report not requiring auth


codiq

Oct 10, 2016, 4:21:05 AM
to SabreDAV Discussion
REPORT method ignores lack of auth headers.
Is that normal?

curl -v -X REPORT -H "Depth: 2" -H "Content-Type: application/xml; charset=utf-8" --data '<?xml version="1.0" encoding="UTF-8"?><C:calendar-query xmlns:d="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:A="http://apple.com/ns/ical/"><d:prop><d:getetag/><C:calendar-data/></d:prop><C:filter><C:comp-filter name="VCALENDAR"><C:comp-filter name="VEVENT"><C:time-range start="20160324T220000Z" end="20161105T230000Z"/></C:comp-filter></C:comp-filter></C:filter></C:calendar-query>' http://x/calendars/admin/default/
* Hostname was NOT found in DNS cache
*   Trying x...
* Connected to x (x) port 80 (#0)
> REPORT /calendars/dmin/default/ HTTP/1.1
> User-Agent: curl/7.38.0
> Host: x
> Accept: */*
> Depth: 2
> Content-Type: application/xml; charset=utf-8
> Content-Length: 390
* upload completely sent off: 390 out of 390 bytes
< HTTP/1.1 207 Multi-Status
< Date: Mon, 10 Oct 2016 08:06:41 GMT
* Server Apache/2.4.10 (Debian) is not blacklisted
< Server: Apache/2.4.10 (Debian)
< X-Sabre-Version: 3.2.0
< Vary: Brief,Prefer
< Content-Length: 214
< Content-Type: application/xml; charset=utf-8
<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:cal="urn:ietf:params:xml:ns:caldav" xmlns:cs="http://calendarserver.org/ns/" xmlns:card="urn:ietf:params:xml:ns:carddav"/>
* Connection #0 to host x left intact

Evert Pot

Oct 10, 2016, 4:47:41 PM
to sabredav...@googlegroups.com
Hi,

Auth-headers are only checked for operations where an access control
check was done, and that check failed. Basically, you are accessing the
server as a 'public user'.

The REPORT case is a bit interesting, because access control _would_ be
checked on every item in the result. My guess is that your REPORT
yielded 0 responses, so no ACL check is done, and therefore no Auth
check is done.

Looking at this response I do worry a little bit if this is entirely the
correct thing to do. Without credentials you would be able to see if a
certain time-range has items or not.

I opened a bug for this here:

https://github.com/fruux/sabre-dav/issues/895

On another note, "Depth: 2" is not a thing.

Evert
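A regression check for the behaviour Evert describes, written as an added example for this thread (it is not SabreDAV's own code and not from either poster): it parses the empty 207 body from the original post and classifies what an unauthenticated REPORT reveals, and `probe()` sends the same calendar-query to a server you operate so you can confirm that, once issue 895 is fixed, the reply is a 401 rather than a 207. The function names and the response categories are this example's own.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the 207 body the original post got back for an
# unauthenticated REPORT (an empty multistatus, no <d:response> children).
EMPTY_MULTISTATUS = (
    '<?xml version="1.0"?>'
    '<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" '
    'xmlns:cal="urn:ietf:params:xml:ns:caldav" xmlns:cs="http://calendarserver.org/ns/" '
    'xmlns:card="urn:ietf:params:xml:ns:carddav"/>'
)

# The calendar-query from the thread; Depth 1 replaces the accidental Depth 2.
CALENDAR_QUERY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<C:calendar-query xmlns:d="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav">'
    '<d:prop><d:getetag/><C:calendar-data/></d:prop>'
    '<C:filter><C:comp-filter name="VCALENDAR"><C:comp-filter name="VEVENT">'
    '<C:time-range start="20160324T220000Z" end="20161105T230000Z"/>'
    '</C:comp-filter></C:comp-filter></C:filter></C:calendar-query>'
)

def count_responses(body):
    """Number of <d:response> elements in a multistatus body (0 if not one)."""
    root = ET.fromstring(body)
    if root.tag != "{DAV:}multistatus":
        return 0
    return len(root.findall("{DAV:}response"))

def assess_unauthenticated_report(status, body=""):
    """Classify what a REPORT sent without credentials reveals: 'ok' (401),
    'presence' (207 with no responses: leaks whether the time range is empty),
    'data' (207 with responses: calendar data served without auth), 'other'."""
    if status == 401:
        return "ok"
    if status == 207:
        return "data" if count_responses(body) > 0 else "presence"
    return "other"

def probe(url, timeout=10):
    """Send the calendar-query REPORT to a server you operate; classify the reply."""
    req = urllib.request.Request(
        url, data=CALENDAR_QUERY.encode(), method="REPORT",
        headers={"Depth": "1", "Content-Type": "application/xml; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_unauthenticated_report(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return assess_unauthenticated_report(err.code, err.read().decode(errors="replace"))
```

Run against the thread's own response, `assess_unauthenticated_report(207, EMPTY_MULTISTATUS)` returns `"presence"`, which is exactly the leak Evert worries about; a fixed server should make `probe()` return `"ok"`.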

codiq

Oct 11, 2016, 2:19:28 PM
to SabreDAV Discussion
Probably this caused the problem I had when I used agendav with digest auth: curl was not sending the message body when auth was provided, and sabre didn't require it (you can test this by adding a digest user and password to the above curl command). Maybe it was some other problem, but this is what I found. This was strange because agendav v1 was working fine (I did not go through the code to see why).

Also, it should have given me results, as I tried to access a calendar with events in range from agendav v2 and from the curl command line, but it failed: curl was not sending the body.

Yep, depth 2 was accidental.

Thanks for the response.