
Disallow cookie auth for cors requests stable7 #16581

Merged
merged 1 commit into stable7 from stable7-cors-no-cookie-auth on Jun 23, 2015

Conversation

BernhardPosselt
Contributor

Backport of #16532

No cherry pick, manually migrated and tested with the news app, please review more closely

@LukasReschke @DeepDiver1975 @MorrisJobke @PVince81

@scrutinizer-notifier

A new inspection was created.

@LukasReschke LukasReschke added this to the 7.0.7-next-maintenance milestone May 27, 2015
@DeepDiver1975
Member

@LukasReschke okay to merge?

@DeepDiver1975
Member

👍

@LukasReschke
Member

🚢

LukasReschke added a commit that referenced this pull request Jun 23, 2015
Disallow cookie auth for cors requests stable7
@LukasReschke LukasReschke merged commit 063b8ea into stable7 Jun 23, 2015
@LukasReschke LukasReschke deleted the stable7-cors-no-cookie-auth branch June 23, 2015 11:37
@jvillafanez
Member

The error response is an HTML page... 😕 Is this intended? I expected a JSON response...

I'm putting the "QA seal of approval" because it's blocking the request using only cookie auth (as intended), but I'm not sure if I should open a new issue for the response.

curl -X GET -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'requesttoken: 502fcb3bda2318933d55' -H 'Cookie: oc081c7cf55a=onpfc64er4kju7gg2v6penkkc3; path=/' -H 'Origin: http://foo/bar' -v http://xxxxx:yyy/index.php/apps/news/api/v1-2/folders
* Hostname was NOT found in DNS cache
*   Trying a.b.c.d...
* Connected to a.b.c.d (a.b.c.d) port X (#0)
> GET http://xxxxx:yyyy/index.php/apps/news/api/v1-2/folders HTTP/1.1
> User-Agent: curl/7.35.0
> Host: xxxxxx:yyyyy
> Proxy-Connection: Keep-Alive
> Accept: application/json, text/javascript, */*; q=0.01
> requesttoken: 502fcb3bda2318933d55
> Cookie: oc081c7cf55a=onpfc64er4kju7gg2v6penkkc3; path=/
> Origin: http://foo/bar
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Tue, 30 Jun 2015 15:35:59 GMT
< Server: Apache/2.4.7 (Ubuntu)
< X-Powered-By: PHP/5.5.9-1ubuntu4.9
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: Sameorigin
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *
< X-Robots-Tag: none
< Set-Cookie: oc_username=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
< Set-Cookie: oc_token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
< Set-Cookie: oc_remember_login=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
< Set-Cookie: oc_username=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
< Set-Cookie: oc_token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
< Set-Cookie: oc_remember_login=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
< Content-Type: text/html; charset=UTF-8
< X-Cache: MISS from squid.xxxx
< X-Cache-Lookup: MISS from squid.xxxx:3128
< Via: 1.0 squid.xxxx.prv (squid/3.1.19)
< Connection: close
< 
<!DOCTYPE html>
<!--[if lt IE 7]><html class="ng-csp ie ie6 lte9 lte8 lte7" data-placeholder-focus="false"><![endif]-->
<!--[if IE 7]><html class="ng-csp ie ie7 lte9 lte8 lte7" data-placeholder-focus="false"><![endif]-->
<!--[if IE 8]><html class="ng-csp ie ie8 lte9 lte8" data-placeholder-focus="false"><![endif]-->
<!--[if IE 9]><html class="ng-csp ie ie9 lte9" data-placeholder-focus="false"><![endif]-->
<!--[if gt IE 9]><html class="ng-csp ie" data-placeholder-focus="false"><![endif]-->
<!--[if !IE]><!--><html class="ng-csp" data-placeholder-focus="false"><!--<![endif]-->

    <head data-requesttoken="502fcb3bda2318933d55">
        <title>
        ownCloud Enterprise Edition     </title>

            </head>
    <body id="body-login">
        <noscript><div id="nojavascript"><div>This application requires JavaScript for correct operation. Please <a href="http://enable-javascript.com/" target="_blank">enable JavaScript</a> and reload the page.</div></div></noscript>
        <div class="wrapper"><!-- for sticky footer -->
            <div class="v-align"><!-- vertically centred box -->
                <header><div id="header">
                    <div class="logo svg"></div>
                    <div id="logo-claim" style="display:none;">Enterprise Edition</div>
                </div></header>

                <ul class="error-wide">
            <li class='error'>
            CORS requires basic auth<br/>
            <p class='hint'></p>
        </li>
    </ul>
            <div class="push"></div><!-- for sticky footer -->
            </div>
        </div>

        <footer>
            <p class="info">
                © 2015 <a href="https://owncloud.com" target="_blank">ownCloud Inc.</a><br/>Your Cloud, Your Data, Your Way!           </p>
        </footer>
    </body>
</html>
* Closing connection 0

@LukasReschke
Member

> The error response is an HTML page... 😕 Is this intended? I expected a JSON response...

This is the expected behaviour as the error handling is done in core which has no way to differentiate at the moment: #15357
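The rule exercised by the curl session above, together with the content negotiation the QA comment asks about, as an added stand-alone example (not ownCloud's code and not the check this PR merged): a request carrying an Origin header is authenticated only by HTTP basic auth, its session cookie is ignored, and the refusal comes back as JSON when the client sends Accept: application/json. It assumes the request is given as a header dict and that the session cookie name starts with "oc".

```python
import base64
import json
from typing import Dict, Optional, Tuple

# Added stand-alone model of the rule, not ownCloud's code. Assumption: the
# session cookie name starts with "oc", like the oc... cookie in the report.

def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}

def has_basic_auth(headers) -> bool:
    """True only for a well-formed 'Authorization: Basic base64(user:pass)'."""
    scheme, _, blob = _lower(headers).get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return False
    try:
        return b":" in base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False

def has_session_cookie(headers) -> bool:
    names = [c.split("=", 1)[0].strip() for c in _lower(headers).get("cookie", "").split(";")]
    return any(n.startswith("oc") for n in names)

def authenticate(headers) -> Optional[str]:
    """Credential source the request may rely on: 'basic', 'cookie' or None.
    Basic auth always counts. The session cookie counts only for same-origin
    requests: once an Origin header marks the request as cross-origin the
    cookie is ignored, since the browser attaches it to requests from any site."""
    h = _lower(headers)
    if has_basic_auth(h):
        return "basic"
    if "origin" in h:
        return None
    return "cookie" if has_session_cookie(h) else None

def error_response(headers, message: str) -> Tuple[int, str, str]:
    """(status, Content-Type, body); JSON when the client asked for it."""
    if "application/json" in _lower(headers).get("accept", ""):
        return 401, "application/json", json.dumps({"message": message})
    return 401, "text/html; charset=UTF-8", f"<li class='error'>{message}</li>"

def handle_request(headers) -> Tuple[int, str, str]:
    source = authenticate(headers)
    if source is None:
        msg = "CORS requires basic auth" if "origin" in _lower(headers) else "Unauthenticated"
        return error_response(headers, msg)
    return 200, "application/json", json.dumps({"auth": source})
```

Fed the headers from the curl call above (cookie plus Origin, no Authorization), handle_request returns a 401 JSON body instead of the 500 HTML page core currently produces.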

@lock lock bot locked as resolved and limited conversation to collaborators Aug 11, 2019