nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: Paths are built incorrectly - Illegal paths are checked for existence #44784

Closed xolyu closed 6 months ago

xolyu commented 6 months ago


Bug description

I have just updated from Nextcloud 27.x to Nextcloud 28.0.4. Since then Nextcloud tries to check invalid paths with is_file. This causes tons of errors in the log because the check is blocked by PHP due to the open_basedir restriction.

Nextcloud is installed in the directory /var/www/nextcloud.

The ResourceLocator.php file tries to check paths such as /var/www/nextcloudapps//core/l10n/en.js with is_file. The middle part apps/ should not be at this point; then everything would be correct.

Such errors are logged each time the website is called.

Example error message:

is_file(): open_basedir restriction in effect. File(/var/www/nextcloudapps//core/js/merged-template-prepend.js) is not within the allowed path(s): (/var/www/nextcloud:/var/nextcloud-data:/tmp:/dev/urandom) at /var/www/nextcloud/lib/private/Template/ResourceLocator.php#100

Steps to reproduce

  1. access Nextcloud's web GUI (logged in or not)

Expected behavior

Paths should be put together correctly and then checked. A path outside of Nextcloud's own directory should not be created.

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

Configuration report

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.mydomain.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "28.0.4.1",
        "overwrite.cli.url": "https:\/\/cloud.mydomain.de",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "htaccess.RewriteBase": "\/",
        "overwriteprotocol": "https",
        "default_language": "de",
        "default_locale": "de_DE",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "check_for_working_wellknown_setup": false,
        "logtimezone": "Europe\/Berlin",
        "share_folder": "\/Shared\/",
        "simpleSignUpLink.shown": false,
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "maintenance": false,
        "loglevel": 2,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "DE",
        "app_install_overwrite": [
            "files_texteditor",
            "files_markdown"
        ],
        "mail_sendmailmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": "true",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "maintenance_window_start": 2
    }
}

List of activated Apps

Enabled:
  - activity: 2.20.0
  - checksum: 1.2.4
  - circles: 28.0.0
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contactsinteraction: 1.9.0
  - dav: 1.29.1
  - deck: 1.12.2
  - drawio: 3.0.2
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_markdown: 2.4.1
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_texteditor: 2.15.1
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - nextcloud_announcements: 1.17.0
  - notifications: 2.16.0
  - oauth2: 1.16.3
  - onlyoffice: 9.1.2
  - password_policy: 1.18.0
  - photos: 2.4.0
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - related_resources: 1.3.0
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - support: 1.11.1
  - systemtags: 1.18.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - unroundedcorners: 1.1.2
  - updatenotification: 1.18.0
  - viewer: 2.2.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit: 1.18.0
  - bruteforcesettings: 2.8.0
  - dashboard: 7.8.0 (installed 7.0.0)
  - encryption: 2.16.0
  - files_external: 1.20.0
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - firstrunwizard: 2.17.0 (installed 2.6.0)
  - recommendations: 2.0.0 (installed 0.5.0)
  - survey_client: 1.16.0 (installed 1.5.0)
  - suspicious_login: 6.0.0
  - twofactor_totp: 10.0.0-beta.2
  - user_ldap: 1.19.0
  - user_status: 1.8.1 (installed 1.0.1)
  - weather_status: 1.8.0 (installed 1.0.0)

Nextcloud Signing status

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
    - INVALID_HASH
        - core/js/mimetypelist.js
    - EXTRA_FILE
        - core/img/filetypes/drawio.svg
        - core/img/filetypes/dwb.svg


Nextcloud Logs

{
    "reqId": "JlARZoXuaLQL7d7AqHBu",
    "level": 3,
    "time": "2024-04-11T15:37:58+02:00",
    "remoteAddr": "93.202.xxx.xxx",
    "user": "admin",
    "app": "PHP",
    "method": "GET",
    "url": "/settings/admin/overview",
    "message": "is_file(): open_basedir restriction in effect. File(/var/www/nextcloudapps//core/js/merged-template-prepend.js) is not within the allowed path(s): (/var/www/nextcloud:/var/nextcloud-data:/tmp:/dev/urandom) at /var/www/nextcloud/lib/private/Template/ResourceLocator.php#100",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
    "version": "28.0.4.1",
    "data": {
        "app": "PHP"
    },
    "id": "6617e7b7c9fcc"
}

{
    "reqId": "JlARZoXuaLQL7d7AqHBu",
    "level": 3,
    "time": "2024-04-11T15:37:58+02:00",
    "remoteAddr": "93.202.xxx.xxx",
    "user": "admin",
    "app": "PHP",
    "method": "GET",
    "url": "/settings/admin/overview",
    "message": "is_file(): open_basedir restriction in effect. File(/var/www/nextcloudapps//core/js/merged-template-prepend.mjs) is not within the allowed path(s): (/var/www/nextcloud:/var/nextcloud-data:/tmp:/dev/urandom) at /var/www/nextcloud/lib/private/Template/ResourceLocator.php#100",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
    "version": "28.0.4.1",
    "data": {
        "app": "PHP"
    },
    "id": "6617e7b7c9fe1"
}

{
    "reqId": "o3wE6xmPeKMYCNxssZSJ",
    "level": 3,
    "time": "2024-04-11T15:42:06+02:00",
    "remoteAddr": "93.202.xxx.xxx",
    "user": "--",
    "app": "PHP",
    "method": "GET",
    "url": "/login",
    "message": "is_file(): open_basedir restriction in effect. File(/var/www/nextcloudapps//core/l10n/de_DE.js) is not within the allowed path(s): (/var/www/nextcloud:/var/nextcloud-data:/tmp:/dev/urandom) at /var/www/nextcloud/lib/private/Template/ResourceLocator.php#100",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0",
    "version": "28.0.4.1",
    "data": {
        "app": "PHP"
    },
    "id": "6617e8b655a9c"
}

{
    "reqId": "o3wE6xmPeKMYCNxssZSJ",
    "level": 3,
    "time": "2024-04-11T15:42:06+02:00",
    "remoteAddr": "93.202.xxx.xxx",
    "user": "--",
    "app": "PHP",
    "method": "GET",
    "url": "/login",
    "message": "is_file(): open_basedir restriction in effect. File(/var/www/nextcloudapps//core/l10n/de_DE.mjs) is not within the allowed path(s): (/var/www/nextcloud:/var/nextcloud-data:/tmp:/dev/urandom) at /var/www/nextcloud/lib/private/Template/ResourceLocator.php#100",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0",
    "version": "28.0.4.1",
    "data": {
        "app": "PHP"
    },
    "id": "6617e8b655aab"
}

Additional info

No response
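An added example (not Nextcloud's code, and not the ResourceLocator implementation) of the behaviour the "Expected behavior" section asks for: join the base directory and the relative resource name with exactly one separator, and confirm the result still lies inside the base before is_file() is called, so a mis-built path never reaches PHP's open_basedir check and never produces the logged warning. All function names are hypothetical.

```php
<?php
// Lexically normalise a path: drop empty and "." segments, resolve "..".
// Works without touching the filesystem, so it is safe for paths that may not exist.
function normalizePath(string $path): string {
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// Join base and relative with exactly one "/" between them (no "nextcloudapps", no "//").
function joinPath(string $base, string $relative): string {
    return rtrim($base, '/') . '/' . ltrim($relative, '/');
}

// True only if $path is $base itself or a descendant of it. The trailing "/" on both
// sides is what stops "/var/www/nextcloudapps" from matching base "/var/www/nextcloud".
function isWithinBase(string $base, string $path): bool {
    $baseNorm = rtrim(normalizePath($base), '/') . '/';
    return str_starts_with(normalizePath($path) . '/', $baseNorm);
}

// is_file() guarded by the containment check: anything outside $base is rejected
// here, instead of by open_basedir (which logs a warning on every request).
function safeIsFile(string $base, string $relative): bool {
    $path = joinPath($base, $relative);
    if (!isWithinBase($base, $path)) {
        return false;
    }
    return is_file($path);
}

// Constructed demonstration. $buggy reproduces the string shape seen in the report's
// log lines ("/var/www/nextcloudapps//core/l10n/en.js"); $good is the intended path.
$base  = '/var/www/nextcloud';
$buggy = $base . 'apps/' . '/core/l10n/en.js';
$good  = joinPath($base . '/apps', '/core/l10n/en.js');

var_dump($buggy, isWithinBase($base, $buggy));   // "...nextcloudapps//core/l10n/en.js", bool(false)
var_dump($good, isWithinBase($base, $good));     // "/var/www/nextcloud/apps/core/l10n/en.js", bool(true)
var_dump(safeIsFile($base, 'apps/core/l10n/en.js')); // true only if that file exists on disk
```

Run with `php example.php` on PHP 8 or later (str_starts_with); on a host without that directory the last call returns false without any open_basedir warning, which is the point of the guard.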

kesselb commented 6 months ago

Thanks for your report.

Should be fixed by https://github.com/nextcloud/server/pull/44408 with 28.0.5.