nextcloud / polls

🗳️ Polls app for Nextcloud
https://apps.nextcloud.com/apps/polls
GNU Affero General Public License v3.0

CSRF check failed after random number of requests (causes 404 - poll not found) #1472

Closed BenKluwe closed 3 years ago

BenKluwe commented 3 years ago

What is going wrong?

Describe the bug: A Nextcloud server instance responds with 412 (precondition failed) "CSRF check failed" after a random number of requests. When the CSRF token is renewed the server responds again but the page stays on 404 - poll not found.

To Reproduce Steps to reproduce the behavior:

  1. Go to the Polls app
  2. Click on a poll
  3. Wait

Expected behavior The poll page continually polls a Nextcloud server instance for updates without errors.

Actual behavior The poll becomes unavailable (404 - poll not found) after some time (or immediately) and stays that way even when the CSRF token is renewed.

Screenshots: (image)

after some time:

(image)

Information about your polls installation

Polls version? (see apps page) 1.7.5

Fresh installation or update from a prior version (from which one)? update from previous version (I don't know which version was previous)

How did you install this version? (Appstore or describe installation) Appstore

Information about your Instance of Nextcloud

Nextcloud version: (see Nextcloud admin page) 20.0.8 reported (20.0.8.1 in config)

List of activated apps:

Enabled:
  - accessibility: 1.6.0
  - activity: 2.13.4
  - admin_audit: 1.10.0
  - analytics: 3.3.3
  - appointments: 1.8.10
  - apporder: 0.12.0
  - calendar: 2.1.3
  - checksum: 1.1.1
  - circles: 0.20.7
  - cloud_federation_api: 1.3.0
  - comments: 1.10.0
  - contacts: 3.4.3
  - contactsinteraction: 1.1.0
  - dashboard: 7.0.0
  - dav: 1.16.2
  - deck: 1.2.5
  - duplicatefinder: 0.0.6
  - event_update_notification: 1.2.0
  - external: 3.7.2
  - federatedfilesharing: 1.10.2
  - federation: 1.10.1
  - files: 1.15.0
  - files_accesscontrol: 1.10.2
  - files_external: 1.11.1
  - files_mindmap: 0.0.24
  - files_pdfviewer: 2.0.1
  - files_rightclick: 0.17.0
  - files_sharing: 1.12.2
  - files_trashbin: 1.10.1
  - files_versions: 1.13.0
  - files_videoplayer: 1.9.0
  - firstrunwizard: 2.9.0
  - flow_notifications: 1.0.3
  - groupfolders: 8.2.0
  - groupquota: 0.1.5
  - impersonate: 1.7.0
  - logreader: 2.5.0
  - lookup_server_connector: 1.8.0
  - mail: 1.9.1
  - nextcloud_announcements: 1.9.0
  - notifications: 2.8.0
  - oauth2: 1.8.0
  - password_policy: 1.10.1
  - photos: 1.2.3
  - polls: 1.7.5
  - privacy: 1.4.0
  - provisioning_api: 1.10.0
  - quota_warning: 1.9.1
  - ransomware_detection: 0.10.0
  - recommendations: 0.8.0
  - serverinfo: 1.10.0
  - settings: 1.2.0
  - sharebymail: 1.10.0
  - spreed: 10.0.6
  - support: 1.3.0
  - survey_client: 1.8.0
  - systemtags: 1.10.0
  - tasks: 0.13.6
  - text: 3.1.0
  - theming: 1.11.0
  - twofactor_backupcodes: 1.9.0
  - updatenotification: 1.10.0
  - user_status: 1.0.1
  - user_usage_report: 1.4.2
  - viewer: 1.4.0
  - w2g2: 3.0.3
  - weather_status: 1.0.0
  - workflowengine: 2.2.0

Nextcloud configuration:

<?php
$CONFIG = array (
  [...]
  'dbtype' => 'mysql',
  'version' => '20.0.8.1',
  'overwrite.cli.url' => 'https://www.thermetrix.com/nextcloud',
  'overwriteprotocol' => 'https',
  'forcessl' => true,
  'installed' => true,
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'app_install_overwrite' => 
  array (
    0 => 'bookmarks_fulltextsearch',
  ),
);

Server configuration

Database: mariadb 5.7.32-log

PHP version: 7.3.27

Are you using an external user-backend, if yes which one: no

Client configuration

Device: Desktop (Debian 10)

Browser: Firefox 78.8.0esr (64 bit)

Logs

Nextcloud log (data/nextcloud.log)

taken from when log level was 0:

{"reqId":"YEcghaocZj0Q5bGjQ1s-7QAAAAE","level":0,"time":"2021-03-09T07:15:17+00:00","remoteAddr":"[...]","user":"Ben","app":"core",
"method":"GET","url":"/nextcloud/index.php/apps/polls/polls","message":
{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\CrossSiteRequestForgeryException","Message":"CSRF check failed","Code":412,"Trace":[
    {"file":"[..]/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":98,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->","args":[{"__class__":"OCA\\Polls\\Controller\\PollController"},"list"]},
    {"file":"[..]/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":98,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->","args":[{"__class__":"OCA\\Polls\\Controller\\PollController"},"list"]},
    {"file":"[..]/nextcloud/lib/private/AppFramework/App.php","line":152,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[{"__class__":"OCA\\Polls\\Controller\\PollController"},"list"]},
    {"file":"[..]/nextcloud/lib/private/Route/Router.php","line":309,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\Polls\\Controller\\PollController","list",{"__class__":"OC\\AppFramework\\DependencyInjection\\DIContainer"},{"_route":"polls.poll.list"}]},
    {"file":"[..]/nextcloud/lib/base.php","line":1008,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/polls/polls"]},
    {"file":"[..]/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::","args":[]}
],"File":"[..]/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":181,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0","version":"20.0.8.1"}

Browser log

see screenshots

Comment

Attempted fix by adding 'overwriteprotocol' => 'https', 'forcessl' => true, to config.php as suggested in https://github.com/nextcloud/ios/issues/768

I don't know whether or not this is caused by the polls app or the nextcloud server (hence I also don't know if this is the correct repository to post in) because I have observed it frequently in the polls app and sometimes in the files and spreed (talk) app. This issue has been observed on this server instance throughout upgrades from at least Nextcloud 18.

In either case, after the CSRF token is renewed the polls app should go back to the poll that was loaded previously.

dartcafe commented 3 years ago

When the CSRF token is renewed the server responds again but the page stays on 404 - poll not found.

I guess you refer to this: (image)

If /apps/polls/vote/{pollId} is answered with 404, the page gets relocated to /apps/polls/not-found. You have to go back to the votes page.

dartcafe commented 3 years ago

Anyway, the behavior will change in 1.8. We will start a long poll and wait for updates. When the request fails, while a poll page is displayed, there will be 5 retries to reestablish the connection with a 30 second wait between each retry.
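
The reconnect policy described above (long poll, 5 retries, 30 second wait), written out as an added example that is not the Polls app's own code. The request function, the token refresh callback, and treating a 412 "CSRF check failed" as a signal to refresh the request token before retrying are assumptions; a 404 is deliberately not retried, since it means the poll itself is gone and the page should move to not-found.

```javascript
// Added example of a long-poll watcher with a bounded retry policy.
// Constants follow the 1.8 behaviour described in the thread.
const MAX_RETRIES = 5;
const RETRY_DELAY_MS = 30 * 1000;

function initialState() {
  return { retries: 0 };
}

// Pure decision step: given the watcher state and the outcome of one request,
// say what to do next. Keeping this free of timers and network makes the
// policy testable on its own.
// outcome is { status: <http status> } or { error: true } for a network failure.
function nextAction(state, outcome) {
  if (outcome.status === 404) {
    // Poll deleted or access withdrawn: stop watching, do not retry.
    return { type: 'not-found', state };
  }
  if (outcome.status === 200 || outcome.status === 304) {
    // Successful long-poll round: reset the retry budget and poll again.
    return { type: 'continue', delayMs: 0, state: initialState() };
  }
  // Transient failures: timeout / network error, 412 (stale CSRF token), 5xx.
  const transient = outcome.error || outcome.status === 412 || outcome.status >= 500;
  if (transient && state.retries < MAX_RETRIES) {
    return {
      type: 'retry',
      delayMs: RETRY_DELAY_MS,
      refreshToken: outcome.status === 412, // assumption: renew request token first
      state: { retries: state.retries + 1 },
    };
  }
  return { type: 'give-up', state };
}

// Driver: requestOnce() resolves to an HTTP status or rejects on network error;
// refreshToken() renews the CSRF request token (both hypothetical callbacks).
async function watchPoll(requestOnce, refreshToken, sleep = (ms) => new Promise((r) => setTimeout(r, ms))) {
  let state = initialState();
  for (;;) {
    let outcome;
    try {
      outcome = { status: await requestOnce() };
    } catch (e) {
      outcome = { error: true };
    }
    const action = nextAction(state, outcome);
    state = action.state;
    if (action.type === 'continue') continue;
    if (action.type === 'retry') {
      if (action.refreshToken) await refreshToken();
      await sleep(action.delayMs);
      continue;
    }
    return action.type; // 'not-found' or 'give-up'
  }
}
```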

BenKluwe commented 3 years ago

Yes, that is the page that I meant. The new approach is definitely better; I was thrown onto the not-found link a few times due to single request timeouts to the server.

With regard to the CSRF token, I believe it is caused by the manipulation of the php.ini in the user directory, which may be specific to this instance. It runs on a 1and1 server so I don't have direct access to apache and php, and when I added my own php.ini to the nextcloud directory with values such as memory_limit=xyz or the opcache settings (tried both options separately and checked permissions on the folder for opcache), the invalid CSRF token responses appeared again.

github-actions[bot] commented 5 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.