Seafdav broken in 7.1.4 with anonymous requests

andi-blafasl · June 22, 2020, 11:13am

I upgraded my test server to 7.1.4 and the webdav function is broken when the application is trying to do anonymous request before sending the request with authentication. The App with the Problem is Keepass2Android.
WinSCP on the other hand is always sending the authentication when accessing the server and it is working without problems. But Keepass2Android is working with Seafile 7.0.5 without any problems, too. Maybe it is a bug with the new wsgidav module in 7.1.4?

Here are the log entries from a request to the 7.1.4 server:

#apache access.log
xx.xx.xx.xx - - [22/Jun/2020:13:00:46 +0200] "GET /seafdav/KeePass/db.kdbx HTTP/1.1" 401 3849 "-" "okhttp/4.2.2"
xx.xx.xx.xx - - [22/Jun/2020:13:00:46 +0200] "GET /seafdav/KeePass/db.kdbx HTTP/1.1" 200 3251826 "-" "okhttp/4.2.2"
xx.xx.xx.xx - - [22/Jun/2020:13:00:48 +0200] "PUT /seafdav/KeePass/db.kdbx HTTP/1.1" 502 3894 "-" "okhttp/4.2.2"

#apache error.log
[Mon Jun 22 13:00:48.480863 2020] [proxy:error] [pid 17833:tid 140092193695488] (104)Connection reset by peer: [client xx.xx.xx.xx:38214] AH01084: pass request body failed to 127.0.0.1:8080 (127.0.0.1)
[Mon Jun 22 13:00:48.481025 2020] [proxy_http:error] [pid 17833:tid 140092193695488] [client xx.xx.xx.xx:38214] AH01097: pass request body failed to 127.0.0.1:8080 (127.0.0.1) from xx.xx.xx.xx ()

#seafile seafdav.log
2020-06-22 13:00:46.124 - <140688345700160> wsgidav.wsgidav_app         INFO    :  127.0.0.1 - (anonymous) - [2020-06-22 11:00:46] "GET /KeePass/db.kdbx" elap=0.000sec -> 401 Not Authorized
2020-06-22 13:00:46.200 - <140688345700160> wsgidav.wsgidav_app         INFO    :  127.0.0.1 - andi@blafasl.de - [2020-06-22 11:00:46] "GET /KeePass/db.kdbx" depth=0, elap=0.039sec -> 200 OK
2020-06-22 13:00:48.478 - <140688345700160> wsgidav.wsgidav_app         INFO    :  127.0.0.1 - (anonymous) - [2020-06-22 11:00:48] "PUT /KeePass/db.kdbx" length=3233358, elap=0.001sec -> 401 Not Authorized

And this is how it looks like on a 7.0.5 server:

#apache access.log
xx.xx.xx.xx - - [22/Jun/2020:12:56:53 +0200] "GET /seafdav/test/test.kdbx HTTP/1.1" 401 3808 "-" "okhttp/4.2.2"
xx.xx.xx.xx - - [22/Jun/2020:12:56:53 +0200] "GET /seafdav/test/test.kdbx HTTP/1.1" 200 2764 "-" "okhttp/4.2.2"
xx.xx.xx.xx - - [22/Jun/2020:12:56:54 +0200] "PUT /seafdav/test/test.kdbx HTTP/1.1" 401 3831 "-" "okhttp/4.2.2"
xx.xx.xx.xx - - [22/Jun/2020:12:56:54 +0200] "PUT /seafdav/test/test.kdbx HTTP/1.1" 204 242 "-" "okhttp/4.2.2"

#apache error.log
nothing

#seafile seafdav.log
nothing

I have already applied the fix for the renaming (MOVE) issue in 7.1.4 as discussed here: Seafdav - MOVE command causing 502

Is there a change to fix the problem on the Seafile side? If you need any further testing or logs, I can provide everything

andi-blafasl · June 25, 2020, 1:13pm

I did some further testing with some tcpdump capture between the apache reverse proxy and the seafile server.
As far as I can see, the old Seafile Server 7.0.5 behaves as expected with PUT requests without Authentication and continues the TCP stream with the client.
The new Server 7.1.4 terminates the TCP stream with RST flag set after it denied the unathorized PUT request with a 401 message.

Does anyone have an idea how to further check the behavior of the new seafile webdav system? Is there something like a debug log switch?

Jonathan · June 28, 2020, 3:38am

This could a behavioral change or bug introduced by upstream WsgiDAV. Could you ask on their github issues?

andi-blafasl · June 29, 2020, 7:30am

I checked the Github Repo from WsgiDAV and there is a newer Version (3.0.3) available. Maybe you could first upgrade to this?

github.com

mar10/wsgidav/blob/master/CHANGELOG.md

# Changelog

## 3.0.4 / Unreleased

- #181 Fix error for UTF8 (surrogate) filename
- #186 Add sample Redis lock manager `LockStorageRedis` (Steffen Deusch)

## 3.0.3 / 2020-04-02

- #172 Fix missing import of collections_abc (regression in 3.0.2:
  this requires six 1.13+; dependencies have been updated)
- #177 Fix allow_anonymous_access()


## 3.0.2 / 2019-12-26

- Fixes for Python 3.8
- Deprecated support for Python 3.4 (reached end of live on 2019-03-18),
  i.e. stopped testing.
- #167 Docker image reduction from 244MB to 66.4MB

This file has been truncated. show original

andi-blafasl · July 14, 2020, 11:03am

@daniel.pan Any plans or schedule for updaten wsgidav in CE server?

daniel.pan · July 15, 2020, 2:53am

We will upgrade the included wsgidav in a later 7.1 version.

andi-blafasl · October 9, 2020, 9:18am

Just for Information: This Problem still exist in Version 7.1.5 Community!

Jonathan · October 14, 2020, 10:10am

We have upgraded the WSGIDAV version. If the issue still persist, you can submit an issue on their github repository. Maybe the author has a better understanding than us.

casselt · November 2, 2020, 11:06am

I found the solution:

I set

“win_accept_anonymous_options”: True

in seahub/thirdpart/wsgidav/default_conf.py and restarted.

casselt · November 2, 2020, 12:52pm

Unfortunately still unreliable to unusable with a Win10 client.