Comments (4)
Had a quick look. I think the behaviour could be because the webdav handler only restricts file access to the root path (C:\WWW in this case). So to get what you want I think you could do:
```
handle /files/* {
    basicauth bcrypt webdav {
        libla JDJhJDEwJEVCNmdaNEg2Ti5iejRMYkF3MFZhZ3VtV3E1SzBWZEZ5Q3VWc0tzOEJwZE9TaFlZdEVkZDhX
    }
    webdav {
        root C:\WWW\files
        prefix /files
    }
}
```
Not sure how feasible it is to make the webdav handler aware of the path matching and restrict? I guess this is more or less the same issue why the prefix directive exists.
Maybe there should at least be some security documentation describing it as a risky misconfiguration?
from caddy-webdav.
Thanks for opening an issue! We'll look into this.
It's not immediately clear to me what is going on, so I'll need your help to understand it better.
Ideally, we need to be able to reproduce the bug in the most minimal way possible. This allows us to write regression tests to verify the fix is working. If we can't reproduce it, then you'll have to test our changes for us until it's fixed -- and then we can't add test cases, either.
I've attached a template below that will help make this easier and faster! This will require some effort on your part -- please understand that we will be dedicating time to fix the bug you are reporting if you can just help us understand it and reproduce it easily.
This template will ask for some information you've already provided; that's OK, just fill it out the best you can. I've also included some helpful tips below the template. Feel free to let me know if you have any questions!
Thank you again for your report, we look forward to resolving it!
Template
## 1. Environment
### 1a. Operating system and version
```
paste here
```
### 1b. Caddy version (run `caddy version` or paste commit SHA)
```
paste here
```
### 1c. Go version (if building Caddy from source; run `go version`)
```
paste here
```
## 2. Description
### 2a. What happens (briefly explain what is wrong)
### 2b. Why it's a bug (if it's not obvious)
### 2c. Log output
```
paste terminal output or logs here
```
### 2d. Workaround(s)
### 2e. Relevant links
## 3. Tutorial (minimal steps to reproduce the bug)
Instructions -- please heed otherwise we cannot help you (help us help you!)
- Environment: Please fill out your OS and Caddy versions, even if you don't think they are relevant. (They are always relevant.) If you built Caddy from source, provide the commit SHA and specify your exact Go version.
- Description: Describe at a high level what the bug is. What happens? Why is it a bug? Not all bugs are obvious, so convince readers that it's actually a bug.
  - 2c) Log output: Paste terminal output and/or complete logs in a code block. DO NOT REDACT INFORMATION except for credentials.
  - 2d) Workaround: What are you doing to work around the problem in the meantime? This can help others who encounter the same problem, until we implement a fix.
  - 2e) Relevant links: Please link to any related issues, pull requests, docs, and/or discussion. This can add crucial context to your report.
- Tutorial: What are the minimum required specific steps someone needs to take in order to experience the same bug? Your goal here is to make sure that anyone else can have the same experience with the bug as you do. You are writing a tutorial, so make sure to carry it out yourself before posting it. Please:
  - Start with an empty config. Add only the lines/parameters that are absolutely required to reproduce the bug.
  - Do not run Caddy inside containers.
  - Run Caddy manually in your terminal; do not use systemd or other init systems.
  - If making HTTP requests, avoid web browsers. Use a simpler HTTP client instead, like `curl`.
  - Do not redact any information from your config (except credentials). Domain names are public knowledge and often necessary for quick resolution of an issue!
- Note that ignoring this advice may result in delays, or even in your issue being closed. Only actionable issues are kept open, and if there is not enough information or clarity to reproduce the bug, then the report is not actionable.
Example of a tutorial:
Create a config file:{ ... }
Open terminal and run Caddy:
$ caddy ...
Make an HTTP request:
$ curl ...
Notice that the result is ___ but it should be ___.
from caddy-webdav.
1. Environment
1a. Operating system and version
Windows Server 2008 R2 Enterprise
1b. Caddy version (run `caddy version` or paste commit SHA)
v2.4.5 h1:P1mRs6V2cMcagSPn+NWpD+OEYUYLIf6ecOa48cFGeUg=
2. Description
2a. What happens (briefly explain what is wrong)
I want to provide a webdav service on the /files/ path, so I added the following configuration.
```
handle /files/* {
    basicauth bcrypt webdav {
        libla JDJhJDEwJEVCNmdaNEg2Ti5iejRMYkF3MFZhZ3VtV3E1SzBWZEZ5Q3VWc0tzOEJwZE9TaFlZdEVkZDhX
    }
    webdav {
        root C:\WWW
    }
}
```
By visiting /files/xxx in this way, I can get the file contents of C:\WWW\files\xxx.
But if I create a new 123.txt under C:\WWW, I can pass /files/..%2F123.txt to get the contents of 123.txt. This is not the behavior I want. I hope webdav can only read/write the contents in the C:\WWW\files\ directory.
2b. Why it's a bug (if it's not obvious)
2c. Log output
paste terminal output or logs here
2d. Workaround(s)
2e. Relevant links
3. Tutorial (minimal steps to reproduce the bug)
from caddy-webdav.
Thanks, probably just need some sanitizing either here or in the upstream package. Anyone free to take this?
from caddy-webdav.
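The kind of sanitizing discussed in this thread, as an added Go example (not code from Caddy or caddy-webdav): a prefix comparison on the raw path accepts the reported request, while decoding once, normalising and re-checking the prefix rejects it. The helper names `naivePrefixMatch` and `resolveUnderPrefix` are hypothetical, and the sample paths are constructed around the `/files` prefix from the report.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// naivePrefixMatch is a simplified stand-in for a route matcher that compares
// the raw, still percent-encoded path against a prefix (hypothetical helper).
func naivePrefixMatch(rawPath, prefix string) bool {
	return rawPath == prefix || strings.HasPrefix(rawPath, prefix+"/")
}

// resolveUnderPrefix decodes rawPath exactly once, normalises it, and reports
// whether the result is still inside prefix (hypothetical helper).
func resolveUnderPrefix(rawPath, prefix string) (string, bool) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", false // malformed percent-escape: reject outright
	}
	// On Windows "\" is also a separator, so fold it into "/" first.
	decoded = strings.ReplaceAll(decoded, `\`, "/")
	// path.Clean resolves "." and ".." segments and collapses "//".
	cleaned := path.Clean("/" + decoded)
	prefix = path.Clean("/" + prefix)
	// Require a segment boundary so "/filesystem" is not treated as "/files".
	ok := cleaned == prefix || strings.HasPrefix(cleaned, prefix+"/")
	return cleaned, ok
}

func main() {
	// Constructed sample paths; the second one is the request from the report.
	samples := []string{
		"/files/report.txt",
		"/files/..%2F123.txt",
		"/files/sub/../a.txt",
		"/files/..%5C123.txt",
		"/filesystem/x",
	}
	for _, p := range samples {
		resolved, ok := resolveUnderPrefix(p, "/files")
		fmt.Printf("%-22s matcher=%-5v resolved=%-18q allowed=%v\n",
			p, naivePrefixMatch(p, "/files"), resolved, ok)
	}
}
```

The file-serving layer has to use the same decoded, cleaned path that passed the check; validating one representation and opening another reintroduces the gap.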