Red Hat Bugzilla – Bug 967908
WebDAV is accessible cross-domain
Last modified: 2013-07-01 00:15:49 EDT
Description of problem:
The WebDAV interface returns a:
Steps to Reproduce:
1. From a bash shell with netcat installed as nc, access the WebDAV interface with the following one-liner:
echo -e "PROPFIND /pressgang-ccms/webdav/ HTTP/1.1\r\nHost: skynet.usersys.redhat.com:8080\r\nDepth: 1\r\nContent-Type: application/xml\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<propfind xmlns=\"DAV:\"><prop>\n<getcontentlength xmlns=\"DAV:\"/>\n<getlastmodified xmlns=\"DAV:\"/>\n<executable xmlns=\"http://apache.org/dav/props/\"/>\n<resourcetype xmlns=\"DAV:\"/>\n<checked-in xmlns=\"DAV:\"/>\n<checked-out xmlns=\"DAV:\"/>\n</prop></propfind>\r\n\r\n" | nc skynet.usersys.redhat.com 8080
Receive the "directory" listing (as expected) with a:
Receive the "directory" listing with headers that would appropriately block cross-site access.
Fixed in 1.0-SNAPSHOT build 20130529-1332.
I've fixed the MessageBodyWriterInterceptor to only work on normal REST endpoints. That way the Access-Control-Allow-Origin header will not be present anymore for all webdav requests, as it shouldn't have ever been there anyway.
Example output (from skynet-dev):
HTTP/1.1 207 Multi-Status
Date: Wed, 29 May 2013 07:23:32 GMT
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>http://skynet-dev.usersys.redhat.com:8080/pressgang-ccms/webdav/</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response><D:response><D:href>http://skynet-dev.usersys.redhat.com:8080/pressgang-ccms/webdav/TOPICS</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>
Looks good on my end when hitting skynet-dev. I would have verified sooner, but didn't expect you to take care of it this fast! Thanks for the speedy work.
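Added regression check for the fix discussed in this bug (example code, not part of PressGang CCMS): it sends the same kind of PROPFIND over a plain socket and reports any CORS header that comes back on the WebDAV response. The host names, the Origin value and both sample responses are constructed; the "*" value in the pre-fix sample is an assumption, since the bug only says the header was present.

```python
import socket

# Minimal PROPFIND body asking for the same DAV: properties as the netcat one-liner in this bug.
PROPFIND_BODY = (b'<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop>'
                 b'<getcontentlength xmlns="DAV:"/><getlastmodified xmlns="DAV:"/>'
                 b'<resourcetype xmlns="DAV:"/></prop></propfind>')

# Any of these on a WebDAV response means the REST-only CORS interceptor leaked onto it.
CORS_HEADERS = frozenset({"access-control-allow-origin", "access-control-allow-credentials",
                          "access-control-allow-methods", "access-control-allow-headers"})

def build_propfind(host, path, origin="http://other-site.example", depth=1):
    """Raw PROPFIND request; the Origin header (assumed value) mimics a browser cross-site call."""
    head = (f"PROPFIND {path} HTTP/1.1\r\nHost: {host}\r\nOrigin: {origin}\r\n"
            f"Depth: {depth}\r\nContent-Type: application/xml\r\n"
            f"Content-Length: {len(PROPFIND_BODY)}\r\nConnection: close\r\n\r\n")
    return head.encode() + PROPFIND_BODY

def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def cors_findings(raw):
    """Sorted list of CORS headers present on the response; empty means the fix holds."""
    _, headers, _ = parse_response(raw)
    return sorted(h for h in headers if h in CORS_HEADERS)

def check_webdav(host, port=8080, path="/pressgang-ccms/webdav/"):
    """Send one PROPFIND to a live server and return the CORS headers it answered with."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_propfind(f"{host}:{port}", path))
        chunks = []
        while chunk := sock.recv(65536):   # server closes after "Connection: close"
            chunks.append(chunk)
    return cors_findings(b"".join(chunks))

# Constructed sample responses: before the fix (header value assumed) and after it.
BEFORE_FIX = (b"HTTP/1.1 207 Multi-Status\r\nAccess-Control-Allow-Origin: *\r\n"
              b"Content-Type: application/xml\r\n\r\n<D:multistatus xmlns:D=\"DAV:\"/>")
AFTER_FIX = (b"HTTP/1.1 207 Multi-Status\r\nDate: Wed, 29 May 2013 07:23:32 GMT\r\n"
             b"Content-Type: application/xml\r\n\r\n<D:multistatus xmlns:D=\"DAV:\"/>")
```

Running check_webdav("skynet-dev.usersys.redhat.com") against the fixed build should return an empty list; a non-empty list means the interceptor is back on the WebDAV path.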