Bug #1359
closed
alias, auth etc are not checked for destination path for webdav operations
Description
Webdav operations such as MOVE and COPY have a destination URL inside the header. Since mod_webdav is the only module that parses this destination URL, there can be trouble if one has set up alias, auth or other rules, since these other modules do not parse the destination URL.
For example if one has an alias, then the source URL will be set to the correct physical path while the destination will point to the wrong physical path (and will likely fail for that reason).
And possibly, since mod_auth is not involved, I guess that there is also a chance that one can overwrite other users' files with COPY and MOVE since only the source is validated (haven't tested this though).
Perhaps the core should decode all URLs and pass them to the modules as an array of URLs, and then for example mod_alias would be changed to alias all the URLs in the array while other modules still only perform actions on the first URL like they do today.
Updated by stbuehler over 16 years ago
- Status changed from New to Fixed
- Resolution set to wontfix
webdav is a stupid protocol imho, and so there are just some things we cannot do. There could be many modules modifying a path (think of mod_magnet scripts)...
Updated by gstrauss over 8 years ago
- Related to Bug #1787: Bug in mod_webdav when using aliases and MOVE command added
Updated by gstrauss 9 months ago
- Description updated (diff)
- Category changed from core to mod_webdav
- Status changed from Wontfix to Fixed
- Target version deleted (1.4.20)
- ASK QUESTIONS IN Forums set to No
Fixed in lighttpd 1.4.40 in #1787 in commit e0115208 as long as aliases are above the webdav root.
As noted in the commit message:
This will work if the aliased physical path is above the webdav root.
It is not a good idea to remap physical paths within a webdav root.
The same applies to auth and other modules. The auth should apply to the webdav root, or else mod_magnet with a custom lua script can be used to apply custom auth to Destination.
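The check a custom Destination rule has to make, as an added example in Python (not lighttpd, mod_webdav or mod_magnet code, and not part of the original ticket): the Destination of a COPY or MOVE is decoded and normalized the same way as the request path and held to the same prefix. The function names, the host `dav.example` and the prefix `/dav/alice` are hypothetical and constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Methods whose Destination header names a second resource (RFC 4918).
DEST_METHODS = {"COPY", "MOVE"}

def normalize_path(raw_path):
    """Percent-decode once, then collapse '.', '..' and repeated slashes."""
    decoded = unquote(raw_path)
    if "\x00" in decoded or not decoded.startswith("/"):
        return None
    # posixpath.normpath keeps a leading '//', so force a single slash.
    return "/" + posixpath.normpath(decoded).lstrip("/")

def within(path, prefix):
    """True if path is the prefix itself or lies below it (segment-aware)."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def check_request(method, uri_path, destination, host, allowed_prefix):
    """Return None to allow, or an HTTP status code to reject.

    allowed_prefix is the URL subtree the authenticated user may touch
    (assumption: the caller derives it from the auth result).
    """
    src = normalize_path(uri_path)
    if src is None or not within(src, allowed_prefix):
        return 403
    if method.upper() not in DEST_METHODS:
        return None
    if not destination:
        return 400  # COPY/MOVE without a Destination header is malformed
    parts = urlsplit(destination)
    # Destination may be an absolute URI or an absolute path.
    if parts.netloc and parts.netloc.lower() != host.lower():
        return 403  # refuse destinations on another server
    dst = normalize_path(parts.path)
    if dst is None or not within(dst, allowed_prefix):
        return 403  # the source passed, but the destination is out of scope
    return None

if __name__ == "__main__":
    # Constructed sample requests: (method, request path, Destination header)
    samples = [
        ("MOVE", "/dav/alice/a.txt", "http://dav.example/dav/alice/b.txt"),
        ("MOVE", "/dav/alice/a.txt", "http://dav.example/dav/bob/a.txt"),
        ("COPY", "/dav/alice/a.txt", "/dav/alice/%2e%2e/bob/a.txt"),
    ]
    for m, p, d in samples:
        print(m, p, "->", d, "=>", check_request(m, p, d, "dav.example", "/dav/alice"))
```
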