Merge pull request #55991 from nextcloud/backport/55971/stable29

apps/dav/lib/Connector/Sabre/BlockLegacyClientPlugin.php

@@ -65,11 +65,22 @@ class BlockLegacyClientPlugin extends ServerPlugin {
 			return;
 		}
 
-		$minimumSupportedDesktopVersion = $this->config->getSystemValue('minimum.supported.desktop.version', '2.3.0');
+		$minimumSupportedDesktopVersion = $this->config->getSystemValueString('minimum.supported.desktop.version', '2.3.0');
+		$maximumSupportedDesktopVersion = $this->config->getSystemValueString('maximum.supported.desktop.version', '99.99.99');
+
+		// Check if the client is a desktop client
 		preg_match(IRequest::USER_AGENT_CLIENT_DESKTOP, $userAgent, $versionMatches);
-		if (isset($versionMatches[1]) &&
-			version_compare($versionMatches[1], $minimumSupportedDesktopVersion) === -1) {
-			throw new \Sabre\DAV\Exception\Forbidden('Unsupported client version.');
+
+		// If the client is a desktop client and the version is too old, block it
+		if (isset($versionMatches[1]) && version_compare($versionMatches[1], $minimumSupportedDesktopVersion) === -1) {
+			$minimumSupportedDesktopVersion = htmlspecialchars($minimumSupportedDesktopVersion);
+			throw new \Sabre\DAV\Exception\Forbidden("This version of the client is unsupported. Upgrade to version $minimumSupportedDesktopVersion or later.");
+		}
+
+		// If the client is a desktop client and the version is too new, block it
+		if (isset($versionMatches[1]) && version_compare($versionMatches[1], $maximumSupportedDesktopVersion) === 1) {
+			$maximumSupportedDesktopVersion = htmlspecialchars($maximumSupportedDesktopVersion);
+			throw new \Sabre\DAV\Exception\Forbidden("This version of the client is unsupported. Downgrade to version $maximumSupportedDesktopVersion or earlier.");
 		}
 	}
 }

apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php

@@ -34,6 +34,12 @@ use PHPUnit\Framework\MockObject\MockObject;
 use Sabre\HTTP\RequestInterface;
 use Test\TestCase;
 
+class ERROR_TYPE {
+	public const MIN_ERROR = 'MIN_ERROR';
+	public const MAX_ERROR = 'MAX_ERROR';
+	public const NONE = 'NONE';
+}
+
 /**
  * Class BlockLegacyClientPluginTest
  *
@@ -52,19 +58,38 @@ class BlockLegacyClientPluginTest extends TestCase {
 		$this->blockLegacyClientVersionPlugin = new BlockLegacyClientPlugin($this->config);
 	}
 
-	public function oldDesktopClientProvider(): array {
+	public static function oldDesktopClientProvider(): array {
 		return [
-			['Mozilla/5.0 (Windows) mirall/1.5.0'],
-			['Mozilla/5.0 (Bogus Text) mirall/1.6.9'],
+			['Mozilla/5.0 (Windows) mirall/1.5.0', ERROR_TYPE::MIN_ERROR],
+			['Mozilla/5.0 (Bogus Text) mirall/1.6.9', ERROR_TYPE::MIN_ERROR],
+			['Mozilla/5.0 (Windows) mirall/2.5.0', ERROR_TYPE::MAX_ERROR],
+			['Mozilla/5.0 (Bogus Text) mirall/2.0.1', ERROR_TYPE::MAX_ERROR],
+			['Mozilla/5.0 (Windows) mirall/2.0.0', ERROR_TYPE::NONE],
+			['Mozilla/5.0 (Bogus Text) mirall/2.0.0', ERROR_TYPE::NONE],
 		];
 	}
 
 	/**
 	 * @dataProvider oldDesktopClientProvider
 	 */
-	public function testBeforeHandlerException(string $userAgent): void {
-		$this->expectException(\Sabre\DAV\Exception\Forbidden::class);
-		$this->expectExceptionMessage('Unsupported client version.');
+	public function testBeforeHandlerException(string $userAgent, string $errorType): void {
+		$this->config
+			->expects($this->exactly(2))
+			->method('getSystemValueString')
+			->willReturnCallback(function (string $key) {
+				if ($key === 'minimum.supported.desktop.version') {
+					return '1.7.0';
+				}
+				return '2.0.0';
+			});
+
+		if ($errorType !== ERROR_TYPE::NONE) {
+			$errorString = $errorType === ERROR_TYPE::MIN_ERROR
+			? 'This version of the client is unsupported. Upgrade to version 1.7.0 or later.'
+			: 'This version of the client is unsupported. Downgrade to version 2.0.0 or earlier.';
+			$this->expectException(\Sabre\DAV\Exception\Forbidden::class);
+			$this->expectExceptionMessage($errorString);
+		}
 
 		/** @var RequestInterface|MockObject $request */
 		$request = $this->createMock('\Sabre\HTTP\RequestInterface');
@@ -74,20 +99,50 @@ class BlockLegacyClientPluginTest extends TestCase {
 			->with('User-Agent')
 			->willReturn($userAgent);
 
+		$this->blockLegacyClientVersionPlugin->beforeHandler($request);
+	}
+
+	/**
+	 * Ensure that there is no room for XSS attack through configured URL / version
+	 * @dataProvider oldDesktopClientProvider
+	 */
+	public function testBeforeHandlerExceptionPreventXSSAttack(string $userAgent, string $errorType): void {
+		$this->expectException(\Sabre\DAV\Exception\Forbidden::class);
+
 		$this->config
+			->expects($this->exactly(2))
+			->method('getSystemValueString')
+			->willReturnCallback(function (string $key) {
+				if ($key === 'minimum.supported.desktop.version') {
+					return '1.7.0 <script>alert("unsafe")</script>';
+				}
+				return '2.0.0 <script>alert("unsafe")</script>';
+			});
+
+		$errorString = $errorType === ERROR_TYPE::MIN_ERROR
+			? 'This version of the client is unsupported. Upgrade to version 1.7.0 &lt;script&gt;alert(&quot;unsafe&quot;)&lt;/script&gt; or later.'
+			: 'This version of the client is unsupported. Downgrade to version 2.0.0 &lt;script&gt;alert(&quot;unsafe&quot;)&lt;/script&gt; or earlier.';
+		$this->expectExceptionMessage($errorString);
+
+		/** @var RequestInterface|MockObject $request */
+		$request = $this->createMock('\Sabre\HTTP\RequestInterface');
+		$request
 			->expects($this->once())
-			->method('getSystemValue')
-			->with('minimum.supported.desktop.version', '2.3.0')
-			->willReturn('1.7.0');
+			->method('getHeader')
+			->with('User-Agent')
+			->willReturn($userAgent);
 
 		$this->blockLegacyClientVersionPlugin->beforeHandler($request);
 	}
 
-	public function newAndAlternateDesktopClientProvider(): array {
+	public static function newAndAlternateDesktopClientProvider(): array {
 		return [
 			['Mozilla/5.0 (Windows) mirall/1.7.0'],
 			['Mozilla/5.0 (Bogus Text) mirall/1.9.3'],
 			['Mozilla/5.0 (Not Our Client But Old Version) LegacySync/1.1.0'],
+			['Mozilla/5.0 (Windows) mirall/4.7.0'],
+			['Mozilla/5.0 (Bogus Text) mirall/3.9.3'],
+			['Mozilla/5.0 (Not Our Client But Old Version) LegacySync/45.0.0'],
 		];
 	}
 
@@ -104,10 +159,14 @@ class BlockLegacyClientPluginTest extends TestCase {
 			->willReturn($userAgent);
 
 		$this->config
-			->expects($this->once())
-			->method('getSystemValue')
-			->with('minimum.supported.desktop.version', '2.3.0')
-			->willReturn('1.7.0');
+			->expects($this->exactly(2))
+			->method('getSystemValueString')
+			->willReturnCallback(function (string $key) {
+				if ($key === 'minimum.supported.desktop.version') {
+					return '1.7.0';
+				}
+				return '10.0.0';
+			});
 
 		$this->blockLegacyClientVersionPlugin->beforeHandler($request);
 	}
@@ -120,6 +179,7 @@ class BlockLegacyClientPluginTest extends TestCase {
 			->method('getHeader')
 			->with('User-Agent')
 			->willReturn(null);
+
 		$this->blockLegacyClientVersionPlugin->beforeHandler($request);
 	}
 }

config/config.sample.php

@@ -2065,6 +2065,15 @@ $CONFIG = [
  */
 'minimum.supported.desktop.version' => '2.3.0',
 
+/**
+ * The maximum Nextcloud desktop client version that will be allowed to sync with
+ * this server instance. All connections made from later clients will be denied
+ * by the server.
+ *
+ * Defaults to 99.99.99
+ */
+'maximum.supported.desktop.version' => '99.99.99',
+
 /**
  * Option to allow local storage to contain symlinks.
  * WARNING: Not recommended. This would make it possible for Nextcloud to access