nextcloud/apps/dav/lib/Connector/Sabre/BlockLegacyClientPlugin.php

<?php

/**
 * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
 * SPDX-License-Identifier: AGPL-3.0-only
 */
namespace OCA\DAV\Connector\Sabre;

use OCA\Theming\ThemingDefaults;
use OCP\IConfig;
use OCP\IRequest;
use Sabre\DAV\Server;
use Sabre\DAV\ServerPlugin;
use Sabre\HTTP\RequestInterface;

/**
 * Class BlockLegacyClientPlugin is used to detect old legacy sync clients and
 * returns a 403 status to those clients
 *
 * @package OCA\DAV\Connector\Sabre
 */
class BlockLegacyClientPlugin extends ServerPlugin {
	protected ?Server $server = null;

	public function __construct(
		private IConfig $config,
		private ThemingDefaults $themingDefaults,
	) {
	}

	/**
	 * @return void
	 */
	public function initialize(Server $server) {
		$this->server = $server;
		$this->server->on('beforeMethod:*', [$this, 'beforeHandler'], 200);
	}

	/**
	 * Detects all unsupported clients and throws a \Sabre\DAV\Exception\Forbidden
	 * exception which will result in a 403 to them.
	 * @param RequestInterface $request
	 * @throws \Sabre\DAV\Exception\Forbidden If the client version is not supported
	 */
	public function beforeHandler(RequestInterface $request) {
		$userAgent = $request->getHeader('User-Agent');
		if ($userAgent === null) {
			return;
		}

		$minimumSupportedDesktopVersion = $this->config->getSystemValueString('minimum.supported.desktop.version', '3.1.0');
		$maximumSupportedDesktopVersion = $this->config->getSystemValueString('maximum.supported.desktop.version', '99.99.99');

		// Check if the client is a desktop client
		preg_match(IRequest::USER_AGENT_CLIENT_DESKTOP, $userAgent, $versionMatches);

		// If the client is a desktop client and the version is too old, block it
		if (isset($versionMatches[1]) && version_compare($versionMatches[1], $minimumSupportedDesktopVersion) === -1) {
			$customClientDesktopLink = htmlspecialchars($this->themingDefaults->getSyncClientUrl());
			$minimumSupportedDesktopVersion = htmlspecialchars($minimumSupportedDesktopVersion);

			throw new \Sabre\DAV\Exception\Forbidden("This version of the client is unsupported. Upgrade to <a href=\"$customClientDesktopLink\">version $minimumSupportedDesktopVersion or later</a>.");
		}

		// If the client is a desktop client and the version is too new, block it
		if (isset($versionMatches[1]) && version_compare($versionMatches[1], $maximumSupportedDesktopVersion) === 1) {
			$customClientDesktopLink = htmlspecialchars($this->themingDefaults->getSyncClientUrl());
			$maximumSupportedDesktopVersion = htmlspecialchars($maximumSupportedDesktopVersion);

			throw new \Sabre\DAV\Exception\Forbidden("This version of the client is unsupported. Downgrade to <a href=\"$customClientDesktopLink\">version $maximumSupportedDesktopVersion or earlier</a>.");
		}
	}
}
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`<?php`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-27 11:39:07 -04:00
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-27 11:39:07 -04:00			`* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-FileCopyrightText: 2016 ownCloud, Inc.`
			`* SPDX-License-Identifier: AGPL-3.0-only`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`*/`
Consolidate webdav code - move all to one app 2015-08-30 13:13:01 -04:00			`namespace OCA\DAV\Connector\Sabre;`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00
fix: Adjust unit tests and protect against XSS Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2024-09-06 08:39:32 -04:00			`use OCA\Theming\ThemingDefaults;`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`use OCP\IConfig;`
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-06-23 03:50:46 -04:00			`use OCP\IRequest;`
Cleanup dav - Remove unused class AppEnabledPlugin - Add more type hinting when possible Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2022-04-12 08:01:13 -04:00			`use Sabre\DAV\Server;`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`use Sabre\DAV\ServerPlugin;`
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-11-22 14:52:10 -05:00			`use Sabre\HTTP\RequestInterface;`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00
			`/**`
			`* Class BlockLegacyClientPlugin is used to detect old legacy sync clients and`
Use 403 instead a 50x response 2015-04-20 06:53:40 -04:00			`* returns a 403 status to those clients`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`*`
Consolidate webdav code - move all to one app 2015-08-30 13:13:01 -04:00			`* @package OCA\DAV\Connector\Sabre`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`*/`
			`class BlockLegacyClientPlugin extends ServerPlugin {`
Fix more psalm issues Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2022-05-05 18:01:08 -04:00			`protected ?Server $server = null;`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00
fix: Adjust unit tests and protect against XSS Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2024-09-06 08:39:32 -04:00			`public function __construct(`
			`private IConfig $config,`
			`private ThemingDefaults $themingDefaults,`
			`) {`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`}`

			`/**`
			`* @return void`
			`*/`
Cleanup dav - Remove unused class AppEnabledPlugin - Add more type hinting when possible Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2022-04-12 08:01:13 -04:00			`public function initialize(Server $server) {`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`$this->server = $server;`
Sabre/DAV 4.0: beforeMethod is now beforeMethod:* Signed-off-by: Georg Ehrke <developer@georgehrke.com> 2020-03-09 11:32:04 -04:00			`$this->server->on('beforeMethod:*', [$this, 'beforeHandler'], 200);`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`}`

			`/**`
Use 403 instead a 50x response 2015-04-20 06:53:40 -04:00			`* Detects all unsupported clients and throws a \Sabre\DAV\Exception\Forbidden`
			`* exception which will result in a 403 to them.`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`* @param RequestInterface $request`
Use 403 instead a 50x response 2015-04-20 06:53:40 -04:00			`* @throws \Sabre\DAV\Exception\Forbidden If the client version is not supported`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`*/`
			`public function beforeHandler(RequestInterface $request) {`
			`$userAgent = $request->getHeader('User-Agent');`
Catch not existing User-Agent header In case of an not sent UA header consider the client as valid 2015-04-23 10:33:51 -04:00			`if ($userAgent === null) {`
			`return;`
			`}`

chore: Update minimum supported desktop version Signed-off-by: GitHub <noreply@github.com> 2025-08-10 20:34:04 -04:00			`$minimumSupportedDesktopVersion = $this->config->getSystemValueString('minimum.supported.desktop.version', '3.1.0');`
feat(config): add `maximum.supported.desktop.version` Signed-off-by: skjnldsv <skjnldsv@protonmail.com> 2024-11-27 04:06:14 -05:00			`$maximumSupportedDesktopVersion = $this->config->getSystemValueString('maximum.supported.desktop.version', '99.99.99');`

			`// Check if the client is a desktop client`
fix(dav): Use IRequest constant to match version The pattern matches since a 10 year old client version Signed-off-by: Joas Schilling <coding@schilljs.com> 2023-06-23 03:50:46 -04:00			`preg_match(IRequest::USER_AGENT_CLIENT_DESKTOP, $userAgent, $versionMatches);`
feat(config): add `maximum.supported.desktop.version` Signed-off-by: skjnldsv <skjnldsv@protonmail.com> 2024-11-27 04:06:14 -05:00
			`// If the client is a desktop client and the version is too old, block it`
			`if (isset($versionMatches[1]) && version_compare($versionMatches[1], $minimumSupportedDesktopVersion) === -1) {`
fix: Adjust unit tests and protect against XSS Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2024-09-06 08:39:32 -04:00			`$customClientDesktopLink = htmlspecialchars($this->themingDefaults->getSyncClientUrl());`
			`$minimumSupportedDesktopVersion = htmlspecialchars($minimumSupportedDesktopVersion);`

			`throw new \Sabre\DAV\Exception\Forbidden("This version of the client is unsupported. Upgrade to <a href=\"$customClientDesktopLink\">version $minimumSupportedDesktopVersion or later</a>.");`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`}`
feat(config): add `maximum.supported.desktop.version` Signed-off-by: skjnldsv <skjnldsv@protonmail.com> 2024-11-27 04:06:14 -05:00
			`// If the client is a desktop client and the version is too new, block it`
			`if (isset($versionMatches[1]) && version_compare($versionMatches[1], $maximumSupportedDesktopVersion) === 1) {`
			`$customClientDesktopLink = htmlspecialchars($this->themingDefaults->getSyncClientUrl());`
			`$maximumSupportedDesktopVersion = htmlspecialchars($maximumSupportedDesktopVersion);`

			`throw new \Sabre\DAV\Exception\Forbidden("This version of the client is unsupported. Downgrade to <a href=\"$customClientDesktopLink\">version $maximumSupportedDesktopVersion or earlier</a>.");`
			`}`
Block old legacy clients This Pull Request introduces a SabreDAV plugin that will block all older clients than 1.6.1 to connect and sync with the ownCloud instance. This has multiple reasons: 1. Old ownCloud client versions before 1.6.0 are not properly working with sticky cookies for load balancers and thus generating sessions en masse 2. Old ownCloud client versions tend to be horrible buggy In some cases we had in 80minutes about 10'000 sessions created by a single user. While this change set does not really "fix" the problem as 3rdparty legacy clients are affected as well, it is a good work-around and hopefully should force users to update their client 2015-04-16 16:39:44 -04:00			`}`
			`}`