nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

CSRF check not passed message when dragging folders into Nextcloud 13 Web interface #11180

Closed cvandesande closed 5 years ago

cvandesande commented 6 years ago


Steps to reproduce

  1. Use KDE Plasma desktop 5.13.5 (Arch Linux - haven't tested with other desktops yet)
  2. Use Firefox 62.0 or Chromium 69.0.3497.81
  3. Drag and drop a folder with 3-4 files (can be empty files) into a non-root folder (hover until the subfolder highlights, then release the mouse)
  4. See error "CSRF check not passed" in the centre top of the browser window
  5. Open uploaded folders in Nextcloud, find no contents

Expected behaviour

No error messages in window, and contents in uploaded folders

Actual behaviour

CSRF check not passed error displayed, no contents in uploaded folders.

Server configuration

Operating system: Custom Docker image based off Alpine 3.8

Web server: Nginx 1.14.0

Database: MariaDB 10.2.17

PHP version: 7.2.9

Nextcloud version: 13.0.6

Updated from an older Nextcloud/ownCloud or fresh install: Updated from previous Nextcloud (Docker container rebuilt, occ upgrade run)

Where did you install Nextcloud from: Downloaded tarball from https://download.nextcloud.com/server/releases/

Signing status:

```
No errors have been found.
```

List of activated apps:

```
/var/www/html # su www-data -s /bin/sh -c 'php /nextcloud/occ app:list'
Enabled:
  - activity: 2.6.1
  - admin_audit: 1.3.0
  - bruteforcesettings: 1.1.0
  - calendar: 1.6.1
  - comments: 1.3.0
  - contacts: 2.1.5
  - dav: 1.4.7
  - federatedfilesharing: 1.3.1
  - federation: 1.3.0
  - files: 1.8.0
  - files_sharing: 1.5.0
  - files_texteditor: 2.5.1
  - files_trashbin: 1.3.0
  - files_versions: 1.6.0
  - files_videoplayer: 1.2.0
  - firstrunwizard: 2.2.1
  - gallery: 18.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.1.0
  - mail: 0.8.3
  - nextcloud_announcements: 1.2.0
  - notes: 2.4.1
  - notifications: 2.1.2
  - oauth2: 1.1.1
  - password_policy: 1.3.0
  - provisioning_api: 1.3.0
  - serverinfo: 1.3.0
  - sharebymail: 1.3.0
  - spreed: 3.2.5
  - survey_client: 1.1.0
  - systemtags: 1.3.0
  - theming: 1.4.5
  - twofactor_backupcodes: 1.2.3
  - twofactor_totp: 1.4.1
  - twofactor_u2f: 1.5.5
  - updatenotification: 1.3.0
  - workflowengine: 1.3.0
Disabled:
  - encryption
  - files_external
  - files_pdfviewer
  - user_external
  - user_ldap
```

Nextcloud configuration:

```
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "owncloud.opendmz.com",
            "nextcloud.opendmz.com"
        ],
        "apps_paths": [
            {
                "path": "\/nextcloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/nextcloud\/apps2",
                "url": "\/apps2",
                "writable": true
            }
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "13.0.6.1",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED",
            "HTTP_FORWARDED_FOR"
        ],
        "overwriteprotocol": "https",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "forcessl": false,
        "mail_smtpmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "loglevel": 0,
        "theme": "",
        "maintenance": false,
        "secret": "***REMOVED SENSITIVE VALUE***",
        "filesystem_check_changes": 1,
        "filelocking.enabled": "false",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0,
            "dbindex": 0
        },
        "trashbin_retention_obligation": "auto",
        "overwrite.cli.url": "https:\/\/owncloud.opendmz.com",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpsecure": "ssl"
    }
}
```

Are you using external storage, if yes which one: local network NFS share

Are you using encryption: no

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Firefox or Chromium

Operating system: Arch Linux

Logs

Web server error log

Many entries like the below, 401 error.

```
nginx_1 | - - [11/Sep/2018:20:28:56 +0000] "PUT /remote.php/dav/uploads/cvandesande/web-file-upload-d77b458e407ebec3f22ca35e73263548-1536697693852/0 HTTP/1.1" 401 233 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36" ""
```

Nextcloud log (data/nextcloud.log)

```
Debug | webdav | Sabre\DAV\Exception\NotAuthenticated: CSRF check not passed.
/nextcloud/apps/dav/lib/Connector/Sabre/Auth.php - line 155: OCA\DAV\Connector\Sabre\Auth->auth(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 201: OCA\DAV\Connector\Sabre\Auth->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 150: Sabre\DAV\Auth\Plugin->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
[internal function] Sabre\DAV\Auth\Plugin->beforeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)
/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 466: Sabre\Event\EventEmitter->emit('beforeMethod', Array)
/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/nextcloud/apps/dav/appinfo/v1/webdav.php - line 80: Sabre\DAV\Server->exec()
/nextcloud/remote.php - line 164: require_once('/nextcloud/apps...')
{main}
```

Browser log

```
send @ core.js?v=5c5ae5ee-5:4
ajax @ core.js?v=5c5ae5ee-5:4
send @ merged-index.js?v=5c5ae5ee-5:2713
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
x @ core.js?v=5c5ae5ee-5:4
(anonymous) @ core.js?v=5c5ae5ee-5:4
load (async)
send @ core.js?v=5c5ae5ee-5:4
ajax @ core.js?v=5c5ae5ee-5:4
send @ merged-index.js?v=5c5ae5ee-5:2713
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
x @ core.js?v=5c5ae5ee-5:4
(anonymous) @ core.js?v=5c5ae5ee-5:4
load (async)
send @ core.js?v=5c5ae5ee-5:4
ajax @ core.js?v=5c5ae5ee-5:4
send @ merged-index.js?v=5c5ae5ee-5:2713
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
add @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
each @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
a.Deferred @ core.js?v=5c5ae5ee-5:7
then @ core.js?v=5c5ae5ee-5:2
_onSend @ merged-index.js?v=5c5ae5ee-5:2757
(anonymous) @ core.js?v=5c5ae5ee-5:13
data.submit @ merged-index.js?v=5c5ae5ee-5:2481
(anonymous) @ merged-index.js?v=5c5ae5ee-5:571
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ merged-index.js?v=5c5ae5ee-5:837
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ client.js?v=5c5ae5ee-5:704
Promise.then (async)
_simpleCall @ client.js?v=5c5ae5ee-5:701
createDirectory @ client.js?v=5c5ae5ee-5:722
(anonymous) @ merged-index.js?v=5c5ae5ee-5:833
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ merged-index.js?v=5c5ae5ee-5:837
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ client.js?v=5c5ae5ee-5:707
Promise.then (async)
_simpleCall @ client.js?v=5c5ae5ee-5:701
createDirectory @ client.js?v=5c5ae5ee-5:722
(anonymous) @ merged-index.js?v=5c5ae5ee-5:833
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
add @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
each @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
a.Deferred @ core.js?v=5c5ae5ee-5:7
then @ core.js?v=5c5ae5ee-5:2
ensureFolderExists @ merged-index.js?v=5c5ae5ee-5:832
ensureFolderExists @ merged-index.js?v=5c5ae5ee-5:829
submit @ merged-index.js?v=5c5ae5ee-5:524
(anonymous) @ merged-index.js?v=5c5ae5ee-5:860
_.each._.forEach @ core.js?v=5c5ae5ee-5:166
submitUploads @ merged-index.js?v=5c5ae5ee-5:858
onNoConflicts @ merged-index.js?v=5c5ae5ee-5:1257
checkExistingFiles @ merged-index.js?v=5c5ae5ee-5:1061
add @ merged-index.js?v=5c5ae5ee-5:1275
_trigger @ core.js?v=5c5ae5ee-5:13
(anonymous) @ merged-index.js?v=5c5ae5ee-5:2844
each @ core.js?v=5c5ae5ee-5:2
_onAdd @ merged-index.js?v=5c5ae5ee-5:2837
(anonymous) @ core.js?v=5c5ae5ee-5:13
(anonymous) @ merged-index.js?v=5c5ae5ee-5:3082
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ merged-index.js?v=5c5ae5ee-5:2905
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ merged-index.js?v=5c5ae5ee-5:2928
core.js?v=5c5ae5ee-5:4 PUT https://owncloud.opendmz.com/remote.php/webdav/Documents/New%20Folder1/Text%20File%20(3) 401 (Unauthorized)
```

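
The 401 entries in the web server log above identify which uploads were dropped. As an added example (not part of the original report), this script extracts them from access-log lines in that layout; the sample lines, user name and upload id are constructed.

```javascript
// Added example: list uploads that nginx answered with 401.
// SAMPLE_LOG is constructed; it follows the access-log layout quoted in the report.
const SAMPLE_LOG = [
  'nginx_1 | - - [11/Sep/2018:20:28:56 +0000] "PUT /remote.php/dav/uploads/alice/web-file-upload-example-1/0 HTTP/1.1" 401 233 "-" "Mozilla/5.0" ""',
  'nginx_1 | - - [11/Sep/2018:20:28:57 +0000] "PUT /remote.php/dav/uploads/alice/web-file-upload-example-1/1 HTTP/1.1" 401 233 "-" "Mozilla/5.0" ""',
  'nginx_1 | - - [11/Sep/2018:20:28:58 +0000] "MKCOL /remote.php/webdav/Documents/New%20Folder1 HTTP/1.1" 201 0 "-" "Mozilla/5.0" ""',
  'nginx_1 | - - [11/Sep/2018:20:28:59 +0000] "PUT /remote.php/webdav/Documents/New%20Folder1/Text%20File%20(3) HTTP/1.1" 401 233 "-" "Mozilla/5.0" ""',
  'nginx_1 | - - [11/Sep/2018:20:29:00 +0000] "PUT /remote.php/webdav/Documents/ok.txt HTTP/1.1" 201 0 "-" "Mozilla/5.0" ""',
];

// [timestamp] "METHOD path HTTP/x" status
const LINE = /\[([^\]]+)\] "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3}) /;
// Chunked upload: /remote.php/dav/uploads/<user>/<upload id>/<chunk>
const CHUNK = /^\/remote\.php\/dav\/uploads\/([^/]+)\/([^/]+)\/[^/]+$/;
const WEBDAV = '/remote.php/webdav/';

// Percent-decoding can throw on malformed input; keep the raw text in that case.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns one record per upload target whose PUT was rejected with 401.
function rejectedUploads(lines) {
  const byTarget = new Map();
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m || m[2] !== 'PUT' || m[4] !== '401') continue;
    const path = m[3].split('?')[0];
    const chunk = CHUNK.exec(path);
    let target;
    if (chunk) {
      target = `chunked upload ${chunk[2]} (user ${safeDecode(chunk[1])})`;
    } else if (path.startsWith(WEBDAV)) {
      target = safeDecode(path.slice(WEBDAV.length));
    } else {
      continue; // not an upload endpoint
    }
    const rec = byTarget.get(target) || { target, rejected: 0, firstSeen: m[1] };
    rec.rejected += 1;
    byTarget.set(target, rec);
  }
  return [...byTarget.values()];
}

for (const r of rejectedUploads(SAMPLE_LOG)) {
  console.log(`${r.firstSeen}  ${r.rejected}x 401  ${r.target}`);
}
```
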
nextcloud-bot commented 6 years ago

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/2938 ("CSRF check failed" error message), https://github.com/nextcloud/server/issues/8467 (NextCloud 13 folder/file display bug), https://github.com/nextcloud/server/issues/8370 (strange mistake with drag end drop web file interfaces), https://github.com/nextcloud/server/issues/10895 (LDAP Users missed files folder in home folder; but show on web interface (nextcloud 13.0.4)), and https://github.com/nextcloud/server/issues/8310 (Disable web app by own cloud interface (NO NEXTCLOUD THEME)).

DarkRider1768 commented 6 years ago

Also experiencing this problem. Effectively a fresh install (I added a handful of official apps and camerarawpreviews).

Can confirm that dragging a folder from the desktop onto a group shared folder will trigger the error but navigating into the group shared folder and dragging the folder to white space will upload just fine.

This is happening with the files stored locally on the NextCloud system.

Server configuration

Operating system: FreeBSD 11.2 (iocage jail on FreeNAS box)

Web server: Apache 2.4.34

Database: MySQL 5.6.41

PHP version: 7.1.21

Nextcloud version: 14.0.0

Updated from an older Nextcloud/ownCloud or fresh install: New

Where did you install Nextcloud from: Ports Collection

Enabled PKG List

- admin_audit: 1.4.0
- bruteforcesettings: 1.1.0
- camerarawpreviews: 0.5.6
- cloud_federation_api: true
- comments: 1.4.0
- contacts: 2.1.6
- dav: true
- federatedfilesharing: true
- files: true
- files_pdfviewer: 1.3.2
- files_sharing: 1.6.2
- files_trashbin: 1.4.1
- files_videoplayer: 1.3.0
- gallery: 18.1.0
- groupfolders: 1.3.3
- logreader: 2.0.0
- lookup_server_connector: true
- oauth2: true
- password_policy: 1.4.0
- provisioning_api: true
- serverinfo: 1.4.0
- twofactor_backupcodes: true
- user_saml: 1.6.2
- workflowengine: true

Disabled PKG List

- accessibility
- activity
- encryption
- federation
- files_accesscontrol
- files_external
- files_texteditor
- files_versions
- firstrunwizard
- nextcloud_announcements
- notifications
- sharebymail
- support
- survey_client
- systemtags
- theming
- updatenotification
- user_external
- user_ldap

anojht commented 5 years ago

I am also having this issue, the problem arises when you drag and drop a folder onto an existing folder. This is a pretty bad bug and needs to be fixed as it prevents the upload from succeeding.

HoseBarreras commented 5 years ago

Thanks for your help

MBfromOK commented 5 years ago

I am also having this problem.

Specifically: Drag & Drop mp3 files onto an existing (group shared) album folder in files app.

Interestingly, about half of the files succeeded; for the half not copied: "CSRF check not passed"

Guest OS: Win 10 Pro

Guest Browser: Google Chrome: 71.0.3578.98

Server OS: Debian 9.5

Web Server: Apache 2.4.25

Database: MySQL 10.1.26

PHP: 7.1.22

NextCloud Server: 14.0.1 - Update pending

Updated from an older NextCloud/ownCloud or fresh install: New

Where did you install NextCloud from: zip download, nextcloud website

sizeur commented 5 years ago

Hi there, also have this problem with a fresh snap install :(

gsrigo commented 5 years ago

Experiencing the same issue when dragging a folder to the browser.

ChristophWurst commented 5 years ago

I can confirm that this is an issue on FF with the latest server master. A little debugging tells me the DAV requests to create the folder and upload the files do not all have a request token set. MKCOL and PROPFIND do, PUT does not. This might be an issue with the davclient lib.
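
One way to run the check described in this comment over a browser capture, as an added example that is not code from the thread or from Nextcloud: it tallies, per DAV method, how many requests went out without the token header. The HAR-style sample, the host `cloud.example` and the header name `requesttoken` are assumptions.

```javascript
// Added example: which WebDAV methods in a captured session lack the token header?
// SAMPLE_HAR is a constructed HAR-style capture; cloud.example is a placeholder host.
// Assumption: the request token travels in a header named "requesttoken".
const tok = [{ name: 'requesttoken', value: 'constructed-token' }];
const dav = 'https://cloud.example/remote.php/webdav/Documents/New%20Folder1';
const SAMPLE_HAR = { log: { entries: [
  { request: { method: 'MKCOL', url: dav, headers: tok }, response: { status: 201 } },
  { request: { method: 'PROPFIND', url: dav, headers: tok }, response: { status: 207 } },
  { request: { method: 'PUT', url: dav + '/a.txt', headers: [] }, response: { status: 401 } },
  { request: { method: 'PUT', url: dav + '/b.txt',
               headers: [{ name: 'Content-Type', value: 'text/plain' }] },
    response: { status: 401 } },
  { request: { method: 'GET', url: 'https://cloud.example/core/js/core.js', headers: [] },
    response: { status: 200 } },
] } };

// Per-method counts for requests under /remote.php/ (everything else is ignored).
function auditRequestTokens(har, headerName = 'requesttoken') {
  const summary = {};
  for (const { request, response } of har.log.entries) {
    if (!new URL(request.url).pathname.startsWith('/remote.php/')) continue;
    // Header names are case-insensitive; an empty value counts as missing.
    const hasToken = request.headers.some(
      (h) => h.name.toLowerCase() === headerName && h.value !== '');
    const row = summary[request.method] ||
      (summary[request.method] = { total: 0, withoutToken: 0, rejectedWithoutToken: 0 });
    row.total += 1;
    if (!hasToken) {
      row.withoutToken += 1;
      if (response.status === 401) row.rejectedWithoutToken += 1;
    }
  }
  return summary;
}

// Methods that were sent at least once without the token.
function methodsMissingToken(summary) {
  return Object.keys(summary).filter((m) => summary[m].withoutToken > 0).sort();
}

const summary = auditRequestTokens(SAMPLE_HAR);
console.table(summary);
console.log('sent without token:', methodsMissingToken(summary).join(', '));
```
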

MorrisJobke commented 5 years ago

> I can confirm that this is an issue on FF with the latest server master. A little debugging tells me the DAV requests to create the folder and upload the files do not all have a request token set. MKCOL and PROPFIND do, PUT does not. This might be an issue with the davclient lib.

cc @skjnldsv @danxuliu

ChristophWurst commented 5 years ago

@danxuliu is already debugging it.

tralph3 commented 1 year ago

This is still an issue on the latest Nextcloud release (25.0.3). I dragged and dropped about 3GB of folders (with LOTS of tiny files) onto an empty folder on the files app. My browser is Firefox.

I DID NOT drop a folder into a folder, I dropped three folders into an opened empty folder.

I am behind a reverse proxy, in case that matters.

ttronas commented 1 year ago

Same issue with my Nextcloud. Also using 25.0.3, also behind a reverse proxy, also trying to upload a folder into a folder.

kendoodoo commented 1 year ago

same issue when navigating into the folder

luvwinnie commented 1 year ago

Same issue when dragging files to a folder.

jkour commented 1 year ago

> Same issue when dragging files to a folder.

Yes, same here

ChristophWurst commented 1 year ago

Commenting on this resolved ticket is a bit pointless. If the bug returned it means there is a regression. Please file a ticket.

norsemangrey commented 1 year ago

Is there a new open issue for this? I am experiencing the same thing. Kind of scary, as I often delete content that has been copied to Nextcloud this way and it is not always easy to identify files that have not been copied over in a larger folder structure.

Ryo0412 commented 1 year ago

I believe it is due to the cookie. So, you should clear the cookie history as well as log out and re-log in NC and your web application.

"CSRF check not passed" message will disappear and commands MKCOL and the like will work well.