nextcloud_server/remote.php

<?php

/**
 * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
 * SPDX-License-Identifier: AGPL-3.0-only
 */
require_once __DIR__ . '/lib/versioncheck.php';

use OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin;
use OCP\App\IAppManager;
use OCP\IRequest;
use OCP\Template\ITemplateManager;
use Psr\Log\LoggerInterface;
use Sabre\DAV\Exception\ServiceUnavailable;
use Sabre\DAV\Server;

/**
 * Class RemoteException
 * Dummy exception class to be use locally to identify certain conditions
 * Will not be logged to avoid DoS
 */
class RemoteException extends \Exception {
}

function handleException(Exception|Error $e): void {
	try {
		$request = \OCP\Server::get(IRequest::class);
		// in case the request content type is text/xml - we assume it's a WebDAV request
		$isXmlContentType = strpos($request->getHeader('Content-Type'), 'text/xml');
		if ($isXmlContentType === 0) {
			// fire up a simple server to properly process the exception
			$server = new Server();
			if (!($e instanceof RemoteException)) {
				// we shall not log on RemoteException
				$server->addPlugin(new ExceptionLoggerPlugin('webdav', \OCP\Server::get(LoggerInterface::class)));
			}
			$server->on('beforeMethod:*', function () use ($e) {
				if ($e instanceof RemoteException) {
					switch ($e->getCode()) {
						case 503:
							throw new ServiceUnavailable($e->getMessage());
						case 404:
							throw new \Sabre\DAV\Exception\NotFound($e->getMessage());
					}
				}
				$class = get_class($e);
				$msg = $e->getMessage();
				throw new ServiceUnavailable("$class: $msg");
			});
			$server->exec();
		} else {
			$statusCode = 500;
			if ($e instanceof \OC\ServiceUnavailableException) {
				$statusCode = 503;
			}
			if ($e instanceof RemoteException) {
				// we shall not log on RemoteException
				\OCP\Server::get(ITemplateManager::class)->printErrorPage($e->getMessage(), '', $e->getCode());
			} else {
				\OCP\Server::get(LoggerInterface::class)->error($e->getMessage(), ['app' => 'remote','exception' => $e]);
				\OCP\Server::get(ITemplateManager::class)->printExceptionErrorPage($e, $statusCode);
			}
		}
	} catch (\Exception $e) {
		\OCP\Server::get(ITemplateManager::class)->printExceptionErrorPage($e, 500);
	}
}

/**
 * @param string $service
 * @return string
 */
function resolveService($service) {
	$services = [
		'webdav' => 'dav/appinfo/v1/webdav.php',
		'dav' => 'dav/appinfo/v2/remote.php',
		'caldav' => 'dav/appinfo/v1/caldav.php',
		'calendar' => 'dav/appinfo/v1/caldav.php',
		'carddav' => 'dav/appinfo/v1/carddav.php',
		'contacts' => 'dav/appinfo/v1/carddav.php',
		'files' => 'dav/appinfo/v1/webdav.php',
		'direct' => 'dav/appinfo/v2/direct.php',
	];
	if (isset($services[$service])) {
		return $services[$service];
	}

	return \OC::$server->getConfig()->getAppValue('core', 'remote_' . $service);
}

try {
	require_once __DIR__ . '/lib/base.php';

	// All resources served via the DAV endpoint should have the strictest possible
	// policy. Exempted from this is the SabreDAV browser plugin which overwrites
	// this policy with a softer one if debug mode is enabled.
	header("Content-Security-Policy: default-src 'none';");

	if (\OCP\Util::needUpgrade()) {
		// since the behavior of apps or remotes are unpredictable during
		// an upgrade, return a 503 directly
		throw new RemoteException('Service unavailable', 503);
	}

	$request = \OC::$server->getRequest();
	$pathInfo = $request->getPathInfo();
	if ($pathInfo === false || $pathInfo === '') {
		throw new RemoteException('Path not found', 404);
	}
	if (!$pos = strpos($pathInfo, '/', 1)) {
		$pos = strlen($pathInfo);
	}
	$service = substr($pathInfo, 1, $pos - 1);

	$file = resolveService($service);

	if (is_null($file)) {
		throw new RemoteException('Path not found', 404);
	}

	$file = ltrim($file, '/');

	$parts = explode('/', $file, 2);
	$app = $parts[0];

	// Load all required applications
	\OC::$REQUESTEDAPP = $app;
	$appManager = \OCP\Server::get(IAppManager::class);
	$appManager->loadApps(['authentication']);
	$appManager->loadApps(['extended_authentication']);
	$appManager->loadApps(['filesystem', 'logging']);

	switch ($app) {
		case 'core':
			$file = OC::$SERVERROOT . '/' . $file;
			break;
		default:
			if (!$appManager->isEnabledForUser($app)) {
				throw new RemoteException('App not installed: ' . $app);
			}
			$appManager->loadApp($app);
			$file = $appManager->getAppPath($app) . '/' . ($parts[1] ?? '');
			break;
	}
	$baseuri = OC::$WEBROOT . '/remote.php/' . $service . '/';
	require_once $file;
} catch (Exception $ex) {
	handleException($ex);
} catch (Error $e) {
	handleException($e);
}
push changes 2012-05-05 20:54:14 +00:00			`<?php`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-24 17:43:47 +00:00
Update license headers 2015-03-26 10:44:34 +00:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-24 17:43:47 +00:00			`* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-FileCopyrightText: 2016 ownCloud, Inc.`
			`* SPDX-License-Identifier: AGPL-3.0-only`
Update license headers 2015-03-26 10:44:34 +00:00			`*/`
Nextcloud 13 is not compatible with newer than php 7.2 Just to avoid users from trying this with a to new (untested) php version * Moved the check logic to 1 place * All directly callable scripts just require this on top * exit hard (-1) so we know scripts won't continue * Return status 500 so no sync clients will try fancy stuff Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2017-10-13 19:30:29 +00:00			`require_once __DIR__ . '/lib/versioncheck.php';`

Consolidate webdav code - move all to one app 2015-08-30 17:13:01 +00:00			`use OCA\DAV\Connector\Sabre\ExceptionLoggerPlugin;`
chore: Migrate cleanAppId and getAppPath calls to IAppManager from OC_App Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2024-09-12 14:17:19 +00:00			`use OCP\App\IAppManager;`
fix: Replace all usage of OC_Template by the new API Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-27 10:59:44 +00:00			`use OCP\IRequest;`
			`use OCP\Template\ITemplateManager;`
Add missing use for LoggerInterface Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2022-03-31 14:25:31 +00:00			`use Psr\Log\LoggerInterface;`
Adding request specific exception handling - now with WebDAV responses - refs #17192 2015-06-29 13:47:05 +00:00			`use Sabre\DAV\Exception\ServiceUnavailable;`
			`use Sabre\DAV\Server;`

Fixing content type detection and handle all local printErrorPage calls 2015-06-29 20:08:34 +00:00			`/**`
			`* Class RemoteException`
			`* Dummy exception class to be use locally to identify certain conditions`
Avoid logging normal exceptions in remote.php When the instance needs an upgrade, or a file is not found, no logging will occur to avoid filling up log files 2015-08-18 13:02:30 +00:00			`* Will not be logged to avoid DoS`
Fixing content type detection and handle all local printErrorPage calls 2015-06-29 20:08:34 +00:00			`*/`
fix(dav): drop unwanted RemoteException class Signed-off-by: skjnldsv <skjnldsv@protonmail.com> 2024-07-16 06:29:44 +00:00			`class RemoteException extends \Exception {`
Fixing content type detection and handle all local printErrorPage calls 2015-06-29 20:08:34 +00:00			`}`

chore: Migrate cleanAppId and getAppPath calls to IAppManager from OC_App Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2024-09-12 14:17:19 +00:00			`function handleException(Exception\|Error $e): void {`
return proper error code when reporting exception fails in remote.php Signed-off-by: Robin Appelman <robin@icewind.nl> 2022-10-05 10:39:00 +00:00			`try {`
fix: Replace all usage of OC_Template by the new API Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-27 10:59:44 +00:00			`$request = \OCP\Server::get(IRequest::class);`
return proper error code when reporting exception fails in remote.php Signed-off-by: Robin Appelman <robin@icewind.nl> 2022-10-05 10:39:00 +00:00			`// in case the request content type is text/xml - we assume it's a WebDAV request`
			`$isXmlContentType = strpos($request->getHeader('Content-Type'), 'text/xml');`
			`if ($isXmlContentType === 0) {`
			`// fire up a simple server to properly process the exception`
			`$server = new Server();`
			`if (!($e instanceof RemoteException)) {`
			`// we shall not log on RemoteException`
fix: Replace all usage of OC_Template by the new API Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-27 10:59:44 +00:00			`$server->addPlugin(new ExceptionLoggerPlugin('webdav', \OCP\Server::get(LoggerInterface::class)));`
Fixing content type detection and handle all local printErrorPage calls 2015-06-29 20:08:34 +00:00			`}`
return proper error code when reporting exception fails in remote.php Signed-off-by: Robin Appelman <robin@icewind.nl> 2022-10-05 10:39:00 +00:00			`$server->on('beforeMethod:*', function () use ($e) {`
			`if ($e instanceof RemoteException) {`
			`switch ($e->getCode()) {`
			`case 503:`
			`throw new ServiceUnavailable($e->getMessage());`
			`case 404:`
			`throw new \Sabre\DAV\Exception\NotFound($e->getMessage());`
			`}`
			`}`
			`$class = get_class($e);`
			`$msg = $e->getMessage();`
			`throw new ServiceUnavailable("$class: $msg");`
			`});`
			`$server->exec();`
Fixing content type detection and handle all local printErrorPage calls 2015-06-29 20:08:34 +00:00			`} else {`
return proper error code when reporting exception fails in remote.php Signed-off-by: Robin Appelman <robin@icewind.nl> 2022-10-05 10:39:00 +00:00			`$statusCode = 500;`
			`if ($e instanceof \OC\ServiceUnavailableException) {`
			`$statusCode = 503;`
			`}`
			`if ($e instanceof RemoteException) {`
			`// we shall not log on RemoteException`
fix: Replace all usage of OC_Template by the new API Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-27 10:59:44 +00:00			`\OCP\Server::get(ITemplateManager::class)->printErrorPage($e->getMessage(), '', $e->getCode());`
return proper error code when reporting exception fails in remote.php Signed-off-by: Robin Appelman <robin@icewind.nl> 2022-10-05 10:39:00 +00:00			`} else {`
fix: Replace all usage of OC_Template by the new API Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-27 10:59:44 +00:00			`\OCP\Server::get(LoggerInterface::class)->error($e->getMessage(), ['app' => 'remote','exception' => $e]);`
			`\OCP\Server::get(ITemplateManager::class)->printExceptionErrorPage($e, $statusCode);`
return proper error code when reporting exception fails in remote.php Signed-off-by: Robin Appelman <robin@icewind.nl> 2022-10-05 10:39:00 +00:00			`}`
Fixing content type detection and handle all local printErrorPage calls 2015-06-29 20:08:34 +00:00			`}`
return proper error code when reporting exception fails in remote.php Signed-off-by: Robin Appelman <robin@icewind.nl> 2022-10-05 10:39:00 +00:00			`} catch (\Exception $e) {`
fix: Replace all usage of OC_Template by the new API Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-27 10:59:44 +00:00			`\OCP\Server::get(ITemplateManager::class)->printExceptionErrorPage($e, 500);`
Adding request specific exception handling - now with WebDAV responses - refs #17192 2015-06-29 13:47:05 +00:00			`}`
			`}`

All webdav endpoints within remote.php are now hardcoded - helps to prevent migration issues like #23610 - furthermore there is no need to dynamically lookup all the endpoints we already know 2016-04-05 07:59:43 +00:00			`/**`
fix: Replace all usage of OC_Template by the new API Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-27 10:59:44 +00:00			`* @param string $service`
All webdav endpoints within remote.php are now hardcoded - helps to prevent migration issues like #23610 - furthermore there is no need to dynamically lookup all the endpoints we already know 2016-04-05 07:59:43 +00:00			`* @return string`
			`*/`
			`function resolveService($service) {`
			`$services = [`
			`'webdav' => 'dav/appinfo/v1/webdav.php',`
			`'dav' => 'dav/appinfo/v2/remote.php',`
			`'caldav' => 'dav/appinfo/v1/caldav.php',`
			`'calendar' => 'dav/appinfo/v1/caldav.php',`
			`'carddav' => 'dav/appinfo/v1/carddav.php',`
			`'contacts' => 'dav/appinfo/v1/carddav.php',`
			`'files' => 'dav/appinfo/v1/webdav.php',`
First step of DAV endpoint Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-04-13 12:04:41 +00:00			`'direct' => 'dav/appinfo/v2/direct.php',`
All webdav endpoints within remote.php are now hardcoded - helps to prevent migration issues like #23610 - furthermore there is no need to dynamically lookup all the endpoints we already know 2016-04-05 07:59:43 +00:00			`];`
			`if (isset($services[$service])) {`
			`return $services[$service];`
			`}`

			`return \OC::$server->getConfig()->getAppValue('core', 'remote_' . $service);`
			`}`

clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 11:45:19 +00:00			`try {`
Allow to call the files even when you are in another instance atm Signed-off-by: Joas Schilling <coding@schilljs.com> 2016-10-06 10:13:02 +00:00			`require_once __DIR__ . '/lib/base.php';`
Prevent loading apps in remote when an upgrade is due 2014-06-25 16:17:17 +00:00
Employ a stricter Content Security Policy on remote.php Items sent by remote.php have not to be interpreted by browsers in any way. 2016-04-12 11:30:37 +00:00			`// All resources served via the DAV endpoint should have the strictest possible`
			`// policy. Exempted from this is the SabreDAV browser plugin which overwrites`
			`// this policy with a softer one if debug mode is enabled.`
			`header("Content-Security-Policy: default-src 'none';");`

Prevent loading apps in remote when an upgrade is due 2014-06-25 16:17:17 +00:00			`if (\OCP\Util::needUpgrade()) {`
			`// since the behavior of apps or remotes are unpredictable during`
			`// an upgrade, return a 503 directly`
Do not use HTTP code OC_Response constants anymore Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-06-26 10:15:09 +00:00			`throw new RemoteException('Service unavailable', 503);`
Prevent loading apps in remote when an upgrade is due 2014-06-25 16:17:17 +00:00			`}`

Refactor OC_Request into TrustedDomainHelper and IRequest This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed. This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions. Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though. Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969 2015-02-10 12:02:48 +00:00			`$request = \OC::$server->getRequest();`
			`$pathInfo = $request->getPathInfo();`
			`if ($pathInfo === false \|\| $pathInfo === '') {`
Do not use HTTP code OC_Response constants anymore Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-06-26 10:15:09 +00:00			`throw new RemoteException('Path not found', 404);`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 11:45:19 +00:00			`}`
Refactor OC_Request into TrustedDomainHelper and IRequest This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed. This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions. Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though. Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969 2015-02-10 12:02:48 +00:00			`if (!$pos = strpos($pathInfo, '/', 1)) {`
			`$pos = strlen($pathInfo);`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 11:45:19 +00:00			`}`
Format code to a single space around binary operators Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-10-05 13:12:57 +00:00			`$service = substr($pathInfo, 1, $pos - 1);`
Try to fix the remote pbm. fix oc-1090 2012-06-24 08:06:42 +00:00
All webdav endpoints within remote.php are now hardcoded - helps to prevent migration issues like #23610 - furthermore there is no need to dynamically lookup all the endpoints we already know 2016-04-05 07:59:43 +00:00			`$file = resolveService($service);`
fix minified js and css 2012-07-13 22:10:17 +00:00
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 11:45:19 +00:00			`if (is_null($file)) {`
Do not use HTTP code OC_Response constants anymore Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-06-26 10:15:09 +00:00			`throw new RemoteException('Path not found', 404);`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 11:45:19 +00:00			`}`

Format code to a single space around binary operators Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-10-05 13:12:57 +00:00			`$file = ltrim($file, '/');`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 11:45:19 +00:00
Format code to a single space around binary operators Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-10-05 13:12:57 +00:00			`$parts = explode('/', $file, 2);`
			`$app = $parts[0];`
Remove legacy routing code The getfile routing code was absolutely legacy and not needed anymore. Additionally \OC::$REQUESTEDAPP was never set to the actually accessed application. This commit removes the legacy routing code and ensures that $REQUESTEDAPP is always set so that other applications (e.g. the firewall or a two-factor authentication) can intercept the currently accessed app. Testplan: [x] Installation works [x] Login with DB works [x] Logout works [x] Login with alternate backend works (tested with user_webdavauth) [x] Other apps are accessible [x] Redirect on login works (e.g. index.php?redirect_url=%2Fcore%2Findex.php%2Fsettings%2Fapps%3Finstalled) [x] Personal settings are accessible [x] Admin settings are accessible [x] Sharing files works [x] DAV works [x] OC::$REQUESTEDAPP contains the requested application and can be intercepted by other applications 2014-05-10 12:00:22 +00:00
			`// Load all required applications`
			`\OC::$REQUESTEDAPP = $app;`
chore: Migrate cleanAppId and getAppPath calls to IAppManager from OC_App Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2024-09-12 14:17:19 +00:00			`$appManager = \OCP\Server::get(IAppManager::class);`
			`$appManager->loadApps(['authentication']);`
			`$appManager->loadApps(['extended_authentication']);`
			`$appManager->loadApps(['filesystem', 'logging']);`
Remove legacy routing code The getfile routing code was absolutely legacy and not needed anymore. Additionally \OC::$REQUESTEDAPP was never set to the actually accessed application. This commit removes the legacy routing code and ensures that $REQUESTEDAPP is always set so that other applications (e.g. the firewall or a two-factor authentication) can intercept the currently accessed app. Testplan: [x] Installation works [x] Login with DB works [x] Logout works [x] Login with alternate backend works (tested with user_webdavauth) [x] Other apps are accessible [x] Redirect on login works (e.g. index.php?redirect_url=%2Fcore%2Findex.php%2Fsettings%2Fapps%3Finstalled) [x] Personal settings are accessible [x] Admin settings are accessible [x] Sharing files works [x] DAV works [x] OC::$REQUESTEDAPP contains the requested application and can be intercepted by other applications 2014-05-10 12:00:22 +00:00
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 11:45:19 +00:00			`switch ($app) {`
			`case 'core':`
Format code to a single space around binary operators Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-10-05 13:12:57 +00:00			`$file = OC::$SERVERROOT . '/' . $file;`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 11:45:19 +00:00			`break;`
			`default:`
fix: Replace isInstalled calls with isEnabledForAnyone or isEnabledForUser Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2025-02-10 10:25:50 +00:00			`if (!$appManager->isEnabledForUser($app)) {`
Avoid logging normal exceptions in remote.php When the instance needs an upgrade, or a file is not found, no logging will occur to avoid filling up log files 2015-08-18 13:02:30 +00:00			`throw new RemoteException('App not installed: ' . $app);`
Add sabredav plugin to check if a user has access to an app 2014-09-04 13:23:55 +00:00			`}`
chore: Migrate cleanAppId and getAppPath calls to IAppManager from OC_App Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2024-09-12 14:17:19 +00:00			`$appManager->loadApp($app);`
			`$file = $appManager->getAppPath($app) . '/' . ($parts[1] ?? '');`
clean up usage of DatabaseSetupException and catch Exceptions in entrypoints 2013-06-10 11:45:19 +00:00			`break;`
			`}`
			`$baseuri = OC::$WEBROOT . '/remote.php/' . $service . '/';`
			`require_once $file;`
			`} catch (Exception $ex) {`
Adding request specific exception handling - now with WebDAV responses - refs #17192 2015-06-29 13:47:05 +00:00			`handleException($ex);`
Catch class Error on all root entrypoints 2016-04-20 16:01:47 +00:00			`} catch (Error $e) {`
Fix undefined variable $ex 2016-05-02 11:10:03 +00:00			`handleException($e);`
Add _many_ newlines at the end of files 2013-08-18 09:02:08 +00:00			`}`
No results found.