check public link already authenticated before checking password of link

karakayasemi · karakayasemi · commit fd049476af5e · 2020-10-17T06:14:46.000-07:00
diff --git a/apps/dav/lib/Connector/PublicAuth.php b/apps/dav/lib/Connector/PublicAuth.php
@@ -95,11 +95,11 @@ protected function validateUserPass($username, $password) {
 		// check if the share is password protected
 		if ($share->getPassword() !== null) {
 			if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
-				if ($this->shareManager->checkPassword($share, $password)) {
-					return true;
-				} elseif ($this->session->exists('public_link_authenticated')
+				if ($this->session->exists('public_link_authenticated')
 					&& $this->session->get('public_link_authenticated') === (string)$share->getId()) {
 					return true;
+				} elseif ($this->shareManager->checkPassword($share, $password)) {
+					return true;
 				} else {
 					if (\in_array('XMLHttpRequest', \explode(',', $this->request->getHeader('X-Requested-With')))) {
 						// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
diff --git a/changelog/unreleased/38016 b/changelog/unreleased/38016
@@ -0,0 +1,8 @@
+Bugfix: Do not emit wrong "share.failedpasswordcheck" events for already authenticated links
+
+ShareManager was checking password of already authenticated public links.
+This situation has been led to wrong "share.failedpasswordcheck" events emitting in already authenticated links.
+This problem has been resolved by first checking link already authenticated.
+
+https://github.com/owncloud/brute_force_protection/issues/138
+https://github.com/owncloud/core/pull/38016
