nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: CSRF check not passed when dragging file to folder #34498

Open pjft opened 2 years ago

pjft commented 2 years ago

Bug description

I drag a file to a folder in the web UI and navigate to other folders. I get the message "CSRF check not passed" after a few navigation attempts.

Running Nextcloud 24.0.6, have external storage mounted, but it seems to happen regardless of the destination storage. Upgraded from Nextcloud 22.

Steps to reproduce

I can reproduce this with a 95% repeatability rate. Unsure if the ones that don't fail are luck or something I did differently.

  1. Drag a file to inside a folder in the UI. Can be in the root folder, as long as you drag it inside a folder. Make the file "big" so that it gives you time to navigate a few times.
  2. Navigate to other folders or sub-folders. Or simply click the "home" house icon a few times to refresh the UI.
  3. Normally at the third click/navigation it will fail with the message "CSRF check not passed."

Expected behavior

I expect the file to be uploaded, instead of it failing.

This doesn't happen if I drag the file to the same folder from inside the folder.

Installation method

Community Manual installation with Archive

Operating system

Debian/Ubuntu

PHP engine version

PHP 7.4

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

```json
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "*** REDACTED FOR PRIVACY***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "24.0.6.1",
        "overwrite.cli.url": "***REDACTED***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "default_phone_region": "pt",
        "defaultapp": "files",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "mail_smtpmode": "sendmail",
        "mail_smtpauthtype": "LOGIN",
        "mail_sendmailmode": "pipe",
        "mail_smtpsecure": "ssl",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "theme": "",
        "loglevel": 2,
        "updater.release.channel": "stable"
    }
}
```

List of activated Apps

Enabled:
  - accessibility: 1.10.0
  - activity: 2.16.0
  - bruteforcesettings: 2.4.0
  - calendar: 3.5.0
  - circles: 24.0.1
  - cloud_federation_api: 1.7.0
  - comments: 1.14.0
  - contacts: 4.2.2
  - contactsinteraction: 1.5.0
  - dashboard: 7.4.0
  - dav: 1.22.0
  - federatedfilesharing: 1.14.0
  - federation: 1.14.0
  - files: 1.19.0
  - files_external: 1.16.1
  - files_pdfviewer: 2.5.0
  - files_rightclick: 1.3.0
  - files_sharing: 1.16.2
  - files_trashbin: 1.14.0
  - files_versions: 1.17.0
  - files_videoplayer: 1.13.0
  - firstrunwizard: 2.13.0
  - logreader: 2.9.0
  - lookup_server_connector: 1.12.0
  - nextcloud_announcements: 1.13.0
  - notifications: 2.12.1
  - oauth2: 1.12.0
  - onlyoffice: 7.5.4
  - password_policy: 1.14.0
  - photos: 1.6.0
  - privacy: 1.8.0
  - provisioning_api: 1.14.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - support: 1.7.0
  - survey_client: 1.12.0
  - systemtags: 1.14.0
  - tasks: 0.14.4
  - text: 3.5.1
  - theming: 1.15.0
  - twofactor_backupcodes: 1.13.0
  - twofactor_nextcloud_notification: 3.4.0
  - twofactor_totp: 6.4.0
  - updatenotification: 1.14.0
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - workflow_script: 1.9.0
  - workflowengine: 2.6.0
Disabled:
  - admin_audit
  - encryption
  - extract: 1.3.5
  - files_accesscontrol: 1.11.1
  - music: 1.6.0
  - printer: 0.0.3
  - recommendations: 0.6.0
  - twofactor_gateway: 0.19.0
  - user_ldap

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No relevant server-side logs found while reproducing the error.

Additional info

This is the Chrome console log when it happens. There are two relevant lines: a 401 on the PUT of the upload chunk, and then the `fileuploadfail` event carrying the exception:

```text
jquery.js:10109          PUT https://SERVERNAME/remote.php/dav/uploads/USER/web-file-upload-5356a43cf57ff57c13be950e25e90324-1665397520884/20971520 401 (Unauthorized)
```
```text
merged-index.js?v=41d34282-0:2631 O.Event {type: 'fileuploadfail', timeStamp: 1665397525133, jQuery360009816888623415232: true, target: input#file_upload_start.hiddenuploadfield, isTrigger: 3, …} {classes: {…}, disabled: false, create: null, dropZone: e.<computed>(1), replaceFileInput: true, …} {jqXHR: {…}, textStatus: 'error', errorThrown: 'Unauthorized', message: 'CSRF check not passed.', exception: 'Sabre\\DAV\\Exception\\NotAuthenticated'}
```

pjft commented 2 years ago

Hi all. Gently pinging this. Is there any further information I can share here?

Regards.

norsemangrey commented 1 year ago

Having the same issue.

szaimen commented 1 year ago

Hi, please update to 25.0.7 or better 26.0.2 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 26-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However, this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

pjft commented 1 year ago

Thank you. I'll gladly do so, but I don't yet see 25.0.7 on my list. I'm waiting for the search "Load more" fix that was merged after 25.0.6, so as soon as it's available I'll report back. It still happens on my 25.0.3, but I'll update as soon as I get 25.0.7. Thank you.

pjft commented 1 year ago

@szaimen Can confirm that it still happens on 25.0.7.

Let me know what else I can help with here. Regards.