Skip to content

Comments

Soften the cookie check if no cookies are sent#110

Merged
LukasReschke merged 1 commit intostable9from
stable9-soften-policy-if-no-cookie-is-sent
Jun 20, 2016
Merged

Soften the cookie check if no cookies are sent#110
LukasReschke merged 1 commit intostable9from
stable9-soften-policy-if-no-cookie-is-sent

Conversation

@LukasReschke
Copy link
Member

@LukasReschke LukasReschke commented Jun 15, 2016

When no cookies are sent it is not required to perform any check for the strict or lax cookie, it does not provide any significant security advantage.

It does however interfer with the Android client which requests thumbnails from the unofficial API at /index.php/apps/files/api/v1/thumbnail/256/256/{filename}. This endpoint expects the strict cookie to be existent to not leak the existence of files. The Android client authenticates against this endpoint using Basic Auth and without cookies in some cases at least. This will make these endpoints work again with such cases.

To test this issue the following cURL command once without the patch and once with:

curl http://localhost/index.php/apps/files/api/v1/thumbnail/256/256/welcome.txt -u admin -v

Without the patch the request is redirected (which the client does not obey) and with the patch the preview is returned.

Fixes #101

@nextcloud/android Any chance that meanwhile we can push a hotfix to the Android app that sends the cookies nc_sameSiteCookielax and nc_sameSiteCookiestrict with the value of true to all preview API requests? (or just to all). We can remove this patch later then but in the meanwhile users wouldn't have this bug 😉

@LukasReschke
Soften the cookie check if no cookies are sent
202530f 
When no cookies are sent it is not required to perform any check for the strict or lax cookie, it does not provide any significant security advantage.

It does however interfer with the Android client which requests thumbnails from the unofficial API at `/index.php/apps/files/api/v1/thumbnail/256/256/{filename}`. This endpoint expects the strict cookie to be existent to not leak the existence of files. The Android client authenticates against this endpoint using Basic Auth and without cookies in some cases at least. This will make these endpoints work again with such cases.

To test this issue the following cURL command once without the patch and once with:

> curl http://localhost/index.php/apps/files/api/v1/thumbnail/256/256/welcome.txt  -u admin -v

Without the patch the request is redirected (which the client does not obey) and with the patch the preview is returned.
@LukasReschke LukasReschke added the 3. to review Waiting for reviews label Jun 15, 2016
@LukasReschke LukasReschke added this to the Nextcloud 9.1 milestone Jun 15, 2016
@LukasReschke LukasReschke mentioned this pull request Jun 15, 2016
Closed
@MorrisJobke
Copy link
Member

MorrisJobke commented Jun 15, 2016
edited
Loading

Tested, works and code looks good 👍

@blizzz
Copy link
Member

blizzz commented Jun 16, 2016

My wife has the issue, gonne apply it on production 👷 and report back

@blizzz
Copy link
Member

blizzz commented Jun 16, 2016

I am still seeing 503s:

"PROPFIND /remote.php/dav/principals/users/$USER/ HTTP/1.1" 207 2283 "-" "DAVdroid/1.0.9.2 (2016/06/11; dav4android; okhttp3) Android/4.4.2"
"PROPFIND /remote.php/dav/principals/groups/$GROUP1/ HTTP/1.1" 503 1301 "-" "DAVdroid/1.0.9.2 (2016/06/11; dav4android; okhttp3) Android/4.4.2"
"PROPFIND /remote.php/dav/principals/groups/$GROUP"/ HTTP/1.1" 503 1462 "-" "DAVdroid/1.0.9.2 (2016/06/11; dav4android; okhttp3) Android/4.4.2"
"PROPFIND /remote.php/dav/calendars/$USER/ HTTP/1.1" 503 1462 "-" "DAVdroid/1.0.9.2 (2016/06/11; dav4android; okhttp3) Android/4.4.2"
"PROPFIND /remote.php/dav/calendars/$USER/contact_birthdays/ HTTP/1.1" 207 3307 "-" "DAVdroid/1.0.9.2 (2016/06/11; dav4android; okhttp3) Android/4.4.2"
"PROPFIND /remote.php/dav/calendars/$USER/default%20calendar/ HTTP/1.1" 207 3578 "-" "DAVdroid/1.0.9.2 (2016/06/11; dav4android; okhttp3) Android/4.4.2"
"PROPFIND /remote.php/dav/calendars/$USER/default%20calendar_shared_by_$USER2/ HTTP/1.1" 207 3610 "-" "DAVdroid/1.0.9.2 (2016/06/11; dav4android; okhttp3) Android/4.4.2"
"PROPFIND /remote.php/dav/calendars/$USER/feiertageberlin_shared_by_$USER2/ HTTP/1.1" 207 3274 "-" "DAVdroid/1.0.9.2 (2016/06/11; dav4android; okhttp3) Android/4.4.2"

@blizzz
Copy link
Member

blizzz commented Jun 16, 2016

Earlier today, @LukasReschke and I debugged this a bit. DavDroid just does not sent back the sameSite cookies as required by the server, ending up with the 503s.

tobiasKaminsky added a commit to nextcloud/android that referenced this pull request Jun 19, 2016
@tobiasKaminsky
hofix: nextcloud/server#110
0e4243c
@tobiasKaminsky tobiasKaminsky mentioned this pull request Jun 19, 2016
Merged
@tobiasKaminsky
Copy link
Member

tobiasKaminsky commented Jun 19, 2016

@LukasReschke I have created a PR for this on Android: nextcloud/android#37

@LukasReschke
Copy link
Member Author

LukasReschke commented Jun 20, 2016

Let's merge this for now and debug the DAVDroid problem independently. LGTM

@LukasReschke LukasReschke merged commit 1d5d777 into stable9 Jun 20, 2016
@LukasReschke LukasReschke deleted the stable9-soften-policy-if-no-cookie-is-sent branch June 20, 2016 13:03
@MorrisJobke MorrisJobke mentioned this pull request Jun 21, 2016
Closed
@akuhl
Copy link

akuhl commented Jun 22, 2016

This fixed the Issue for me, too.

@enoch85 enoch85 mentioned this pull request Jul 31, 2017
Closed
@bpcurse bpcurse mentioned this pull request Aug 8, 2017
Closed
This was referenced Aug 14, 2017
Closed
Closed
@SURFsara-e-infra SURFsara-e-infra mentioned this pull request Nov 5, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

3. to review Waiting for reviews bug

Projects

None yet

Milestone

Nextcloud 9.0.51

Development

Successfully merging this pull request may close these issues.

5 participants

@LukasReschke @MorrisJobke @blizzz @tobiasKaminsky @akuhl