This solves the issue, while generating a public link ssl check conne…#38107
This solves the issue, while generating a public link ssl check conne…#38107AlexAndBear merged 2 commits intomasterfrom
Conversation
|
|
|
@phil-davis do we have integration tests for public share link "Add to your owncloud" button? Mainly on the receiving side that mounts the public link share. This is sending side, and in the box one need to provide receiving side: |
|
https://github.com/owncloud/core/blob/master/tests/acceptance/features/webUISharingPublic2/shareByPublicLink.feature has scenarios that check the presence of the "add to your owncloud button". Steps like: But the scenarios do not go any further. I will get someone to look at adding scenarios that go further an actually click the button! |
|
I'm a bit unsure about this solution... there is a
This way we make sure we're checking whatever we're going to use to access to the data without touching other endpoints. Assuming it works properly (the I think it's worthy to have a look because I still unsure about the reasons if having two checks instead of one. |
|
BTW, make sure you link this PR to the issue in the top post (there is a "related issue" section in the template) so we can quickly access to the issue this PR fixes.
Please, double-check this. You look suspicious otherwise. |
|
From my point of view, you're expected to hit the target share in https://github.com/owncloud/core/pull/38107/files#diff-938f35dab4a346380cb32819e416003b9b6e19f1b8c6d4661ea6b9ccb15b89cdR98 , which should also be the same endpoint that will be used later on. I think we can check the SSL certificate (if any) there. I expect the call to throw an "InvalidCertificateException" or "TooManyRedirectsException", both exceptions coming from the guzzle library, if there are problems with the SSL certificate, so we can catch those exceptions. |
AlexAndBear
force-pushed
the
issues/4241
branch
from
df4e59d to
bebda8b
Compare
|
Summing up the steps to reproduce the problem, it's something like:
At step 3, there is a verification of the SSL certificate of the serverA. Such certificate could be invalid (expired, self-signed, not recognized), or we could end up in a redirection loop. @pmaier1 is it fine to show a generic "Storage is not available" in that scenario instead of the current "Invalid or untrusted SSL certificate" (which isn't really accurate)?. We could clean some code and step 3 should be slightly faster because it's one request less to do. |
jvillafanez
left a comment
jvillafanez
left a comment
There was a problem hiding this comment.
Just a little thing, although I'd wait for Patrick to confirm we want to keep showing the "Invalid SSL certificate" error
apps/files_sharing/ajax/external.php
Outdated
| try { | ||
| \OC::$server->getHTTPClientService()->newClient()->get($remote, [ | ||
| // try to connect to the status page instead of the main uri, as authentication software like SAML could end up in a redirection loop | ||
| \OC::$server->getHTTPClientService()->newClient()->get(\sprintf('%s/status.php', $remote), [ |
There was a problem hiding this comment.
String interpolation is preferred unless you proof the sprintf function provides advantages.
$v = "{$remote}/status.php";
instead of
$v = \sprintf('%s/status.php', $remote);
first option is shorter and easier to read.
Well, a regular user can't do anything about it and in most cases will not understand SSL errors anyway. Best case you add some advice like "Please try again later or ask an administrator for help". |
…cts to the domain instead of the share url, which could cause some issues for example redirect loops
AlexAndBear
force-pushed
the
issues/4241
branch
from
bebda8b to
23478aa
Compare
|
@jvillafanez |
apps/files_sharing/ajax/external.php
Outdated
| 'Invalid remote storage: ' . \get_class($e) . ': ' . $e->getMessage(), | ||
| \OCP\Util::DEBUG | ||
| ); | ||
| \OCP\JSON::error(['data' => ['message' => $l->t('Invalid or untrusted SSL certificate')]]); |
There was a problem hiding this comment.
Throw with "SSL precheck failed" message or similar, it catches many exception types in this block, not only invalid SSL certificate
changelog/unreleased/38107
Outdated
| When adding a public link to your owncloud, a SSL certificate check is performed. | ||
| Prior to this fix, the check was performed on the server's base URL, not on the | ||
| actual share URL. This could cause some problems, for example never ending redirect | ||
| loops. So now the SSL check is performed on the share URL itself. |
Yes, that's the idea. We need to verify it works though. In addition, it might be a good idea to rise the log messages to the error level so the admin knows what's happening |
|
@jvillafanez user errors (e.g. wrong url) are not server errors and should be at most debug. |
|
Following the expected flow, the user will need to enter the "serverB" url inside the "serverA" share link, but the remote url we'll ping is the one for "serverA". Basically, a user error shouldn't be possible. Taking this into account, if something breaks the admin will want to know. Even if it's a wrong url, the admin will want to know because a wrong url shouldn't be possible. |
|
i think we are overengineering this simple issue, but at least would give good learning to new members :) |
Yeah I think so, too :D So I just removed the SSL pre-check and tested with an invalid SSL certificate. As @jvillafanez suggested the code still throws an error, thus we should be good to go with removing the SSL pre-check. It will throw a generic "Storage is not available" error. |
… takes care of it
|
Kudos, SonarCloud Quality Gate passed!
|
|
Note: #38109 (comment) |
|
Is log displayed with proper message why „storage is unavailable”? |
7 participants
Description
SSL check when adding a public link to your ownCloud
When adding a public link to your owncloud, a SSL certificate check is performed.
Prior to this fix, the check was performed on the server's base URL, not on the
actual share URL. This could cause some problems, for example never ending redirect
loops. So now the SSL check is performed on the share URL itself.
Related Issue
Types of changes
Checklist: