
With server-side encryption, pages might become inaccessible to members

Open mejo- opened this issue 1 year ago • 5 comments

Describe the bug

On an instance with server-side encryption enabled and several users editing in a collective over the last weeks, several pages became inaccessible to some users. The calls to webdav and text API to fetch the page content resulted in server errors:

"Exception": "OC\Encryption\Exceptions\DecryptionFailedException",
"Message": "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.",
JSON Trace
{
  "Exception": "OC\\Encryption\\Exceptions\\DecryptionFailedException",
  "Message": "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.",
  "Code": 0,
  "Trace": [
    {
      "file": "/var/www/cloud.example.org/nextcloud-25.0.7/lib/private/Files/Stream/Encryption.php",
      "line": 519,
      "function": "decrypt",
      "class": "OCA\\Encryption\\Crypto\\Encryption",
      "type": "->",
      "args": [
        "*** sensitive parameters replaced ***"
      ]
    },
    {
      "file": "/var/www/cloud.example.org/nextcloud-25.0.7/lib/private/Files/Stream/Encryption.php",
      "line": 317,
      "function": "readCache",
      "class": "OC\\Files\\Stream\\Encryption",
      "type": "->",
      "args": []
    },
    {
      "function": "stream_read",
      "class": "OC\\Files\\Stream\\Encryption",
      "type": "->",
      "args": [
        626
      ]
    },
    {
      "file": "/var/www/cloud.exampl.org/nextcloud-25.0.7/3rdparty/icewind/streams/src/Wrapper.php",
      "line": 55,
      "function": "fread",
      "args": [
        null,
        8192
      ]
    },
    {
      "file": "/var/www/cloud.example.org/nextcloud-25.0.7/3rdparty/icewind/streams/src/CallbackWrapper.php",
      "line": 96,
      "function": "stream_read",
      "class": "Icewind\\Streams\\Wrapper",
      "type": "->",
      "args": [
        8192
      ]
    },
    {
      "function": "stream_read",
      "class": "Icewind\\Streams\\CallbackWrapper",
      "type": "->",
      "args": [
        8192
      ]
    },
    {
      "file": "/var/www/cloud.example.org/nextcloud-25.0.7/3rdparty/sabre/http/lib/Sapi.php",
      "line": 110,
      "function": "stream_copy_to_stream",
      "args": [
        null,
        null,
        626
      ]
    },
    {
      "file": "/var/www/cloud.example.org/nextcloud-25.0.7/3rdparty/sabre/dav/lib/DAV/Server.php",
      "line": 490,
      "function": "sendResponse",
      "class": "Sabre\\HTTP\\Sapi",
      "type": "0:0:0:0:0:0:0:0",
      "args": [
        [
          "Sabre\\HTTP\\Response"
        ]
      ]
    },
    {
      "file": "/var/www/cloud.example.org/nextcloud-25.0.7/3rdparty/sabre/dav/lib/DAV/Server.php",
      "line": 253,
      "function": "invokeMethod",
      "class": "Sabre\\DAV\\Server",
      "type": "->",
      "args": [
        [
          "Sabre\\HTTP\\Request"
        ],
        [
          "Sabre\\HTTP\\Response"
        ]
      ]
    },
    {
      "file": "/var/www/cloud.example.org/nextcloud-25.0.7/3rdparty/sabre/dav/lib/DAV/Server.php",
      "line": 321,
      "function": "start",
      "class": "Sabre\\DAV\\Server",
      "type": "->",
      "args": []
    },
    {
      "file": "/var/www/cloud.example.org/nextcloud-25.0.7/apps/dav/lib/Server.php",
      "line": 360,
      "function": "exec",
      "class": "Sabre\\DAV\\Server",
      "type": "->",
      "args": []
    },
    {
      "file": "/var/www/cloud.example.org/nextcloud-25.0.7/apps/dav/appinfo/v2/remote.php",
      "line": 35,
      "function": "exec",
      "class": "OCA\\DAV\\Server",
      "type": "->",
      "args": []
    },
    {
      "file": "/var/www/cloud.example.org/nextcloud-25.0.7/remote.php",
      "line": 172,
      "args": [
        "/var/www/cloud.example.org/nextcloud-25.0.7/apps/dav/appinfo/v2/remote.php"
      ],
      "function": "require_once"
    }
  ],
  "File": "/var/www/cloud.example.org/nextcloud-25.0.7/apps/encryption/lib/Crypto/Encryption.php",
  "Line": 382,
  "Hint": "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.",
  "message": "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.",
  "exception": {},
  "CustomMessage": "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you."
}
Server details

Collectives app version: 2.5.0
Operating system: Debian Bullseye
Nextcloud version: 25.0.7

mejo- May 27 '23 16:05

also with NC 26.0.2 with error: OC\ServerNotAvailableException: Legacy cipher is no longer supported! /var/www/html/apps/encryption/lib/Crypto/Encryption.php - line 239: OCA\Encryption\Crypto\Crypt->getLegacyCipher()

4tler Jun 13 '23 20:06

We run into a similar error. Collective Pages I created I can see, but my colleagues whom I share the content with only see a blank page.

https://help.nextcloud.com/t/problem-with-displaying-shared-content-in-collectives/171116

edit: we're running NC 27

Hope there is some fix for this soon, as sharing the knowledge is the core of the Collectives Idea.

markusrock Oct 02 '23 05:10

After digging a bit deeper: numerous problems could be solved by manually making a release again on the respective collective folder in the files.

However, the collective folder in the files is sometimes empty, and sometimes I cannot open all folders at all. So it was not possible for me to create a corresponding file share.

So I guess the problem here is somewhere in the file creation & sharing area of Collective.

`[webdav] Fehler: OC\Encryption\Exceptions\DecryptionFailedException: Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you. at <>

  1. /var/www/vhosts/REDACTED/lib/private/Files/Stream/Encryption.php line 517 OCA\Encryption\Crypto\Encryption->decrypt("*** sensitive parameters replaced ***")
  2. /var/www/vhosts/REDACTED/lib/private/Files/Stream/Encryption.php line 316 OC\Files\Stream\Encryption->readCache()
  3. <> OC\Files\Stream\Encryption->stream_read()
  4. /var/www/vhosts/REDACTED/apps/files_external/3rdparty/icewind/streams/src/Wrapper.php line 55 fread()
  5. /var/www/vhosts/REDACTED/apps/files_external/3rdparty/icewind/streams/src/CallbackWrapper.php line 96 Icewind\Streams\Wrapper->stream_read()
  6. <> Icewind\Streams\CallbackWrapper->stream_read()
  7. /var/www/vhosts/REDACTED/3rdparty/sabre/http/lib/Sapi.php line 110 stream_copy_to_stream()
  8. /var/www/vhosts/REDACTED/3rdparty/sabre/dav/lib/DAV/Server.php line 490 Sabre\HTTP\Sapi::sendResponse()
  9. /var/www/vhosts/REDACTED/3rdparty/sabre/dav/lib/DAV/Server.php line 253 Sabre\DAV\Server->invokeMethod()
  10. /var/www/vhosts/REDACTED/3rdparty/sabre/dav/lib/DAV/Server.php line 321 Sabre\DAV\Server->start()
  11. /var/www/vhosts/REDACTED/apps/dav/lib/Server.php line 365 Sabre\DAV\Server->exec()
  12. /var/www/vhosts/REDACTED/apps/dav/appinfo/v2/remote.php line 35 OCA\DAV\Server->exec()
  13. /var/www/vhosts/REDACTED/remote.php line 172 require_once("/var/www/vhosts ... p")

GET /remote.php/dav/files/markus1/Kollektive/7_Service/Windows%20Troubleshooting/Windows%20Tablet%20Keyboard.md from 87.123.63.184 by markus1 at 2023-10-05T08:52:18+00:00`

markusrock Oct 05 '23 08:10

Tested again now with a new colleague. He had the same issues on some of our Collective pages, even though he has access through a defined group.

markusrock Oct 11 '23 10:10

Completely deactivating the server side encryption "solves" the issue. So the issue definitely is somewhere with the encryption and the collectives app.

markusrock Nov 06 '23 07:11
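
For operators triaging the errors reported in this thread, the following added example (not part of the issue and not Nextcloud or Collectives code) scans JSON log lines for `DecryptionFailedException` and lists which pages failed to decrypt for which users. It assumes one JSON object per log line with top-level `user` and `url` fields and an `exception` object shaped like the trace above; the sample entries are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import unquote, urlsplit

DECRYPT_FAIL = "OC\\Encryption\\Exceptions\\DecryptionFailedException"
DAV_PREFIX = "/remote.php/dav/files/"

def affected_pages(log_lines):
    """Map each WebDAV path that failed to decrypt to the users who hit it."""
    hits = defaultdict(set)
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(entry, dict):
            continue
        exc = entry.get("exception")  # assumed key for the logged exception
        if not isinstance(exc, dict) or exc.get("Exception") != DECRYPT_FAIL:
            continue
        path = urlsplit(str(entry.get("url") or "")).path
        if not path.startswith(DAV_PREFIX):
            continue
        # Layout: /remote.php/dav/files/<user>/<path in that user's tree>
        _, _, rel = path[len(DAV_PREFIX):].partition("/")
        hits[unquote(rel)].add(entry.get("user") or "unknown")
    return {page: sorted(users) for page, users in hits.items()}

def _entry(user, page, exc_class):
    # Build one constructed log line; none of these come from the issue.
    return json.dumps({"user": user, "method": "GET",
                       "url": DAV_PREFIX + user + "/" + page,
                       "exception": {"Exception": exc_class}})

SAMPLE = [
    _entry("alice", "Collectives/Wiki/Setup%20Guide.md", DECRYPT_FAIL),
    _entry("bob", "Collectives/Wiki/Setup%20Guide.md", DECRYPT_FAIL),
    _entry("bob", "Collectives/Wiki/Readme.md", "Sabre\\DAV\\Exception\\NotFound"),
    _entry("carol", "Collectives/Wiki/Readme.md", DECRYPT_FAIL),
    '{"user": "dave", "url": "/remote.php/dav/fi',  # truncated line
]

if __name__ == "__main__":
    for page, users in affected_pages(SAMPLE).items():
        print(f"{page}: {', '.join(users)}")
```

A page that fails for some members but not others points at per-user key access rather than a corrupt file, which matches the pattern described in the comments above.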