webdav: check locks before write operations

krystiancha · krystiancha · commit 1c160c84386e · 2025-07-15T11:20:26.000+02:00
diff --git a/internal/internal.go b/internal/internal.go
@@ -115,6 +115,33 @@ func FormatLockToken(token string) string {
 	return fmt.Sprintf("<%v>", token)
 }
 
+func ParseSubmittedToken(h http.Header) (string, error) {
+	hif := h.Get("If")
+	if hif == "" {
+		return "", nil
+	}
+
+	conditions, err := ParseConditions(hif)
+	if err != nil {
+		return "", &HTTPError{http.StatusBadRequest, err}
+	}
+
+	if len(conditions) == 0 {
+		return "", nil
+	}
+	if len(conditions) > 1 {
+		return "", HTTPErrorf(http.StatusBadRequest, "webdav: multiple lists are not supported in the If header field")
+	}
+	if len(conditions[0]) == 0 {
+		return "", nil
+	}
+	if len(conditions[0]) > 1 {
+		return "", HTTPErrorf(http.StatusBadRequest, "webdav: multiple conditions are not supported in the If header field")
+	}
+
+	return conditions[0][0].Token, nil
+}
+
 // Condition is a condition to match lock tokens and entity tags.
 //
 // Only one of Token or ETag is set.
diff --git a/internal/server.go b/internal/server.go
@@ -355,13 +355,14 @@ func (h *Handler) handleLock(w http.ResponseWriter, r *http.Request) error {
 			return err
 		}
 
-		conditions, err := ParseConditions(r.Header.Get("If"))
+		var err error
+		refreshToken, err = ParseSubmittedToken(r.Header)
 		if err != nil {
-			return &HTTPError{http.StatusBadRequest, err}
-		} else if len(conditions) != 1 || len(conditions[0]) != 1 || conditions[0][0].Token == "" {
-			return HTTPErrorf(http.StatusBadRequest, "webdav: a single lock token must be specified in the If header field")
+			return err
+		}
+		if refreshToken == "" {
+			return HTTPErrorf(http.StatusBadRequest, "webdav: a lock token must be specified in the If header field")
 		}
-		refreshToken = conditions[0][0].Token
 	}
 
 	depth := DepthInfinity
diff --git a/server.go b/server.go
@@ -262,6 +262,16 @@ func (b *backend) PropPatch(r *http.Request, update *internal.PropertyUpdate) (*
 }
 
 func (b *backend) Put(w http.ResponseWriter, r *http.Request) error {
+	if lock := b.resourceLock(r.URL.Path); lock != nil {
+		token, err := internal.ParseSubmittedToken(r.Header)
+		if err != nil {
+			return err
+		}
+		if token != lock.Href {
+			return &internal.HTTPError{Code: http.StatusLocked}
+		}
+	}
+
 	ifNoneMatch := ConditionalMatch(r.Header.Get("If-None-Match"))
 	ifMatch := ConditionalMatch(r.Header.Get("If-Match"))
 
@@ -294,6 +304,16 @@ func (b *backend) Put(w http.ResponseWriter, r *http.Request) error {
 }
 
 func (b *backend) Delete(r *http.Request) error {
+	if lock := b.resourceLock(r.URL.Path); lock != nil {
+		token, err := internal.ParseSubmittedToken(r.Header)
+		if err != nil {
+			return err
+		}
+		if token != lock.Href {
+			return &internal.HTTPError{Code: http.StatusLocked}
+		}
+	}
+
 	ifNoneMatch := ConditionalMatch(r.Header.Get("If-None-Match"))
 	ifMatch := ConditionalMatch(r.Header.Get("If-Match"))
 
@@ -324,6 +344,16 @@ func (b *backend) Mkcol(r *http.Request) error {
 }
 
 func (b *backend) Copy(r *http.Request, dest *internal.Href, recursive, overwrite bool) (created bool, err error) {
+	if lock := b.resourceLock(dest.Path); lock != nil {
+		token, err := internal.ParseSubmittedToken(r.Header)
+		if err != nil {
+			return false, err
+		}
+		if token != lock.Href {
+			return false, &internal.HTTPError{Code: http.StatusLocked}
+		}
+	}
+
 	options := CopyOptions{
 		NoRecursive: !recursive,
 		NoOverwrite: !overwrite,
@@ -336,6 +366,37 @@ func (b *backend) Copy(r *http.Request, dest *internal.Href, recursive, overwrit
 }
 
 func (b *backend) Move(r *http.Request, dest *internal.Href, overwrite bool) (created bool, err error) {
+	// Check source and destination locks
+	var conditions [][]internal.Condition
+	hif := r.Header.Get("If")
+	if hif == "" {
+		conditions = nil
+	} else {
+		var err error
+		conditions, err = internal.ParseConditions(hif)
+		if err != nil {
+			return false, &internal.HTTPError{http.StatusBadRequest, err}
+		}
+	}
+	srcLock := b.resourceLock(r.URL.Path)
+	destLock := b.resourceLock(dest.Path)
+	for _, conds := range conditions {
+		if len(conds) == 0 {
+			continue
+		}
+		if len(conds) > 1 {
+			return false, internal.HTTPErrorf(http.StatusBadRequest, "webdav: multiple conditions are not supported in the If header field")
+		}
+		if (conds[0].Resource == "" || conds[0].Resource == r.URL.Path) && srcLock != nil && conds[0].Token == srcLock.Href {
+			srcLock = nil
+		} else if (conds[0].Resource == dest.Path) && destLock != nil && conds[0].Token == destLock.Href {
+			destLock = nil
+		}
+	}
+	if srcLock != nil || destLock != nil {
+		return false, &internal.HTTPError{Code: http.StatusLocked}
+	}
+
 	options := MoveOptions{
 		NoOverwrite: !overwrite,
 	}

Original file line number	Diff line number	Diff line change
`@@ -355,13 +355,14 @@ func (h Handler) handleLock(w http.ResponseWriter, r http.Request) error {`
`355`	`355`	`return err`
`356`	`356`	`}`
`357`	`357`
`358`		`- conditions, err := ParseConditions(r.Header.Get("If"))`
	`358`	`+ var err error`
	`359`	`+ refreshToken, err = ParseSubmittedToken(r.Header)`
`359`	`360`	`if err != nil {`
`360`		`- return &HTTPError{http.StatusBadRequest, err}`
`361`		`- } else if len(conditions) != 1 \|\| len(conditions[0]) != 1 \|\| conditions[0][0].Token == "" {`
`362`		`- return HTTPErrorf(http.StatusBadRequest, "webdav: a single lock token must be specified in the If header field")`
	`361`	`+ return err`
	`362`	`+ }`
	`363`	`+ if refreshToken == "" {`
	`364`	`+ return HTTPErrorf(http.StatusBadRequest, "webdav: a lock token must be specified in the If header field")`
`363`	`365`	`}`
`364`		`- refreshToken = conditions[0][0].Token`
`365`	`366`	`}`
`366`	`367`
`367`	`368`	`depth := DepthInfinity`