diff --git a/changelog/unreleased/bump-reva.md b/changelog/unreleased/bump-reva.md
index e0c4122fe1..bbae000324 100644
--- a/changelog/unreleased/bump-reva.md
+++ b/changelog/unreleased/bump-reva.md
@@ -2,6 +2,7 @@ Enhancement: Bump Reva
 bumps reva version
+https://github.com/owncloud/ocis/pull/9330
 https://github.com/owncloud/ocis/pull/9318
 https://github.com/owncloud/ocis/pull/9269
 https://github.com/owncloud/ocis/pull/9236
diff --git a/go.mod b/go.mod
index e77add72de..67ee1e5150 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/cenkalti/backoff v2.2.1+incompatible
 github.com/coreos/go-oidc/v3 v3.10.0
 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781
- github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068
+ github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace
 github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25
 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
 github.com/egirna/icap-client v0.1.1
diff --git a/go.sum b/go.sum
index 3714d2e38e..74e27f59db 100644
--- a/go.sum
+++ b/go.sum
@@ -1027,6 +1027,8 @@ github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2F github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068 h1:DAmvibMtV7HxsQoG3jfwm78XftA/js0ECuv1pelSON8= github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068/go.mod h1:lKqw0VuP1NcZbhj0e6tGoAGq3tgWO/pLafVJyDK0yVI= +github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace h1:zK+0QyrqRBwdRthUbXTyDhxZIMZlNJPzGr0+bmyU++0= +github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace/go.mod h1:lKqw0VuP1NcZbhj0e6tGoAGq3tgWO/pLafVJyDK0yVI= github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4= github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/get.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/get.go
index 191d9cc043..ae5670502b 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/get.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/get.go
@@ -131,7 +131,19 @@ func (s *svc) handleGet(ctx context.Context, w http.ResponseWriter, r *http.Requ
 }
 defer httpRes.Body.Close()
- copyHeader(w.Header(), httpRes.Header)
+ // copy only the headers relevant for the content served by the datagateway
+ // more headers are already present from the GET request
+ copyHeader(w.Header(), httpRes.Header, net.HeaderContentType)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderContentLength)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderContentRange)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderOCFileID)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderOCETag)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderOCChecksum)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderETag)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderLastModified)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderAcceptRanges)
+ copyHeader(w.Header(), httpRes.Header, net.HeaderContentDisposistion)
+
 w.WriteHeader(httpRes.StatusCode)
 if httpRes.StatusCode != http.StatusOK && httpRes.StatusCode != http.StatusPartialContent {
@@ -156,11 +168,9 @@ func (s *svc) handleGet(ctx context.Context, w http.ResponseWriter, r *http.Requ
 // TODO we need to send the If-Match etag in the GET to the datagateway to prevent race conditions between stating and reading the file
 }
-func copyHeader(dst, src http.Header) {
- for key, values := range src {
- for i := range values {
- dst.Add(key, values[i])
- }
+func copyHeader(dist, src http.Header, header string) {
+ if src.Get(header) != "" {
+ dist.Set(header, src.Get(header))
 }
 }
diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go
index d3cab17bec..ae4056e96e 100644
--- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go
+++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go
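Review bot: After this bump the GET path in `handleGet` gets no browser-hardening headers from this package: the allowlist in the first get.go hunk forwards only content and caching headers from the datagateway, and the same commit deletes `addAccessHeaders` and its call in ocdav.go, which set `X-Content-Type-Options: nosniff`, `Content-Security-Policy: default-src 'none';`, `X-Frame-Options` and HSTS on every DAV response. The new comment says more headers are already present, but nothing visible in this diff sets them, so presumably a proxy or middleware in front of ocdav is expected to; that needs confirming for every deployment that exposes this service, because the response body is file content served with a `Content-Type` copied from the backend. If that guarantee cannot be given, keep at least `w.Header().Set("X-Content-Type-Options", "nosniff")` and `w.Header().Set("Content-Security-Policy", "default-src 'none';")` before `w.WriteHeader(httpRes.StatusCode)`, and add a test that asserts both headers on a DAV GET response. The file is vendored, so the code change itself belongs upstream in reva; `handleGet` starts and ends outside the hunk.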
@@ -165,8 +165,6 @@ func (s *svc) Handler() http.Handler {
 ctx := r.Context()
 log := appctx.GetLogger(ctx)
- addAccessHeaders(w, r)
-
 // TODO(jfd): do we need this?
 // fake litmus testing for empty namespace: see https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/webdav/litmus_test_server.go#L58-L89
 if r.Header.Get(net.HeaderLitmus) == "props: 3 (propfind_invalid2)" {
@@ -284,28 +282,6 @@ func (s *svc) ApplyLayout(ctx context.Context, ns string, useLoggedInUserNS bool
 return templates.WithUser(u, ns), requestPath, nil
 }
-func addAccessHeaders(w http.ResponseWriter, r *http.Request) {
- headers := w.Header()
- // all resources served via the DAV endpoint should have the strictest possible as default
- headers.Set("Content-Security-Policy", "default-src 'none';")
- // disable sniffing the content type for IE
- headers.Set("X-Content-Type-Options", "nosniff")
- // https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
- headers.Set("X-Download-Options", "noopen")
- // Disallow iFraming from other domains
- headers.Set("X-Frame-Options", "SAMEORIGIN")
- // https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
- headers.Set("X-Permitted-Cross-Domain-Policies", "none")
- // https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag
- headers.Set("X-Robots-Tag", "none")
- // enforce browser based XSS filters
- headers.Set("X-XSS-Protection", "1; mode=block")
-
- if r.TLS != nil {
- headers.Set("Strict-Transport-Security", "max-age=63072000")
- }
-}
-
 func authContextForUser(client gateway.GatewayAPIClient, userID *userpb.UserId, machineAuthAPIKey string) (context.Context, error) {
 if machineAuthAPIKey == "" {
 return nil, errtypes.NotSupported("machine auth not configured")
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 719b4531ff..3f679cedba 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -366,7 +366,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1 github.com/cs3org/go-cs3apis/cs3/types/v1beta1 -# github.com/cs3org/reva/v2 v2.19.2-0.20240604132648-408bb6433068 +# github.com/cs3org/reva/v2 v2.19.2-0.20240606075653-a7a1d2d2dace ## explicit; go 1.21 github.com/cs3org/reva/v2/cmd/revad/internal/grace github.com/cs3org/reva/v2/cmd/revad/runtime