Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ocis]Creating folder with & character makes the UI act weird #4474

Closed
SwikritiT opened this issue Aug 25, 2022 · 4 comments · Fixed by #4629
Closed

[ocis]Creating folder with & character makes the UI act weird #4474

SwikritiT opened this issue Aug 25, 2022 · 4 comments · Fixed by #4629
Assignees
@rhafer
Labels
Priority:p2-high Escalation, on top of current planning, release blocker Type:Bug
Milestone
2.0.0 General Ava...

Comments

@SwikritiT
Copy link
Contributor

Steps to reproduce

  1. As user einstein create a folder folder through API
curl -vk -X MKCOL -u einstein:relativity 'https://host.docker.internal:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51/folder'
  1. Login as einstein and see the folder in the webui

Screenshot from 2022-08-25 17-09-39
It is displayed
3. Now create a folder named new&folder through API

curl -vk -X MKCOL -u einstein:relativity 'https://host.docker.internal:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51/new&folder'


*   Trying 127.0.0.1:9200...
* TCP_NODELAY set
* Connected to host.docker.internal (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=Acme Corp; CN=OCIS
*  start date: Aug 25 11:22:43 2022 GMT
*  expire date: Aug 25 11:22:43 2023 GMT
*  issuer: O=Acme Corp; CN=OCIS
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Server auth using Basic with user 'einstein'
> MKCOL /dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51/new&folder HTTP/1.1
> Host: host.docker.internal:9200
> Authorization: Basic ZWluc3RlaW46cmVsYXRpdml0eQ==
> User-Agent: curl/7.68.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Access-Control-Allow-Origin: *
< Content-Length: 0
< Content-Security-Policy: default-src 'none';
< Date: Thu, 25 Aug 2022 11:24:52 GMT
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: none
< X-Xss-Protection: 1; mode=block
< 
* Connection #0 to host host.docker.internal left intact

The folder gets created
4. Now reload the UI . It shows Resource not found
Screenshot from 2022-08-25 17-11-51
5. Upon looking at the network it gives me, I created two folders but only one is in the response
network

  1. But upon PROPFIND through curl it gives correct response
<d:multistatus xmlns:s="http://sabredav.org/ns" xmlns:d="DAV:" xmlns:oc="http://owncloud.org/ns"><d:response><d:href>/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51/</d:href><d:propstat><d:prop><oc:id>1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51!4c510ada-c86b-4815-8820-42cdf82c3d51</oc:id><oc:fileid>1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51!4c510ada-c86b-4815-8820-42cdf82c3d51</oc:fileid><oc:spaceid>4c510ada-c86b-4815-8820-42cdf82c3d51</oc:spaceid><d:getetag>&#34;783124389e537b46d74b478dd5562393&#34;</d:getetag><oc:permissions>RDNVCK</oc:permissions><d:resourcetype><d:collection/></d:resourcetype><oc:size>0</oc:size><d:getlastmodified>Thu, 25 Aug 2022 11:24:52 GMT</d:getlastmodified><oc:favorite>0</oc:favorite></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response><d:response><d:href>/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51/new&amp;folder/</d:href><d:propstat><d:prop><oc:id>1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51!c9a2c990-b880-4a08-bb17-af98b0acaf4e</oc:id><oc:fileid>1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51!c9a2c990-b880-4a08-bb17-af98b0acaf4e</oc:fileid><oc:spaceid>4c510ada-c86b-4815-8820-42cdf82c3d51</oc:spaceid><oc:name>new&folder</oc:name><d:getetag>&#34;4a96bec058d0e6a889b88a7a61c47f56&#34;</d:getetag><oc:permissions>RDNVCK</oc:permissions><d:resourcetype><d:collection/></d:resourcetype><oc:size>0</oc:size><d:getlastmodified>Thu, 25 Aug 2022 11:24:52 GMT</d:getlastmodified><oc:favorite>0</oc:favorite></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response><d:response><d:href>/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51/folder/</d:href><d:propstat><d:prop><oc:id>1284d238-aa92-42ce-bdc4-0b0000009157$4c510ada-c86b-4815-8820-42cdf82c3d51!27456602-8058-4f32-946f-0a5c16e8b987</oc:id><oc:fileid>1284d238-aa92-42ce-bdc4-0b0000009157$4c510a* Connection #0 to host host.docker.internal left intact
da-c86b-4815-8820-42cdf82c3d51!27456602-8058-4f32-946f-0a5c16e8b987</oc:fileid><oc:spaceid>4c510ada-c86b-4815-8820-42cdf82c3d51</oc:spaceid><oc:name>folder</oc:name><d:getetag>&#34;06afb140ed2f2488c320691250127845&#34;</d:getetag><oc:permissions>RDNVCK</oc:permissions><d:resourcetype><d:collection/></d:resourcetype><oc:size>0</oc:size><d:getlastmodified>Thu, 25 Aug 2022 11:24:06 GMT</d:getlastmodified><oc:favorite>0</oc:favorite></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response></d:multistatus>%
  1. Upon trying to create folder with & from webui it gives following error message

folderwithand

Expected behaviour

The folder should be displayed

Actual behaviour

As explained in the steps

Both ocis and web are latest master
@SwikritiT SwikritiT mentioned this issue Aug 26, 2022
Merged
10 tasks
@kulmann
Copy link
Member

kulmann commented Aug 29, 2022

Creating a folder with & in the name works with ownCloud 10 as a backend. So this has to be an oCIS backend issue... moving to ocis repo.

@kulmann kulmann transferred this issue from owncloud/web Aug 29, 2022
@SwikritiT SwikritiT mentioned this issue Sep 20, 2022
Closed
@SwikritiT SwikritiT self-assigned this Sep 20, 2022
@SwikritiT SwikritiT mentioned this issue Sep 20, 2022
Merged
11 tasks
@micbar micbar added this to the 2.0.0 General Availability milestone Sep 20, 2022
@micbar micbar added the Priority:p2-high Escalation, on top of current planning, release blocker label Sep 20, 2022
@SwikritiT
Copy link
Contributor Author

Api test added in this PR : owncloud/core#40376
Id bump is being done here: #4613

@SwikritiT SwikritiT removed their assignment Sep 20, 2022
@phil-davis
Copy link
Contributor

phil-davis commented Sep 20, 2022
edited
Loading

The test scenarios added in core PR owncloud/core#40376 are passing on both oC10 and oCIS. So the API is working OK for those particular cases that have an & in the file or folder name.

$ curl -v -u harry:harry -X MKCOL 'http://172.17.0.1:8080/remote.php/webdav/new&folder'
*   Trying 172.17.0.1:8080...
* TCP_NODELAY set
* Connected to 172.17.0.1 (172.17.0.1) port 8080 (#0)
* Server auth using Basic with user 'harry'
> MKCOL /remote.php/webdav/new&folder HTTP/1.1
> Host: 172.17.0.1:8080
> Authorization: Basic aGFycnk6aGFycnk=
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Host: 172.17.0.1:8080
< Date: Tue, 20 Sep 2022 08:06:20 GMT
< Connection: close

I guess curl does whatever it does with the & - IMO it sends it as-is, without trying to escape it.

curl -v -u harry:harry -X MKCOL 'http://172.17.0.1:8080/remote.php/dav/files/Harry/new&folder2'
*   Trying 172.17.0.1:8080...
* TCP_NODELAY set
* Connected to 172.17.0.1 (172.17.0.1) port 8080 (#0)
* Server auth using Basic with user 'harry'
> MKCOL /remote.php/dav/files/Harry/new&folder2 HTTP/1.1
> Host: 172.17.0.1:8080
> Authorization: Basic aGFycnk6aGFycnk=
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Host: 172.17.0.1:8080
< Date: Tue, 20 Sep 2022 08:11:41 GMT
< Connection: close

It works on oC10 and oCIS with both ways of doing the webDAV MKCOL request.

I suppose that web is using a request to the personal space, which is different to the examples above?

@rhafer rhafer self-assigned this Sep 21, 2022
@rhafer
Copy link
Contributor

rhafer commented Sep 21, 2022

The test scenarios added in core PR owncloud/core#40376 are passing on both oC10 and oCIS. So the API is working OK for those particular cases that have an & in the file or folder name.

AFAIU the test suite only request the d:getetag and d:resourcetype properties with PROPFIND request that checks for the presence of the new folder.
The bug is however caused by the <oc:name> property that was introduced with cs3org/reva#3158. It needs proper escaping. Working on a fix ...

rhafer added a commit to rhafer/reva that referenced this issue Sep 21, 2022
@rhafer
ocdav: Properly escape oc:name in propfind response
1469f0b 
The oc:name property in the ocdav propfind response might contain
XML special characters. We now apply the proper escaping on that
propert.

owncloud/ocis#4474
@rhafer rhafer mentioned this issue Sep 21, 2022
Merged
rhafer added a commit to rhafer/reva that referenced this issue Sep 21, 2022
@rhafer
ocdav: Properly escape oc:name in propfind response
8acc7bb 
The oc:name property in the ocdav propfind response might contain
XML special characters. We now apply the proper escaping on that
property.

owncloud/ocis#4474
C0rby pushed a commit to cs3org/reva that referenced this issue Sep 21, 2022
@rhafer
ocdav: Properly escape oc:name in propfind response (#3255)
a098879 
The oc:name property in the ocdav propfind response might contain
XML special characters. We now apply the proper escaping on that
property.

owncloud/ocis#4474
rhafer added a commit to rhafer/ocis that referenced this issue Sep 21, 2022
@rhafer
Bump reva to get fix for owncloud#4474
2e9ca9d 
Fixes: owncloud#4474
@rhafer rhafer mentioned this issue Sep 21, 2022
Merged
rhafer added a commit to rhafer/ocis that referenced this issue Sep 21, 2022
@rhafer
Bump reva to get fix for owncloud#4474
4c50c2b 
Fixes: owncloud#4474
rhafer added a commit to rhafer/ocis that referenced this issue Sep 21, 2022
@rhafer
Bump reva to get fix for owncloud#4474
f8126b1 
Fixes: owncloud#4474
phil-davis added a commit that referenced this issue Sep 22, 2022
@phil-davis
Merge pull request #4629 from rhafer/issue/4474
131988a 
[full-ci] Bump reva to get fix for #4474
ownclouders pushed a commit that referenced this issue Sep 22, 2022
@phil-davis
commit 131988a
ce5b5aa 
Merge: fe0210d f8126b1
Author: Phil Davis <[email protected]>
Date:   Thu Sep 22 09:50:09 2022 +0545

    Merge pull request #4629 from rhafer/issue/4474

    [full-ci] Bump reva to get fix for #4474
@SwikritiT SwikritiT mentioned this issue Oct 10, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rhafer rhafer

Labels
Priority:p2-high Escalation, on top of current planning, release blocker Type:Bug
Projects
Infinite Scale Team Board
Archived in project
Milestone
2.0.0 General Availability
Development

Successfully merging a pull request may close this issue.

[full-ci] Bump reva to get fix for #4474 rhafer/ocis
5 participants
@rhafer @phil-davis @kulmann @micbar @SwikritiT