nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Nextcloud 27.0.1 unicode fqdn in CSP header #39555

Open Sprinterfreak opened 1 year ago

Sprinterfreak commented 1 year ago

Bug description

After upgrading from 26 to 27.0.1, Nextcloud sets the un-punycoded Unicode domain in the CSP header.
This prevents browsers from loading all assets.

Example CSP header generated by Nextcloud:

Content-Security-Policy default-src 'none';base-uri 'none';manifest-src 'self';script-src 'nonce-eVJrNk93WHBSdjNDUkNvUXI3azcxdzdSZ2ZqeXpPbEFPd0JqQnNLWUtEST06a0g1M1NqeURBWitNQmdGMjRNNVluVVdROUxmQW42NE5kellKTXFudVlIZz0=';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://cloud.täst.de;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self' nc: https://cloud.täst.de;frame-ancestors 'self' https://cloud.täst.de;form-action 'self' https://cloud.täst.de.de

Affected Routes:
/apps/files
/apps/photos
/apps/contacts
/apps/calendar
/apps/phonetrack
/settings

Not affected routes:
/remote.php
/ocs
/js
/apps/keeweb

Steps to reproduce

  1. Updating nextcloud from 26 to 27.0.1
  2. nginx/php8.2-fpm

Expected behavior

If the instance has a Unicode domain, the FQDN must be punycoded in the Content-Security-Policy header.

Installation method

Community VM appliance

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "cloud.xn--tst-qla.de"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "cloud.xn--tst-qla.de",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "27.0.1.2",
        "overwrite.cli.url": "https:\/\/cloud.xn--tst-qla.de",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": "0"
        },
        "filelocking.enabled": "true",
        "enable_previews": "true",
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\TIFF"
        ],
        "preview_max_scale_factor": "1",
        "preview_max_memory": "256",
        "auth.bruteforce.protection.enabled": "true",
        "trashbin_retention_obligation": "auto,7",
        "skeletondirectory": "",
        "defaultapp": "file",
        "activity_expire_days": "14",
        "integrity.check.disabled": "false",
        "updater.release.channel": "stable",
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "default_phone_region": "de",
        "check_for_working_wellknown_setup": false,
        "allow_local_remote_servers": true
    }
}

List of activated Apps

Enabled:
  - activity: 2.19.0
  - admin_audit: 1.17.0
  - calendar: 4.4.3
  - checksum: 1.2.2
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.3.2
  - contactsinteraction: 1.8.0
  - dav: 1.27.0
  - drawio: 2.1.2
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_pdfviewer: 2.8.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - groupfolders: 15.0.1
  - keeweb: 0.6.13
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - phonetrack: 0.7.6
  - photos: 2.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - richdocuments: 8.1.0
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - support: 1.10.0
  - systemtags: 1.17.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - updatenotification: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - bruteforcesettings: 2.7.0
  - collectives: 2.6.1 (installed 2.6.1)
  - dashboard: 7.7.0 (installed 7.1.0)
  - encryption: 2.15.0
  - files_external: 1.19.0
  - files_markdown: 2.4.1 (installed 2.4.1)
  - firstrunwizard: 2.16.0 (installed 2.10.0)
  - ransomware_protection: 1.14.0 (installed 1.14.0)
  - survey_client: 1.15.0 (installed 1.9.0)
  - suspicious_login: 5.0.0
  - twofactor_totp: 9.0.0
  - user_ldap: 1.17.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No related logs

Additional info

No response
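The expected behaviour above (hosts in the CSP header carried as A-labels) can be checked with the following audit, added here as an example and not Nextcloud's own code: it parses a header like the one in the report, lists every directive that still carries a Unicode host, and rewrites those hosts to punycode while leaving keywords, scheme-only sources, ports and paths intact. The sample header is constructed from the report with the nonce shortened.

```python
"""Audit a Content-Security-Policy header for hosts written as Unicode
U-labels and rewrite them as ASCII A-labels, the form browsers match on."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the header from the report above with the nonce shortened.
SAMPLE_CSP = (
    "default-src 'none';base-uri 'none';manifest-src 'self';"
    "script-src 'nonce-ABC123=';style-src 'self' 'unsafe-inline';"
    "img-src 'self' data: blob: https://cloud.täst.de;font-src 'self' data:;"
    "connect-src 'self';media-src 'self';frame-src 'self' nc: https://cloud.täst.de;"
    "frame-ancestors 'self' https://cloud.täst.de;form-action 'self' https://cloud.täst.de"
)

def to_ascii_host(host: str) -> str:
    """Return the A-label (punycode) form of a host; ASCII hosts pass through."""
    if host.isascii():
        return host
    # The built-in idna codec applies nameprep + punycode per label (IDNA 2003).
    return host.encode("idna").decode("ascii")

def normalize_source(source: str) -> str:
    """Punycode the host part of one CSP source expression; keywords ('self',
    'nonce-...'), scheme-only sources (data:, nc:), scheme, port and path are kept."""
    if source.startswith("'") or source.isascii():
        return source
    if "://" in source:
        parts = urlsplit(source)
        netloc = to_ascii_host(parts.hostname or "") + (f":{parts.port}" if parts.port else "")
        return urlunsplit(parts._replace(netloc=netloc))
    # Bare host-source, optionally with a port, e.g. cloud.täst.de:8443
    host, sep, port = source.partition(":")
    return to_ascii_host(host) + sep + port

def audit_csp(header: str) -> tuple[str, dict[str, list[str]]]:
    """Return (header with every host punycoded, {directive: non-ASCII sources}).
    An empty findings dict means the header was already browser-safe."""
    findings: dict[str, list[str]] = {}
    rewritten = []
    for directive in header.split(";"):
        if not directive.strip():
            continue
        name, *sources = directive.split()
        bad = [s for s in sources if not s.isascii()]
        if bad:
            findings[name] = bad
        rewritten.append(" ".join([name, *map(normalize_source, sources)]))
    return ";".join(rewritten), findings
```

Python's built-in codec implements IDNA 2003; hosts containing characters that UTS #46 maps differently (ß, final sigma and similar) need the third-party `idna` package to match what browsers produce.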

kesselb commented 1 year ago

It looks like the richdocuments app adds the collabora server to the csp header.

@juliushaertl @nickvergessen What do you think? Send every domain through idn_to_ascii in buildPolicy or let the apps richdocuments (collabora, etc.) and talk (stun, turn, signaling) escape it?

@Sprinterfreak You can patch the richdocuments app like below to make it work. Don't forget to change into the richdocuments directory before applying the patch.

Index: lib/Listener/CSPListener.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/lib/Listener/CSPListener.php b/lib/Listener/CSPListener.php
--- a/lib/Listener/CSPListener.php  (revision 1b609dac1bf216c4913188ab3861f37fabb49147)
+++ b/lib/Listener/CSPListener.php  (date 1690223340061)
@@ -66,6 +66,7 @@
        );

        $urls = array_filter($urls);
+       $urls = array_map(fn($url) => idn_to_ascii($url), $urls);

        $policy = new EmptyContentSecurityPolicy();
        $policy->addAllowedFrameDomain("'self'");
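Review bot: the added line `$urls = array_map(fn($url) => idn_to_ascii($url), $urls);` can put `false` into the list, because `idn_to_ascii()` returns `false` when a conversion fails (empty or malformed label) and the `array_filter($urls)` on the line above runs before the map, not after; suggest falling back to the original value, e.g. `$urls = array_map(fn($url) => idn_to_ascii($url) ?: $url, $urls);`, or filtering again after the map. `idn_to_ascii()` also comes from the intl extension, so either declare `ext-intl` as a dependency or guard the call with `function_exists('idn_to_ascii')` to avoid a fatal error where it is missing. If the entries are full URLs rather than bare hostnames, convert only the host component (via `parse_url()`) and reassemble, since the IDNA conversion is defined for domain names, not for scheme, port or path.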
Sprinterfreak commented 1 year ago

@kesselb You are a legend! :) This patch resolves the issue for me!

juliushaertl commented 1 year ago

I think it would be nice to have the server handle this. Let me reopen the issue as no patch was merged yet.

Sprinterfreak commented 1 year ago

Still affects richdocuments 8.1.1

Sprinterfreak commented 10 months ago

Still affects richdocuments 8.2.3 on Server 27.1.4, although CSPListener.php has been dropped, which also invalidates the fix above.