Project

General

Profile

Bug #1787

Bug in mod_webdav when using aliases and MOVE command

Added by Anonymous about 9 years ago. Updated over 1 year ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
mod_webdav
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Missing in 1.5.x:
No

Description

If an aliased directory is used as a webdav mount point (a "virtual directory") and the webdav client issues a MOVE command (possibly this bug extends to other commands like COPY), it uses the server.document-root rather than the virtual directory.

For example, if we have the following in the config file:


server.document-root = "/var/www/" 

alias.url = ( "/webdav/" => "/usr/local/public/" )

$HTTP["url"] =~ "^/webdav($|/)" {
  webdav.activate = "enable" 
  webdav.is-readonly = "disable" 
}

and then we mount the server at http://192.168.1.1/webdav/ and create a folder, then we try to rename that folder, at about line 1901 it issues a "No such file or directory" because p->physical.path->ptr points to "/var/www/webdav/foldername" instead of the aliased directory.

-- kurtzmarc

1787-webdav.c.patch (2.88 KB) 1787-webdav.c.patch giuse_pes, 2013-12-03 22:49

Related issues

Related to Bug #1359: alias, auth etc are not checked for destination path for webdav operationsWontfix

Associated revisions

Revision e0115208 (diff)
Added by gstrauss over 1 year ago

[mod_webdav] map COPY/MOVE Destination to aliases (fixes #1787)

attempt to remap COPY/MOVE Destination to aliased physical paths
by finding common URI prefix between request URI and Destination
and finding how that part of the request URI was mapped to a
physical path.

This will work if the aliased physical path is above the webdav root.
It is not a good idea to remap physical paths within a webdav root.

Note: webdav paths and webdav properties are managed by mod_webdav,
so do not modify paths externally or else undefined behavior
or corruption may occur

x-ref:
"Bug in mod_webdav when using aliases and MOVE command"
https://redmine.lighttpd.net/issues/1787

History

#1

Updated by tibob about 9 years ago

I can confirm this bug on lighttpd 1.4.13-4etch11 (debian etch).

#2

Updated by icy almost 9 years ago

  • Target version changed from 1.4.21 to 1.4.22
  • Patch available set to No
#3

Updated by stbuehler over 8 years ago

  • Target version changed from 1.4.22 to 1.4.23
#4

Updated by stbuehler over 8 years ago

  • Target version changed from 1.4.23 to 1.4.24
#5

Updated by stbuehler about 8 years ago

  • Target version changed from 1.4.24 to 1.4.x
#6

Updated by DenisKlimek over 7 years ago

Hello,

I can confirm this bad bug too.

Got two systems with Lighttpd and this failure behavoir.

system a:
lighttpd 1.4.19-5+lenny1
lighttpd-mod-webdav 1.4.19-5+lenny1

system b:
lighttpd 1.4.26-1.1
lighttpd-mod-webdav 1.4.26-1.1

Any workarounds or solutions available?

My configuration looks like:

$HTTP["host"] =~ "(www\.)?(website)\.(de)" {
        server.indexfiles               =       ( "index.php" )
        server.document-root            =       "/var/cluster/web/website/old" 
        accesslog.filename              =       "/var/log/lighttpd/website/old/access.log" 
        server.errorlog                 =       "/var/log/lighttpd/website/old/error.log" 
        alias.url                       +=      ( "/forum" => "/var/cluster/web/website/www/forum", )
        alias.url                       +=      ( "/icon" => "/var/cluster/web/website/services/awstats/icon", )
        alias.url                       +=      ( "/users" => "/var/cluster/web/website/users", )
        $HTTP["url"] =~ "^/users/denis/webdav($|/)" {
                server.document-root            =       "/var/cluster/web/website/users/denis/webdav/" 
                webdav.activate                 =       "enable" 
                webdav.is-readonly              =       "disable" 
                webdav.sqlite-db-name           =       "/var/run/lighttpd/lighttpd.webdav_lock.db" 
                auth.backend                    =       "plain" 
                auth.backend.plain.userfile     =       "/var/cluster/web/website/users/denis.pwd" 
                auth.require                    =       ( "" => ( "method" => "basic", "realm" => "Webdav", "require" => "valid-user" ) )
        }
}
#7

Updated by tomas.srnka about 5 years ago

Hello,

I confirm that this problem is still valid with lighttpd-1.4.31-1.el6.x86_64, tested on Scientific Linux 6.3.

Can you please have a look at it?

#8

Updated by stbuehler about 5 years ago

  • Assignee deleted (jan)
  • Target version changed from 1.4.x to 1.4.32
  • Missing in 1.5.x set to No
Implementation note:
  • Working across aliases is probably not possible (doc-root similar settings might be in url conditionals, so we'd need to simulate a complete second request to evaluate the config options)
  • it should use the same "doc-root"/"alias" base
#9

Updated by stbuehler about 5 years ago

  • Target version changed from 1.4.32 to 1.4.33
#10

Updated by stbuehler about 4 years ago

  • Target version changed from 1.4.33 to 1.4.34
#11

Updated by darix almost 4 years ago

  • Target version changed from 1.4.34 to 1.4.35
#12

Updated by giuse_pes almost 4 years ago

Fix MOVE and COPY requests when an aliased directory is specified as WEBDAV folder. Please let me know if there is any problem and if it is required more testing.

Thanks
Giuseppe

Configuration used for testing :

server.document-root = "/home/giuseppe/www"
server.port = 8080

server.username = "giuseppe"
server.groupname = "giuseppe"

server.modules = ("mod_access", "mod_auth", "mod_setenv", "mod_fastcgi", "mod_alias", "mod_rewrite", "mod_redirect", "mod_helloworld", "mod_webdav" )
server.modules += ("mod_accesslog")
server.errorlog = "/home/giuseppe/git/lighttpd1.4/error.log"

debug.log-file-not-found = "enable"
debug.log-request-header = "enable"
debug.log-request-handling = "enable"
debug.log-response-header = "enable"
webdav.log-xml = "enable"

server.network-backend = "linux-sendfile"

dir-listing.activate = "enable"

mimetype.assign = (
".html" => "text/html",
".htm" => "text/html",
".jpg" => "image/jpeg",
".png" => "image/png"
)

fastcgi.server = ( ".php" => ((
"bin-path" => "/usr/bin/php-cgi",
"socket" => "/tmp/php-fastcgi.socket"
)))

static-file.exclude-extensions = ( ".fcgi", ".php", ".rb", "~", ".inc" )
index-file.names = ( "index.html" )
index-file.names += ( "index.htm" )
index-file.names += ( "index.php" )

auth.debug = 2
auth.backend = "plain"
auth.backend.plain.userfile = "/home/giuseppe/Dropbox/PlayGround/lighttpd/lighttpd.user"
auth.require = ( "/private/index.html" =>
(
"method" => "basic",
"realm" => "test",
"require" => "user=test"
)
)

auth.require += ( "/test/index.htm" =>
(
"method" => "basic",
"realm" => "test",
"require" => "user=test"
)
)

alias.url = ( "/webdav" => "/home/giuseppe/dav/" )
$HTTP["url"] =~ "^/webdav($|/)" {
webdav.activate = "enable"
webdav.is-readonly = "disable"
}

$HTTP["url"] =~ "^/test($|/)" {
server.document-root = "/home/giuseppe/"
webdav.activate = "enable"
webdav.is-readonly = "disable"
}

url.rewrite-once = ("^/music$" => "/redirect/")

#13

Updated by giuse_pes almost 4 years ago

HI guys,

As it has been pointed out in the chat, this patch has some drawbacks. Can someone show me a context on which this patch may be dangerous or not work properly?
I am sorry for being stubborn, but I just want to understand better my errors and improve my knowledge regarding Lighttpd.

Thanks for your time.

#14

Updated by stbuehler over 3 years ago

  • Target version changed from 1.4.35 to 1.4.36
#15

Updated by stbuehler over 2 years ago

  • Target version changed from 1.4.36 to 1.4.x
#16

Updated by gstrauss over 1 year ago

  • Related to Bug #1359: alias, auth etc are not checked for destination path for webdav operations added
#17

Updated by gstrauss over 1 year ago

Anyone still watching this ticket who would be willing to test out a patch I wrote?

#18

Updated by gstrauss over 1 year ago

  • Target version changed from 1.4.x to 1.4.40
#19

Updated by gstrauss over 1 year ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Also available in: Atom