From 6b521f249f5167351416ad15ebb518937bd96677 Mon Sep 17 00:00:00 2001 From: Jannik Stehle Date: Wed, 3 Jul 2024 10:33:55 +0200 Subject: [PATCH 1/6] fix: quotes in content-disposition header Replaces the quotes by actually encoding the filename in the dav `Content-Disposition` header. The value of the `filename*` parameter must not be surrounded by any quotes, but rather be encoded in the first place. See RFC-6266 for more details. The quotes caused an issue where certain browsers would decode the quotes and falsely prepend them to the filename. --- .../unreleased/fix-quotes-in-content-disposition-headers.md | 6 ++++++ internal/http/services/owncloud/ocdav/net/builders.go | 3 ++- tests/acceptance/expected-failures-on-OCIS-storage.md | 5 +++++ tests/acceptance/expected-failures-on-S3NG-storage.md | 5 +++++ 4 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 changelog/unreleased/fix-quotes-in-content-disposition-headers.md diff --git a/changelog/unreleased/fix-quotes-in-content-disposition-headers.md b/changelog/unreleased/fix-quotes-in-content-disposition-headers.md new file mode 100644 index 0000000000..49fe471f28 --- /dev/null +++ b/changelog/unreleased/fix-quotes-in-content-disposition-headers.md @@ -0,0 +1,6 @@ +Bugfix: Quotes in dav Content-Disposition header + +We've fixed the the quotes in the dav `Content-Disposition` header. They caused an issue where certain browsers would decode the quotes and falsely prepend them to the filename. + +https://github.com/cs3org/reva/pull/4748 +https://github.com/owncloud/web/issues/11031 diff --git a/internal/http/services/owncloud/ocdav/net/builders.go b/internal/http/services/owncloud/ocdav/net/builders.go index be7b8fdeec..f9bd903b43 100644 --- a/internal/http/services/owncloud/ocdav/net/builders.go +++ b/internal/http/services/owncloud/ocdav/net/builders.go @@ -19,6 +19,7 @@ package net import ( + "net/url" "time" cs3types "github.com/cs3org/go-cs3apis/cs3/types/v1beta1" 
@@ -27,7 +28,7 @@ import ( // ContentDispositionAttachment builds a ContentDisposition Attachment header with various filename encodings func ContentDispositionAttachment(filename string) string { - return "attachment; filename*=UTF-8''\"" + filename + "\"; filename=\"" + filename + "\"" + return "attachment; filename*=UTF-8''" + url.QueryEscape(filename) + "; filename=\"" + filename + "\"" } // RFC1123Z formats a CS3 Timestamp to be used in HTTP headers like Last-Modified diff --git a/tests/acceptance/expected-failures-on-OCIS-storage.md b/tests/acceptance/expected-failures-on-OCIS-storage.md index 48480e62db..62bef5a2c9 100644 --- a/tests/acceptance/expected-failures-on-OCIS-storage.md +++ b/tests/acceptance/expected-failures-on-OCIS-storage.md @@ -281,5 +281,10 @@ _The below features have been added after I last categorized them. AFAICT they a - [coreApiWebdavMove2/moveFile.feature:121](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavMove2/moveFile.feature#L121) - [coreApiWebdavMove2/moveFile.feature:126](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavMove2/moveFile.feature#L126) +### [Fix Content-Disposition header for download requests](https://github.com/cs3org/reva/pull/4748) + +- [coreApiVersions/fileVersions.feature:158](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiVersions/fileVersions.feature#L158) +- [coreApiVersions/fileVersions.feature:176](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiVersions/fileVersions.feature#L176) + - Note: always have an empty line at the end of this file. The bash script that processes this file may not process a scenario reference on the last line. diff --git a/tests/acceptance/expected-failures-on-S3NG-storage.md b/tests/acceptance/expected-failures-on-S3NG-storage.md index 4804098da2..78924f7279 100644 --- a/tests/acceptance/expected-failures-on-S3NG-storage.md 
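Review bot: The legacy `filename="..."` parameter on the new return line still concatenates the raw `filename` into a quoted-string, so a name containing `"` or `\` ends the quoted value early and the rest is parsed as further header parameters; only the `filename*` operand is encoded by this change. The same operand is carried over unchanged in the PATCH 4/6 hunk of builders.go. Escaping the fallback per the quoted-string rules would close this, e.g. `strings.NewReplacer("\\", "\\\\", "\"", "\\\"").Replace(filename)` as the second operand (this needs the `strings` import), and CR/LF or other control characters are better dropped at the same point than left to the HTTP layer. Non-ASCII names also reach `filename=` verbatim, which RFC 6266 does not define, so an ASCII-only fallback would behave more predictably across clients.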
+++ b/tests/acceptance/expected-failures-on-S3NG-storage.md @@ -284,5 +284,10 @@ _The below features have been added after I last categorized them. AFAICT they a - [coreApiWebdavMove2/moveFile.feature:121](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavMove2/moveFile.feature#L121) - [coreApiWebdavMove2/moveFile.feature:126](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavMove2/moveFile.feature#L126) +### [Fix Content-Disposition header for download requests](https://github.com/cs3org/reva/pull/4748) + +- [coreApiVersions/fileVersions.feature:158](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiVersions/fileVersions.feature#L158) +- [coreApiVersions/fileVersions.feature:176](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiVersions/fileVersions.feature#L176) + Note: always have an empty line at the end of this file. The bash script that processes this file may not process a scenario reference on the last line. From b6bdbac2b83868462357ef4381f73d777375036f Mon Sep 17 00:00:00 2001 From: Jannik Stehle Date: Wed, 10 Jul 2024 09:58:31 +0200 Subject: [PATCH 2/6] docs: fix PR link in changelog --- .../unreleased/fix-quotes-in-content-disposition-headers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog/unreleased/fix-quotes-in-content-disposition-headers.md b/changelog/unreleased/fix-quotes-in-content-disposition-headers.md index 49fe471f28..90e6da016c 100644 --- a/changelog/unreleased/fix-quotes-in-content-disposition-headers.md +++ b/changelog/unreleased/fix-quotes-in-content-disposition-headers.md 
@@ -2,5 +2,5 @@ Bugfix: Quotes in dav Content-Disposition header We've fixed the the quotes in the dav `Content-Disposition` header. They caused an issue where certain browsers would decode the quotes and falsely prepend them to the filename. -https://github.com/cs3org/reva/pull/4748 +https://github.com/cs3org/reva/pull/4761 https://github.com/owncloud/web/issues/11031 From 016716ad21daf21ff7e93a7afd2f56f35fca35da Mon Sep 17 00:00:00 2001 From: Jannik Stehle Date: Thu, 11 Jul 2024 10:29:25 +0200 Subject: [PATCH 3/6] test: skip expected failures --- .../acceptance/expected-failures-on-OCIS-storage.md | 12 ++++++++++++ .../acceptance/expected-failures-on-S3NG-storage.md | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/tests/acceptance/expected-failures-on-OCIS-storage.md b/tests/acceptance/expected-failures-on-OCIS-storage.md index 62bef5a2c9..9f04163222 100644 --- a/tests/acceptance/expected-failures-on-OCIS-storage.md +++ b/tests/acceptance/expected-failures-on-OCIS-storage.md 
@@ -285,6 +285,18 @@ _The below features have been added after I last categorized them. AFAICT they a - [coreApiVersions/fileVersions.feature:158](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiVersions/fileVersions.feature#L158) - [coreApiVersions/fileVersions.feature:176](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiVersions/fileVersions.feature#L176) +- [coreApiWebdavOperations/downloadFile.feature:284](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L284) +- [coreApiWebdavOperations/downloadFile.feature:285](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L285) +- [coreApiWebdavOperations/downloadFile.feature:286](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L286) +- [coreApiWebdavOperations/downloadFile.feature:287](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L287) +- [coreApiWebdavOperations/downloadFile.feature:288](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L288) +- [coreApiWebdavOperations/downloadFile.feature:289](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L289) +- [coreApiWebdavOperations/downloadFile.feature:294](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L294) +- [coreApiWebdavOperations/downloadFile.feature:295](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L295) +- 
[coreApiWebdavOperations/downloadFile.feature:296](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L296) +- [coreApiWebdavOperations/downloadFile.feature:317](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L317) +- [coreApiWebdavOperations/downloadFile.feature:318](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L318) +- [coreApiWebdavOperations/downloadFile.feature:323](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L323) - Note: always have an empty line at the end of this file. The bash script that processes this file may not process a scenario reference on the last line. diff --git a/tests/acceptance/expected-failures-on-S3NG-storage.md b/tests/acceptance/expected-failures-on-S3NG-storage.md index 78924f7279..81ee8a5579 100644 --- a/tests/acceptance/expected-failures-on-S3NG-storage.md +++ b/tests/acceptance/expected-failures-on-S3NG-storage.md 
@@ -288,6 +288,18 @@ _The below features have been added after I last categorized them. AFAICT they a - [coreApiVersions/fileVersions.feature:158](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiVersions/fileVersions.feature#L158) - [coreApiVersions/fileVersions.feature:176](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiVersions/fileVersions.feature#L176) +- [coreApiWebdavOperations/downloadFile.feature:284](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L284) +- [coreApiWebdavOperations/downloadFile.feature:285](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L285) +- [coreApiWebdavOperations/downloadFile.feature:286](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L286) +- [coreApiWebdavOperations/downloadFile.feature:287](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L287) +- [coreApiWebdavOperations/downloadFile.feature:288](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L288) +- [coreApiWebdavOperations/downloadFile.feature:289](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L289) +- [coreApiWebdavOperations/downloadFile.feature:294](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L294) +- [coreApiWebdavOperations/downloadFile.feature:295](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L295) +- 
[coreApiWebdavOperations/downloadFile.feature:296](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L296) +- [coreApiWebdavOperations/downloadFile.feature:317](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L317) +- [coreApiWebdavOperations/downloadFile.feature:318](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L318) +- [coreApiWebdavOperations/downloadFile.feature:323](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/coreApiWebdavOperations/downloadFile.feature#L323) Note: always have an empty line at the end of this file. The bash script that processes this file may not process a scenario reference on the last line. From 5de9f7c9bc5a0dc2037499bfce9f6c7e1c29affc Mon Sep 17 00:00:00 2001 From: Jannik Stehle Date: Wed, 10 Jul 2024 09:55:20 +0200 Subject: [PATCH 4/6] fix: blanks in dav Content-Disposition header Fixes the encoding of blanks in the dav `Content-Disposition` header. This is a regression caused by #4748. --- .../unreleased/fix-blanks-in-content-disposition-headers.md | 6 ++++++ internal/http/services/owncloud/ocdav/net/builders.go | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 changelog/unreleased/fix-blanks-in-content-disposition-headers.md diff --git a/changelog/unreleased/fix-blanks-in-content-disposition-headers.md b/changelog/unreleased/fix-blanks-in-content-disposition-headers.md new file mode 100644 index 0000000000..0e4e0c82ec --- /dev/null +++ b/changelog/unreleased/fix-blanks-in-content-disposition-headers.md @@ -0,0 +1,6 @@ +Bugfix: Blanks in dav Content-Disposition header + +We've fixed the encoding of blanks in the dav `Content-Disposition` header. + +https://github.com/cs3org/reva/pull/4762 +https://github.com/owncloud/web/issues/11169 
diff --git a/internal/http/services/owncloud/ocdav/net/builders.go b/internal/http/services/owncloud/ocdav/net/builders.go index f9bd903b43..727c59c03f 100644 --- a/internal/http/services/owncloud/ocdav/net/builders.go +++ b/internal/http/services/owncloud/ocdav/net/builders.go @@ -28,7 +28,7 @@ import ( // ContentDispositionAttachment builds a ContentDisposition Attachment header with various filename encodings func ContentDispositionAttachment(filename string) string { - return "attachment; filename*=UTF-8''" + url.QueryEscape(filename) + "; filename=\"" + filename + "\"" + return "attachment; filename*=UTF-8''" + url.PathEscape(filename) + "; filename=\"" + filename + "\"" } // RFC1123Z formats a CS3 Timestamp to be used in HTTP headers like Last-Modified From 09ff1be84f1088a18f47b4eef446a9850da91dd8 Mon Sep 17 00:00:00 2001 From: Jannik Stehle Date: Thu, 11 Jul 2024 16:21:51 +0200 Subject: [PATCH 5/6] docs: combine changelog items --- .../unreleased/fix-blanks-in-content-disposition-headers.md | 6 ------ .../unreleased/fix-quotes-in-content-disposition-headers.md | 1 + 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 changelog/unreleased/fix-blanks-in-content-disposition-headers.md diff --git a/changelog/unreleased/fix-blanks-in-content-disposition-headers.md b/changelog/unreleased/fix-blanks-in-content-disposition-headers.md deleted file mode 100644 index 0e4e0c82ec..0000000000 --- a/changelog/unreleased/fix-blanks-in-content-disposition-headers.md +++ /dev/null @@ -1,6 +0,0 @@ -Bugfix: Blanks in dav Content-Disposition header - -We've fixed the encoding of blanks in the dav `Content-Disposition` header. - -https://github.com/cs3org/reva/pull/4762 -https://github.com/owncloud/web/issues/11169 diff --git a/changelog/unreleased/fix-quotes-in-content-disposition-headers.md b/changelog/unreleased/fix-quotes-in-content-disposition-headers.md index 90e6da016c..65b1b6182d 100644 --- a/changelog/unreleased/fix-quotes-in-content-disposition-headers.md 
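Review bot: `url.PathEscape` on the new return line encodes for URL path segments, not for the RFC 5987 `attr-char` set that `filename*` requires; as far as I know it leaves `:`, `=` and `@` unescaped, and none of those are in `attr-char`. The `;` and `,` delimiters are escaped, so this looks like a conformance gap rather than a parameter-injection path, but a strict parser may reject the value. A small helper that percent-encodes every byte outside `attr-char` would be exact (it needs `strings` and `fmt`), as sketched below. A table-driven test over names with blanks, quotes, `;`, `%` and non-ASCII characters would also have caught the `+`-for-space regression this commit repairs.

```go
// rfc5987Escape percent-encodes every byte outside the RFC 5987 attr-char set.
func rfc5987Escape(s string) string {
	const attrChar = "!#$&+-.^_`|~"
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9',
			strings.IndexByte(attrChar, c) >= 0:
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

func ContentDispositionAttachment(filename string) string {
	// … unchanged: "attachment; filename*=UTF-8''" prefix and the filename="..." operand …
	// first operand becomes: rfc5987Escape(filename)
```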
+++ b/changelog/unreleased/fix-quotes-in-content-disposition-headers.md @@ -4,3 +4,4 @@ We've fixed the the quotes in the dav `Content-Disposition` header. They caused https://github.com/cs3org/reva/pull/4761 https://github.com/owncloud/web/issues/11031 +https://github.com/owncloud/web/issues/11169 From c4335084d78f87c2569ee5b4768af3a9c0a915b6 Mon Sep 17 00:00:00 2001 From: Jannik Stehle Date: Fri, 26 Jul 2024 08:30:44 +0200 Subject: [PATCH 6/6] chore: pick Dockerfile changes from #4776 --- Dockerfile.revad-ceph | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/Dockerfile.revad-ceph b/Dockerfile.revad-ceph index b3c22996e9..0e82a5b46e 100644 --- a/Dockerfile.revad-ceph +++ b/Dockerfile.revad-ceph @@ -20,10 +20,18 @@ FROM quay.io/ceph/ceph:v18 # replace repo url with one that allows downloading the repo metadata # if http://download.ceph.com/rpm-reef/el8/x86_64/repodata/repomd.xml works again this can be dropped -RUN sed -i 's/download.ceph.com/fr.ceph.com/' /etc/yum.repos.d/ceph.repo -RUN mkdir -p /etc/selinux/config +# RUN sed -i 's/download.ceph.com/fr.ceph.com/' /etc/yum.repos.d/ceph.repo +# RUN mkdir -p /etc/selinux/config -RUN dnf update --exclude=ceph-iscsi,chrony -y && dnf install -y \ +# RUN dnf update --exclude=ceph-iscsi,chrony -y && dnf install -y \ +# git \ +# gcc \ +# make \ +# libcephfs-devel \ +# librbd-devel \ +# librados-devel + +RUN dnf update --exclude=ceph-iscsi -y && dnf install -y \ git \ gcc \ make \
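Review bot: The superseded `RUN` lines are kept as a commented-out block, and the two-line comment above them ("replace repo url with one that allows downloading the repo metadata ...") now describes commands that no longer run. Deleting the block together with that comment, or replacing both with one line such as `# fr.ceph.com mirror workaround removed, see #4776`, keeps the Dockerfile readable; the old commands remain in history. The new `dnf update` also drops `chrony` from `--exclude` without explanation, which deserves a sentence in the commit message. The `RUN` instruction continues outside the hunk.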