CSRF check failed when trying to share files from Desktop or iOS app

Open martinackerl opened this issue 3 years ago • 44 comments

After updating the core from 10.5.0 to 10.6.0 the sharing feature in the macOS and iOS app does not work anymore.

When using the web interface, sharing works as expected.

Expected behaviour:

Right-click on a file in my ownCloud folder -> copy public link -> paste the link in the browser -> file can be downloaded.

Actual behaviour

Right-click on a file in my ownCloud folder -> copy public link -> the window with the sharing options opens, displaying “CSRF check failed” in red. All options for creating shares are greyed out.

The iOS app displays the same message when trying to create a public link to a file.

Steps to reproduce

As described above.

Server configuration

Operating system: Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU/Linux
Web server: Apache
Database: MySQL 5.5
PHP version: 7.4
ownCloud version: 10.6.0

Storage backend (external storage): none

Client configuration

Client version: Desktop: 2.7.4 (build 2934); iOS: 11.4.5 build 182

Operating system: MacOS 10.14.6; MacOS 11.1; iOS 14.2

OS language: German

Installation path of client: /Applications/

Logs

Client logfile: Output of owncloud --logwindow or owncloud --logfile log.txt
01-11 10:14:57:710 [ warning gui.sharing.ocs ]: Reply to "GET" QUrl("https://(urlDELETEDforPRIVACY)/ocs/v1.php/apps/files_sharing/api/v1/shares") (QPair("path","/Bildschirmfoto 2021-01-03 um 12.50.59.png"), QPair("reshares","true")) has unexpected status code: 996 "{"ocs":{"meta":{"status":"failure","statuscode":996,"message":"CSRF check failed","totalitems":"","itemsperpage":""},"data":[]}}"
01-11 10:14:57:710 [ warning gui.socketapi.publiclink ]: Share fetch/create error 996 "CSRF check failed"

Web server error log:

(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:57 +0100] "GET /ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2FBildschirmfoto%202021-01-03%20um%2012.50.59.png&reshares=true&format=json HTTP/1.1" 200 128 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:57 +0100] "GET /index.php/apps/files/api/v1/thumbnail/150/150//Bildschirmfoto%202021-01-03%20um%2012.50.59.png HTTP/1.1" 200 16667 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:58 +0100] "PROPFIND /remote.php/dav/files/octestuser/Bildschirmfoto%202021-01-03%20um%2012.50.59.png HTTP/1.1" 207 548 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:58 +0100] "GET /ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2FBildschirmfoto%202021-01-03%20um%2012.50.59.png&reshares=true&format=json HTTP/1.1" 200 128 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:58 +0100] "GET /ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2FBildschirmfoto%202021-01-03%20um%2012.50.59.png&reshares=true&format=json HTTP/1.1" 200 128 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"

Server logfile: ownCloud log (data/owncloud.log):

Can’t find unusual messages.

Updated from an older ownCloud or fresh install: Update from 10.5

Where did you install ownCloud from: Initially installed ownCloud 8 from the ZIP archive provided at owncloud.com years ago and used the update function ever since.

Signing status (ownCloud 9.0 and above):

No errors have been found.

The content of config/config.php:

Can be provided on request

List of activated apps:

Only standard apps

Are you using external storage, if yes which one: local/smb/sftp/... NO

Are you using encryption: yes/no NO

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/... NO

[Screenshot attached: Bildschirmfoto 2021-01-11 um 10 37 19]

martinackerl avatar Jan 12 '21 10:01 martinackerl

@martinackerl do you have the 'mod_rewrite' module enabled and if not could you enable it and check if your issue still occurs? :crossed_fingers:

C0rby avatar Jan 14 '21 12:01 C0rby

@C0rby I think I have. This is in my .htaccess (I already tried it with the last two lines removed, but it makes no difference):

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates|changelog)/.* - [R=404,L]
  RewriteRule ^core/signature\.json - [R=404,L]
  RewriteRule ^(?:core/skeleton)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]

# inserted by me for ssl force 
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(.*)$ https://(urlDELETEDforPRIVACY)/$1 [R=301,L]

martinackerl avatar Jan 14 '21 12:01 martinackerl

I think I have.

Could you check just to make sure? The issue I found is that Apache is stripping the Authorization header when passing the request to the PHP context. The rewrite rule `RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` passes it in again, but it will only do so when mod_rewrite is enabled. Locally this fixed the issue for me. If in your setup it IS enabled and the issue still occurs, then I need to dig deeper...

C0rby avatar Jan 14 '21 13:01 C0rby
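A diagnostic probe for what is described above, added here as an example (it is not ownCloud code and not from any comment in this thread): it reports whether an Authorization header sent with the request is still visible once PHP runs, which is exactly what the rewrite rule is supposed to guarantee. The file name auth_probe.php, the host example.invalid and the test credentials are assumptions.

```php
<?php
// auth_probe.php: constructed diagnostic, not part of ownCloud. Drop it next
// to index.php, request it once with HTTP Basic auth, then remove it again:
//
//   curl -u testuser:testpassword https://example.invalid/auth_probe.php
//
// If the header is stripped by the web server (common with CGI/FastCGI PHP),
// none of the variables below will be set and the OCS sharing endpoints in
// 10.6 will treat the client request as token-less and answer with 996.
header('Content-Type: text/plain; charset=utf-8');

// "apache2handler" means mod_php; "cgi-fcgi" / "fpm-fcgi" mean the header
// has to be re-injected by mod_rewrite (env=HTTP_AUTHORIZATION) to reach PHP.
echo "PHP SAPI: " . PHP_SAPI . "\n";

// Places the header can surface, depending on the server setup:
//  - HTTP_AUTHORIZATION:          passed through directly, or set by the env rule
//  - REDIRECT_HTTP_AUTHORIZATION: the env rule fired during an internal redirect
//  - PHP_AUTH_USER:               PHP already decoded the Basic credentials
$candidates = ['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION', 'PHP_AUTH_USER'];
$seen = [];
foreach ($candidates as $key) {
    // An empty value counts as "not delivered": the env rule can inject
    // an empty string when Apache never handed the header to mod_rewrite.
    if (isset($_SERVER[$key]) && $_SERVER[$key] !== '') {
        $seen[] = $key;
    }
}

if ($seen === []) {
    echo "Authorization header did NOT reach PHP.\n";
    echo "Check that mod_rewrite is active, that AllowOverride All lets the\n";
    echo ".htaccess apply, and that this rule is present and not bypassed:\n";
    echo "  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]\n";
} else {
    // Report only which variables carry the header, never the credential itself.
    echo "Authorization header reached PHP via: " . implode(', ', $seen) . "\n";
}
```

If the probe reports the header as missing while the web UI (which sends a CSRF token instead) keeps working, the 996 seen by the desktop and iOS clients is explained by the server setup rather than by the clients.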

Sorry, could you please give me a hint on how I can check this for sure? It is installed on a managed Ionos hosting. Edit: php_info does not list Loaded Modules.

However, I am pretty sure it is activated because the two lines I added do make a difference. When I open my ownCloud in a web browser via http://(URLtomyCloud)/ it instantly forwards to https://(URLtomyCloud)/. When I remove those lines, I can also access my ownCloud directly via http.

martinackerl avatar Jan 14 '21 13:01 martinackerl

Could you try this?

<?php
	print in_array('mod_rewrite', apache_get_modules()) ? "Enabled" : "Disabled";
?>

C0rby avatar Jan 14 '21 14:01 C0rby

It's not allowed... 😕 Fatal error: Uncaught Error: Call to undefined function apache_get_modules() ………

martinackerl avatar Jan 14 '21 14:01 martinackerl

---------------  On Debian based systems --------------- 
$ apache2ctl -t -D DUMP_MODULES   
OR 
$ apache2ctl -M

---------------  On RHEL based systems --------------- 
$ apachectl -t -D DUMP_MODULES   
OR 
$ httpd -M
$ apache2ctl -M

micbar avatar Jan 14 '21 15:01 micbar

I think the problem here is that @martinackerl is on a managed hoster. I'm out of ideas. I think the next step would be to ask your hoster about the setup. Is the apache configured with php-module or cgi?

C0rby avatar Jan 14 '21 15:01 C0rby

@micbar I have access to a bash shell via ssh, but the commands don't seem to work (I am not experienced):

Linux infong68 4.4.236-icpu-055 #2 SMP Mon Sep 21 13:48:35 UTC 2020 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.


Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
(uiserver):u6??????2:~$ apache2ctl -M
-bash: apache2ctl: Kommando nicht gefunden.
(uiserver):u6??????2:~$ httpd -M
-bash: httpd: Kommando nicht gefunden.
(uiserver):u6??????2:~$ apachectl -t -D DUMP_MODULES
-bash: apachectl: Kommando nicht gefunden.
(uiserver):u6??????2:~$ 

@C0rby this is what php_info states: (is this what you are looking for?)

Server API CGI/FastCGI
Virtual Directory Support disabled
Configuration File (php.ini) Path /etc/php7.4
Loaded Configuration File /etc/php7.4/php.ini

martinackerl avatar Jan 14 '21 15:01 martinackerl

Not quite. You could try ls /etc/apache2/mods-enabled.

C0rby avatar Jan 14 '21 15:01 C0rby

There is no apache2 directory in /etc

(uiserver):u????????:/etc$ ls
adduser.conf		debsums-ignore	     issue.net	     mysql	    php7.3	    shadow-
alternatives		default		     joe	     nanorc	    php7.4	    shells
apparmor.d		deluser.conf	     kernel	     nemesis	    php8.0	    skel
apt			dictionaries-common  ldap	     netconfig	    profile	    ssh
authd.conf		dpkg		     ld.so.cache     networks	    profile.d	    ssl
bash.bashrc		emacs		     ld.so.conf      nsswitch.conf  protocols	    subgid
bash_completion		environment	     ld.so.conf.d    oneclick	    python	    subuid
bash_completion.d	fakechroot	     libaudit.conf   opt	    python2.7	    subversion
bindresvport.blacklist	fonts		     libnl-3	     os-release     python3	    sysctl.conf
ca-certificates		fstab		     libpaper.d      pam.conf	    python3.7	    sysctl.d
ca-certificates.conf	ftd		     localtime	     pam.d	    quotagrpadmins  systemd
calendar		gai.conf	     logcheck	     papersize	    quotatab	    terminfo
cbi			ghostscript	     login.defs      passwd	    rc0.d	    timezone
complete.tcsh		gitconfig	     logrotate.conf  passwd-	    rc1.d	    ucf.conf
cron.allow		groff		     logrotate.d     pear4.4.conf   rc2.d	    ufw
cron.d			group		     lynx	     pear5.2.conf   rc3.d	    ui-sendmail-wrapper.conf
cron.daily		group-		     magic	     pear5.4.conf   rc4.d	    update-motd.d
cron.deny		gshadow		     magic.mime      pear5.5.conf   rc5.d	    vim
cron.hourly		gshadow-	     mailcap	     pear6.conf     rc6.d	    warnquota.conf
cron.monthly		gss		     mailcap.order   pear7.1.conf   rcS.d	    wgetrc
crontab			host.conf	     mail.rc	     pear7.3.conf   resolv.conf     wordpress
cron.weekly		hostname	     manpath.config  pear7.4.conf   rmt		    X11
csh			hosts		     mc		     pear8.0.conf   rpc		    xattr.conf
csh.cshrc		hosts.allow	     mercurial	     perl	    rssh.conf	    zsh
csh.login		hosts.deny	     mime.types      php4.4	    securetty
csh.logout		ImageMagick-6	     mke2fs.conf     php5.2	    security
debconf.conf		init.d		     mkshrc	     php5.4	    selinux
debian_chroot		inputrc		     motd	     php5.5	    services
debian_version		issue		     mtab	     php7.1	    shadow

martinackerl avatar Jan 14 '21 15:01 martinackerl

Then unfortunately I'm out of ideas. Maybe try to contact the Ionos support to figure out how your system is set up: whether mod_rewrite is enabled and, if not, how to enable it. And once you have that and can still reproduce the issue, feel free to ping me again.

C0rby avatar Jan 14 '21 16:01 C0rby

I will do this. Thank you very much. What I find odd is that it worked fine for years, and suddenly after the update to 10.6.0 this problem emerged.

martinackerl avatar Jan 14 '21 16:01 martinackerl

Are you an admin user? You can create a config report from the web UI.

Excerpt from my test instance:

"phpinfo": {
        "apache2handler": {
            "Apache Version": "Apache\/2.4.43 (Unix) OpenSSL\/1.1.1g PHP\/7.2.32",
            "Apache API Version": "20120211",
            "Server Administrator": "[email protected]",
            "Hostname:Port": "cloud.local:0",
            "User\/Group": "mbarz(501)\/20",
            "Max Requests": "Per Child: 0 - Keep Alive: on - Max Per Connection: 100",
            "Timeouts": "Connection: 60 - Keep-Alive: 5",
            "Virtual Server": "Yes",
            "Server Root": "\/usr\/local\/opt\/httpd",
            "Loaded Modules": "core mod_so http_core prefork mod_authn_file mod_authn_core mod_authz_host mod_authz_groupfile mod_authz_user mod_authz_core mod_access_compat mod_auth_basic mod_socache_shmcb mod_filter mod_deflate mod_mime mod_log_config mod_env mod_headers mod_setenvif mod_version mod_ssl mod_unixd mod_status mod_autoindex mod_dir mod_alias mod_rewrite mod_php7",
            "engine": "1",
            "last_modified": "0",
            "xbithack": "0"
        },

micbar avatar Jan 14 '21 16:01 micbar

"Loaded Modules"

@C0rby @martinackerl Pro tip 😄

micbar avatar Jan 14 '21 16:01 micbar

"Loaded Modules"

@C0rby @martinackerl Pro tip 😄

I also considered it but @martinackerl did try phpinfo before and this didn't show the loaded modules. It's worth a try though... :see_no_evil:

C0rby avatar Jan 14 '21 16:01 C0rby

There is a big difference:

  1. PHP on the CLI does not go through Apache.

  2. Generating the config report via the web UI routes the request through Apache.

micbar avatar Jan 14 '21 16:01 micbar

@micbar thanks for the hint, but the config report also gives me no apache2handler section. 🤷‍♂️

Anyway, I talked with the support in the meantime and they told me that mod_rewrite is active and apache is configured with php-module.

martinackerl avatar Jan 14 '21 16:01 martinackerl

Then we must conclude that your ownCloud is not served by Apache. 🤷‍♂️

micbar avatar Jan 14 '21 16:01 micbar

@micbar I respectfully object 🧐. ownCloud's config report says:

{
    "basic": {
        "license key": "***REMOVED SENSITIVE VALUE***",
        "date": "Thu, 14 Jan 2021 16:23:00 +0000",
        "ownCloud version": "10.6.0.5",
        "ownCloud version string": "10.6.0",
        "ownCloud edition": "Community",
        "server OS": "Linux",
        "server OS version": "Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU\/Linux",
        "server SAPI": "cgi-fcgi",
        "webserver version": "Apache",

martinackerl avatar Jan 14 '21 17:01 martinackerl

🤔

"server SAPI": "cgi-fcgi",

no mod_php

That means that your Apache is not using mod_php.

micbar avatar Jan 14 '21 19:01 micbar

"server SAPI": "cgi-fcgi"

This info is helpful though. :+1:

C0rby avatar Jan 14 '21 23:01 C0rby

@martinackerl, okay, so just to test I set up a system with fcgi and it worked there too. That means something in your setup is missing.

Maybe you still need to add AllowOverride All to your apache VirtualHost config. But I would close this issue now since it is a config issue.

C0rby avatar Jan 15 '21 13:01 C0rby

@C0rby Thank you for your efforts and your time. I absolutely understand if you don't want to spend any more of it on this issue, but I still think this is a bug in the 10.6 core that cannot be ignored.

So I made 2 complete new installations (core 10.5 and core 10.6) via the zip file from owncloud.com on two different subdomains, kept every setting standard, even using SQLite.

On core 10.6 I still get this error when trying to share a file from the client software. Share fetch/create error 996 “CSRF check failed”

On core 10.5 everything works as expected.

A standard installation on a standard hosting of a very big hoster should just work or at least give the user a clear hint what to do. There is no error 996 in the documentation.

Please open the issue again so that at least someone else can try to find a solution.

martinackerl avatar Jan 15 '21 16:01 martinackerl

Our company had the same issue as @martinackerl with sharing on macOS after upgrading to core 10.6. We found out that the issue was caused by the changes of this commit: https://github.com/owncloud/core/commit/3b4027fc538a035108dea7c65384c65ce07ecf5a

We put the "@NoCSRFRequired" parameter back to every function in this file "apps/files_sharing/lib/Controller/Share20OcsController.php" and sharing is working again on macOS without the CSRF check error.

@C0rby it would be nice if you could check why your changes cause this issue and how it could be solved.

held-vitalij avatar Jan 16 '21 05:01 held-vitalij

@held-vitalij Thank you for the tip! Using apps/files_sharing/lib/Controller/Share20OcsController.php from Version 10.5 does the trick. It's at least a workaround! I still think this should be fixed.

martinackerl avatar Jan 16 '21 12:01 martinackerl

https://github.com/owncloud/core/commit/3b4027fc538a035108dea7c65384c65ce07ecf5a (#38019):

-			if (!$this->request->passesCSRFCheck()) {
+			if (!$this->request->passesCSRFCheck() && $this->request->getHeader("Authorization") === null) {
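Review bot: the relaxed condition on the `+` line assumes the Authorization header is still present when the request reaches PHP, but this thread shows a setup ("server SAPI": "cgi-fcgi") where Apache drops the header before PHP sees it, so the desktop and iOS clients, which authenticate with that header rather than a CSRF token, now fall into the failure branch and receive a 996 "CSRF check failed" that points away from the real cause. Suggest logging a warning (or extending the failure message) when neither a CSRF token nor an Authorization header is present, naming the HTTP_AUTHORIZATION rewrite rule from the shipped .htaccess so admins can find the misconfiguration, and treating an empty header value like a missing one rather than comparing only against null, since an env-injected but empty value would otherwise satisfy the condition and switch the CSRF check off.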

Could the problem be that a cgi-fcgi config does not pass the Authorization header correctly?

https://doc.owncloud.com/server/10.6/admin_manual/installation/system_requirements.html#server says:

Apache 2.4 with prefork and mod_php

No support for something like cgi-fcgi by ownCloud?

ho4ho avatar Jan 16 '21 14:01 ho4ho

@held-vitalij @martinackerl The change you are referring to was necessary to close an attack vector. It was reported to us by an external party and we mitigated it.

See advisory https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/

Our mobile and desktop clients always send an Authorization header. So with a proper server config, it will work. Using the 10.5 version of the apps/files_sharing/lib/Controller/Share20OcsController.php is not recommended due to the known issue.

micbar avatar Jan 16 '21 18:01 micbar

@ho4ho We officially support mod_php only because it is thread-safe. But many instances are using fcgi on their own risk.

micbar avatar Jan 16 '21 18:01 micbar

My hosting support assured me that mod_rewrite is enabled and AllowOverride All is configured.

Still I get the CSRF error - on a brand new clean install.

Could you please take another look into the changes in 10.6 that trigger this error? Would be much appreciated.

martinackerl avatar Jan 29 '21 08:01 martinackerl

Hello @martinackerl,

we solved the problem by adding `RewriteEngine on` and `RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` to our site file /etc/apache2/sites-available/owncloud-ssl.conf. Maybe there is a problem with your .htaccess file so that Apache ignores some settings.

held-vitalij avatar Jan 29 '21 19:01 held-vitalij