mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2025-08-17 09:02:15 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

WebDAV: adjust 401-mask for GETs (#136)

Browse source 
some clients, including KDE Dolphin (kioworker/6.10) keeps
sending requests without the basic-auth header, expecting
the server to respond with a 401 before it does

most clients only do this for the initial request, which is
usually a PROPFIND, which makes this nice and simple -- but
turns out we need to consider this for GET as well...

this is tricky because a graphical webbrowser must never
receive a 401 lest it becomes near-impossible to deauth,
and that's exactly what Dolphin pretends to be in its UA

man ( ´_ゝ`)

note: `KIO/` hits konqueror so don't
This commit is contained in:
ed 2025-02-11 23:32:44 +00:00
parent 62ee7f6980
commit 9d76902710
3 changed files with 8 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
copyparty/__main__.py
View file

@ -1183,6 +1183,7 @@ def add_webdav(ap):
ap2.add_argument("--dav-mac", action="store_true", help="disable apple-garbage filter -- allow macos to create junk files (._* and .DS_Store, .Spotlight-*, .fseventsd, .Trashes, .AppleDouble, __MACOS)") ap2.add_argument("--dav-mac", action="store_true", help="disable apple-garbage filter -- allow macos to create junk files (._* and .DS_Store, .Spotlight-*, .fseventsd, .Trashes, .AppleDouble, __MACOS)")
ap2.add_argument("--dav-rt", action="store_true", help="show symlink-destination's lastmodified instead of the link itself; always enabled for recursive listings (volflag=davrt)") ap2.add_argument("--dav-rt", action="store_true", help="show symlink-destination's lastmodified instead of the link itself; always enabled for recursive listings (volflag=davrt)")
ap2.add_argument("--dav-auth", action="store_true", help="force auth for all folders (required by davfs2 when only some folders are world-readable) (volflag=davauth)") ap2.add_argument("--dav-auth", action="store_true", help="force auth for all folders (required by davfs2 when only some folders are world-readable) (volflag=davauth)")
ap2.add_argument("--dav-ua1", metavar="PTN", type=u, default=r" kioworker/", help="regex of tricky user-agents which expect 401 from GET requests; disable with [\033[32mno\033[0m] or blank")
def add_tftp(ap): def add_tftp(ap):

9
copyparty/httpcli.py
View file

@ -1794,7 +1794,7 @@ class HttpCli(object):
def handle_cpmv(self) -> bool: def handle_cpmv(self) -> bool:
dst = self.headers["destination"] dst = self.headers["destination"]
# dolphin (KIO/6.10) "webdav://127.0.0.1:3923/a/b.txt" # dolphin (kioworker/6.10) "webdav://127.0.0.1:3923/a/b.txt"
dst = re.sub("^[a-zA-Z]+://[^/]+", "", dst).lstrip() dst = re.sub("^[a-zA-Z]+://[^/]+", "", dst).lstrip()
if self.is_vproxied and dst.startswith(self.args.SRS): if self.is_vproxied and dst.startswith(self.args.SRS):
@ -4836,9 +4836,12 @@ class HttpCli(object):
# that the client is not a graphical browser # that the client is not a graphical browser
if ( if (
rc == 403 rc == 403
and not self.pw and self.uname == "*"
and not self.ua.startswith("Mozilla/")
and "sec-fetch-site" not in self.headers and "sec-fetch-site" not in self.headers
and (
not self.ua.startswith("Mozilla/")
or (self.args.dav_ua1 and self.args.dav_ua1.search(self.ua))
)
): ):
rc = 401 rc = 401
self.out_headers["WWW-Authenticate"] = 'Basic realm="a"' self.out_headers["WWW-Authenticate"] = 'Basic realm="a"'

2
copyparty/svchub.py
View file

@ -769,7 +769,7 @@ class SvcHub(object):
vs = os.path.expandvars(os.path.expanduser(vs)) vs = os.path.expandvars(os.path.expanduser(vs))
setattr(al, k, vs) setattr(al, k, vs)
for k in "sus_urls nonsus_urls".split(" "): for k in "dav_ua1 sus_urls nonsus_urls".split(" "):
vs = getattr(al, k) vs = getattr(al, k)
if not vs or vs == "no": if not vs or vs == "no":
setattr(al, k, None) setattr(al, k, None)