Merge #252 [backport25] No session on DAV API call

nextmcloud · Jan 3, 2024 · c83cda9 · c83cda9
2 parents 1d2c103 + 311ff80
commit c83cda9
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/apps/files/lib/Controller/ViewController.php b/apps/files/lib/Controller/ViewController.php
@@ -158,6 +158,7 @@ protected function getStorageInfo() {
 	/**
 	 * @NoCSRFRequired
 	 * @NoAdminRequired
+     * @UseSession
 	 *
 	 * @param string $fileid
 	 * @return TemplateResponse|RedirectResponse

diff --git a/lib/base.php b/lib/base.php
@@ -66,6 +66,7 @@
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Group\Events\UserRemovedEvent;
 use OCP\ILogger;
+use OCP\IRequest;
 use OCP\Server;
 use OCP\Share;
 use OC\Encryption\HookManager;
@@ -414,8 +415,22 @@ private static function printUpgradePage(\OC\SystemConfig $systemConfig) {
 		$tmpl->printPage();
 	}
 
-	public static function initSession() {
-		if (self::$server->getRequest()->getServerProtocol() === 'https') {
+	public static function initSession(): void {
+		$request = Server::get(IRequest::class);
+
+		// TODO: Temporary disabled again to solve issues with CalDAV/CardDAV clients like DAVx5 that use cookies
+		// TODO: See https://github.com/nextcloud/server/issues/37277#issuecomment-1476366147 and the other comments
+		// TODO: for further information.
+        // MagentaCLOUD stays with original version of the solution from production
+		$isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || 
+                           strpos($request->getRequestUri(), '/remote.php/webdav') === 0;
+		if ($request->getHeader('Authorization') !== '' && $isDavRequest && !isset($_COOKIE['nc_session_id'])) {
+		   // Do not initialize the session if a request is authenticated directly
+		   // unless there is a session cookie already sent along
+		   return;
+		}
+
+		if ($request->getServerProtocol() === 'https') {
 			ini_set('session.cookie_secure', 'true');
 		}
 

diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php
@@ -42,6 +42,7 @@
 use OCP\IConfig;
 use OCP\ISession;
 use OCP\IUser;
+use OCP\Session\Exceptions\SessionNotAvailableException;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\EventDispatcher\GenericEvent;
@@ -362,7 +363,7 @@ public function needsSecondFactor(IUser $user = null): bool {
 					$this->session->set(self::SESSION_UID_DONE, $user->getUID());
 					return false;
 				}
-			} catch (InvalidTokenException $e) {
+			} catch (InvalidTokenException|SessionNotAvailableException $e) {
 			}
 		}