Fabián Mandelbaum wrote:
> 
> I have a DAV server serving some files that I'd like to edit with XXE.
> 
> XXE is insisting on telling me that it cannot lock the file and it's
> giving me the following reason in the message part of the error
> dialog:
> 
> invalid element {DAV:}owner
> 
> The following is a fragment of the XML generated by the DAV server in
> the response:
> 
> <prop xmlns="DAV:">
>       <lockdiscovery>
>               <activelock>
>                       <lockscope>
>                               <exclusive />
>                       </lockscope>
>                       <owner>fabman at 10.0.2.15</owner>
> 
> I can see nothing wrong with that owner element, can you?
> 

There is nothing wrong with the owner element, aside from the fact that
it is unexpected at this position.

The problem comes from the fact that the contents of the above
activelock element do not conform to the spec
(http://www.webdav.org/specs/rfc4918.html#ELEMENT_activelock)

<!ELEMENT activelock (lockscope, locktype, depth, owner?, timeout?,
          locktoken?, lockroot)>

You can see for yourself that your DAV server has omitted the locktype
and depth elements before the owner element.



> I've compared the above fragment with the one generated by XDR for a
> similar request:
> 
> <d:prop xmlns:d="DAV:">
>       <d:lockdiscovery>
>               <d:activelock>
>                       <d:lockscope>
>                               <d:exclusive />
>                       </d:lockscope>
>                       <d:locktype>
>                               <d:write />
>                       </d:locktype>
>                       <d:depth>infinity</d:depth>
>                       <d:owner>fabman at 10.0.2.15</d:owner>
> 
> And apart from the fact that my DAV server is not returning namespaced
> elements (which should be fine because it's declaring the DAV
> namespace correctly on the root element), 

That's OK.



> and a few other elements
> that appear at a different place in the response (locktype), 

That's incorrect.



> I can see
> no difference in the values of the owner element, however, XXE works
> fine with XDR, while it's failing with my DAV server.

There is nothing we can fix on our side. Please report a bug to the
implementors of your DAV server.



---
PS: Older spec http://www.webdav.org/specs/rfc2518.html#ELEMENT_activelock
also says the locktype and depth elements are required before the owner
element.

<!ELEMENT activelock (lockscope, locktype, depth, owner?, timeout?,
   locktoken?) >
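
Added example, not part of the original message and not XXE's own code: a strict check of activelock children against the RFC 4918 content model quoted above, showing why owner is rejected when locktype and depth are missing, and that a default namespace and a `d:` prefix are treated alike. The function names, the closing tags added to the fragments and the lockroot URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted responses, defusedxml is the safer parser

DAV = "{DAV:}"
# RFC 4918: (lockscope, locktype, depth, owner?, timeout?, locktoken?, lockroot)
MODEL = [("lockscope", True), ("locktype", True), ("depth", True),
         ("owner", False), ("timeout", False), ("locktoken", False),
         ("lockroot", True)]

def first_violation(lock):
    """Return the first content-model violation in one activelock, or None."""
    pos = 0  # next slot of MODEL that a child may still match
    for child in lock:
        while pos < len(MODEL):
            name, required = MODEL[pos]
            pos += 1
            if child.tag == DAV + name:
                break                      # child fits this slot
            if required:                   # a mandatory element was skipped
                return f"invalid element {child.tag}: expected {DAV}{name}"
        else:
            return f"invalid element {child.tag}: no more children allowed"
    missing = [n for n, req in MODEL[pos:] if req]
    return f"incomplete activelock: missing {DAV}{missing[0]}" if missing else None

def check_activelock(xml_text):
    """List the violations found in every activelock of a response body."""
    root = ET.fromstring(xml_text)
    found = (first_violation(l) for l in root.iter(DAV + "activelock"))
    return [v for v in found if v]

# Constructed sample: the server's fragment from the message, closed off.
BAD = """<prop xmlns="DAV:"><lockdiscovery><activelock>
  <lockscope><exclusive/></lockscope>
  <owner>fabman at 10.0.2.15</owner>
</activelock></lockdiscovery></prop>"""

# Constructed sample: prefixed form with the required order and a lockroot.
GOOD = """<d:prop xmlns:d="DAV:"><d:lockdiscovery><d:activelock>
  <d:lockscope><d:exclusive/></d:lockscope>
  <d:locktype><d:write/></d:locktype>
  <d:depth>infinity</d:depth>
  <d:owner>fabman at 10.0.2.15</d:owner>
  <d:lockroot><d:href>http://example.com/doc.xml</d:href></d:lockroot>
</d:activelock></d:lockdiscovery></d:prop>"""

if __name__ == "__main__":
    print(check_activelock(BAD))
    print(check_activelock(GOOD))
```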


