HTTP status should be 415(Unsupported Media Type) for `MOVE, DELETE, COPY` request with body
Steps to reproduce
- Create user `uu1`
- Create a file `test.txt`
- Send `MOVE` request for `test.txt` with the body using curl

```
curl -ks -u uu1:uu1 -XMOVE -H "DESTINATION: http://localhost/core/remote.php/webdav/test2.txt" --data "doesnotmatter" http://localhost/core/remote.php/webdav/test.txt
curl -ks -u uu1:uu1 -XMOVE -H "DESTINATION: http://localhost/core/remote.php/dav/files/uu1/test2.txt" --data "doesnotmatter" http://localhost/core/remote.php/dav/files/uu1/test.txt
```
Expected behaviour
WebDAV DELETE, COPY or MOVE requests should not send a body in the request. If a body is sent, then the server is supposed to return HTTP status 415 (Unsupported Media Type): https://datatracker.ietf.org/doc/html/rfc4918#section-8.4
In oCIS: HTTP/1.1 415 Unsupported Media Type
Actual behaviour
In oC10: HTTP/1.1 403 Forbidden https://drone.owncloud.com/owncloud/core/36451/51/13#:~:text=Scenario%3A%20send%20MOVE%20requests%20to%20webDav%20endpoints%20with,470
Server configuration
Operating system: Ubuntu 20.04 LTS
Note: oCIS correctly returns status 415 for this case.
Someone needs to decide if oC10 should be adjusted to also return status 415 or keep the existing behavior, which ignores the content in the body, and does the MOVE, DELETE or COPY.
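
The check this issue asks for, sketched as an added example that is not part of the report and is not ownCloud or oCIS code: a guard that answers 415 when a MOVE, COPY or DELETE request carries a body. It assumes a Python WSGI stack for illustration (oC10 itself is PHP); `RejectUnexpectedBody`, `has_request_body` and `status_for` are hypothetical names, and the request environs in `status_for` calls are constructed.

```python
# Added example: WSGI guard for body-carrying MOVE/COPY/DELETE requests.
BODYLESS_METHODS = {"MOVE", "COPY", "DELETE"}  # methods named in this issue


def has_request_body(environ):
    """True when the request is framed with a body (RFC 7230 section 3.3)."""
    if environ.get("HTTP_TRANSFER_ENCODING", "").strip():
        return True  # any transfer coding (e.g. chunked) means a body follows
    raw = environ.get("CONTENT_LENGTH", "").strip()
    # "Content-Length: 0" is an empty body and is allowed through.
    return raw.isdigit() and int(raw) > 0


class RejectUnexpectedBody:
    """Return 415 before the wrapped app sees MOVE/COPY/DELETE with a body."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method in BODYLESS_METHODS and has_request_body(environ):
            msg = b"Request body not supported for this method\n"
            start_response("415 Unsupported Media Type",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(msg)))])
            return [msg]
        return self.app(environ, start_response)


def status_for(environ):
    """Run a constructed request through the guard; return the status line."""
    def backend(env, start_response):  # stand-in for the real DAV handler
        start_response("201 Created", [])
        return [b""]
    seen = []
    RejectUnexpectedBody(backend)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Because the guard runs before the handler, the MOVE is never performed when a body is present, which is the difference between returning 415 and silently ignoring the body.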