fix: disallow pre-signed url access if the signing key is not initialized

changelog/unreleased/40962

@@ -0,0 +1,5 @@
+Bugfix: Disallow pre-signed URL access when the signing key is not initialized
+
+Disallow pre-signed URL access when the signing key is not initialized.
+
+https://github.com/owncloud/core/pull/40962

lib/private/Security/SignedUrl/Verifier.php

@@ -138,6 +138,11 @@ protected function computeHash(string $algo, string $url, $signingKey) {
 	private function verifySignature(array $params, $urlCredential, $algo, $urlSignature): bool {
 		$trustedList = $this->config->getSystemValue('trusted_domains', []);
 		$signingKey = $this->config->getUserValue($urlCredential, 'core', 'signing-key');
+		// in case the signing key is not initialized, no signature can ever be verified
+		if ($signingKey === '') {
+			\OC::$server->getLogger()->error("No signing key available for the user $urlCredential. Access via pre-signed URL denied.", ['app' => 'signed-url']);
+			return false;
+		}
 		$qp = \preg_replace('/%5B\d+%5D/', '%5B%5D', \http_build_query($params));
 
 		foreach ($trustedList as $trustedDomain) {

tests/lib/Security/SignedUrl/VerifierTest.php

@@ -27,6 +27,21 @@
 use Test\TestCase;
 
 class VerifierTest extends TestCase {
+	public function testNoSigningKey(): void {
+		$url = 'http://cloud.example.net/?OC-Credential=alice&OC-Date=2019-05-14T11%3A01%3A58.135Z&OC-Expires=1200&OC-Verb=GET&OC-Signature=f9e53a1ee23caef10f72ec392c1b537317491b687bfdd224c782be197d9ca2b6';
+		$r = new Request('GET', $url);
+		$r->setAbsoluteUrl($url);
+		$config = $this->createMock(IConfig::class);
+		# signing key for the user was never initialized
+		$config->method('getUserValue')->willReturn('');
+		$now = new \DateTime('2019-05-14T11:01:58.135Z', null);
+		$v = new Verifier($r, $config, $now);
+
+		self::assertTrue($v->isSignedRequest());
+		self::assertEquals('alice', $v->getUrlCredential());
+		self::assertFalse($v->signedRequestIsValid());
+	}
+
 	/**
 	 * @dataProvider provider
 	 * @param bool $isSignedUrl