Michael Nutt

Fixed in https://github.com/mnutt/davros/commit/6ac11a4ba89dd997b9fcb7c47728e337404edce4, to be released in 0.31.2.

FWIW I don't know that owncloud/nextcloud clients typically use Range requests; from what I remember they [upload hundreds of smaller files and then send a command to finalize and concatenate...

I was able to reproduce on sandstorm, but I don't think it's a sandstorm problem. I think I see the _likely_ cause of this in reading the above nextcloud docs,...

Once sandstorm allows a few extra request headers through I’ll be able to checksum the final result and ensure that at least no data is ever corrupted. But it wouldn’t...

You're right, I think it was a mistake that it rendered at all. My general pattern for rendering previews of untrusted content is to xhr-fetch the contents and add them...

Unfortunately I think this may end up out of scope; it may just be too hard to preview a page safely while allowing local images but disallowing remote image loads....

I see the issue; _generally_ we automatically uri-encode things but creating a new directory puts the new directory name in the path of a MKCOL. Should be a straightforward fix.

This sounds like a neat feature. Perhaps integrated in with Sandstorm's capabilities.

We use unauthenticated resources here: https://github.com/mnutt/davros/blob/84f22eba6b44c6663839e164989110166f5b696a/app/lib/owncloud.js#L11-L19 and could probably add one for /remote.php/webdav. Is the intention to send back a `401 Unauthorized` with `Dav: 1, 2, 3, extended-mkcol`? And do...

Sadly, in testing it with the extra options added to the offer template, I now get a "401 unauthorized" from Transmit. My guess at this point, based on reading that...