Block old legacy clients #15683
Block old legacy clients #15683
Conversation
|
In the future we need to come up with something that also works for regular third-party WebDAV clients… Creating tens of thousands of sessions for single users is not really what we should do. This is only a drop on the hot stone (though a big one…) |
|
… please let's discuss the impact of this first before merging :) … also @MTRichards we really need to define which desktop versions are supported and which ones not :) |
| if(isset($versionMatches[1]) && version_compare($versionMatches[1], '1.6.0') === -1) { | ||
| // FIXME: Why can't we uset he ResponseInterface here? | ||
| http_response_code(503); | ||
| exit(); |
There was a problem hiding this comment.
@evert Sorry for disturbing but I somewhat had problems to use the ResponseInterface here and then the setStatus stuff etc. – Do you have any idea what I am doing wrong here? Would be totally awesome if you could give me a hint 👯 🍻
There was a problem hiding this comment.
(I also returned false)
There was a problem hiding this comment.
@LukasReschke I'd simple throw an exception - specifically ServiceUnavailable
There was a problem hiding this comment.
Not sure why it didn't work, but @DeepDiver1975 is right, it's better to throw the exception there.
Also: $request->getHeader('User-Agent') instead of $request->getRawServerValue('HTTP_USER_AGENT');
|
Refer to this link for build results (access rights to CI server needed): |
|
While I reserve the right to change this, or have exceptions based on real customer scenarios, my plan is to support the current release (1.8.x) and the previous major release (1.7.x). We would support any 1.7.x and 1.8.x, but that means we would need to force the update to the latest in that line if there is a problem. This also provides the opportunity for a customer to test the latest release before updating. Once we ship the updater for on premise, and document how to host a linux package, there is no longer a good reason for not pushing upgrades. BUT, it is still up to the customer, and there are scenarios where this can't fully work. So...Please don't just block older clients. This will lead to all sorts of unintended problems! It needs a graceful error message, or a notice of deprecation or something... |
| function beforeHandler(RequestInterface $request) { | ||
| $userAgent = $request->getRawServerValue('HTTP_USER_AGENT'); | ||
| preg_match("/(?:mirall\\/)([\d.]+)/i", $userAgent, $versionMatches); | ||
| if(isset($versionMatches[1]) && version_compare($versionMatches[1], '1.6.0') === -1) { |
|
I also agree with @LukasReschke that sessions should ideally not ever be started =) |
|
I agree with @MTRichards We need to guide the users to update the client first before we block it completely. |
|
For customers we need this configurable (as in allow all, 1.6.0+ or 1.7.0 ....) - for the community we should by default disallow 1.6.0 and less - it is know that this client has issues and purely talking about the community: most recent clients are available in any linux distro or via OBS, Mac and Windows are already on our own update mechanism. I'm all in for merging this into 8.1 with a config option. @MTRichards @karlitschek does that make sense? THX |
|
i think it makes sense with a config option. what would be the default? |
|
I agree - with a config option, a release note and some documentation, and a line in sample.config.php, A configurable value is acceptable. Clearly the versions allowed should be configurable (such as allow this version or newer, or deny this version or earlier where the admin enters the version), since we could see an oC client 2.4.1 accessing ownCloud 8.0.2 in the future. That said, we can't expect our customers to know our version history numbering, so we need something better than enter something, such as comments in the config file that say the release date of the latest versions as of the time of release. And also in the documentation. @carlaschroder adding release note tag for you. |
from a technical perspective we can only check on the explicit version number - the history is within the changelog of the client I assume. Would that be enough @MTRichards - or do I miss anything? |
|
I don't mind checking explicit version numbers in the code somewhere, but we can't expect an admin to know the explicit version numbers, or change a config option when a new client is released - they won't do it. An admin should just be able to say (and our default for new installations should be) the current version minus 2, so right now 1.7 and 1.8 clients would be allowed by default. 1.6 and earlier would be denied. Then also of course 1.9 or 2.0 or 2.1 etc would be allowed in this situation. In other words <=1.6 would be denied. All the admin has to do is know to leave the 1.6 in there, and all 1.6.x versions and earlier will be denied. When we release each ownCloud version, we just would need to increment the config file properly using autoconfig or the ee config file so that at the time of release, the latest 2 dot releases for clients can access. Of course if we are upgrading customers, this should not be forced on our customers and users, rather it is optional. |
So with every ownCloud major release you want us to update the default config value for the blocked clients to be current version - 2 ? |
|
FYI |
|
@MTRichards is there a need to have the same functionality for mobile clients? THX @jnfrmarks for the hint 😉 |
Ideally, current major version - 2. 1.8 or 1.7 = major version. That said, how deep down this hole do we want to get? It is possible that a problem in QT that we found makes 1.7.3 work, but not 1.7.2, 1.7.1 or 1.7.0. And 1.8.2, but not 1.8.1. So a customer would want to enable this for 1.7.2 and 1.8.2 and greater only. The end solution might be
For example, a setting such as 1.7.1, blacklist: 1.8.0, 1.8.1 For now, I would stick with 1) above and not worry about 2). |
Probably. I know how we do propfinds in 8.1 changes, so older mobile versions will not work correctly. Asking @rperezb for more thoughts. The main difference in mobile is that most people upgrade the mobile to the latest when they find they have a problem (or automatically), so the scale of the issue is a lot smaller. The problem really comes in older versions out there that can't upgrade, like iOS 5 devices. This is a really small %, but we should cover it anyway. Same rule in my head: @carlaschroder more documentation / release note fun! |
I was not precise enough - I was talking about ownCloud Server major releases (as in 8.1, 8.2 ...). |
well - as of today: as soon as we are delivering e.g. 1.8.0 - there will be no further development in previous major versions. Based on this assumption we can keep the config entry quite simple. 'minimum_desktop_client_version' => 1.6.2 |
|
I think to do that properly, you need to split the version into its three parts: 1.8.0 => major => 1, minor => 8 and patch => 0. With that, the implementation can support fine granular checks, such as A lot of projects handle the versions according to that theme. If the code checks for hard coded release strings, it might become tricky. I would not recommend that. |
|
@dragotin doing version comparison the right way is for sure necessary - this is out of question. |
Cool, I like fun :) |
Now I am confused. How does this work with server version? I am missing something. |
well - checking and rejecting a client is job of the server - we have to provide a default minimum client version - right? |
|
@owncloud-bot Retest this please. |
|
Refer to this link for build results (access rights to CI server needed): |
|
@LukasReschke please add this to the feature wiki - THX |
okay - looks like - ability to read helps - THX @carlaschroder |
@LukasReschke this has been resolved from my understanding - right? |
|
ready to merge from my understanding 👍 |
Yes.
Done. |
| * @throws \Sabre\DAV\Exception\Forbidden If the client version is not supported | ||
| */ | ||
| public function beforeHandler(RequestInterface $request) { | ||
| $userAgent = $request->getHeader('User-Agent'); |
There was a problem hiding this comment.
what happens if no user agent is defined?
There was a problem hiding this comment.
Indeed. That will probably fail as \Sabre\HTTP\MessageInterface::getHeader returns null then. Let me add a unit test for this as well as a test. Nice catch 🚀
In case of an not sent UA header consider the client as valid
|
@owncloud-bot Retest this please. |
|
Refer to this link for build results (access rights to CI server needed): |
|
|
|
one more review please @nickvergessen @th3fallen THX |
|
The inspection completed: 8 new issues, 8 updated code elements |
| @@ -0,0 +1,129 @@ | |||
| <?php | |||
There was a problem hiding this comment.
lower case file names as per DeepDiver somewhere else in the PRs
There was a problem hiding this comment.
Honestly, I will not change this on my own. If @DeepDiver1975 wants this then we shall document this properly and enforce this in Jenkins. We have a hell of test files that use upper case and PHPStorm will highlight PHPUnit files only using this syntax. Since we don't have that mad autoloader madness problem here it will also work quite well…
There was a problem hiding this comment.
As in: Needs to get documented at https://doc.owncloud.org/server/8.0/developer_manual/general/codingguidelines.html 🙈
|
@DeepDiver1975 I don't see a comment on https://github.com/owncloud/core/pull/15683/files#r28717907 yet. Other then that, fine by me |
|
doc updates owncloud-archive/documentation#1077 |
Block old legacy clients
This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance.
This has multiple reasons:
In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client
@danimo @dragotin @DeepDiver1975 @karlitschek @butonic … and whoever might feel involved 🙈