mirror of
https://github.com/9001/copyparty.git
synced 2025-11-05 06:02:48 -07:00
* return 403 instead of 404 in the following situations:
  * viewing an RSS feed without necessary auth
  * accessing a file with the wrong filekey
  * accessing a file/folder without necessary auth
    (would previously 404 for intentional ambiguity)
* only allow PROPFIND if user has either read or write;
  previously a blank response was returned if user has
  get-access, but this could confuse webdav clients into
  skipping authentication (for example AuthPass)
* return 401 basic-challenge instead of 403 if the client
  appears to be non-graphical, because many webdav clients
  do not provide the credentials until they're challenged.
  There is a heavy bias towards assuming the client is a
  browser, because browsers must NEVER EVER get a 401
  (tricky state that is near-impossible to deal with)
* return 401 basic-challenge instead of 403 if a PUT
  is attempted without any credentials included; this
  should be safe, as graphical browsers never do that

this fixes the interoperability issues mentioned in
https://github.com/authpass/authpass/issues/379
where AuthPass would GET files without providing the
password because it expected a 401 instead of a 403;
AuthPass is behaving correctly, this is not a bug

| Name | | |
|---|---|---|
| bos | ||
| res | ||
| stolen | ||
| web | ||
| __init__.py | ||
| __main__.py | ||
| __version__.py | ||
| authsrv.py | ||
| broker_mp.py | ||
| broker_mpw.py | ||
| broker_thr.py | ||
| broker_util.py | ||
| cert.py | ||
| cfg.py | ||
| dxml.py | ||
| fsutil.py | ||
| ftpd.py | ||
| httpcli.py | ||
| httpconn.py | ||
| httpsrv.py | ||
| ico.py | ||
| mdns.py | ||
| metrics.py | ||
| mtag.py | ||
| multicast.py | ||
| pwhash.py | ||
| smbd.py | ||
| ssdp.py | ||
| star.py | ||
| sutil.py | ||
| svchub.py | ||
| szip.py | ||
| tcpsrv.py | ||
| tftpd.py | ||
| th_cli.py | ||
| th_srv.py | ||
| u2idx.py | ||
| up2k.py | ||
| util.py | ||