[Bug]: Sharing Links for files or folders generate encryption keys without headers (probably legacy ones)?
⚠️ This issue respects the following points: ⚠️
- [X] This is a bug, not a question or a configuration/webserver/proxy issue.
- [X] This issue is not already reported on Github (I've searched it).
- [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [X] Nextcloud Server is running on 64bit capable CPU, PHP and OS.
- [X] I agree to follow Nextcloud's Code of Conduct.
Bug description
Error log output:
"Legacy cipher is no longer supported!"
"Undefined variable: event at /var/www/owncloud/app/lib/private/legacy/OC_Files.php#236"
I am not sure why this happens at all. Migration of encryption keys has long been done and legacy support is disabled.
encryption.key_storage_migrated does not exist in my config.
I have debugged the decryption process and after fetching, decrypting and base64 decoding the file content of the public shared private key, it is just a bunch of gibberish, which does not contain any header delimiters (https://github.com/nextcloud/server/blob/0447b53bda9fe95ea0cbed765aa332584605d652/apps/encryption/lib/Crypto/Crypt.php#L67-L68). This leads to it being treated as a legacy key, which then fails, because my config says "legacy keys are not supported". This is probably due to the way the key is being written, but I can not debug this in a live instance.
Steps to reproduce
- Using 24.0.10 (freshly updated, problem was there before) create a file (tested with 100MB and 300MB files)
- share it (public link with password)
- open share link in private window where you are not logged in
- type in the password
- try to download the file.
- See "Cannot download file" in the browser window
Expected behavior
I can download the file
Installation method
Community Manual installation with Archive
Operating system
Debian/Ubuntu
PHP engine version
PHP 7.4
Web server
Apache (supported)
Database engine version
MySQL
Is this bug present after an update or on a fresh install?
Updated from a minor version (ex. 22.2.3 to 22.2.4)
Are you using the Nextcloud Server Encryption module?
Encryption is Enabled
What user-backends are you using?
- [X] Default user-backend (database)
- [ ] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
Configuration report
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "24.0.10.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "forcessl": true,
        "loglevel": 2,
        "theme": "",
        "maintenance": false,
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "secret": "***REMOVED SENSITIVE VALUE***",
        "singleuser": false,
        "trashbin_retention_obligation": "auto",
        "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***",
        "mysql.utf8mb4": true,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "app_install_overwrite": [
            "spreed"
        ],
        "encryption.legacy_format_support": false,
        "updater.release.channel": "stable",
        "default_phone_region": "DE",
        "mail_smtpmode": "sendmail",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "data-fingerprint": "***REMOVED SENSITIVE VALUE***",
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}
List of activated Apps
Enabled:
- accessibility: 1.10.0
- activity: 2.16.0
- bruteforcesettings: 2.4.0
- calendar: 3.5.5
- circles: 24.0.1
- cloud_federation_api: 1.7.0
- comments: 1.14.0
- contacts: 4.2.5
- contactsinteraction: 1.5.0
- dashboard: 7.4.0
- dav: 1.22.0
- encryption: 2.12.0
- federatedfilesharing: 1.14.0
- federation: 1.14.0
- files: 1.19.0
- files_pdfviewer: 2.5.0
- files_rightclick: 1.3.0
- files_sharing: 1.16.2
- files_trashbin: 1.14.0
- files_versions: 1.17.0
- files_videoplayer: 1.13.0
- firstrunwizard: 2.13.0
- logreader: 2.9.0
- lookup_server_connector: 1.12.0
- nextcloud_announcements: 1.13.0
- notifications: 2.12.1
- oauth2: 1.12.0
- password_policy: 1.14.0
- photos: 1.6.0
- privacy: 1.8.0
- provisioning_api: 1.14.0
- recommendations: 1.3.0
- serverinfo: 1.14.0
- settings: 1.6.0
- sharebymail: 1.14.0
- spreed: 14.0.9
- support: 1.7.0
- survey_client: 1.12.0
- systemtags: 1.14.0
- tasks: 0.14.5
- text: 3.5.1
- theming: 1.15.0
- twofactor_backupcodes: 1.13.0
- updatenotification: 1.14.0
- user_status: 1.4.0
- viewer: 1.8.0
- workflowengine: 2.6.0
Nextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response
Hi, please update to 25.0.7 or better 26.0.2 and report back if it fixes the issue. Thank you!
My goal is to add a label like e.g. 26-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!
If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+
This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.
Still an issue in the newest 25.0.10 release.
I can not VIEW any file as a guest. I can only upload files, which are then correctly uploaded and encrypted.
Log message (excerpt):
...."version":"25.0.10.1","exception":{"Exception":"OC\\ServerNotAvailableException","Message":"Legacy cipher is no longer supported!...
This bug is still evident using 27.0.2. Please re-open.
It happens when 'encryption.legacy_format_support' is set to false. Setting it to true causes the shared links to work successfully.
==> Why is Nextcloud creating shared files using the legacy cipher?!?
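A simplified model of the failure reported in this thread, added here as an illustration and not Nextcloud's own code: content that carries no header falls through to the legacy path, which is refused when `encryption.legacy_format_support` is false. The delimiter strings, header layout, cipher names, function names and sample blobs are assumptions or constructed for the example; check them against the `Crypt.php` lines linked in the report.

```python
# Simplified model of header-based format detection; NOT Nextcloud's code.
HEADER_START = "HBEGIN"         # assumed value of the start delimiter
HEADER_END = "HEND"             # assumed value of the end delimiter
LEGACY_CIPHER = "AES-128-CFB"   # assumed cipher used when no header is found

# Constructed sample blobs (not real key material).
WITH_HEADER = "HBEGIN:cipher:AES-256-CTR:keyFormat:hash:HEND" + "Zm9vYmFy"
HEADERLESS = "k3J9x0Qw7LrT2v8nPq=="   # "gibberish" with no delimiters


class LegacyCipherRejected(Exception):
    """Raised when headerless content is met and legacy support is off."""


def parse_header(blob: str) -> dict:
    """Return the header fields, or {} when the blob has no complete header."""
    if not blob.startswith(HEADER_START):
        return {}
    end = blob.find(HEADER_END)
    if end == -1:
        return {}
    fields = blob[len(HEADER_START):end].strip(":").split(":")
    # Fields alternate key, value: cipher, AES-256-CTR, keyFormat, hash, ...
    return dict(zip(fields[0::2], fields[1::2]))


def select_cipher(blob: str, legacy_format_support: bool) -> str:
    """Pick the cipher for a blob the way the report describes the fallback."""
    header = parse_header(blob)
    if "cipher" in header:
        return header["cipher"]
    # No header: the content is treated as legacy-format data.
    if not legacy_format_support:
        raise LegacyCipherRejected("Legacy cipher is no longer supported!")
    return LEGACY_CIPHER


def triage(blob: str, legacy_format_support: bool) -> str:
    """Classify a decrypted blob for troubleshooting."""
    try:
        cipher = select_cipher(blob, legacy_format_support)
    except LegacyCipherRejected:
        return "headerless: rejected (legacy support disabled)"
    kind = "headered" if parse_header(blob) else "headerless: legacy fallback"
    return f"{kind}, cipher={cipher}"
```
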
I did not have any chance to copy my config to a test instance to reproduce this problem, but it is probably connected to user encryption keys without any master/recovery key being set. That is also most likely the case when you came from a very old version (<13) of Nextcloud or even Owncloud. Does not explain why it uses legacy format though, but it might be important for reproducing the problem.
Are you using that setup too, @Pazu?
My instance was, indeed, originally an OwnCloud instance, probably a very early one. I've upgraded it along the way and now am on the current version of Nextcloud.
I think I have a master recovery key set. At least, I have one in my records as for my original OwnCloud configuration.
I have legacy encryption enabled at the moment to avoid the "invalid key" message for my admin user, even though scan-legacy-format shows no files at all using the legacy format.
Why was this issue closed? Please re-open. It only went stale because nobody from Nextcloud looked at it at all.