Skip to content

Fix: missing early fail for basic auth without credentials#60029

Open
icarta-l wants to merge 1 commit into
nextcloud:masterfrom
icarta-l:fix/missing-early-fail-for-basic-auth-without-credentials
Open

Fix: missing early fail for basic auth without credentials#60029
icarta-l wants to merge 1 commit into
nextcloud:masterfrom
icarta-l:fix/missing-early-fail-for-basic-auth-without-credentials

Conversation

@icarta-l
Copy link
Copy Markdown

@icarta-l icarta-l commented May 2, 2026
edited
Loading

Fixes #59849

Make "validateUserPass" method of OCA\DAV\Connector\Sabre\Auth class return false if empty username and password have been passed to it

Summary

TODO

  • ...

Checklist

AI (if applicable)

  • The content of this PR was partly or fully generated using AI

@icarta-l icarta-l requested a review from a team as a code owner May 2, 2026 03:22
@icarta-l icarta-l requested review from CarlSchwan, icewind1991, leftybournes and salmart-dev and removed request for a team May 2, 2026 03:22
provokateurin
provokateurin requested changes May 11, 2026
View reviewed changes
Comment thread apps/dav/lib/Connector/Sabre/Auth.php Outdated
$this->session->close();
return true;
} else {
if (empty($username) && empty($password)) {
Copy link
Copy Markdown
Member

@provokateurin provokateurin May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (empty($username) && empty($password)) {
if ($username === '' && $password === '') {

Also this should probably be a ||?

Copy link
Copy Markdown
Author

@icarta-l icarta-l May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the review and suggestion.

I have just forced push the branch to include your suggestions after rebasing it with the master branch.

I do agree with the || instead of &&. I used the && because it was a request from the author of the issue this pull request is trying to resolve but the || makes sense to me.

One question: why do you check for empty strings instead of using the empty() function?

Copy link
Copy Markdown
Member

@provokateurin provokateurin May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The empty does a lot of things and can cause unexpected results. Generally it is better to always be as explicit as possible about what you want to check, to avoid any ambiguities.

@icarta-l icarta-l force-pushed the fix/missing-early-fail-for-basic-auth-without-credentials branch from 35c25c9 to 96e8877 Compare May 11, 2026 15:55
@icarta-l icarta-l requested a review from provokateurin May 11, 2026 16:08
provokateurin
provokateurin reviewed May 12, 2026
View reviewed changes
Comment thread apps/dav/lib/Connector/Sabre/Auth.php Outdated
private Manager $twoFactorManager,
private IThrottler $throttler,
string $principalPrefix = 'principals/users/',
string $principalPrefix = 'principals/users/'
Copy link
Copy Markdown
Member

@provokateurin provokateurin May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove the unrelated change.

Copy link
Copy Markdown
Author

@icarta-l icarta-l May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be removed now

@icarta-l icarta-l force-pushed the fix/missing-early-fail-for-basic-auth-without-credentials branch from 96e8877 to 6790acd Compare May 12, 2026 14:32
@icarta-l
Fix: missing early fail for basic auth without credentials
cedeeed 
Make "validateUserPass" method of OCA\DAV\Connector\Sabre\Auth
class return false after checking if user is logged in if
empty username or password have been passed to it

Fixes nextcloud#59849

Signed-off-by: Idan <cartaidan@gmail.com>
@icarta-l icarta-l force-pushed the fix/missing-early-fail-for-basic-auth-without-credentials branch from 6790acd to cedeeed Compare May 12, 2026 14:37
@icarta-l icarta-l requested a review from provokateurin May 12, 2026 14:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@icewind1991 icewind1991 Awaiting requested review from icewind1991 icewind1991 is a code owner automatically assigned from nextcloud/server-backend

@salmart-dev salmart-dev Awaiting requested review from salmart-dev salmart-dev is a code owner automatically assigned from nextcloud/server-backend

@leftybournes leftybournes Awaiting requested review from leftybournes leftybournes is a code owner automatically assigned from nextcloud/server-backend

@CarlSchwan CarlSchwan Awaiting requested review from CarlSchwan CarlSchwan is a code owner automatically assigned from nextcloud/server-backend

@provokateurin provokateurin Awaiting requested review from provokateurin

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

DAV Basic Auth: empty username/password reaches getByEmail and scans oc_preferences (heavy on NC 31/32)

2 participants

@icarta-l @provokateurin