412 Precondition Failed on uploading files with unicode RTL character in the name #6281

Open
dragonchaser opened this issue May 11, 2023 · 1 comment

Comments

@dragonchaser

dragonchaser commented May 11, 2023

When uploading a file containing a Unicode RTL character in the name, both the web client and the desktop client return 412 (Condition Failed).

Versions:

  • Infinite Scale 3.0.0-rc.3+dev Community
  • ownCloud Web UI 7.0.0-rc.36

User Impact:

  • It is impossible to upload files with names written in languages that are written from right to left (Arabic, Hebrew).

Security:

  • Enabling this also might be a security risk: malicious actors could craft special "mirrored filenames" that would translate a malicious .exe into a .jpg and try to lure users into downloading & executing them on their local machines. This is an issue that needs to be addressed in the client and the web UI (IMHO).

Example:

jpg.suriv_a_eb_dluoc_siht.exe <=> exe.this_could_be_a_virus.jpg

Further Read:

@butonic

butonic commented May 11, 2023

Yes, this is definitely a bug. The 412 can only be used when a conditional header was sent, see http://www.webdav.org/specs/rfc4918.html#rfc.section.12.1

12.1 412 Precondition Failed

Any request can contain a conditional header defined in HTTP (If-Match, If-Modified-Since, etc.) or the "If" or "Overwrite" conditional headers defined in this specification. If the server evaluates a conditional header, and if that condition fails to hold, then this error code must be returned. On the other hand, if the client did not include a conditional header in the request, then the server must not use this status code.

While https://www.rfc-editor.org/rfc/rfc3986 generally allows using any UTF character using percent encoding, I think we have to decide if we want to allow that or not, as it has security implications.

cc @tbsbdr
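
The distinction this thread turns on, as an added example that is not part of the issue and not ownCloud code: names written in Arabic or Hebrew consist of ordinary right-to-left letters, while filename mirroring typically relies on invisible bidirectional formatting controls such as U+202E. The function names and the sample filenames below are assumptions constructed for illustration; a client or web UI could use a check like this to flag and visibly render such names instead of rejecting all RTL text.

```javascript
// Added example. Unicode bidirectional formatting controls: invisible code
// points that change display order without being letters of any script.
const BIDI_CONTROLS = new Map([
  [0x061c, 'ALM'], [0x200e, 'LRM'], [0x200f, 'RLM'],
  [0x202a, 'LRE'], [0x202b, 'RLE'], [0x202c, 'PDF'],
  [0x202d, 'LRO'], [0x202e, 'RLO'],
  [0x2066, 'LRI'], [0x2067, 'RLI'], [0x2068, 'FSI'], [0x2069, 'PDI'],
]);

// Hypothetical helper: list each control with its offset in the stored name.
function findBidiControls(name) {
  const hits = [];
  let index = 0;
  for (const ch of name) {
    const label = BIDI_CONTROLS.get(ch.codePointAt(0));
    if (label) hits.push({ index, label });
    index += ch.length; // advance by UTF-16 units so offsets match the string
  }
  return hits;
}

// Hypothetical helper: replace every control with a visible tag, so the
// rendered order always equals the stored (logical) order.
function visibleName(name) {
  return [...name].map((ch) => {
    const label = BIDI_CONTROLS.get(ch.codePointAt(0));
    return label ? `[${label}]` : ch;
  }).join('');
}

// Hypothetical entry point for an upload dialog or file listing.
function inspectFilename(name) {
  const controls = findBidiControls(name);
  const dot = name.lastIndexOf('.');
  return {
    suspicious: controls.length > 0,
    controls,
    // Extension in stored order, independent of how the name is displayed.
    extension: dot > 0 ? name.slice(dot + 1).toLowerCase() : '',
    display: visibleName(name),
  };
}

// Constructed sample names: two plain RTL-script names and one with an override.
const SAMPLES = {
  hebrew: '\u05e9\u05dc\u05d5\u05dd.jpg',
  arabic: '\u0645\u0644\u0641.pdf',
  override: 'report_\u202egpj.exe',
};
```
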

Projects
Status: Prio 3 or less
Development

No branches or pull requests

3 participants