
Bad 301 redirect without fastmailsharing #5035

Open
dilyanpalauzov opened this issue Sep 13, 2024 · 3 comments

Comments

@dilyanpalauzov
Contributor

http_dav.c:calcarddav_parse_path() does:

/* Check for FastMail legacy sharing URLs and redirect */
if (httpd_userid && !config_getswitch(IMAPOPT_FASTMAILSHARING) &&
    tgt->flags != TGT_DAV_SHARED &&
    !mboxname_userownsmailbox(httpd_userid, mboxname)) {
    /* Any authenticated non-owner (including an admin) ends up here and is
     * sent to <prefix>/user/<httpd_userid>/<owner>.<collection> */
    buf_reset(&redirect_buf);
    buf_printf(&redirect_buf, "%s/%s/%s/%s%c%s",
             tgt->namespace->prefix, USER_COLLECTION_PREFIX,
             httpd_userid, tgt->userid, SHARED_COLLECTION_DELIM,
             tgt->collection);   /* tgt->collection may be NULL here */
    *resultstr = buf_cstring(&redirect_buf);
    ret = HTTP_MOVED;
    goto done;
}

When user a is an administrator, calling

curl -v -HDepth:0 -XPROPFIND -H"content-type:application/xml" -ua:a http://127.0.0.3/dav/calendars/user/test/Default/

sets the above *resultstr = "/dav/calendars/user/a/test.Default/" and does

HTTP/1.1 301 Moved Permanently
Location: /dav/calendars/user/a/test.Default/

likewise

$ curl -v -HDepth:0 -XPROPFIND -H"content-type:application/xml" -ua:a http://127.0.0.3/dav/calendars/user/test/

sets *resultstr = "/dav/calendars/user/a/test.(null)" and the result is:

HTTP/1.1 301 Moved Permanently
Location: /dav/calendars/user/a/test.(null)

The URLs are invalid: /dav/calendars/user/a does not exist.
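The path construction from the snippet, rebuilt as a stand-alone example (added here, not Cyrus code) so that the two reported Location values can be reproduced: the prefix "user" and the '.' delimiter are assumed from the observed output, mailbox ownership is passed in as a flag, and a missing collection makes the builder return NULL instead of formatting it into the redirect.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants as they appear in the reported Location headers (assumed). */
#define USER_COLLECTION_PREFIX "user"
#define SHARED_COLLECTION_DELIM '.'

/* Rebuild the legacy FastMail sharing redirect target the snippet computes:
 *   <prefix>/user/<authenticated user>/<owner>.<collection>
 * Inputs are already-parsed path components (constructed for this example).
 * Returns a malloc'd string, or NULL when no collection was parsed, so a
 * caller can answer with an error instead of a Location ending in "(null)". */
char *legacy_sharing_redirect(const char *prefix, const char *auth_user,
                              const char *owner, const char *collection)
{
    if (!prefix || !auth_user || !owner || !collection) return NULL;
    size_t n = strlen(prefix) + 1 + strlen(USER_COLLECTION_PREFIX) + 1 +
               strlen(auth_user) + 1 + strlen(owner) + 1 +
               strlen(collection) + 1;
    char *out = malloc(n);
    if (!out) return NULL;
    snprintf(out, n, "%s/%s/%s/%s%c%s", prefix, USER_COLLECTION_PREFIX,
             auth_user, owner, SHARED_COLLECTION_DELIM, collection);
    return out;
}

/* The condition from the snippet, with ownership supplied by the caller.
 * Returns 1 when a 301 would be issued; an admin who does not own the
 * mailbox satisfies it exactly like any other non-owner. */
int would_redirect(int fastmailsharing, int target_is_shared, int user_owns_mailbox)
{
    return !fastmailsharing && !target_is_shared && !user_owns_mailbox;
}

int main(void)
{
    /* First request from the report: admin "a" on user "test", collection "Default/". */
    char *loc = legacy_sharing_redirect("/dav/calendars", "a", "test", "Default/");
    printf("Location: %s\n", loc ? loc : "(no redirect)");
    free(loc);
    /* Second request: no collection parsed, so refuse rather than emit "(null)". */
    loc = legacy_sharing_redirect("/dav/calendars", "a", "test", NULL);
    printf("Location: %s\n", loc ? loc : "(no redirect)");
    free(loc);
    return 0;
}
```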

@dilyanpalauzov
Contributor Author

This is actually very similar to #3205, but it prevents implementing #3403 - when the administrator does PROPPATCH it wants to change the properties, as if they were modified by the owner (not masked for the authenticated user). But it cannot, because the administrator is redirected to an invalid URL.

@ksmurchison
Contributor

So, Cyrus allows HTTP proxy authentication for admins by using the Cyrus-specific Authorize-As header in the request. However, it's currently only allowed when talking to backend servers in a murder. I think proxy auth (like we have for IMAP) is a better way to go rather than just assuming that an admin wants to operate as the owner of a resource. This would also work for both DAV and JMAP without changing any other code.

@brong @rsto Any thoughts on allowing proxy auth (admins only) to standalone servers?

@dilyanpalauzov
Contributor Author

I do not understand why the snippet above is necessary — there should be no redirect and that’s it. When does this redirect make sense?

dilyanpalauzov added a commit to dilyanpalauzov/cyrus-imapd that referenced this issue Sep 24, 2024