OCA\DAV\Connector\Sabre\Exception\Forbidden: Access denied

[Delvin127562]

Steps to reproduce

1. Make a filter to block everything except mentioned in mime-type.
2. You should use mime-type for x-rar-compressed. Mine filter looks like /^application\/(msexcel|msword|vnd.ms-excel|vnd.ms-powerpoint|vnd.openxmlformats-officedocument.wordprocessingml.document|vnd.openxmlformats-officedocument.spreadsheetml.sheet|vnd.openxmlformats-officedocument.presentationml.presentation|pdf|zip|x-zip-compressed|x-rar-compressed|x-7z-compressed)$|text\/(plain|csv)$|image\/(jpeg|heic|png)|httpd\/unix-directory/I In this mime-type filter mentioned xls, xlsx, doc,docx... and so on including "rar" archive
3. The problem will appear, when you try to upload rar archive file. You will see in browser - "Access Denied". In logs you will see fatal error

OCA\DAV\Connector\Sabre\Exception\Forbidden: Access denied

For full error text go to "Nextcloud log" section

Expected behaviour

rar files should not be blocked as they are allowed by mime-type filter

Actual behaviour

I'm getting the error in browser - "Access Denied".

Server configuration detail

Operating system: Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64

Webserver: Apache/2.4.41 (Ubuntu) (apache2handler)

Database: mysql 10.3.25

PHP version:

7.4.3 Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, sodium, apache2handler, mysqlnd, PDO, xml, bcmath, bz2, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, imagick, intl, json, exif, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 20.0.2 - 20.0.2.2

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array ( )

List of activated apps

``` Enabled: - accessibility: 1.6.0 - admin_audit: 1.10.0 - cloud_federation_api: 1.3.0 - comments: 1.10.0 - contactsinteraction: 1.1.0 - dav: 1.16.1 - federatedfilesharing: 1.10.1 - federation: 1.10.1 - files: 1.15.0 - files_accesscontrol: 1.10.1 - files_automatedtagging: 1.10.1 - files_downloadactivity: 1.9.0 - files_external: 1.11.1 - files_retention: 1.9.0 - files_rightclick: 0.17.0 - files_sharing: 1.12.0 - files_trackdownloads: 1.9.0 - files_trashbin: 1.10.1 - files_versions: 1.13.0 - impersonate: 1.7.0 - issuetemplate: 0.7.0 - logreader: 2.5.0 - lookup_server_connector: 1.8.0 - nextcloud_announcements: 1.9.0 - notifications: 2.8.0 - oauth2: 1.8.0 - password_policy: 1.10.1 - privacy: 1.4.0 - provisioning_api: 1.10.0 - sendent: 1.0.17 - serverinfo: 1.10.0 - settings: 1.2.0 - sharebymail: 1.10.0 - support: 1.3.0 - survey_client: 1.8.0 - systemtags: 1.10.0 - text: 3.1.0 - twofactor_backupcodes: 1.9.0 - updatenotification: 1.10.0 - user_saml: 3.3.1 - viewer: 1.4.0 - workflowengine: 2.2.0 Disabled: - activity - dashboard - deck - encryption - files_pdfviewer - files_videoplayer - firstrunwizard - photos - recommendations - richdocuments - richdocumentscode - theming - user_ldap - user_status - weather_status ```

Configuration (config/config.php)

``` { "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "localhost", "goa-nc.int.domain.com", "cloud.domain.com" ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "dbtype": "mysql", "version": "20.0.2.2", "overwrite.cli.url": "https:\/\/cloud.domain.com", "htaccess.RewriteBase": "\/", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "mysql.utf8mb4": true, "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "instanceid": "***REMOVED SENSITIVE VALUE***", "app_install_overwrite": [ "files_retention" ], "log_type": "logfile", "logfile": "nextcloud.log", "loglevel": 2, "logdateformat": "F d, Y H:i:s", "log.condition": { "apps": [ "admin_audit" ] }, "log_rotate_size": 104857600, "trashbin_retention_obligation": "30, 35", "logtimezone": "Europe\/Moscow", "mail_from_address": "***REMOVED SENSITIVE VALUE***", "mail_smtpmode": "smtp", "mail_sendmailmode": "smtp", "mail_domain": "***REMOVED SENSITIVE VALUE***", "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "mail_smtpport": "25", "twofactor_enforced": "false", "twofactor_enforced_groups": [], "twofactor_enforced_excluded_groups": [], "maintenance": false } ```

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption:

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36

Operating system:

Logs

Web server error log

``` Insert your web server log here ```

Nextcloud log

``` OCA\DAV\Connector\Sabre\Exception\Forbidden: Access denied /var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 1104: OCA\DAV\Connector\Sabre\Directory->createFile() /var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 527: Sabre\DAV\Server->createFile() /var/www/html/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89: Sabre\DAV\CorePlugin->httpPut() /var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 474: Sabre\DAV\Server->emit() /var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 251: Sabre\DAV\Server->invokeMethod() /var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 319: Sabre\DAV\Server->start() /var/www/html/nextcloud/apps/dav/appinfo/v1/publicwebdav.php - line 113: Sabre\DAV\Server->exec() /var/www/html/nextcloud/public.php - line 81: require_once("/var/www/ht ... p") Caused by OCP\Files\ForbiddenException: Access denied /var/www/html/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php - line 59: OCA\FilesAccessControl\Operation->checkFileAccess() /var/www/html/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php - line 286: OCA\FilesAccessControl\StorageWrapper->checkFileAccess() /var/www/html/nextcloud/apps/dav/lib/Connector/Sabre/File.php - line 300: OCA\FilesAccessControl\StorageWrapper->unlink() /var/www/html/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php - line 155: OCA\DAV\Connector\Sabre\File->put() /var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 1104: OCA\DAV\Connector\Sabre\Directory->createFile() /var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 527: Sabre\DAV\Server->createFile() /var/www/html/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89: Sabre\DAV\CorePlugin->httpPut() /var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 474: Sabre\DAV\Server->emit() /var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 251: Sabre\DAV\Server->invokeMethod() /var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 319: Sabre\DAV\Server->start() /var/www/html/nextcloud/apps/dav/appinfo/v1/publicwebdav.php - line 113: Sabre\DAV\Server->exec() /var/www/html/nextcloud/public.php - line 81: require_once("/var/www/ht ... p") ```

Browser log

Insert your browser log here, this could for example include: a) The javascript console log b) The network log c) ...

[Delvin127562]

Anyone?

[Delvin127562]

I understand, that this soft is free, but maybe you can point, where can I look for correcting this bug?

[Delvin127562]

Friend of mine helped me a little. He added some strokes in apps/workflowengine/lib/Check/AbstractStringCheck.php to debug the problem.

                file_put_contents('superdebug.log',"pattern: $pattern, subject: $subject \n", FILE_APPEND | LOCK_EX);
                $this->matches[$patternHash][$subjectHash] = preg_match($pattern, $subject);
                return $this->matches[$patternHash][$subjectHash];

As a result he got that if you try to upload zip file, system will recognise it as:

httpd/unix-directory application/zip

This can be logically true as a zip file is a folder in someway. But, when you try to upload rar file, you can see, that system recognise it as:

httpd/unix-directory application/x-rar-compressed application/octet-stream

And yes, if you add application/octet-stream to mime filter string, rar files will become allowed. Unfortunately, it can not be a solution, only a very bad workaround as application/octet-stream will allow to upload to cloud, for example, vb scripts, that is not unacceptable at all... My friend suppose. that the problem is in lib/private/Files/Type/Detection.php, but my knowledge is not allowing me to dig deeper and he has no time to help me further...

[Delvin127562]

As another workaround I made some custom mime types for file types like ps1,vbs,ico and so on and added them to /var/www/html/nextcloud/config/mimetypemapping.json Now I can add application/octet-stream to my filter and use rar files in cloud, but it is not a good way to resolve this problem. That's why I'm still waiting for some answers and that my problem will be resolved at last...

[nickvergessen]

It should end with application/x-rar-compressed But maybe the bug about .part files interfered which we fixed recently. So maybe you can retry it with the upcoming versions?

[Draecal]

I do also have this issue, mainly while trying to send a file through Talk.

Logs contains all .part files like this one: OCP\Files\ForbiddenException: Access denied to image/jpeg in Folder Talk/IMG-20230606-WA0002.jpg.ocTransferId1815827252.part