Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Upload only" public link leaks content via propfind #4657

Closed
kulmann opened this issue Sep 26, 2022 · 1 comment
Closed

"Upload only" public link leaks content via propfind #4657

kulmann opened this issue Sep 26, 2022 · 1 comment
Assignees
@rhafer
Labels
Priority:p2-high Escalation, on top of current planning, release blocker Topic:Security Type:Bug
Milestone
2.0.0 General Ava...

Comments

@kulmann
Copy link
Contributor

kulmann commented Sep 26, 2022

Describe the bug

Having a public link with role "Upload" still lists the content via PROPFIND.

Steps to reproduce

Steps to reproduce the behavior:

  1. Create a folder with some files
  2. Create a public link with "Upload" role
  3. Do a propfind, e.g. with curl: curl --insecure -X PROPFIND -H "Depth: 1" -H "Content-Type: text/xml" 'https://host.docker.internal:9200/remote.php/dav/public-files/dEbwwApymmGZhSd' | xmllint --format - (set your public link token in the URL according to your public link)

Expected behavior

Some 404 or whatever. But folder listing must be prevented.

Actual behavior

PROPFIND lists all files and folders as if the link had read or higher permissions.

Setup

oCIS single binary on commit hash ca66a9f7516734e7a3c64074d37f266dd90f702f.
@micbar micbar added Priority:p2-high Escalation, on top of current planning, release blocker GA-Blocker labels Sep 26, 2022
@micbar micbar added this to the 2.0.0 General Availability milestone Sep 26, 2022
@ScharfViktor
Copy link
Contributor

Ahh, I wondered why it worked correctly for the web. for "upload permissions" PROPFIND request use depth=0. In this way we block the content for public.
Screenshot 2022-09-26 at 11 01 52

@rhafer rhafer self-assigned this Sep 26, 2022
@rhafer rhafer mentioned this issue Sep 26, 2022
Merged
rhafer added a commit to cs3org/reva that referenced this issue Sep 26, 2022
@rhafer
Fix permissions for the "uploader" Role
83c796b 
The "Uploade" role should not be able to list contents of the shared
resource.

owncloud/ocis#4657
rhafer added a commit to rhafer/ocis that referenced this issue Sep 26, 2022
@rhafer
Bump reva to latest edge
08c09bc 
Fixes: owncloud#4628, owncloud#4657
@rhafer rhafer mentioned this issue Sep 26, 2022
Merged
butonic pushed a commit that referenced this issue Sep 27, 2022
@rhafer
Bump reva to latest edge (#4660)
918bc85 
Fixes: #4628, #4657
@rhafer rhafer closed this as completed Sep 27, 2022
ownclouders pushed a commit that referenced this issue Sep 27, 2022
@rhafer
commit 918bc85
a07db2c 
Author: Ralf Haferkamp <rhaferkamp@owncloud.com>
Date:   Tue Sep 27 10:36:42 2022 +0200

    Bump reva to latest edge (#4660)

    Fixes: #4628, #4657
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rhafer rhafer

Labels
Priority:p2-high Escalation, on top of current planning, release blocker Topic:Security Type:Bug
Projects
None yet
Milestone
2.0.0 General Availability
Development

No branches or pull requests
4 participants
@rhafer @kulmann @micbar @ScharfViktor