Project

General

Profile

Bug #1787

Bug in mod_webdav when using aliases and MOVE command

Added by Anonymous over 8 years ago. Updated 11 months ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
mod_webdav
Target version:
Start date:
Due date:
% Done:

100%

Missing in 1.5.x:
No

Description

If an aliased directory is used as a webdav mount point (a "virtual directory") and the webdav client issues a MOVE command (possibly this bug extends to other commands like COPY), it uses the server.document-root rather than the virtual directory.

For example, if we have the following in the config file:


server.document-root = "/var/www/" 

alias.url = ( "/webdav/" => "/usr/local/public/" )

$HTTP["url"] =~ "^/webdav($|/)" {
  webdav.activate = "enable" 
  webdav.is-readonly = "disable" 
}

and then we mount the server at http://192.168.1.1/webdav/ and create a folder, then we try to rename that folder, at about line 1901 it issues a "No such file or directory" because p->physical.path->ptr points to "/var/www/webdav/foldername" instead of the aliased directory.

-- kurtzmarc

1787-webdav.c.patch View (2.88 KB) giuse_pes, 2013-12-03 22:49


Related issues

Related to Bug #1359: alias, auth etc are not checked for destination path for webdav operations Wontfix

Associated revisions

Revision e0115208 (diff)
Added by gstrauss 11 months ago

[mod_webdav] map COPY/MOVE Destination to aliases (fixes #1787)

attempt to remap COPY/MOVE Destination to aliased physical paths
by finding common URI prefix between request URI and Destination
and finding how that part of the request URI was mapped to a
physical path.

This will work if the aliased physical path is above the webdav root.
It is not a good idea to remap physical paths within a webdav root.

Note: webdav paths and webdav properties are managed by mod_webdav,
so do not modify paths externally or else undefined behavior
or corruption may occur

x-ref:
"Bug in mod_webdav when using aliases and MOVE command"
https://redmine.lighttpd.net/issues/1787

History

#1 Updated by tibob over 8 years ago

I can confirm this bug on lighttpd 1.4.13-4etch11 (debian etch).

#2 Updated by icy about 8 years ago

  • Target version changed from 1.4.21 to 1.4.22
  • Patch available set to No

#3 Updated by stbuehler about 8 years ago

  • Target version changed from 1.4.22 to 1.4.23

#4 Updated by stbuehler almost 8 years ago

  • Target version changed from 1.4.23 to 1.4.24

#5 Updated by stbuehler over 7 years ago

  • Target version changed from 1.4.24 to 1.4.x

#6 Updated by DenisKlimek almost 7 years ago

Hello,

I can confirm this bad bug too.

Got two systems with Lighttpd and this failure behavoir.

system a:
lighttpd 1.4.19-5+lenny1
lighttpd-mod-webdav 1.4.19-5+lenny1

system b:
lighttpd 1.4.26-1.1
lighttpd-mod-webdav 1.4.26-1.1

Any workarounds or solutions available?

My configuration looks like:

$HTTP["host"] =~ "(www\.)?(website)\.(de)" {
        server.indexfiles               =       ( "index.php" )
        server.document-root            =       "/var/cluster/web/website/old" 
        accesslog.filename              =       "/var/log/lighttpd/website/old/access.log" 
        server.errorlog                 =       "/var/log/lighttpd/website/old/error.log" 
        alias.url                       +=      ( "/forum" => "/var/cluster/web/website/www/forum", )
        alias.url                       +=      ( "/icon" => "/var/cluster/web/website/services/awstats/icon", )
        alias.url                       +=      ( "/users" => "/var/cluster/web/website/users", )
        $HTTP["url"] =~ "^/users/denis/webdav($|/)" {
                server.document-root            =       "/var/cluster/web/website/users/denis/webdav/" 
                webdav.activate                 =       "enable" 
                webdav.is-readonly              =       "disable" 
                webdav.sqlite-db-name           =       "/var/run/lighttpd/lighttpd.webdav_lock.db" 
                auth.backend                    =       "plain" 
                auth.backend.plain.userfile     =       "/var/cluster/web/website/users/denis.pwd" 
                auth.require                    =       ( "" => ( "method" => "basic", "realm" => "Webdav", "require" => "valid-user" ) )
        }
}

#7 Updated by tomas.srnka over 4 years ago

Hello,

I confirm that this problem is still valid with lighttpd-1.4.31-1.el6.x86_64, tested on Scientific Linux 6.3.

Can you please have a look at it?

#8 Updated by stbuehler over 4 years ago

  • Assignee deleted (jan)
  • Target version changed from 1.4.x to 1.4.32
  • Missing in 1.5.x set to No
Implementation note:
  • Working across aliases is probably not possible (doc-root similar settings might be in url conditionals, so we'd need to simulate a complete second request to evaluate the config options)
  • it should use the same "doc-root"/"alias" base

#9 Updated by stbuehler over 4 years ago

  • Target version changed from 1.4.32 to 1.4.33

#10 Updated by stbuehler over 3 years ago

  • Target version changed from 1.4.33 to 1.4.34

#11 Updated by darix over 3 years ago

  • Target version changed from 1.4.34 to 1.4.35

#12 Updated by giuse_pes over 3 years ago

Fix MOVE and COPY requests when an aliased directory is specified as WEBDAV folder. Please let me know if there is any problem and if it is required more testing.

Thanks
Giuseppe

Configuration used for testing :

server.document-root = "/home/giuseppe/www"
server.port = 8080

server.username = "giuseppe"
server.groupname = "giuseppe"

server.modules = ("mod_access", "mod_auth", "mod_setenv", "mod_fastcgi", "mod_alias", "mod_rewrite", "mod_redirect", "mod_helloworld", "mod_webdav" )
server.modules += ("mod_accesslog")
server.errorlog = "/home/giuseppe/git/lighttpd1.4/error.log"

debug.log-file-not-found = "enable"
debug.log-request-header = "enable"
debug.log-request-handling = "enable"
debug.log-response-header = "enable"
webdav.log-xml = "enable"

server.network-backend = "linux-sendfile"

dir-listing.activate = "enable"

mimetype.assign = (
".html" => "text/html",
".htm" => "text/html",
".jpg" => "image/jpeg",
".png" => "image/png"
)

fastcgi.server = ( ".php" => ((
"bin-path" => "/usr/bin/php-cgi",
"socket" => "/tmp/php-fastcgi.socket"
)))

static-file.exclude-extensions = ( ".fcgi", ".php", ".rb", "~", ".inc" )
index-file.names = ( "index.html" )
index-file.names += ( "index.htm" )
index-file.names += ( "index.php" )

auth.debug = 2
auth.backend = "plain"
auth.backend.plain.userfile = "/home/giuseppe/Dropbox/PlayGround/lighttpd/lighttpd.user"
auth.require = ( "/private/index.html" =>
(
"method" => "basic",
"realm" => "test",
"require" => "user=test"
)
)

auth.require += ( "/test/index.htm" =>
(
"method" => "basic",
"realm" => "test",
"require" => "user=test"
)
)

alias.url = ( "/webdav" => "/home/giuseppe/dav/" )
$HTTP["url"] =~ "^/webdav($|/)" {
webdav.activate = "enable"
webdav.is-readonly = "disable"
}

$HTTP["url"] =~ "^/test($|/)" {
server.document-root = "/home/giuseppe/"
webdav.activate = "enable"
webdav.is-readonly = "disable"
}

url.rewrite-once = ("^/music$" => "/redirect/")

#13 Updated by giuse_pes over 3 years ago

HI guys,

As it has been pointed out in the chat, this patch has some drawbacks. Can someone show me a context on which this patch may be dangerous or not work properly?
I am sorry for being stubborn, but I just want to understand better my errors and improve my knowledge regarding Lighttpd.

Thanks for your time.

#14 Updated by stbuehler about 3 years ago

  • Target version changed from 1.4.35 to 1.4.36

#15 Updated by stbuehler over 1 year ago

  • Target version changed from 1.4.36 to 1.4.x

#16 Updated by gstrauss 12 months ago

  • Related to Bug #1359: alias, auth etc are not checked for destination path for webdav operations added

#17 Updated by gstrauss 11 months ago

Anyone still watching this ticket who would be willing to test out a patch I wrote?

#18 Updated by gstrauss 11 months ago

  • Target version changed from 1.4.x to 1.4.40

#19 Updated by gstrauss 11 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Also available in: Atom