Upload-only shares must not overwrite but create a separate file

[PVince81]

curl -D - 'https://localhost:9200/remote.php/webdav/empty%20file' \                                                           
  -X 'PUT' \    
  -H 'Content-Length: 0' \
  --insecure \
  -u einstein:relativity
HTTP/1.1 204 No Content

Discovered while running tests/acceptance/features/apiSharePublicLink1/changingPublicLinkShare.feature:171

[PVince81]

Ohh, this is a regression that only exists in cs3org/reva#822.

I'll submit the fix there...

[PVince81]

now I'm confused... some other tests are failing now, the test is obviously overwriting the file but is expecting a 201 status and not 204.

either I remembered the specs wrong and so does whoever wrote the put.go code, or maybe the old API was already returning the wrong value for public links... needs further research...

I've enabled the tests that work correctly now on owncloud/core#37552

The remaining ones are here:

    /srv/www/htdocs/owncloud/tests/acceptance/features/apiSharePublicLink2/uploadToPublicLinkShare.feature:22
    /srv/www/htdocs/owncloud/tests/acceptance/features/apiSharePublicLink2/uploadToPublicLinkShare.feature:283

[PVince81]

Here is another test for uploading + overwriting a file in a another non-public link context, and here we expect 204: https://github.com/owncloud/core/blob/master/tests/acceptance/features/apiShareOperations/uploadToShare.feature#L111

I suspect that the public webdav API when it was added was not consistent with the non-public one, but the test got added to comply with the buggy result.

For the time being we could write a separate set of tests for OCIS that requires 204 and later on we might need to fix OC 10 public webdav to also return 204 on overwrite.

@individual-it

[PVince81]

ownCloud 10

tldr; all is fine there: creation returns 201 on all endpoints and overwrite returns 204.

Logged-in user

File creation

% curl -u admin:admin -D - 'http://localhost/owncloud/remote.php/dav/files/admin/empty.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 15:48:26 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=4ghltf4cbcrcef0gjkprs03l9k; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=PYh8Qd3dEFDzKeY5uc5TsIiJnpBD2zpzz5mXAuNjP7RZ5JZKNjwqhGXVdCq9v%2BsmMiKayPbHiS%2Fo%2BGyRgGUyHO%2Forh1JcuJzwHUz8R%2BaKly73%2BAeiI8f6XML6wZWr%2B6f; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'none';
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: och3q2wgdlyf=bi03cqm8a02p0to50m6ojgdg1j; path=/owncloud; HttpOnly
Set-Cookie: cookie_test=test; expires=Wed, 24-Jun-2020 16:48:27 GMT; Max-Age=3600
OC-FileId: 00000012och3q2wgdlyf
Content-Length: 0
ETag: "926768092c070d9a64e1e79324369897"
OC-ETag: "926768092c070d9a64e1e79324369897"
Content-Type: text/html; charset=UTF-8

File overwrite

% curl -u admin:admin -D - 'http://localhost/owncloud/remote.php/dav/files/admin/empty.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 204 No Content
Date: Wed, 24 Jun 2020 15:48:29 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=ocrcbibpermglgvb8hhlmj906q; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=iYnC2tIj%2BawUc%2F%2ByvhYEpTTiSjGbuhGPy0zB58ab%2FyH4v5KK9cz6s9TlHV10RpudDoUobnbz1cPQ%2B%2Fr8i9IE%2Bx6EvF2i4BjsgscWJ5x5TjfE5Xz46jUUx6m9YEA6%2ByuZ; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'none';
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: och3q2wgdlyf=fj4r69t38r1m5096k9p3g9cv7g; path=/owncloud; HttpOnly
Set-Cookie: cookie_test=test; expires=Wed, 24-Jun-2020 16:48:29 GMT; Max-Age=3600
OC-FileId: 00000012och3q2wgdlyf
ETag: "1734319668252544057ce2268ec79120"
OC-ETag: "1734319668252544057ce2268ec79120"

Public folder share old public Webdav API

File creation

% curl -u J7PLLaPvZcassmR: -D - 'http://localhost/owncloud/public.php/webdav/emptypublic.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 15:50:09 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=lok0dpbtu1vpq11psbjrnlvt60; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=8zbPpBRsZacZP%2FYAoGqs3l%2B01fxwZJRtWyEoPyCZSrBlBQM%2Fq7Xn%2FTYwGXWyrOrk4pLRiNrG%2BDQEOqJBVJRllpawjbmPXqO8beY0KDYb0PReV90w492JbOqjH4587HYK; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
OC-FileId: 00000013och3q2wgdlyf
Content-Length: 0
ETag: "21a13a0f65697b11d14af0874be678c1"
OC-ETag: "21a13a0f65697b11d14af0874be678c1"
Content-Type: text/html; charset=UTF-8

File overwrite

% curl -u J7PLLaPvZcassmR: -D - 'http://localhost/owncloud/public.php/webdav/emptypublic.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 204 No Content
Date: Wed, 24 Jun 2020 15:50:11 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=ot79bbt87umc0fmbu4oaj4eodl; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=LR1XNneUN4k7HamSgkJ7JnSLp2hJmxSZT%2FVpvoHBi1KLKxUp6Tfoi52MX0Lrfz%2FI8pzvdN4KPISWjA3DOuXBrZWhJz0JqHllFxgYvZii%2FPESdGLpRuse8%2FJGzQIXMzzh; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
OC-FileId: 00000013och3q2wgdlyf
ETag: "67bc4da24cbc151f5ffd884c8878182f"
OC-ETag: "67bc4da24cbc151f5ffd884c8878182f"

Public folder share new public Webdav API

File creation

% curl -D - 'http://localhost/owncloud/remote.php/dav/public-files/J7PLLaPvZcassmR/emptypublic-newapi.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 201 Created
Date: Wed, 24 Jun 2020 15:51:58 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=9v36pqokqa16fhsrrq8d4tlc21; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=3GKxoLP1uFKysNHuwT0Pq7xrAtoHLcXrSXpwDFjLZcRQl%2Fu%2FYkXCSFam7q0Svgs00QgFhl%2B%2BK%2BcvGvvXpP9T4oYlLBkqtZTeWcz9NaXB2if5bpUfWubV1QAkcJW9sFUg; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'none';
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Length: 0
ETag: "4c058c34059fd2a90dea4a69ec39a217"
OC-ETag: "4c058c34059fd2a90dea4a69ec39a217"
Content-Type: text/html; charset=UTF-8

File overwrite

% curl -D - 'http://localhost/owncloud/remote.php/dav/public-files/J7PLLaPvZcassmR/emptypublic-newapi.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 204 No Content
Date: Wed, 24 Jun 2020 15:52:00 GMT
Server: Apache
X-Powered-By: PHP/7.4.6
Set-Cookie: och3q2wgdlyf=e2ln9h288dl6dtramtikp5mdi8; path=/owncloud; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=FXeSYUYMbUhCnasuDGFdJ0YRFpD4nGLDwU4IEOWDqh6gNgh2q7IFo%2F6hNbw5Mcf1ZT7D2jb6p567DXVXI4hSQ%2FbUrVGtFS289I4du6b6op0b%2Fww%2BCc9WzqcP288gBujA; path=/owncloud; HttpOnly; SameSite=strict
Content-Security-Policy: default-src 'none';
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
ETag: e100f49447f18a292bdcb98d15450a48
OC-ETag: e100f49447f18a292bdcb98d15450a48

[PVince81]

OCIS

Using cs3org/reva#877

Also seems to work fine

File creation

% curl -k -D - 'https://localhost:9200/remote.php/dav/public-files/nmUtYcGzaZtr/emptypublic-newapi.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Content-Length: 0
Content-Security-Policy: default-src 'none';
Content-Type: text/plain; charset=utf-8
Date: Wed, 24 Jun 2020 15:55:08 GMT
Etag: "3bff67224e0f27d15d4fa26bf0b0c8b9"
Last-Modified: Wed, 24 Jun 2020 17:55:08 +0200
Oc-Etag: "3bff67224e0f27d15d4fa26bf0b0c8b9"
Oc-Fileid: MTI4NGQyMzgtYWE5Mi00MmNlLWJkYzQtMGIwMDAwMDA5MTYyOmM3YTg4YmM2LTg4YWUtNDI4Zi1iYzhmLWY1MzMyMTRjYWQwMw==
Vary: Origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block

File overwrite

% curl -k -D - 'https://localhost:9200/remote.php/dav/public-files/nmUtYcGzaZtr/emptypublic-newapi.txt' \
  -X 'PUT' \
  -H 'Content-Length: 0'
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Content-Security-Policy: default-src 'none';
Content-Type: text/plain; charset=utf-8
Date: Wed, 24 Jun 2020 15:55:10 GMT
Etag: "5f02332114b51b00a9447af23489e4ba"
Last-Modified: Wed, 24 Jun 2020 17:55:10 +0200
Oc-Etag: "5f02332114b51b00a9447af23489e4ba"
Oc-Fileid: MTI4NGQyMzgtYWE5Mi00MmNlLWJkYzQtMGIwMDAwMDA5MTYyOmM3YTg4YmM2LTg4YWUtNDI4Zi1iYzhmLWY1MzMyMTRjYWQwMw==
Vary: Origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block

[PVince81]

I rechecked owncloud/core#37552 and those tests still fail:

    /srv/www/htdocs/owncloud/tests/acceptance/features/apiSharePublicLink2/uploadToPublicLinkShare.feature:22
    /srv/www/htdocs/owncloud/tests/acceptance/features/apiSharePublicLink2/uploadToPublicLinkShare.feature:283

they are related to upload-only permissions.

[PVince81]

Upload-only is more complicated than just the status code.

The bug is that the current reva code is overwriting an existing file.
This should not be possible because it means another user who has the link could overwrite already existing data.

The way it's done in OC 10 is that the server is detecting conflicts and then automatically renames the file in the backend, and since it's creating a new file the status becomes 201.

So this is more about security.

[PVince81]

This is already covered by the tests with tag @issue-ocis-reva-286

[PVince81]

note: need to have a look at the Webdav code from OC 10. As far as I remember there's an extra header "OC-Autorename" to trigger or notify that behavior.

[PVince81]

this feels less important than https://github.com/owncloud/ocis-reva/issues/292 and as the latter is not planned until later, let's defer this one as well

@micbar @refs

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

[wkloucek]

Discussion in REVA cs3org/reva#2480

[ScharfViktor]

fixed via #8340