server: forbid PUT method on a read-only shared folder
Hello!
The current implementation of the `PUT` method in `libphodav` doesn't check whether the read-only flag of the shared folder is indeed set to false. This allows one to create and copy files inside the shared folder, even if it is set to read-only.
Steps to reproduce this bug:
- Open guest VM (Linux or Windows) in `remote-viewer`
- Share a folder in read-only mode and mount it in the guest
- In the guest, open a new text file in a text editor
- Save the file as `whatever.txt` inside the shared folder
Observed behavior:
- The file `whatever.txt` is created in the shared folder, in the host filesystem
Expected behavior:
- An error should occur when trying to save the file
The proposed patch modifies the `phodav_method_put()` function so that it checks that the `readonly` flag is unset before proceeding with the `PUT` method. Otherwise, it fails with the Forbidden status (just as the other methods, such as `MKCOL` or `COPY`, for instance).
This patch also introduces a `handler_get_readonly()` function in order to access the `readonly` flag in the `handler` opaque structure from `phodav_method_put()`. Finally, it also adds debug messages for the `PUT` method similar to those used for the other methods (displaying both the `PUT` request and the returned status), even if those messages are not part of the bug fix per se.
Thanks!
SnipFoo.
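
The bug class described above (one write method missing a per-method read-only check) can be closed structurally by gating every mutating method in one place. The sketch below is an added example, not code from this merge request or from phodav; it goes beyond the `PUT` fix to cover the general pattern, and `dav_handler`, `dav_method`, `dav_dispatch` and `readonly_leaks` are hypothetical names with illustrative status values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum { DAV_OK = 200, DAV_CREATED = 201, DAV_FORBIDDEN = 403, DAV_NOT_IMPLEMENTED = 501 };

/* Hypothetical handler state (not phodav's opaque structure). */
struct dav_handler { bool readonly; int writes; };

static int do_read(struct dav_handler *h)  { (void)h; return DAV_OK; }
/* Stands in for any handler that changes the host filesystem;
 * the 201 status is illustrative, not per-method accurate. */
static int do_write(struct dav_handler *h) { h->writes++; return DAV_CREATED; }

struct dav_method {
    const char *name;
    bool mutates;                      /* true if it can alter the shared folder */
    int (*run)(struct dav_handler *h);
};

static const struct dav_method methods[] = {
    { "GET", false, do_read },     { "HEAD", false, do_read },
    { "OPTIONS", false, do_read }, { "PROPFIND", false, do_read },
    { "PUT", true, do_write },     { "DELETE", true, do_write },
    { "MKCOL", true, do_write },   { "COPY", true, do_write },
    { "MOVE", true, do_write },    { "PROPPATCH", true, do_write },
    { "LOCK", true, do_write },    { "UNLOCK", true, do_write },
};

/* Single gate: the read-only check runs before any handler, so a method
 * cannot be added to the table without declaring whether it mutates. */
int dav_dispatch(struct dav_handler *h, const char *method)
{
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        if (strcmp(methods[i].name, method) != 0)
            continue;
        if (h->readonly && methods[i].mutates)
            return DAV_FORBIDDEN;      /* refused before any side effect */
        return methods[i].run(h);
    }
    return DAV_NOT_IMPLEMENTED;
}

/* Regression check: mutating methods that get through on a read-only
 * share, plus any writes actually performed (expected total: 0). */
int readonly_leaks(void)
{
    struct dav_handler h = { .readonly = true, .writes = 0 };
    int leaks = 0;
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++)
        if (methods[i].mutates && dav_dispatch(&h, methods[i].name) != DAV_FORBIDDEN)
            leaks++;
    return leaks + h.writes;
}
```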