new config to disallow webdav clients using user agent strings
authorPaul Mehrer <p.mehrer@metaways.de>
Fri, 9 Jun 2017 15:31:33 +0000 (17:31 +0200)
committerPaul Mehrer <p.mehrer@metaways.de>
Mon, 12 Jun 2017 07:05:17 +0000 (09:05 +0200)
config option denyWebDavClientList can contain a list of regular expressions
that are tested against the user agent. If one of them matches,
the request is aborted with
HTTP/1.1 420 Policy Not Fulfilled User Agent Not Accepted

Change-Id: I43f0a68a801901dd9e69d2f755a6f98a4a2705e3
Reviewed-on: http://gerrit.tine20.com/customers/4852
Tested-by: Jenkins CI (http://ci.tine20.com/)
Reviewed-by: Paul Mehrer <p.mehrer@metaways.de>
Tested-by: Paul Mehrer <p.mehrer@metaways.de>
tests/tine20/ServerTestCase.php
tests/tine20/Tinebase/Server/WebDAVTests.php
tine20/Tinebase/Config.php
tine20/Tinebase/Server/WebDAV.php

index b9c1876..5405048 100644 (file)
@@ -29,6 +29,8 @@ abstract class ServerTestCase extends PHPUnit_Framework_TestCase
      * @var Zend_Config
      */
     protected $_config;
+
+    protected $_oldDenyList;
     
     /**
      * set up tests
@@ -48,6 +50,8 @@ abstract class ServerTestCase extends PHPUnit_Framework_TestCase
         $this->_config = new Zend_Config($configData);
         
         $this->_transactionId = Tinebase_TransactionManager::getInstance()->startTransaction(Tinebase_Core::getDb());
+
+        $this->_oldDenyList = Tinebase_Config::getInstance()->get(Tinebase_Config::DENY_WEBDAV_CLIENT_LIST);
     }
     
     /**
@@ -60,6 +64,8 @@ abstract class ServerTestCase extends PHPUnit_Framework_TestCase
         if ($this->_transactionId) {
             Tinebase_TransactionManager::getInstance()->rollBack();
         }
+
+        Tinebase_Config::getInstance()->set(Tinebase_Config::DENY_WEBDAV_CLIENT_LIST, $this->_oldDenyList);
     }
     
     /**
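Review bot: The new property `protected $_oldDenyList;` has no docblock while its sibling `$_config` carries one; add `/** @var array|null previous value of Tinebase_Config::DENY_WEBDAV_CLIENT_LIST, put back in tearDown() */`. The restore in tearDown() calls set() unconditionally, so a fixture in which the option was never set is written back as NULL rather than left untouched; whether that is equivalent depends on Tinebase_Config::set(), which is outside this page, and a one-line comment at the set() call stating the intent would save the next reader the lookup. setUp() and tearDown() both start and end outside the visible hunks.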
index 0c8bbff..8251b9e 100644 (file)
@@ -21,7 +21,7 @@ class Tinebase_Server_WebDAVTests extends ServerTestCase
      * test general functionality of Tinebase_Server_WebDAV
      * @group ServerTests
      */
-    public function testServer()
+    public function testServer($noAssert = false)
     {
         $request = \Zend\Http\PhpEnvironment\Request::fromString(<<<EOS
 PROPFIND /calendars/64d7fdf9202f7b1faf7467f5066d461c2e75cf2b/4/ HTTP/1.1
@@ -54,9 +54,21 @@ EOS
         $result = ob_get_contents();
         
         ob_end_clean();
-        
+
+        if (true === $noAssert) {
+            return $result;
+        }
+
         $this->assertEquals('PD94bWwgdmVyc2lvbj0iMS4wIiBlbm', substr(base64_encode($result),0,30));
     }
+
+    public function testDenyingWebDavClient()
+    {
+        Tinebase_Config::getInstance()->set(Tinebase_Config::DENY_WEBDAV_CLIENT_LIST, array('/deniedClient/'));
+
+        $_SERVER['HTTP_USER_AGENT'] = 'deniedClient';
+        static::assertTrue(empty($this->testServer(true)));
+    }
     
     /**
      * test general functionality of Tinebase_Server_WebDAV
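Review bot: testDenyingWebDavClient assigns `$_SERVER['HTTP_USER_AGENT'] = 'deniedClient'` and never restores it, so every later test in the same process runs with that agent string; save the previous value first, `$oldAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;`, and put it back (or unset it) after the assertion. The assertion `static::assertTrue(empty($this->testServer(true)))` only shows that no body was produced and cannot observe the 420 status line, so a comment such as `// headers are not observable under CLI; an empty body is the only visible effect of the deny` would make the test's limit explicit. Turning testServer() into a helper through the `$noAssert` flag is also a style concern: extracting the request run into a protected `_runPropfind()` that returns the output, called by both tests, avoids a test method whose behaviour changes with a parameter.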
index ab5222e..9597a8b 100644 (file)
@@ -459,6 +459,11 @@ class Tinebase_Config extends Tinebase_Config_Abstract
     /**
      * @var string
      */
+    const DENY_WEBDAV_CLIENT_LIST = 'denyWebDavClientList';
+
+    /**
+     * @var string
+     */
     const VERSION_CHECK = 'versionCheck';
 
     /**
@@ -1400,6 +1405,17 @@ class Tinebase_Config extends Tinebase_Config_Abstract
             'setBySetupModule'      => FALSE,
             'default'               => FALSE,
         ),
+        self::DENY_WEBDAV_CLIENT_LIST  => array(
+            //_('List of WebDav agent strings that will be denied')
+            'label'                 => 'List of WebDav agent strings that will be denied',
+            //_('List of WebDav agent strings that will be denied.')
+            'description'           => 'List of WebDav agent strings that will be denied.',
+            'type'                  => 'array',
+            'clientRegistryInclude' => FALSE,
+            'setByAdminModule'      => FALSE,
+            'setBySetupModule'      => FALSE,
+            'default'               => NULL,
+        ),
         self::FILESYSTEM => array(
             //_('Filesystem settings')
             'label'                 => 'Filesystem settings',
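Review bot: The label and description at `'label' => 'List of WebDav agent strings that will be denied'` describe plain strings, but the values are consumed by preg_match in Tinebase_Server_WebDAV, so an entry without delimiters such as `deniedClient` is an invalid pattern rather than a match. Say so in the description and keep the `//_()` translation markers in sync, e.g. `'description' => 'List of PCRE patterns (with delimiters, e.g. /deniedClient/) matched against the User-Agent header; matching clients are rejected with HTTP 420.'`. The consumer only guards the value with is_array, so the NULL default is handled there, but nothing on this page validates that each entry is a usable pattern.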
index 334b974..529bc14 100644 (file)
@@ -53,6 +53,16 @@ class Tinebase_Server_WebDAV extends Tinebase_Server_Abstract implements Tinebas
             Tinebase_Core::getLogger()->info(__METHOD__ . '::' . __LINE__ .' is CalDav, CardDAV or WebDAV request.');
         
         Tinebase_Core::initFramework();
+
+        if (null !== ($denyList = Tinebase_Config::getInstance()->get(Tinebase_Config::DENY_WEBDAV_CLIENT_LIST)) &&
+                is_array($denyList)) {
+            foreach ($denyList as $deny) {
+                if (preg_match($deny, $_SERVER['HTTP_USER_AGENT'])) {
+                    header('HTTP/1.1 420 Policy Not Fulfilled User Agent Not Accepted');
+                    return;
+                }
+            }
+        }
         
         if (Tinebase_Controller::getInstance()->login(
             $loginName,
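Review bot: The new deny loop at `preg_match($deny, $_SERVER['HTTP_USER_AGENT'])` reads the User-Agent without an isset guard, so a request that omits the header raises a notice and is matched against an empty string, and an invalid pattern makes preg_match return false, which the truthiness test silently treats as "not denied". Both cases should be explicit: default the agent to '' and distinguish the false return from a non-match, logging it so a mistyped pattern is noticed rather than quietly skipped; whether a broken pattern should fail open (skip, as below) or fail closed is a policy choice that deserves a comment either way. A rejected request should also be logged with the offending user agent, since nothing currently records why a 420 was sent. The enclosing method starts before the hunk and continues past it.
```php
        Tinebase_Core::initFramework();

        $denyList = Tinebase_Config::getInstance()->get(Tinebase_Config::DENY_WEBDAV_CLIENT_LIST);
        if (is_array($denyList)) {
            $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
            foreach ($denyList as $deny) {
                $match = preg_match($deny, $userAgent);
                if (false === $match) {
                    // invalid pattern: skip it, but make the misconfiguration visible
                    Tinebase_Core::getLogger()->warn(__METHOD__ . '::' . __LINE__ . ' invalid pattern in '
                        . Tinebase_Config::DENY_WEBDAV_CLIENT_LIST . ': ' . $deny);
                    continue;
                }
                if (1 === $match) {
                    Tinebase_Core::getLogger()->notice(__METHOD__ . '::' . __LINE__
                        . ' denied WebDAV client by user agent: ' . $userAgent);
                    header('HTTP/1.1 420 Policy Not Fulfilled User Agent Not Accepted');
                    return;
                }
            }
        }
        // … unchanged: login and request handling …
```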