Case sensitive usernames when logging in with an app password via webdav
This issue was previously reported (here: https://github.com/owncloud/core/issues/29708), but we are now encountering it ourselves too. The way a webdav password is generated and the way it is then accepted are not always consistent.
Steps to reproduce
- Create a user whose username contains an uppercase character
- Generate an app password (Security tab in your personal settings) with a completely lower-case username, and a second webdav token with the normal username, which contains one or more uppercase characters
- Try to log in with both
Expected behaviour
Both logins should work; the casing of the username should not make a difference.
Actual behaviour
The response depends on how the webdav token was generated:
tomw@M0421014 ~ % curl -u '[email protected]:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
This is the WebDAV interface. It can only be accessed by WebDAV clients such as the ownCloud desktop sync client.%
tomw@M0421014 ~ % curl -u '[email protected]:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
<s:message>Username or password was incorrect, Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured</s:message>
</d:error>
tomw@M0421014 ~ % curl -u '[email protected]:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
This is the WebDAV interface. It can only be accessed by WebDAV clients such as the ownCloud desktop sync client.%
tomw@M0421014 ~ % curl -u '[email protected]:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
This is the WebDAV interface. It can only be accessed by WebDAV clients such as the ownCloud desktop sync client.%
Server configuration
Operating system: CentOS Linux release 7.9.2009 (Core)
Web server: Apache/2.4.6 (CentOS)
Database: MariaDB 10.3
PHP version: PHP 7.4.29
ownCloud version: OwnCloud 10.9.1
The content of config/config.php:
{
"system": {
"instanceid": "abcde",
"license-key": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"miskatonic.data.surfsara.nl"
],
"datadirectory": "\/var\/www\/owncloud\/data",
"overwrite.cli.url": "https:\/\/miskatonic.data.surfsara.nl",
"overwriteprotocol": "https",
"forwarded_for_headers": [
"HTTP_X_FORWARDED_FOR",
"HTTP_FORWARDED_FOR"
],
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "ocredis",
"port": 6379,
"timeout": 0,
"password": "***REMOVED SENSITIVE VALUE***",
"dbindex": 0
},
"filelocking.enabled": true,
"filelocking.ttl": 28800,
"http.cookie.samesite": "None",
"trusted_proxies": [
"1.2.3.4"
],
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"dbname": "miskatonic_oc",
"dbhost": "proxysql:6033",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"appcodechecker": false,
"updatechecker": false,
"enable_avatars": false,
"enable_previews": true,
"preview_max_x": 1024,
"preview_max_y": 1024,
"preview_max_filesize_image": 100,
"enabledPreviewProviders": [
"OC\\Preview\\PNG",
"OC\\Preview\\JPEG",
"OC\\Preview\\GIF",
"OC\\Preview\\BMP",
"OC\\Preview\\XBitmap",
"OC\\Preview\\TXT",
"OC\\Preview\\MarkDown"
],
"appstoreenabled": false,
"has_internet_connection": true,
"minimum.supported.desktop.version": "2.3.0",
"objectstore_multibucket": {
"class": "OCA\\ObjectStore\\S3",
"arguments": {
"autocreate": true,
"bucket": "owncloud",
"part_size": "52428800",
"options": {
"use_arn_region": false,
"version": "2006-03-01",
"region": "NL",
"credentials": {
"key": "1234",
"secret": "abcd"
},
"endpoint": "https:\/\/proxy.swift.surfsara.nl:443",
"command.params": {
"PathStyle": true
}
}
}
},
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"version": "10.9.1.2",
"installed": true,
"log_type": "owncloud",
"logfile": "\/var\/log\/xcloud\/miskatonic.b08e414dc310.owncloud.log",
"loglevel": "0",
"logtimezone": "Europe\/Amsterdam",
"log.condition": {
"apps": [
"cron"
],
"logfile": "\/var\/log\/xcloud\/miskatonic.b08e414dc310.owncloud.cron.log"
},
"cron_log": true,
"logdateformat": "d\/M\/Y:H:i:s",
"ldapIgnoreNamingRules": false,
"skeletondirectory": "",
"maintenance": false,
"cache_chunk_gc_ttl": 86400,
"dav.chunk_base_dir": "\/tmp",
"trashbin_retention_obligation": "30, 32",
"versions_retention_obligation": "auto, 14",
"activity_expire_days": "14",
"shibboleth": {
"loginButtonName": "Login via SURFconext"
}
}
}
List of activated apps:
Enabled:
- activity:
- Version: 2.6.1
- Path: /var/www/owncloud/apps/activity
- admin_audit:
- Version: 2.1.3
- Path: /var/www/owncloud/apps/admin_audit
- comments:
- Version: 0.3.0
- Path: /var/www/owncloud/apps/comments
- configreport:
- Version: 0.2.0
- Path: /var/www/owncloud/apps/configreport
- customgroups:
- Version: 0.6.2
- Path: /var/www/owncloud/apps/customgroups
- dav:
- Version: 0.7.0
- Path: /var/www/owncloud/apps/dav
- diagnostics:
- Version: 0.1.4
- Path: /var/www/owncloud/apps/diagnostics
- drawio:
- Version: 0.9.2
- Path: /var/www/owncloud/apps/drawio
- enterprise_key:
- Version: 0.3.0
- Path: /var/www/owncloud/apps/enterprise_key
- external4groups:
- Version: 1.2
- Path: /var/www/owncloud/apps/external4groups
- federatedfilesharing:
- Version: 0.5.0
- Path: /var/www/owncloud/apps/federatedfilesharing
- federation:
- Version: 0.1.0
- Path: /var/www/owncloud/apps/federation
- files:
- Version: 1.5.2
- Path: /var/www/owncloud/apps/files
- files_clipboard:
- Version: 1.0.3
- Path: /var/www/owncloud/apps/files_clipboard
- files_external:
- Version: 0.8.0
- Path: /var/www/owncloud/apps/files_external
- files_external_s3:
- Version: 1.0.0
- Path: /var/www/owncloud/apps/files_external_s3
- files_markdown:
- Version: 0.1
- Path: /var/www/owncloud/apps/files_markdown
- files_mediaviewer:
- Version: 1.0.5
- Path: /var/www/owncloud/apps/files_mediaviewer
- files_pdfviewer:
- Version: 1.0.1
- Path: /var/www/owncloud/apps/files_pdfviewer
- files_sharing:
- Version: 0.14.0
- Path: /var/www/owncloud/apps/files_sharing
- files_texteditor:
- Version: 2.4.1
- Path: /var/www/owncloud/apps/files_texteditor
- files_trashbin:
- Version: 0.9.1
- Path: /var/www/owncloud/apps/files_trashbin
- firewall:
- Version: 2.10.3
- Path: /var/www/owncloud/apps/firewall
- firstrunwizard:
- Version: 1.2.0
- Path: /var/www/owncloud/apps/firstrunwizard
- impersonate:
- Version: 0.5.0
- Path: /var/www/owncloud/apps/impersonate
- market:
- Version: 0.6.2
- Path: /var/www/owncloud/apps/market
- music:
- Version: 1.5.1
- Path: /var/www/owncloud/apps/music
- notifications:
- Version: 0.5.4
- Path: /var/www/owncloud/apps/notifications
- oauth2:
- Version: 0.5.2
- Path: /var/www/owncloud/apps/oauth2
- objectstore:
- Version: 0.5.1
- Path: /var/www/owncloud/apps/objectstore
- onlyoffice:
- Version: 7.3.1
- Path: /var/www/owncloud/apps/onlyoffice
- password_policy:
- Version: 2.1.3
- Path: /var/www/owncloud/apps/password_policy
- provisioning_api:
- Version: 0.5.0
- Path: /var/www/owncloud/apps/provisioning_api
- researchdrive_help:
- Version: 1.0.0
- Path: /var/www/owncloud/apps/researchdrive_help
- systemtags:
- Version: 0.3.0
- Path: /var/www/owncloud/apps/systemtags
- systemtags_management:
- Version: 0.4.1
- Path: /var/www/owncloud/apps/systemtags_management
- templateeditor:
- Version: 0.4.0
- Path: /var/www/owncloud/apps/templateeditor
- theme-miskatonic:
- Version: 1.0.0
- Path: /var/www/owncloud/apps/theme-miskatonic
- twofactor_backup_codes:
- Version: 0.1.0
- Path: /var/www/owncloud/apps/twofactor_backup_codes
- twofactor_totp:
- Version: 0.7.4
- Path: /var/www/owncloud/apps/twofactor_totp
- updatenotification:
- Version: 0.2.1
- Path: /var/www/owncloud/apps/updatenotification
- user_ldap:
- Version: 0.16.0
- Path: /var/www/owncloud/apps/user_ldap
- user_shibboleth:
- Version: 3.5.0
- Path: /var/www/owncloud/apps/user_shibboleth
- webdav_hooks:
- Version: 0.0.1
- Path: /var/www/owncloud/apps/webdav_hooks
- windows_network_drive:
- Version: 2.1.0
- Path: /var/www/owncloud/apps/windows_network_drive
- workflow:
- Version: 0.5.3
- Path: /var/www/owncloud/apps/workflow
Logs
Nothing special in the server logs. Header response:
$ curl -u '[email protected]:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
HTTP/1.1 401 Unauthorized
$ curl -u '[email protected]:app-token-is-here' https://miskatonic.data.surfsara.nl/remote.php/nonshib-webdav
HTTP/1.1 207 Multi-Status
The issue seems to be around the comparison done in https://github.com/owncloud/core/blob/master/lib/private/User/Session.php#L922
I propose to change
if ($user !== null && $dbToken->getLoginName() !== $user) to
if ($user !== null && \strcasecmp ($dbToken->getLoginName(), $user) !== 0)
This will make the username <--> token login-name comparison case-insensitive and will allow authentication with a different case.
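As an added illustration (not code from the issue or from ownCloud), the reported strict check and the proposed `strcasecmp()` check side by side, applied to constructed login-name pairs like those in the curl runs above; the function names and sample names are mine:

```php
<?php
// Added example, not ownCloud code: the token login-name check from
// lib/private/User/Session.php as reported (strict !==) beside the proposed
// strcasecmp() variant, run over scenarios modelled on this issue.
// Function names and the sample login names are constructed.

/** Check as reported: any difference in case is a mismatch. */
function loginNameMatchesStrict(string $tokenLoginName, ?string $user): bool
{
    // Mirrors: if ($user !== null && $dbToken->getLoginName() !== $user) { reject }
    return !($user !== null && $tokenLoginName !== $user);
}

/** Proposed check: ASCII case-insensitive comparison via strcasecmp(). */
function loginNameMatchesCaseInsensitive(string $tokenLoginName, ?string $user): bool
{
    // Mirrors: if ($user !== null && \strcasecmp($dbToken->getLoginName(), $user) !== 0) { reject }
    return !($user !== null && \strcasecmp($tokenLoginName, $user) !== 0);
}

// Constructed scenarios: the login name stored with the app password when it
// was generated, and the username later supplied in the Basic-auth header.
$scenarios = [
    ['stored' => 'tomw', 'supplied' => 'tomw'],        // same case: both accept
    ['stored' => 'tomw', 'supplied' => 'TomW'],        // the failing 401 case
    ['stored' => 'TomW', 'supplied' => 'TomW'],        // same case: both accept
    ['stored' => 'TomW', 'supplied' => 'tomw'],        // fixed by strcasecmp()
    ['stored' => 'TomW', 'supplied' => 'someoneelse'], // real mismatch: still rejected
];

printf("%-18s %-14s %-8s %s\n", 'token login name', 'supplied user', 'strict', 'strcasecmp');
foreach ($scenarios as $s) {
    printf(
        "%-18s %-14s %-8s %s\n",
        $s['stored'],
        $s['supplied'],
        loginNameMatchesStrict($s['stored'], $s['supplied']) ? 'accept' : 'reject',
        loginNameMatchesCaseInsensitive($s['stored'], $s['supplied']) ? 'accept' : 'reject'
    );
}
```

Note that `strcasecmp()` folds ASCII letters only, so a login name containing non-ASCII letters that differ only in case would still be rejected by the proposed check.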
See PR #40281 - it ended up being easy to demonstrate the problem with a failing test scenario, and the suggested fix makes the test scenario pass.
@phil-davis thanks! closing then https://github.com/owncloud/core/pull/40280 ?
yes - sorry I didn't ping here in time to say that I was looking at a test that could demonstrate the problem, and confirm the fix.