filestash icon indicating copy to clipboard operation
filestash copied to clipboard

Published 20 hours ago • verified publisher icon mickael-kerjean

Webdav Redirect 302 support

Open bfd69 opened this issue 2 years ago • 5 comments

Hello is the Redirect 302 supported by filestash in webdav access ? my use case is that my webdav server redirects "/" to "/username", it works with browsers and some Webdav clients, but not all clients seem to support Redirects 302. for information if i fill in the path in filestash it works, i had the same problem with another webdav client (crossftp) when accessing my webdav, and came to conclusion that 302 in not supported by crossftp but here the message was clear. ([R1] HttpException.getReasonCode(): 302)

while Filestash says just "invalid user"

bfd69 avatar Jun 22 '22 13:06 bfd69

The reason Filestash doesn't do redirect is to avoid somebody from relying on automatic redirect to do HTTP -> HTTPS redirection as by the time you've hit the HTTP endpoint you've already opened yourself to trouble and everything after that is potentially compromised. But your use case is legit and I didn't realise some people would have redirection from / to /username setup.

Are you open to make a pull request for this?

mickael-kerjean avatar Jun 29 '22 13:06 mickael-kerjean

ok, i understand and its a very good point that your concerned about security, really. in the mean time i found a simple solution while trying to read the webdav plugin source code as my use-case was mentioned. So in short what i found was that it is possible to use a variable %{username} in the url, i tested it and it worked great, all i had to do is to force my url like this in webdav parameters : https://mywonderfulwebdav.com/%{username}

But ! if i try to add in Path field something like /test/public with no username in username field then i stumbled on a strange behavior where instead of finding my self in /test i find myself in /test with a supplementary folder /test inside it, maybe that's because my webdav uses redirects as it detects a supplementary / so i tried instead of adding "/test/public" in Path field to add "test/public" and everything was fine. my request would be for the webdav plugin to check and remove additional slashes when username is empty (or something more clean).

thanks a lot for hearing me, i hope it was clear and you didn't get bored, also feel free to contact me if it wasn't clear enough. best regards

bfd69 avatar Jul 01 '22 15:07 bfd69

Can you send me a testing account to see that behaviour? Various webav servers behaves in slightly different way, if I can replicate what you're seeing we can be closer to a fix

mickael-kerjean avatar Jul 11 '22 13:07 mickael-kerjean

hello here are the informations for connecting and testing purposes, acces is readonly : https://privatebin.campusservices.fr/?169c08bfb111fbad#5EDXkaKZbgnggP2WSYnYBBMsMCvj19GuU8dGDsFjuHGt

you dont have to fill in username for public folders (the behavior is the same for non public folders), so : connexion : just fill the folder (path) field with no user and no password, you will notice that you have 3 folders, the third being "public" and that one shouldnt be seen ! if you click on it you'll get a "ooops" because thats an artifact that shouldnt be seen.

if you want to observe the correct behavior just ommit the first slash in path field ! , you will see only 2 folders and not the public, and that is correct.

you can setup a docker on your own with my webdav server as backend, juste replace in the url i gave you "filestash" by "dav" and thats it.

best regards

bfd69 avatar Jul 12 '22 07:07 bfd69

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 21 '22 02:09 stale[bot]