policy engine does not apply on all upload endpoints

Open butonic opened this issue 1 month ago • 0 comments

Describe the bug

When trying to prevent e.g. exe uploads, the policy engine does not affect URLs without remote.php

Steps to reproduce

  1. create a single file share
  2. use a PUT request to update the file

Since we are not using tus and single file shares have no extension in the URL AND the check expects the URL to contain '/remote.php/dav/spaces', the upload will go through.

Expected behavior

exe files should be detected by the mimetype detection

Actual behavior

PUT requests to /remote.php/webdav/file still work when the policy engine should prevent them

Setup

enable the policy engine and configure it to prevent exe uploads

Context

I was originally under the impression that the current code had a bug because it would only apply the policies to URLs without the remote.php part in the policies.go proxy middleware:

if resource.Name == "" && filepath.Ext(r.URL.Path) == "" && r.Method == http.MethodPut && strings.HasPrefix(r.URL.Path, "/remote.php/dav/spaces") {

The final check should be true for all possible upload endpoints, e.g. (/remote.php)/(webdav|dav/(files|spaces)) and ... the public upload endpoint AFAICT.

butonic, Nov 05 '25 11:11
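The gap between the quoted prefix check and a matcher for the endpoint pattern suggested in the issue, as an added Go example (not OpenCloud's code). `broadCheck`, `uploadEndpoint` and the sample paths are assumptions, and the public upload endpoint is left out because the issue does not give its path.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"path/filepath"
	"regexp"
	"strings"
)

// currentCheck mirrors the method and URL terms of the condition quoted in the
// issue; resource.Name == "" is left out because it does not depend on the URL.
func currentCheck(method, urlPath string) bool {
	return filepath.Ext(urlPath) == "" && method == http.MethodPut &&
		strings.HasPrefix(urlPath, "/remote.php/dav/spaces")
}

// uploadEndpoint encodes the pattern named in the issue,
// (/remote.php)/(webdav|dav/(files|spaces)), with the prefix optional.
// The public upload endpoint is not listed: the issue does not give its path.
var uploadEndpoint = regexp.MustCompile(`^(/remote\.php)?/(webdav|dav/(files|spaces))(/|$)`)

// broadCheck is a hypothetical replacement in which only the last term changes.
func broadCheck(method, urlPath string) bool {
	clean := path.Clean("/" + urlPath) // collapse "//" and dot segments first
	return filepath.Ext(clean) == "" && method == http.MethodPut &&
		uploadEndpoint.MatchString(clean)
}

func main() {
	// Constructed sample paths, not taken from a real deployment.
	samples := []string{
		"/remote.php/dav/spaces/space-id/share",
		"/remote.php/webdav/file",
		"/webdav/file",
		"/remote.php/dav/files/alice/file",
		"/remote.php//webdav/file",
		"/graph/v1.0/me",
	}
	for _, p := range samples {
		fmt.Printf("%-40s current=%-5v broad=%v\n", p,
			currentCheck(http.MethodPut, p), broadCheck(http.MethodPut, p))
	}
}
```

Paths where `current` is false and `broad` is true are the uploads that skip the content-based policy check today.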