Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Public share link requests for credentials. #18731

Closed
SergioBertolinSG opened this issue Sep 1, 2015 · 30 comments · Fixed by #19402
Closed

Public share link requests for credentials. #18731

SergioBertolinSG opened this issue Sep 1, 2015 · 30 comments · Fixed by #19402

Comments

@SergioBertolinSG
Copy link
Contributor

Steps to reproduce

EDIT II 1. Share publicly a plain text file by link
EDIT I 2. Add a password to the public link.
3. Open the link from a different browser without being logged in.

Expected behaviour

Anonymous user can open the link.

Actual behaviour

Link redirects to the login page.

Server configuration

Operating system:
Ubuntu 14.04

Web server:
Apache

Database:
MySQL

PHP version:
5.5.9

ownCloud version: (see ownCloud admin page)
master branch (8.2alpha)

Updated from an older ownCloud or fresh install:
Fresh

List of activated apps:
Default in community edition..

The content of config/config.php:


Are you using external storage, if yes which one: local/smb/sftp/...
No

Are you using encryption:
No

Logs

Client configuration

browser
Chrome 41

@PVince81
Copy link
Contributor

PVince81 commented Sep 1, 2015

@SergioBertolinSG is this a regression on master ?

@PVince81
Copy link
Contributor

PVince81 commented Sep 1, 2015

Works for me on master (85b62c7).
Link was created in Chromium 44 and opened in Firefox 39.0.3

@SergioBertolinSG
Copy link
Contributor Author

Yes a regression.

@PVince81
Copy link
Contributor

PVince81 commented Sep 1, 2015

Clear the cache maybe ?

This is not enough information to be able to reproduce or fix it.

@SergioBertolinSG
Copy link
Contributor Author

Same problem with cache cleared. I forgot to mention that the public share has to have a password (edited in the steps).

@SergioBertolinSG
Copy link
Contributor Author

I've fixed the problem installing the last version of Firefox.

@SergioBertolinSG
Copy link
Contributor Author

It is still happening. It happens only with plain text files. When opening the share and entering the password a dialog for credentials appears. (And it shouldn't).
Observed on chrome and safari for ipad.

@oparoz
Copy link
Contributor

oparoz commented Sep 10, 2015

Confirmed.... And it's probably because of that ¦@#°% Gallery app ;)

@oparoz
Copy link
Contributor

oparoz commented Sep 10, 2015

Apparently, it's not phewww... But I still need to see if I can prevent making Ajax calls before the password is entered.

What I'm seeing in the POST request is a 307 and 2 oc_sessionPassphrase with different passwords in them.
@LukasReschke must be able to fix this :)

@oparoz
Copy link
Contributor

oparoz commented Sep 12, 2015

Could be related to #18891 (double passphrase)

@SergioBertolinSG
Copy link
Contributor Author

Still happening on master from git. Tested on safari. (Working fine in firefox)

@PVince81
Copy link
Contributor

Is Safari maybe somehow auto-filling the password field ? Can you try clearing the autofill cache ?

@davitol
Copy link
Contributor

davitol commented Sep 18, 2015

I've cleaned all the browsing data, and using chrome it happens the same behaviour as @SergioBertolinSG has said.

@PVince81
Copy link
Contributor

@LukasReschke are you able to reproduce this on your mac?

@nickvergessen
Copy link
Contributor

Can reproduce, the issue is the preview.
For plain text files we don't show an image, but make a webdav request and write the first characters into the preview box instead of an image, which requires authentification:
bildschirmfoto vom 2015-09-25 10 25 40

@PVince81
Copy link
Contributor

@oparoz is the text preview sending the password to the Webdav endpoint ?

@oparoz
Copy link
Contributor

oparoz commented Sep 28, 2015

@PVince81
Copy link
Contributor

Hmm, but the password isn't appended behind the ":".

Let me check how I did it with the "move to webdav" branch.

@PVince81
Copy link
Contributor

Hmm, it seems I'm not passing the password either. If the browser has a session cookie related to this public share, it should be able to reuse it when doing webdav requests.

@oparoz
Copy link
Contributor

oparoz commented Sep 28, 2015

The token is used as the username. There is no password

@PVince81
Copy link
Contributor

Steps to reproduce (for clarity)

  1. Create a text file
  2. Share text file with link
  3. Set password to "test"
  4. Open the link
  5. Enter the password "test"

At this point the popup appears for the Webdav call.

@PVince81
Copy link
Contributor

I suspect it might be related to the recent refactoring in publicwebdav to use "ServerFactory". I'll try and debug the server.

@PVince81
Copy link
Contributor

Hmmm no, it looks like this never worked before.
Stable8.1 is broken too and so is v8.1.1.

@PVince81
Copy link
Contributor

Hmmmmmmm it works on my Webdav branch #16902 which uses public webdav for the file list and also text preview.

I'll try and find out why it works there...

@PVince81
Copy link
Contributor

Aha, this one: e6f007d

I'll make a separate PR for that

@oparoz
Copy link
Contributor

oparoz commented Sep 28, 2015

👯

@PVince81
Copy link
Contributor

Fix is here #19402

@oparoz
Copy link
Contributor

oparoz commented Sep 28, 2015

awesome

@SergioBertolinSG
Copy link
Contributor Author

@PVince81 This happens in stable8.1 as well. backport?

@lock
Copy link

lock bot commented Aug 7, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 7, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants