Merge pull request #4461 from micbar/fix-cors

Fix cors
cs3org · Jan 22, 2024 · e8fc07f · e8fc07f
2 parents d79f163 + aa8328e
commit e8fc07f
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 10 deletions.
diff --git a/changelog/unreleased/fix-cors-handling.md b/changelog/unreleased/fix-cors-handling.md
@@ -0,0 +1,6 @@
+Bugfix: CORS handling for WebDAV requests fixed
+
+We now correctly handle CORS headers for WebDAV requests.
+
+https://github.com/cs3org/reva/pull/4461
+https://github.com/owncloud/ocis/issues/8231
diff --git a/go.mod b/go.mod
@@ -67,7 +67,7 @@ require (
 	github.com/prometheus/alertmanager v0.24.0
 	github.com/prometheus/client_golang v1.16.0
 	github.com/rogpeppe/go-internal v1.10.0
-	github.com/rs/cors v1.9.0
+	github.com/rs/cors v1.10.1
 	github.com/rs/zerolog v1.29.1
 	github.com/sethvargo/go-password v0.2.0
 	github.com/shamaton/msgpack/v2 v2.1.1

diff --git a/go.sum b/go.sum
@@ -1158,8 +1158,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/rs/cors v1.8.2/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
-github.com/rs/cors v1.9.0 h1:l9HGsTsHJcvW14Nk7J9KFz8bzeAWXn3CG6bgt7LsrAE=
-github.com/rs/cors v1.9.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
+github.com/rs/cors v1.10.1 h1:L0uuZVXIKlI1SShY2nhFfo44TYvDPQ1w4oFkUJNfhyo=
+github.com/rs/cors v1.10.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/xid v1.4.0 h1:qd7wPTDkN6KQx2VmMBLrpHkiyQwgFXRnkOLacUiaSNY=
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.29.1 h1:cO+d60CHkknCbvzEWxP0S9K6KqyTjrCNUy1LdQLCGPc=

diff --git a/internal/http/services/owncloud/ocdav/ocdav.go b/internal/http/services/owncloud/ocdav/ocdav.go
@@ -286,8 +286,6 @@ func (s *svc) ApplyLayout(ctx context.Context, ns string, useLoggedInUserNS bool
 
 func addAccessHeaders(w http.ResponseWriter, r *http.Request) {
 	headers := w.Header()
-	// the webdav api is accessible from anywhere
-	headers.Set("Access-Control-Allow-Origin", "*")
 	// all resources served via the DAV endpoint should have the strictest possible as default
 	headers.Set("Content-Security-Policy", "default-src 'none';")
 	// disable sniffing the content type for IE

diff --git a/internal/http/services/owncloud/ocdav/propfind/propfind.go b/internal/http/services/owncloud/ocdav/propfind/propfind.go
@@ -486,12 +486,16 @@ func (p *Handler) propfindResponse(ctx context.Context, w http.ResponseWriter, r
 	w.Header().Set(net.HeaderDav, "1, 3, extended-mkcol")
 	w.Header().Set(net.HeaderContentType, "application/xml; charset=utf-8")
 	if sendTusHeaders {
-		w.Header().Add(net.HeaderAccessControlExposeHeaders, strings.Join([]string{net.HeaderTusResumable, net.HeaderTusVersion, net.HeaderTusExtension}, ", "))
+		w.Header().Add(net.HeaderAccessControlExposeHeaders, net.HeaderTusResumable)
+		w.Header().Add(net.HeaderAccessControlExposeHeaders, net.HeaderTusVersion)
+		w.Header().Add(net.HeaderAccessControlExposeHeaders, net.HeaderTusExtension)
+		w.Header().Set(net.HeaderAccessControlExposeHeaders, strings.Join(w.Header().Values(net.HeaderAccessControlExposeHeaders), ", "))
 		w.Header().Set(net.HeaderTusResumable, "1.0.0")
 		w.Header().Set(net.HeaderTusVersion, "1.0.0")
-		w.Header().Set(net.HeaderTusExtension, "creation,creation-with-upload,checksum,expiration")
+		w.Header().Set(net.HeaderTusExtension, "creation, creation-with-upload, checksum, expiration")
 	}
-	w.Header().Set(net.HeaderVary, net.HeaderPrefer)
+	w.Header().Add(net.HeaderVary, net.HeaderPrefer)
+	w.Header().Set(net.HeaderVary, strings.Join(w.Header().Values(net.HeaderVary), ", "))
 	if returnMinimal {
 		w.Header().Set(net.HeaderPreferenceApplied, "return=minimal")
 	}

diff --git a/pkg/rhttp/datatx/utils/download/download.go b/pkg/rhttp/datatx/utils/download/download.go
@@ -159,6 +159,8 @@ func GetOrHeadFile(w http.ResponseWriter, r *http.Request, fs storage.FS, spaceI
 		w.Header().Set("Accept-Ranges", "bytes")
 	}
 
+	w.Header().Set(net.HeaderContentType, strings.Join([]string{md.MimeType, "charset=UTF-8"}, "; "))
+
 	if len(ranges) > 0 {
 		sublog.Debug().Int64("start", ranges[0].Start).Int64("length", ranges[0].Length).Msg("range request")
 		if s == nil {
@@ -200,7 +202,7 @@ func GetOrHeadFile(w http.ResponseWriter, r *http.Request, fs storage.FS, spaceI
 			defer pr.Close() // cause writing goroutine to fail and exit if CopyN doesn't finish.
 			go func() {
 				for _, ra := range ranges {
-					part, err := mw.CreatePart(ra.MimeHeader(md.MimeType, int64(md.Size)))
+					part, err := mw.CreatePart(ra.MimeHeader(md.MimeType+"; charset=UTF-8", int64(md.Size)))
 					if err != nil {
 						_ = pw.CloseWithError(err) // CloseWithError always returns nil
 						return
@@ -224,7 +226,6 @@ func GetOrHeadFile(w http.ResponseWriter, r *http.Request, fs storage.FS, spaceI
 		w.Header().Set(net.HeaderContentLength, strconv.FormatInt(sendSize, 10))
 	}
 
-	w.Header().Set(net.HeaderContentType, md.MimeType)
 	w.Header().Set(net.HeaderContentDisposistion, net.ContentDispositionAttachment(path.Base(md.Path)))
 	w.Header().Set(net.HeaderETag, md.Etag)
 	w.Header().Set(net.HeaderOCFileID, storagespace.FormatResourceID(*md.Id))