nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Upload in not registered mode > 401 Unauthorized /index.php/apps/files/ajax/getstoragestats.php #32945

Closed EVOTk closed 1 month ago

EVOTk commented 2 years ago


Bug description

Hello, I have a lot of 401 errors in the log of my reverse proxy. Because of these errors, Fail2Ban ended up banning the person who transferred files if there were several to transfer.

Edit: upgraded 24.0.1 => 24.0.2, same error.

In Web Browser:

HTTP/2 401 Unauthorized
server: nginx
date: Mon, 20 Jun 2022 20:27:30 GMT
content-type: application/json; charset=utf-8
content-length: 43
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: no-cache, no-store, must-revalidate
x-request-id: o0SILWm5keKzygCJG9A7
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
x-robots-tag: none
referrer-policy: no-referrer
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: none
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000; includeSubDomains; preload
X-Firefox-Spdy: h2
GET /index.php/apps/files/ajax/getstoragestats.php HTTP/2
Host: cloud.evoluzione.fr
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
requesttoken: pijPqxGnbNM6KkT94UqvK+Q5HIzj/1VoXdV2oGMc6CE=:w1qu4mCIDfhdQCGLiimcY5xTKqeIzjk6F5Q1lipwjm0=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: keep-alive
Cookie: oc_sessionPassphrase=rigcIXL3Gb59NVs8ivgQ2h8zQ3qnrnGOlEfHH4Gi%2F8c6hdwHCc5PVB46CPqwV5C4GXaICM5OCliWl4a%2FACHVXdn83C2NmTlLsMdxykN2EY3y621EJUawVw3fxtGFxZ6q; ocge4bpxpgxo=ph67p5gq677rhmkh23nsuamg0o; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
TE: trailers

In Nginx Log: MY_IP - - [20/Jun/2022:22:27:30 +0200] "GET /index.php/apps/files/ajax/getstoragestats.php HTTP/2.0" 401 43 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0"

Steps to reproduce

  1. Create a folder that is readable and writable for everyone
  2. Upload a file as a simple visitor (without being logged in to an account)
  3. Look at the console in the web browser or at the reverse proxy log

Expected behavior

No error

Installation method

Other

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

No response

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.evoluzione.fr"
        ],
        "dbtype": "mysql",
        "version": "24.0.1.1",
        "overwrite.cli.url": "https:\/\/cloud.evoluzione.fr",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "stable",
        "theme": "",
        "loglevel": 2,
        "app_install_overwrite": [
            "occweb",
            "cookbook",
            "onlyoffice",
            "richdocumentscode",
            "metadata"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "cloud.evoluzione.fr",
        "overwriteprotocol": "https",
        "default_phone_region": "FR",
        "allow_local_remote_servers": true,
        "defaultapp": "apporder"
    }
}

List of activated Apps

Enabled:
  - accessibility: 1.10.0
  - activity: 2.16.0
  - admin_audit: 1.14.0
  - apporder: 0.15.0
  - bookmarks: 10.4.0
  - breezedark: 24.0.1
  - bruteforcesettings: 2.4.0
  - calendar: 3.3.2
  - cloud_federation_api: 1.7.0
  - comments: 1.14.0
  - contacts: 4.1.1
  - contactsinteraction: 1.5.0
  - cookbook: 0.9.12
  - dashboard: 7.4.0
  - dav: 1.22.0
  - federatedfilesharing: 1.14.0
  - federation: 1.14.0
  - files: 1.19.0
  - files_downloadactivity: 1.13.0
  - files_external: 1.16.1
  - files_markdown: 2.3.6
  - files_pdfviewer: 2.5.0
  - files_rightclick: 1.3.0
  - files_sharing: 1.16.2
  - files_trashbin: 1.14.0
  - files_versions: 1.17.0
  - files_videoplayer: 1.13.0
  - firstrunwizard: 2.13.0
  - forms: 2.5.1
  - groupfolders: 12.0.0
  - logreader: 2.9.0
  - lookup_server_connector: 1.12.0
  - mail: 1.13.4
  - metadata: 0.16.0
  - news: 18.1.0
  - nextcloud_announcements: 1.13.0
  - notes: 4.3.1
  - notifications: 2.12.0
  - oauth2: 1.12.0
  - onlyoffice: 7.5.2
  - password_policy: 1.14.0
  - photos: 1.6.0
  - polls: 3.7.0-beta2
  - privacy: 1.8.0
  - provisioning_api: 1.14.0
  - quota_warning: 1.14.0
  - recommendations: 1.3.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - spreed: 14.0.2
  - support: 1.7.0
  - survey_client: 1.12.0
  - systemtags: 1.14.0
  - text: 3.5.1
  - theming: 1.15.0
  - twofactor_backupcodes: 1.13.0
  - twofactor_totp: 6.4.0
  - updatenotification: 1.14.0
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - welcome: 1.0.1
  - workflowengine: 2.6.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No log present on this day. This error is not reported here.

Additional info

I'm using the linuxserver image.

CarlSchwan commented 2 years ago

Hello, could you try to change getstoragestats.php to getstoragestats in apps/files/appinfo/routes.php and then in firefox network tab right-click on the request and remove the .php from the URL?

EVOTk commented 2 years ago

Sorry, but I'm not an English speaker. I understood the 1st part: "could you try to change getstoragestats.php to getstoragestats in apps/files/appinfo/routes.php" but not the second.

Anyway, changing getstoragestats.php to getstoragestats in apps/files/appinfo/routes.php solved my problem with the error in the browser console when uploading a file as a guest.

Nreall commented 2 years ago

Had the same issue, and the fix from @CarlSchwan worked; this changes the response from a 401 into a 302, so fail2ban on the proxy side doesn't trigger anymore.

Thanks for the quick fix! Hopefully it will get fixed in any upcoming version.

julien-nc commented 2 years ago

@CarlSchwan Since c7931086cc557211073540cf13e2af4c5afaaad3 I get 404 responses for /apps/files/ajax/getstoragestats when loading the Files app in a dev environment using Apache, php8.0-fpm, no caching mechanism.

I don't quite get why it was working with .php in the route and it does not work anymore... Is this route treated differently than the others? Any idea why it would fail in some (basic) setups?

CarlSchwan commented 2 years ago

@eneiluj https://github.com/nextcloud/server/pull/33111 should fix it

julien-nc commented 2 years ago

@CarlSchwan It did, thanks.

CarlSchwan commented 2 years ago

Backport https://github.com/nextcloud/server/pull/33113

Nreall commented 2 years ago

I just noticed the bug still kind of exists with a shared folder. When logged in it works properly resulting in a 200 ok, but when uploading as a guest to a shared folder the getstoragestats returns a 401, with the following message:

{"message":"Current user is not logged in"}

Seems ok, but this causes fail2ban to trigger when bulk uploading as a guest.
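As an added illustration (not code from this issue or from the Nextcloud project), the following Python re-creates the proxy-side counting the reporters describe, run over constructed nginx log lines in the same combined format as the line quoted in the report. It shows that counting every 401 as an authentication failure bans the guest uploader after a few files, while excluding the getstoragestats path (the equivalent of an ignore rule in the proxy's ban filter) leaves only repeated 401s on other endpoints; the IPs, paths and threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (203.0.113.0/24 is a documentation range, not a real host).
# 203.0.113.5 is a guest uploading three files to a public share; each upload is followed by the
# getstoragestats call that answers 401 for an anonymous session, as described in the report.
# 203.0.113.9 is a client repeatedly failing DAV authentication.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jun/2022:22:27:30 +0200] "GET /index.php/apps/files/ajax/getstoragestats.php HTTP/2.0" 401 43 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jun/2022:22:27:31 +0200] "PUT /public.php/webdav/a.bin HTTP/2.0" 201 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jun/2022:22:27:32 +0200] "GET /index.php/apps/files/ajax/getstoragestats.php HTTP/2.0" 401 43 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jun/2022:22:27:33 +0200] "GET /index.php/apps/files/ajax/getstoragestats.php HTTP/2.0" 401 43 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Jun/2022:22:28:01 +0200] "PROPFIND /remote.php/dav/files/admin/ HTTP/2.0" 401 0 "-" "curl/7.81"
203.0.113.9 - - [20/Jun/2022:22:28:02 +0200] "PROPFIND /remote.php/dav/files/admin/ HTTP/2.0" 401 0 "-" "curl/7.81"
203.0.113.9 - - [20/Jun/2022:22:28:03 +0200] "PROPFIND /remote.php/dav/files/admin/ HTTP/2.0" 401 0 "-" "curl/7.81"
"""

# Fields of the nginx combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths that legitimately answer 401 for guest uploads (both spellings of the route from the thread);
# a 401 here is not a credential failure and should not count toward a ban.
BENIGN_401_PATHS = (
    "/index.php/apps/files/ajax/getstoragestats.php",
    "/index.php/apps/files/ajax/getstoragestats",
)


def count_401s(log_text, ignore_benign):
    """Return {client_ip: number of 401 responses}, optionally skipping the benign paths."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "401":
            continue
        if ignore_benign and m.group("path").split("?")[0] in BENIGN_401_PATHS:
            continue
        counts[m.group("ip")] += 1
    return dict(counts)


def would_ban(log_text, maxretry, ignore_benign):
    """IPs a simple 401 counter would ban once they reach maxretry failures (assumed threshold)."""
    return sorted(ip for ip, n in count_401s(log_text, ignore_benign).items() if n >= maxretry)
```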

szaimen commented 1 year ago

Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

fdk144 commented 1 year ago

Unfortunately 25.0.3 did not fix the problem. Still getting a credential popup window followed by a 401 on GET index.php/apps/files/ajax/getstoragestats after uploading files on a shared link without password protection.

josh-connor commented 1 year ago

I'm having this issue on 26.0.2 also. A public shared folder where an anonymous user is uploading a number of large files results in what I assume is a timeout of the temporary authorisation they get (?). When the 401 for getstoragestats is returned it's triggering my reverse proxy (swag) fail2ban through the nginx-unathorised filter and banning the user's IP.

joshtrichards commented 2 months ago

This code no longer exists in still supported versions of Nextcloud Server. Are any of you still experiencing this? I couldn't reproduce it off-hand.

nextcloud-command commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.