[Bug 1851325] [NEW] libneon27 has problems with MS IIS 7.5 WebDAV

edice 1851325 at bugs.launchpad.net
Tue Nov 5 04:01:58 UTC 2019 

Public bug reported:

libneon doesn't work with Microsoft's IIS 7.5 WebDAV implementation, because there is an extra translate:f header added.
This is not just for MS's implementation, other WebDAV servers apparently added it too.
https://docs.oracle.com/cd/E19146-01/821-1828/gczya/index.html
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wdvse/501879f9-3875-4d7a-ab88-3cecab440034

The docs say that IF the client doesn't send the header, the server should send back a URI to the resource, like a redirect, at least I think so.
But, MS's implementation doesn't.  Instead it just returns a "server error 500".

This happens to me ONLY with files that have no extension.
Example: using the WebDAV cadaver client, I can get "readme.txt",but I can't get a file called "config" (eg the config file in a .git folder).

I used Burp Suite to inspect the HTTPS comms with the server and
discovered the translate header.I tested with curl and sure enough it
worked with the header.

curl -H "translate: f" --insecure --proxy 127.0.0.1:8080 --user "user:pass" https://the.host.name/folder/project.git/config
WORKED
Without the -H "translate: f", the curl call did not work.

The translate header seems to be added to just about every call to the
WebDAV server, except HEAD.

Attached is a patch that fixes up libneon, and that fixes cadaver and other such clients.
I had to make an additional patch for davfs2 as it builds the requests without using neon's basic API.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libneon27-gnutls 0.30.0-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-148.174~14.04.1-generic 4.4.177
Uname: Linux 4.4.0-148-generic x86_64
NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
ApportVersion: 2.14.1-0ubuntu3.29
Architecture: amd64
CurrentDesktop: XFCE
Date: Tue Nov  5 11:55:14 2019
InstallationDate: Installed on 2015-12-15 (1420 days ago)
InstallationMedia: Linux Mint 17.3 "Rosa" - Release amd64 20151128
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_AU.utf8
 SHELL=/bin/bash
SourcePackage: neon27
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: neon27 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug rosa third-party-packages

** Patch added: "Patch to add translate f headers."
   https://bugs.launchpad.net/bugs/1851325/+attachment/5302889/+files/neon_translate_f.patch

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to neon27 in Ubuntu.
https://bugs.launchpad.net/bugs/1851325

Title:
  libneon27 has problems with MS IIS 7.5 WebDAV

Status in neon27 package in Ubuntu:
  New

Bug description:
  libneon doesn't work with Microsoft's IIS 7.5 WebDAV implementation, because there is an extra translate:f header added.
  This is not just for MS's implementation, other WebDAV servers apparently added it too.
  https://docs.oracle.com/cd/E19146-01/821-1828/gczya/index.html
  https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wdvse/501879f9-3875-4d7a-ab88-3cecab440034

  The docs say that IF the client doesn't send the header, the server should send back a URI to the resource, like a redirect, at least I think so.
  But, MS's implementation doesn't.  Instead it just returns a "server error 500".

  This happens to me ONLY with files that have no extension.
  Example: using the WebDAV cadaver client, I can get "readme.txt",but I can't get a file called "config" (eg the config file in a .git folder).

  I used Burp Suite to inspect the HTTPS comms with the server and
  discovered the translate header.I tested with curl and sure enough it
  worked with the header.

  curl -H "translate: f" --insecure --proxy 127.0.0.1:8080 --user "user:pass" https://the.host.name/folder/project.git/config
  WORKED
  Without the -H "translate: f", the curl call did not work.

  The translate header seems to be added to just about every call to the
  WebDAV server, except HEAD.

  Attached is a patch that fixes up libneon, and that fixes cadaver and other such clients.
  I had to make an additional patch for davfs2 as it builds the requests without using neon's basic API.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: libneon27-gnutls 0.30.0-1ubuntu1
  ProcVersionSignature: Ubuntu 4.4.0-148.174~14.04.1-generic 4.4.177
  Uname: Linux 4.4.0-148-generic x86_64
  NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
  ApportVersion: 2.14.1-0ubuntu3.29
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Tue Nov  5 11:55:14 2019
  InstallationDate: Installed on 2015-12-15 (1420 days ago)
  InstallationMedia: Linux Mint 17.3 "Rosa" - Release amd64 20151128
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_AU.utf8
   SHELL=/bin/bash
  SourcePackage: neon27
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/neon27/+bug/1851325/+subscriptions

More information about the foundations-bugs mailing list