owncloud",
                "part_size": "52428800",
                "options": {
                    "use_arn_region": false,
                    "version": "2006-03-01",
                    "region": "NL",
                    "credentials": {
                        "key": "1234",
                        "secret": "abcd"
                    },
                    "endpoint": "https:\/\/proxy.swift.surfsara.nl:443",
                    "command.params": {
                        "PathStyle": true
                    }
                }
            }
        },
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "version": "10.9.1.2",
        "installed": true,
        "log_type": "owncloud",
        "logfile": "\/var\/log\/xcloud\/miskatonic.b08e414dc310.owncloud.log",
        "loglevel": "0",
        "logtimezone": "Europe\/Amsterdam",
        "log.condition": {
            "apps": [
                "cron"
            ],
            "logfile": "\/var\/log\/xcloud\/miskatonic.b08e414dc310.owncloud.cron.log"
        },
        "cron_log": true,
        "logdateformat": "d\/M\/Y:H:i:s",
        "ldapIgnoreNamingRules": false,
        "skeletondirectory": "",
        "maintenance": false,
        "cache_chunk_gc_ttl": 86400,
        "dav.chunk_base_dir": "\/tmp",
        "trashbin_retention_obligation": "30, 32",
        "versions_retention_obligation": "auto, 14",
        "activity_expire_days": "14",
        "shibboleth": {
            "loginButtonName": "Login via SURFconext"
        }
    }
}

List of activated apps:

Enabled:
  - activity:
    - Version: 2.6.1
    - Path: /var/www/owncloud/apps/activity
  - admin_audit:
    - Version: 2.1.3
    - Path: /var/www/owncloud/apps/admin_audit
  - comments:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/comments
  - configreport:
    - Version: 0.2.0
    - Path: /var/www/owncloud/apps/configreport
  - customgroups:
    - Version: 0.6.2
    - Path: /var/www/owncloud/apps/customgroups
  - dav:
    - Version: 0.7.0
    - Path: /var/www/owncloud/apps/dav
  - diagnostics:
    - Version: 0.1.4
    - Path: /var/www/owncloud/apps/diagnostics
  - drawio:
    - Version: 0.9.2
    - Path: /var/www/owncloud/apps/drawio
  - enterprise_key:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/enterprise_key
  - external4groups:
    - Version: 1.2
    - Path: /var/www/owncloud/apps/external4groups
  - federatedfilesharing:
    - Version: 0.5.0
    - Path: /var/www/owncloud/apps/federatedfilesharing
  - federation:
    - Version: 0.1.0
    - Path: /var/www/owncloud/apps/federation
  - files:
    - Version: 1.5.2
    - Path: /var/www/owncloud/apps/files
  - files_clipboard:
    - Version: 1.0.3
    - Path: /var/www/owncloud/apps/files_clipboard
  - files_external:
    - Version: 0.8.0
    - Path: /var/www/owncloud/apps/files_external
  - files_external_s3:
    - Version: 1.0.0
    - Path: /var/www/owncloud/apps/files_external_s3
  - files_markdown:
    - Version: 0.1
    - Path: /var/www/owncloud/apps/files_markdown
  - files_mediaviewer:
    - Version: 1.0.5
    - Path: /var/www/owncloud/apps/files_mediaviewer
  - files_pdfviewer:
    - Version: 1.0.1
    - Path: /var/www/owncloud/apps/files_pdfviewer
  - files_sharing:
    - Version: 0.14.0
    - Path: /var/www/owncloud/apps/files_sharing
  - files_texteditor:
    - Version: 2.4.1
    - Path: /var/www/owncloud/apps/files_texteditor
  - files_trashbin:
    - Version: 0.9.1
    - Path: /var/www/owncloud/apps/files_trashbin
  - firewall:
    - Version: 2.10.3
    - Path: /var/www/owncloud/apps/firewall
  - firstrunwizard:
    - Version: 1.2.0
    - Path: /var/www/owncloud/apps/firstrunwizard
  - impersonate:
    - Version: 0.5.0
    - Path: /var/www/owncloud/apps/impersonate
  - market:
    - Version: 0.6.2
    - Path: /var/www/owncloud/apps/market
  - music:
    - Version: 1.5.1
    - Path: /var/www/owncloud/apps/music
  - notifications:
    - Version: 0.5.4
    - Path: /var/www/owncloud/apps/notifications
  - oauth2:
    - Version: 0.5.2
    - Path: /var/www/owncloud/apps/oauth2
  - objectstore:
    - Version: 0.5.1
    - Path: /var/www/owncloud/apps/objectstore
  - onlyoffice:
    - Version: 7.3.1
    - Path: /var/www/owncloud/apps/onlyoffice
  - password_policy:
    - Version: 2.1.3
    - Path: /var/www/owncloud/apps/password_policy
  - provisioning_api:
    - Version: 0.5.0
    - Path: /var/www/owncloud/apps/provisioning_api
  - researchdrive_help:
    - Version: 1.0.0
    - Path: /var/www/owncloud/apps/researchdrive_help
  - systemtags:
    - Version: 0.3.0
    - Path: /var/www/owncloud/apps/systemtags
  - systemtags_management:
    - Version: 0.4.1
    - Path: /var/www/owncloud/apps/systemtags_management
  - templateeditor:
    - Version: 0.4.0
    - Path: /var/www/owncloud/apps/templateeditor
  - theme-miskatonic:
    - Version: 1.0.0
    - Path: /var/www/owncloud/apps/theme-miskatonic
  - twofactor_backup_codes:
    - Version: 0.1.0
    - Path: /var/www/owncloud/apps/twofactor_backup_codes
  - twofactor_totp:
    - Version: 0.7.4
    - Path: /var/www/owncloud/apps/twofactor_totp
  - updatenotification:
    - Version: 0.2.1
    - Path: /var/www/owncloud/apps/updatenotification
  - user_ldap:
    - Version: 0.16.0
    - Path: /var/www/owncloud/apps/user_ldap
  - user_shibboleth:
    - Version: 3.5.0
    - Path: /var/www/owncloud/apps/user_shibboleth
  - webdav_hooks:
    - Version: 0.0.1
    - Path: /var/www/owncloud/apps/webdav_hooks
  - windows_network_drive:
    - Version: 2.1.0
    - Path: /var/www/owncloud/apps/windows_network_drive
  - workflow:
    - Version: 0.5.3
    - Path: /var/www/owncloud/apps/workflow

Logs

Nothing special in the server logs. Header response;

$ curl -u 'U3342109@exchange-example.edu:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
HTTP/1.1 401 Unauthorized

$ curl -u 'u3342109@exchange-example.edu:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
HTTP/1.1 207 Multi-Status
@pako81

pako81 commented Aug 10, 2022

The issue seems to be around the comparison done in https://github.com/owncloud/core/blob/master/lib/private/User/Session.php#L922

I propose to change

if ($user !== null && $dbToken->getLoginName() !== $user) to

if ($user !== null && \strcasecmp ($dbToken->getLoginName(), $user) !== 0)

This will make the username <--> token login name comparison case-insensitive and will allow authentication with different case.
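As an added illustration (not ownCloud's code), the following reconstructs the login-name check in a stand-alone form: the original strict comparison, the proposed `strcasecmp()` version, and a `mb_strtolower()` variant for login names that contain non-ASCII letters, which `strcasecmp()` does not fold. The token class, the mbstring availability and the sample usernames are assumptions made for this example.

```php
<?php
// Added illustration, not ownCloud code: the login-name check from the
// app-password token validation, before and after the proposed change.
// Token record and usernames are constructed sample data.

final class AppPasswordToken {
    private string $loginName;
    public function __construct(string $loginName) { $this->loginName = $loginName; }
    public function getLoginName(): string { return $this->loginName; }
}

// Before: exact byte-for-byte match, so a casing difference rejects the login.
function loginNameMatchesStrict(AppPasswordToken $dbToken, ?string $user): bool {
    return !($user !== null && $dbToken->getLoginName() !== $user);
}

// Proposed: strcasecmp() ignores case for ASCII letters only.
function loginNameMatchesAscii(AppPasswordToken $dbToken, ?string $user): bool {
    return !($user !== null && \strcasecmp($dbToken->getLoginName(), $user) !== 0);
}

// Variant for login names that may contain non-ASCII letters (assumption:
// the mbstring extension is available); folds both sides with mb_strtolower().
function loginNameMatchesUnicode(AppPasswordToken $dbToken, ?string $user): bool {
    return $user === null
        || \mb_strtolower($dbToken->getLoginName(), 'UTF-8') === \mb_strtolower($user, 'UTF-8');
}

$cases = [
    // [login name stored with the token, username supplied at login]
    ['u3342109@exchange-example.edu', 'u3342109@exchange-example.edu'],
    ['u3342109@exchange-example.edu', 'U3342109@exchange-example.edu'],
    ['ünal@exchange-example.edu',     'ÜNAL@exchange-example.edu'],
];

foreach ($cases as [$stored, $supplied]) {
    $token = new AppPasswordToken($stored);
    printf("%-30s strict=%-6s strcasecmp=%-6s mb=%s\n", $supplied,
        loginNameMatchesStrict($token, $supplied) ? 'ok' : 'reject',
        loginNameMatchesAscii($token, $supplied) ? 'ok' : 'reject',
        loginNameMatchesUnicode($token, $supplied) ? 'ok' : 'reject');
}
```

Whichever comparison is used should match the case semantics of the user backend that issued the uid, so that a login name cannot match a token belonging to a different account.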

@phil-davis

See PR #40281 - it ended up being easy to demonstrate the problem with a failing test scenario, and the suggested fix makes the test scenario pass.

@pako81

pako81 commented Aug 10, 2022

@phil-davis thanks! closing then #40280 ?

@phil-davis

> @phil-davis thanks! closing then #40280 ?

yes - sorry I didn't ping here in time to say that I was looking at a test that could demonstrate the problem, and confirm the fix.
