projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
14716: Fix accidentally accepting credentials at public download URL.
[arvados.git] / services / keep-web / handler.go
diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 6aeb7b9c48dfb2859841c72f19e2ff78c282e5aa..837579fe25acfbff5283b28bbb7f4375a3322280 100644 (file)
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -25,7 +25,7 @@ import (
        "git.curoverse.com/arvados.git/sdk/go/health"
        "git.curoverse.com/arvados.git/sdk/go/httpserver"
        "git.curoverse.com/arvados.git/sdk/go/keepclient"
-       log "github.com/Sirupsen/logrus"
+       log "github.com/sirupsen/logrus"
        "golang.org/x/net/webdav"
 )
 
@@ -141,26 +141,28 @@ var (
                "Depth", "Destination", "If", "Lock-Token", "Overwrite", "Timeout",
        }, ", ")
        writeMethod = map[string]bool{
-               "COPY":   true,
-               "DELETE": true,
-               "LOCK":   true,
-               "MKCOL":  true,
-               "MOVE":   true,
-               "PUT":    true,
-               "RMCOL":  true,
-               "UNLOCK": true,
+               "COPY":      true,
+               "DELETE":    true,
+               "LOCK":      true,
+               "MKCOL":     true,
+               "MOVE":      true,
+               "PROPPATCH": true,
+               "PUT":       true,
+               "RMCOL":     true,
+               "UNLOCK":    true,
        }
        webdavMethod = map[string]bool{
-               "COPY":     true,
-               "DELETE":   true,
-               "LOCK":     true,
-               "MKCOL":    true,
-               "MOVE":     true,
-               "OPTIONS":  true,
-               "PROPFIND": true,
-               "PUT":      true,
-               "RMCOL":    true,
-               "UNLOCK":   true,
+               "COPY":      true,
+               "DELETE":    true,
+               "LOCK":      true,
+               "MKCOL":     true,
+               "MOVE":      true,
+               "OPTIONS":   true,
+               "PROPFIND":  true,
+               "PROPPATCH": true,
+               "PUT":       true,
+               "RMCOL":     true,
+               "UNLOCK":    true,
        }
        browserMethod = map[string]bool{
                "GET":  true,
@@ -216,7 +218,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
                        return
                }
                w.Header().Set("Access-Control-Allow-Headers", corsAllowHeadersHeader)
-               w.Header().Set("Access-Control-Allow-Methods", "COPY, DELETE, GET, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PUT, RMCOL")
+               w.Header().Set("Access-Control-Allow-Methods", "COPY, DELETE, GET, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, RMCOL, UNLOCK")
                w.Header().Set("Access-Control-Allow-Origin", "*")
                w.Header().Set("Access-Control-Max-Age", "86400")
                statusCode = http.StatusOK
@@ -281,8 +283,11 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
                } else {
                        // /collections/ID/PATH...
                        collectionID = parseCollectionIDFromURL(pathParts[1])
-                       tokens = h.Config.AnonymousTokens
                        stripParts = 2
+                       // This path is only meant to work for public
+                       // data. Tokens provided with the request are
+                       // ignored.
+                       credentialsOK = false
                }
        }
 
@@ -296,6 +301,10 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
                forceReload = true
        }
 
+       if credentialsOK {
+               reqTokens = auth.CredentialsFromRequest(r).Tokens
+       }
+
        formToken := r.FormValue("api_token")
        if formToken != "" && r.Header.Get("Origin") != "" && attachment && r.URL.Query().Get("api_token") == "" {
                // The client provided an explicit token in the POST
@@ -311,7 +320,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
                //
                // * The token isn't embedded in the URL, so we don't
                //   need to worry about bookmarks and copy/paste.
-               tokens = append(tokens, formToken)
+               reqTokens = append(reqTokens, formToken)
        } else if formToken != "" && browserMethod[r.Method] {
                // The client provided an explicit token in the query
                // string, or a form in POST body. We must put the
@@ -323,10 +332,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
        }
 
        if useSiteFS {
-               if tokens == nil {
-                       tokens = auth.CredentialsFromRequest(r).Tokens
-               }
-               h.serveSiteFS(w, r, tokens, credentialsOK, attachment)
+               h.serveSiteFS(w, r, reqTokens, credentialsOK, attachment)
                return
        }
 
@@ -345,9 +351,6 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
        }
 
        if tokens == nil {
-               if credentialsOK {
-                       reqTokens = auth.CredentialsFromRequest(r).Tokens
-               }
                tokens = append(reqTokens, h.Config.AnonymousTokens...)
        }