nextcloud / richdocuments

📑 Collabora Online for Nextcloud
https://nextcloud.com/collaboraonline

[BUG] public_wopi_url is set incorrectly. #3262

Closed BreakVoid closed 9 months ago

BreakVoid commented 11 months ago

Describe the bug

I run Nextcloud 27.1.2 on TrueNAS. The issue is that public_wopi_url was automatically set incorrectly. With the incorrect URL, the documents cannot be opened.

Screenshot 2023-10-27 18 27 13

However, after I corrected it manually, the issue still occurred. The browser did not send the request with the corrected URL at all. I don't know how to fix it.

Screenshot 2023-10-27 18 29 39

To Reproduce

Steps to reproduce the behavior: Check the command in the picture

php occ config:app:get richdocuments public_wopi_url # check the current value of public_wopi_url
php occ config:app:set richdocuments public_wopi_url --value https://office.zandk.love:443 # set to the correct one.
php occ richdocuments:activate-config # maybe it is the command to reload the config?
php occ config:app:get richdocuments public_wopi_url # check the current value of public_wopi_url again, then you would find the value restored by the reloading action.

seth586 commented 10 months ago

Can reproduce problem.

Nextcloud 27.1.3
"Nextcloud Office" richdocuments 8.2.2

Monitoring access logs on my reverse proxy for Collabora, I see the following when I set the correct "URL (and Port) of Collabora Online-server" in the Nextcloud Office settings to "https://office.mydomain.com":

192.168.84.73 - - [12/Nov/2023:16:37:38 +0000] "GET /hosting/discovery HTTP/1.1" 200 31787 "-" "Nextcloud Server Crawler"
192.168.84.73 - - [12/Nov/2023:16:37:38 +0000] "GET /hosting/capabilities HTTP/1.1" 200 320 "-" "Nextcloud Server Crawler"

However there are no access logs when trying to edit documents. Browser console shows access errors due to the 'public_wopi_url' being miscoded:

The source list for the Content Security Policy directive 'img-src' contains an invalid source: 'https://office\.mydomain\.com'. It will be ignored.

The source list for the Content Security Policy directive 'frame-src' contains an invalid source: 'https://office\.mydomain\.com'. It will be ignored.

The Content-Security-Policy directive 'frame-ancestors' does not support the source expression 'https://office\.mydomain\.com'

The source list for the Content Security Policy directive 'form-action' contains an invalid source: 'https://office\.mydomain\.com'. It will be ignored.
/ocs/v2.php/apps/text/workspace?path=%2F:1 

Failed to load resource: the server responded with a status of 404 ()

Refused to send form data to 'https://office/.mydomain/.com/browser/5093121/cool.html?WOPISrc=https%3A%2F%2Fcloud.mydomain.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F4695_ockoxgfxl24y&title=%2FNew%20spreadsheet.ods&lang=en&closebutton=1&revisionhistory=1' because it violates the following Content Security Policy directive: "form-action 'self'".

richdocuments-viewer.js?v=a584c3c4-0:2  Refused to frame 'https://office/' because it violates the following Content Security Policy directive: "frame-src 'self' nc:".

Unfortunately activate-config changes the URL back to the miscoded URL:

php occ config:app:get richdocuments public_wopi_url 
+ https://office\.mydomain\.com
php occ config:app:set richdocuments public_wopi_url --value https://office.mydomain.com:443
+ Config value public_wopi_url for app richdocuments set to https://office.mydomain.com:443
php occ config:app:get richdocuments public_wopi_url 
+ https://office.mydomain.com:443
php occ richdocuments:activate-config
+ Activated any config changes
php occ config:app:get richdocuments public_wopi_url
+ https://office\.mydomain\.com
php occ config:list richdocuments
+{
+    "apps": {
+        "richdocuments": {
+            "enabled": "yes",
+            "installed_version": "8.2.2",
+            "public_wopi_url": "https:\/\/office\\.mydomain\\.com",
+            "types": "prevent_group_restriction",
+            "wopi_allowlist": "",
+            "wopi_url": "https:\/\/office.mydomain.com"
+        }
+    }
+}

nginx reverse proxy following official documentation at https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#reverse-proxy-with-nginx-webserver

results of curl -v https://office.mydomain.com:443/hosting/discovery: https://pastebin.com/WtSWna7c

collabora/code is running in a docker container

docker-compose.yml:

version: '3.3'
networks:
  net:
   driver: bridge

services:
  collabora:
    image: collabora/code
    ports:
      - 9980:9980
    container_name: collabora-code
    cap_add:
      - MKNOD
    environment:
      dictionaries: en_US
      domain: cloud.mydomain.com
      server_name: office.mydomain.com
      username: "admin"
      password: "password"
      extra_params: --o:ssl.enable=false --o:ssl.termination=true
    restart: always

shell command docker top collabora-code:

UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
systemd+            3655                3632                0                   Nov13               ?                   00:00:10            /usr/bin/coolwsd --version --use-env-vars --o:sys_template_path=/opt/cool/systemplate --o:child_root_path=/opt/cool/child-roots --o:file_server_root_path=/usr/share/coolwsd --o:logging.color=false --o:stop_on_config_change=true --o:ssl.enable=false --o:ssl.termination=true
systemd+            3741                3655                0                   Nov13               ?                   00:00:03            /usr/bin/coolforkit --systemplate=/opt/cool/systemplate --lotemplate=/opt/collaboraoffice --childroot=/opt/cool/child-roots/1-78d1c3d2/ --clientport=9980 --masterport=coolwsd-bt1xMO8z --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version --ui=default
systemd+            3743                3741                0                   Nov13               ?                   00:00:01            /usr/bin/coolforkit --systemplate=/opt/cool/systemplate --lotemplate=/opt/collaboraoffice --childroot=/opt/cool/child-roots/1-78d1c3d2/ --clientport=9980 --masterport=coolwsd-bt1xMO8z --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version --ui=default

shell command inside docker container printenv:

extra_params=--o:ssl.enable=false --o:ssl.termination=true
HOSTNAME=c6b4c6f66b04
PWD=/
domain=cloud\.mydomain\.com
HOME=/opt/cool
TERM=xterm
username=admin
SHLVL=1
LC_CTYPE=C.UTF-8
password=password
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
server_name=office\.mydomain\.com
_=/usr/bin/printenv

coolwsd is running with the --use-env-vars flag. Isn't docker compose supposed to set the environment variables? Why is it adding the backslashes to server_name?

juliushaertl commented 10 months ago

Thanks for the detailed steps. While I can reproduce the behaviour that activate-config switches the behaviour it would actually take the value from the /hosting/capabilities endpoint of the Collabora server configured in wopi_url.

occ config:list richdocuments
+ ...
+            "wopi_url": "http:\/\/collabora.local",
+            "public_wopi_url": "https:\/\/collabora.local"
+ ...
occ config:app:set richdocuments public_wopi_url --value https://office.mydomain.com:443
+ Config value public_wopi_url for app richdocuments set to + 
occ richdocuments:activate-config
+ Activated any config changes
occ config:list richdocuments
+ ...
+             "public_wopi_url": "https:\/\/collabora.local",
+             "wopi_url": "http:\/\/collabora.local",
+ ...

While I agree that it should not change the value if manually set, I would assume in your setup when the URL is the same it should also work without ever setting public_wopi_url manually.

Could you maybe share some details about your setup (coolwsd config and involved reverse proxy/webservers) as well as the output of the following curl:

curl -v https://office.mydomain.com:443/hosting/discovery
UltraBlackLinux commented 10 months ago

Hey there, the public_wopi_url is also set incorrectly for me, but it did save. I see the correct values in the config, but when I try to open a presentation, it still uses the old public_wopi_url. I'm using the collabora extension and /hosting/capabilities is a 404 for me (?)

(Sometimes it doesn't even get there and instead shows a 500 internal server error for the token request. When I tried to have a look at the logs, it immediately went away. Now that I stopped that, it's returned. Quantum stuff from physics class all over again.)

juliushaertl commented 10 months ago

> I'm using the collabora extension and /hosting/capabilities is a 404 for me (?)

This probably means you are not passing it through in your web server / reverse proxy config.

UltraBlackLinux commented 10 months ago

I have no idea what you mean. I'm using the official unofficial nextcloud docker image, which has almost everything set up

645340633 commented 10 months ago

Have you solved it? I met the same problem

juliushaertl commented 10 months ago

> I have no idea what you mean. I'm using the official unofficial nextcloud docker image, which has almost everything set up

Can you provide more details (which image, how do you start it, are you running the richdocumentscode app or a separate container for Collabora CODE)?

UltraBlackLinux commented 10 months ago

Nextcloud image: https://hub.docker.com/_/nextcloud/ richdocuments and collabora both as nextcloud apps, but I had previously tried the standalone collabora container, with the same result.

not really anything special as to how I'm running it, just docker compose up, which sets username and password for redis and the database

seth586 commented 10 months ago

FIXED! 2 problems:

  1. coolwsd is running with the --use-env-vars flag, and echo $server_name inside the docker container reveals the problem: it's printing the domain with the backslashes. At some point in history docker compose YAML used to require escaping special characters just like you would when setting environment variables. But that must have changed. My old yaml had the . escaped with \. This would explain why there are many examples of this problem elsewhere.

  2. Editing the yaml and restarting the container did not result in docker compose reading the new YAML, until the following commands are run in the project directory:

docker stop collabora-code
docker-compose down
docker-compose up -d

A lot of old collabora self hosting guides floating around the internet suggested setting YAML environment variable server_name as office\.mydomain\.com

As a fix I suggest adding an example docker-compose YAML to the official documentation.

juliushaertl commented 10 months ago

Interesting, maybe that is something that could be caught in the docker container of Collabora to strip such escaping.

juliushaertl commented 10 months ago

Wondering if this is just recently happening with https://github.com/CollaboraOnline/online/commit/2e86ea467ed4c56c75e36265b6885cd3993d8a44

juliushaertl commented 10 months ago

@timar Given the problems described in https://github.com/nextcloud/richdocuments/issues/3262#issuecomment-1809275392 would it make sense to sanitize the server_name passed in to not contain backslash escaping?

JoeHaenf commented 10 months ago

I can confirm that https://github.com/nextcloud/richdocuments/issues/3262#issuecomment-1809275392 works for me, too. Omitting the server_name variable and using only the newer aliasgroup variable does the trick. After rebooting the Collabora server with this new config, I had to reconfigure the Richdocuments app once again, of course.

juliushaertl commented 10 months ago

We could probably have a workaround for that case in richdocuments as well as in str_replace('\.', '.', $domain)

juliushaertl commented 10 months ago

Added a workaround to avoid failures in case of such escaped urls to #3315
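
The failure discussed in this thread can be checked before a browser ever sees it. The Python sketch below is an added example, not code from richdocuments or from #3315: it reads output in the shape of `occ config:list richdocuments`, tests each URL against a simplified form of the CSP host-source grammar (host labels may only contain letters, digits and `-`), and suggests the unescaped value in the spirit of the `str_replace` idea above. The function names and the sample JSON are constructed for illustration.

```python
import json
import re

# Simplified CSP Level 3 host-source: [scheme://]host[:port][/path].
# Host labels allow only letters, digits and "-", so a backslash never matches.
HOST_SOURCE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?"                    # optional scheme
    r"(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"   # host-part
    r"(?::(?:\d+|\*))?"                                    # optional port
    r"(?:/[^\s;,]*)?$"                                     # optional path
)

URL_KEYS = ("wopi_url", "public_wopi_url")


def is_csp_host_source(value: str) -> bool:
    """True if a browser would accept the value as a CSP host-source."""
    return HOST_SOURCE.match(value) is not None


def unescape_dots(value: str) -> str:
    """Turn regex-style '\\.' back into '.', as the thread's str_replace would."""
    return value.replace("\\.", ".")


def audit(config_json: str) -> list:
    """Return one finding per URL setting that cannot be used as a CSP source."""
    app = json.loads(config_json)["apps"]["richdocuments"]
    findings = []
    for key in URL_KEYS:
        value = app.get(key)
        if not value or is_csp_host_source(value):
            continue
        fixed = unescape_dots(value)
        findings.append({
            "key": key,
            "value": value,
            # Only suggest the rewrite if it actually yields a valid source.
            "suggested": fixed if is_csp_host_source(fixed) else None,
        })
    return findings


# Constructed sample mirroring the JSON quoted earlier in the thread.
SAMPLE = r'''{"apps": {"richdocuments": {
    "enabled": "yes",
    "public_wopi_url": "https:\/\/office\\.mydomain\\.com",
    "wopi_url": "https:\/\/office.mydomain.com"}}}'''

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['key']}: {f['value']!r} is not a valid CSP source; "
              f"suggested {f['suggested']!r}")
```

A finding here means the value will be dropped from `frame-src` and `form-action`, leaving only the defaults seen in the console errors above; the durable fix is still to correct `server_name` on the Collabora side and recreate the container.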