transistor91 commented 9 years ago

Steps to reproduce

Select File/Folder and click "Share"
Select "Share Link"
Expected behaviour

Window with properties for Share Link and the share link itself.

Actual behaviour

Error message: error_message

Server configuration

Operating system: openSUSE VERSION = 13.2

Web server: Server version: Apache/2.4.10 (Linux/SUSE) Server built: 2015-01-12 10:49:58.000000000 +0000 Server's Module Magic Number: 20120211:36 Server loaded: APR 1.5.1, APR-UTIL 1.5.3 Compiled using: APR 1.5.1, APR-UTIL 1.5.3 Architecture: 64-bit Server MPM: prefork threaded: no forked: yes (variable process count)

Database: MySQL Server version: 5.6.17 openSUSE package

ownCloud version: (see ownCloud admin page) ownCloud 7.0.4 (stable)

Updated from an older ownCloud or fresh install: Updated

List of activated apps:

Activity Bookmarks Calendar Contacts Deleted Files Documents External Storage Support First Run Wizard Full Text Search Mail Template Editor PDF Viewer Pictures Share Files Text Editor Updater Versions Video Viewer

The content of config/config.php:

<?php
$CONFIG = array (
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'datadirectory' => '/srv/www/htdocs/oc_data',
  'dbtype' => 'mysql',
  'version' => '7.0.4.2',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'owncloud',
  'dbpassword' => 'xxx',
  'installed' => true,
  'maxZipInputSize' => 0,
  'allowZipDownload' => true,
  'forcessl' => true,
  'theme' => '',
  'maintenance' => false,
  'overwritewebroot' => '/oc',
  'preview_libreoffice_path' => '/usr/bin/libreoffice',
  'trusted_domains' => 
  array (
    0 => 'xxx',
    1 => 'xxx',
  ),
  'loglevel' => '3',
  'mail_smtpmode' => 'php',
  'secret' => 'xxx',
);

Are you using external storage, if yes which one: local/smb/sftp/... No

Are you using encryption: yes/no No

Client configuration

Browser: All Browser on all Systems

Operating system:

Logs

Web server error log

/var/log/messages:

suhosin[30407]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'shareWith' (attacker 'xxx.xxx.x.xxx', file '/srv/www/htdocs/oc/index.php')
suhosin[30407]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'expirationDate' (attacker 'xxx.xxx.x.xxx', file '/srv/www/htdocs/oc/index.php')
suhosin[30407]: ALERT - dropped 2 request variables - (0 in GET, 2 in POST, 0 in COOKIE) (attacker 'xxx.xxx.x.xxx', file '/srv/www/htdocs/oc/index.php')

Related config for suhosin: The content of /etc/php5/conf.d/suhosin.ini:

extension = suhosin.so

; -----------------------------------------------------------------------------
; This file was taken from Mandriva Linux with their permission
; -----------------------------------------------------------------------------

[suhosin]

; -----------------------------------------------------------------------------
; Logging Options

; Defines what classes of security alerts are logged to the syslog daemon.
; Logging of errors of the class S_MEMORY are always logged to syslog, no
; matter what this configuration says, because a corrupted heap could mean that
; the other logging options will malfunction during the logging process.
;suhosin.log.syslog = 

; Defines the syslog facility that is used when ALERTs are logged to syslog.
;suhosin.log.syslog.facility = 

; Defines the syslog priority that is used when ALERTs are logged to syslog.
;suhosin.log.syslog.priority = 

; Defines what classes of security alerts are logged through the SAPI error log.
;suhosin.log.sapi = 

; Defines what classes of security alerts are logged to stdout. Mostly for debugging purposes.
;suhosin.log.stdout = 

; Defines what classes of security alerts are logged through the external
; logging.
;suhosin.log.script = 

; Defines what classes of security alerts are logged through the defined PHP
; script.
;suhosin.log.phpscript = 0

; Defines the full path to a external logging script. The script is called with
; 2 parameters. The first one is the alert class in string notation and the
; second parameter is the log message. This can be used for example to mail
; failing MySQL queries to your email address, because on a production system
; these things should never happen.
;suhosin.log.script.name = 

; Defines the full path to a PHP logging script. The script is called with 2
; variables registered in the current scope: SUHOSIN_ERRORCLASS and
; SUHOSIN_ERROR. The first one is the alert class and the second variable is
; the log message. This can be used for example to mail attempted remote URL
; include attacks to your email address.
;suhosin.log.phpscript.name = 

; Undocumented
;suhosin.log.phpscript.is_safe = Off

; When the Hardening-Patch logs an error the log message also contains the IP
; of the attacker. Usually this IP is retrieved from the REMOTE_ADDR SAPI
; environment variable. With this switch it is possible to change this behavior
; to read the IP from the X-Forwarded-For HTTP header. This is f.e. necessary
; when your PHP server runs behind a reverse proxy.
;suhosin.log.use-x-forwarded-for = Off

; -----------------------------------------------------------------------------
; Executor Options

; Defines the maximum stack depth allowed by the executor before it stops the
; script. Without this function an endless recursion in a PHP script could
; crash the PHP executor or trigger the configured memory_limit. A value of
; "0" disables this feature.
;suhosin.executor.max_depth = 0

; Defines how many "../" an include filename needs to contain to be considered
; an attack and stopped. A value of "2" will block "../../etc/passwd", while a
; value of "3" will allow it. Most PHP applications should work flawlessly with
; values "4" or "5". A value of "0" disables this feature.
;suhosin.executor.include.max_traversal = 0

; Comma separated whitelist of URL schemes that are allowed to be included from
; include or require statements. Additionally to URL schemes it is possible to
; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
; specified, then the blacklist is evaluated.
;suhosin.executor.include.whitelist = 

; Comma separated blacklist of URL schemes that are not allowed to be included
; from include or require statements. Additionally to URL schemes it is
; possible to specify the beginning of allowed URLs. (f.e.: php://stdin) If no
; blacklist and no whitelist is specified all URL schemes are forbidden.
;suhosin.executor.include.blacklist = 

; Defines if PHP is allows to run code from files that are writable by the
; current process. If a file is created or modified by a PHP process, there
; is a potential danger of code injection. Only turn this on if you are sure
; that your application does not require writable PHP files.
;suhosin.executor.include.allow_writable_files = On

; Comma separated whitelist of functions that are allowed to be called. If the
; whitelist is empty the blacklist is evaluated, otherwise calling a function
; not in the whitelist will terminate the script and get logged.
;suhosin.executor.func.whitelist = 

; Comma separated blacklist of functions that are not allowed to be called. If
; no whitelist is given, calling a function within the blacklist will terminate
; the script and get logged. 
;suhosin.executor.func.blacklist = 

; Comma separated whitelist of functions that are allowed to be called from
; within eval(). If the whitelist is empty the blacklist is evaluated,
; otherwise calling a function not in the whitelist will terminate the script
; and get logged.
;suhosin.executor.eval.whitelist = 

; Comma separated blacklist of functions that are not allowed to be called from
; within eval(). If no whitelist is given, calling a function within the
; blacklist will terminate the script and get logged.
;suhosin.executor.eval.blacklist = 

; eval() is a very dangerous statement and therefore you might want to disable
; it completely. Deactivating it will however break lots of scripts. Because
; every violation is logged, this allows finding all places where eval() is
; used.
;suhosin.executor.disable_eval = Off

; The /e modifier inside preg_replace() allows code execution. Often it is the
; cause for remote code execution exploits. It is wise to deactivate this
; feature and test where in the application it is used. The developer using the
; /e modifier should be made aware that he should use preg_replace_callback()
; instead.
;suhosin.executor.disable_emodifier = Off

; This flag reactivates symlink() when open_basedir is used, which is disabled
; by default in Suhosin >= 0.9.6. Allowing symlink() while open_basedir is used
; is actually a security risk. 
;suhosin.executor.allow_symlink = Off

; -----------------------------------------------------------------------------
; Misc Options

; If you fear that Suhosin breaks your application, you can activate Suhosin's
; simulation mode with this flag. When Suhosin runs in simulation mode,
; violations are logged as usual, but nothing is blocked or removed from the
; request. (Transparent features are NOT deactivated in simulation mode.)
; (since v0.9.30 affects (dis)allowed functions)
suhosin.simulation = Off

; APC 3.0.12(p1/p2) uses reserved resources without requesting a resource slot
; first. It always uses resource slot 0. If Suhosin got this slot assigned APC
; will overwrite the information Suhosin stores in this slot. When this flag is
; set Suhosin will request 2 Slots and use the second one. This allows working
; correctly with these buggy APC versions.
;suhosin.apc_bug_workaround = Off

; When a SQL Query fails scripts often spit out a bunch of useful information
; for possible attackers. When this configuration directive is turned on, the
; script will silently terminate, after the problem has been logged. (This is
; not yet supported)
;suhosin.sql.bailout_on_error = Off

; This is an experimental feature for shared environments. With this
; configuration option it is possible to specify a prefix that is automatically
; prepended to the database username, whenever a database connection is made.
; (Unless the username starts with the prefix)
;suhosin.sql.user_prefix = 

; This is an experimental feature for shared environments. With this
; configuration option it is possible to specify a postfix that is
; automatically appended to the database username, whenever a database
; connection is made. (Unless the username end with the postfix)
;
; With this feature it is possible for shared hosters to disallow customers to
; connect with the usernames of other customers. This feature is experimental,
; because support for PDO and PostgreSQL are not yet implemented. 
;suhosin.sql.user_postfix = 

; This directive controls if multiple headers are allowed or not in a header()
; call. By default the Hardening-Patch forbids this. (HTTP headers spanning
; multiple lines are still allowed).
;suhosin.multiheader = Off

; This directive controls if the mail() header protection is activated or not
; and to what degree it is activated. The appended table lists the possible
; activation levels.
suhosin.mail.protect = 1

; As long scripts are not running within safe_mode they are free to change the
; memory_limit to whatever value they want. Suhosin changes this fact and
; disallows setting the memory_limit to a value greater than the one the script
; started with, when this option is left at 0. A value greater than 0 means
; that Suhosin will disallows scripts setting the memory_limit to a value above
; this configured hard limit. This is for example usefull if you want to run
; the script normaly with a limit of 16M but image processing scripts may raise
; it to 20M.
;suhosin.memory_limit = 0

; -----------------------------------------------------------------------------
; Randomness Options

; Flag that controls if calls to srand() are ignored in favour of suhosin's 
; own enhanced seeding - since 0.9.36 calls will trigger auto-reseeding
;suhosin.srand.ignore = On

; Flag that controls if calls to mt_srand() are ignored in favour of suhosin's 
; own enhanced seeding - since 0.9.36 calls will trigger auto-reseeding
;suhosin.mt_srand.ignore = On

; Server configuration can add a string into the entropy generation to further
; improve the entropy used for reseeding rand()/mt_rand()
;suhosin.rand.seedingkey = 

; Controls if automatic reseeding of rand() / mt_rand() is done for every
; new request. Will improve security but decrease performance.
; suhosin.rand.reseed_every_request = Off

; -----------------------------------------------------------------------------
; Transparent Encryption Options

; Flag that decides if the transparent session encryption is activated or not.
;suhosin.session.encrypt = On

; Session data can be encrypted transparently. The encryption key used consists
; of this user defined string (which can be altered by a script via ini_set())
; and optionally the User-Agent, the Document-Root and 0-4 Octects of the
; REMOTE_ADDR.
;suhosin.session.cryptkey = 

; Flag that decides if the transparent session encryption key depends on the
; User-Agent field. (When activated this feature transparently adds a little
; bit protection against session fixation/hijacking attacks)
;suhosin.session.cryptua = On

; Flag that decides if the transparent session encryption key depends on the
; Documentroot field.
;suhosin.session.cryptdocroot = On

; Number of octets (0-4) from the REMOTE_ADDR that the transparent session
; encryption key depends on. Keep in mind that this should not be used on sites
; that have visitors from big ISPs, because their IP address often changes
; during a session. But this feature might be interesting for admin interfaces
; or intranets. When used wisely this is a transparent protection against
; session hijacking/fixation. 
;suhosin.session.cryptraddr = 0

; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
; session. The difference to suhosin.session.cryptaddr is, that the IP is not
; part of the encryption key, so that the same session can be used for
; different areas with different protection levels on the site.
;suhosin.session.checkraddr = 0

; Flag that decides if the transparent cookie encryption is activated or not.
;suhosin.cookie.encrypt = 0

; Cookies can be encrypted transparently. The encryption key used consists of
; this user defined string and optionally the User-Agent, the Document-Root and
; 0-4 Octects of the REMOTE_ADDR.
;suhosin.cookie.cryptkey = 

; Flag that decides if the transparent session encryption key depends on the
; User-Agent field. (When activated this feature transparently adds a little
; bit protection against session fixation/hijacking attacks (if only session
; cookies are allowed))
;suhosin.cookie.cryptua = On

; Flag that decides if the transparent cookie encryption key depends on the
; Documentroot field.
;suhosin.cookie.cryptdocroot = On

; Number of octets (0-4) from the REMOTE_ADDR that the transparent cookie
; encryption key depends on. Keep in mind that this should not be used on sites
; that have visitors from big ISPs, because their IP address often changes
; during a session. But this feature might be interesting for admin interfaces
; or intranets. When used wisely this is a transparent protection against
; session hijacking/fixation.
;suhosin.cookie.cryptraddr = 0

; Number of octets (0-4) from the REMOTE_ADDR that have to match to decrypt the
; cookie. The difference to suhosin.cookie.cryptaddr is, that the IP is not
; part of the encryption key, so that the same cookie can be used for different
; areas with different protection levels on the site.
;suhosin.cookie.checkraddr = 0

; In case not all cookies are supposed to get encrypted this is a comma
; separated list of cookie names that should get encrypted. All other cookies
; will not get touched.
;suhosin.cookie.cryptlist = 

; In case some cookies should not be crypted this is a comma separated list of
; cookies that do not get encrypted. All other cookies will be encrypted.
;suhosin.cookie.plainlist = 

; -----------------------------------------------------------------------------
; Filtering Options

; Defines the reaction of Suhosin on a filter violation.
;suhosin.filter.action = 

; Defines the maximum depth an array variable may have, when registered through
; the COOKIE.
;suhosin.cookie.max_array_depth = 50

; Defines the maximum length of array indices for variables registered through
; the COOKIE.
;suhosin.cookie.max_array_index_length = 64

; Defines the maximum length of variable names for variables registered through
; the COOKIE. For array variables this is the name in front of the indices.
;suhosin.cookie.max_name_length = 64

; Defines the maximum length of the total variable name when registered through
; the COOKIE. For array variables this includes all indices.
;suhosin.cookie.max_totalname_length = 256

; Defines the maximum length of a variable that is registered through the
; COOKIE.
;suhosin.cookie.max_value_length = 10000

; Defines the maximum number of variables that may be registered through the
; COOKIE.
;suhosin.cookie.max_vars = 100

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.cookie.disallow_nul = 1

; Defines the maximum depth an array variable may have, when registered through
; the URL
;suhosin.get.max_array_depth = 50

; Defines the maximum length of array indices for variables registered through
; the URL
;suhosin.get.max_array_index_length = 64

; Defines the maximum length of variable names for variables registered through
; the URL. For array variables this is the name in front of the indices.
;suhosin.get.max_name_length = 64

; Defines the maximum length of the total variable name when registered through
; the URL. For array variables this includes all indices.
;suhosin.get.max_totalname_length = 256

; Defines the maximum length of a variable that is registered through the URL.
;suhosin.get.max_value_length = 512

; Defines the maximum number of variables that may be registered through the
; URL.
;suhosin.get.max_vars = 100

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.get.disallow_nul = 1

; Defines the maximum depth an array variable may have, when registered through
; a POST request.
;suhosin.post.max_array_depth = 50

; Defines the maximum length of array indices for variables registered through
; a POST request.
;suhosin.post.max_array_index_length = 64

; Defines the maximum length of variable names for variables registered through
; a POST request. For array variables this is the name in front of the indices.
;suhosin.post.max_name_length = 64

; Defines the maximum length of the total variable name when registered through
; a POST request. For array variables this includes all indices.
;suhosin.post.max_totalname_length = 256

; Defines the maximum length of a variable that is registered through a POST
; request.
;suhosin.post.max_value_length = 1000000

; Defines the maximum number of variables that may be registered through a POST
; request.
;suhosin.post.max_vars = 1000

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.post.disallow_nul = 1

; Defines the maximum depth an array variable may have, when registered through
; GET , POST or COOKIE. This setting is also an upper limit for the separate
; GET, POST, COOKIE configuration directives.
;suhosin.request.max_array_depth = 50

; Defines the maximum length of array indices for variables registered through
; GET, POST or COOKIE. This setting is also an upper limit for the separate
; GET, POST, COOKIE configuration directives.
;suhosin.request.max_array_index_length = 64

; Defines the maximum length of variable names for variables registered through
; the COOKIE, the URL or through a POST request. This is the complete name
; string, including all indicies. This setting is also an upper limit for the
; separate GET, POST, COOKIE configuration directives.
;suhosin.request.max_totalname_length = 256

; Defines the maximum length of a variable that is registered through the
; COOKIE, the URL or through a POST request. This setting is also an upper
; limit for the variable origin specific configuration directives.
;suhosin.request.max_value_length = 1000000

; Defines the maximum number of variables that may be registered through the
; COOKIE, the URL or through a POST request. This setting is also an upper
; limit for the variable origin specific configuration directives.
;suhosin.request.max_vars = 1000

; Defines the maximum name length (excluding possible array indicies) of
; variables that may be registered through the COOKIE, the URL or through a
; POST request. This setting is also an upper limit for the variable origin
; specific configuration directives.
;suhosin.request.max_varname_length = 64

; When set to On ASCIIZ chars are not allowed in variables.
;suhosin.request.disallow_nul = 1

; When set to On the dangerous characters <>"'` are urlencoded when found
; not encoded in the server variables REQUEST_URI and QUERY_STRING. This
; will protect against some XSS vulnerabilities.
;suhosin.server.encode = 1

; When set to On the dangerous characters <>"'` are replaced with ? in
; the server variables PHP_SELF, PATH_TRANSLATED and PATH_INFO. This will
; protect against some XSS vulnerabilities.
;suhosin.server.strip = 1

; Defines the maximum number of files that may be uploaded with one request.
;suhosin.upload.max_uploads = 25

; When set to On it is not possible to upload ELF executables.
;suhosin.upload.disallow_elf = 1

; When set to On it is not possible to upload binary files.
;suhosin.upload.disallow_binary = 0

; When set to On binary content is removed from the uploaded files.
;suhosin.upload.remove_binary = 0

; This defines the full path to a verification script for uploaded files. The
; script gets the temporary filename supplied and has to decide if the upload
; is allowed. A possible application for this is to scan uploaded files for
; viruses. The called script has to write a 1 as first line to standard output
; to allow the upload. Any other value or no output at all will result in the
; file being deleted.
;suhosin.upload.verification_script = 

; Specifies the maximum length of the session identifier that is allowed. When
; a longer session identifier is passed a new session identifier will be
; created. This feature is important to fight bufferoverflows in 3rd party
; session handlers.
;suhosin.session.max_id_length = 128

; Undocumented: Controls if suhosin coredumps when the optional suhosin patch 
; detects a bufferoverflow, memory corruption or double free. This is only
; for debugging purposes and should not be activated.
;suhosin.coredump = Off

; Undocumented: Controls if the encryption keys specified by the configuration
; are shown in the phpinfo() output or if they are hidden from it
;suhosin.protectkey = 1

; Controls if suhosin loads in stealth mode when it is not the only
; zend_extension (Required for full compatibility with certain encoders 
;  that consider open source untrusted. e.g. ionCube, Zend)
;suhosin.stealth = 1

; Controls if suhosin's ini directives are changeable per directory
; because the admin might want to allow some features to be controlable
; by .htaccess and some not. For example the logging capabilities can
; break safemode and open_basedir restrictions when .htaccess support is
; allowed and the admin forgot to fix their values in httpd.conf
; An empty value or a 0 will result in all directives not allowed in
; .htaccess. The string "legcprsum" will allow logging, execution, get, 
; post, cookie, request, sql, upload, misc features in .htaccess
;suhosin.perdir = "0"

ownCloud log (data/owncloud.log)

Nothing related to the error

Browser log

Nothing related to the error

LukasReschke commented 9 years ago

How did the request sent by your browser look like?

transistor91 commented 9 years ago

I don't know exactly how to get the necessary data, I tried with the Firefox Network Tool:

Headers:

Response headers (0,648 KB)
    Cache-Control:"no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
    Connection:"Keep-Alive"
    Content-Length:"72"
    Content-Type:"application/json; charset=utf-8"
    Date:"Wed, 04 Mar 2015 08:19:52 GMT"
    Expires:"Thu, 19 Nov 1981 08:52:00 GMT"
    Keep-Alive:"timeout=15, max=95"
    Pragma:"no-cache"
    Server:"Apache"
    Strict-Transport-Security:"max-age=31536000"
    X-Content-Type-Options:"nosniff"
    X-Frame-Options:"Sameorigin"
    X-Robots-Tag:"none"
    X-XSS-Protection:"1; mode=block"
    content-security-policy:"default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-    
    inline'; frame-src *; img-src *; font-src 'self' data:; media-src *"

Request headers (0,629 KB):
    Host:"xxx.xxx.xx"
    User-Agent:"xxxx"
    Accept:"*/*"
    Accept-Language:"en-US,en;q=0.5"
    Accept-Encoding:"gzip, deflate"
    Content-Type:"application/x-www-form-urlencoded; charset=UTF-8"
    requesttoken:"e0f5c60f71c41e6ffcc0"
    X-Requested-With:"XMLHttpRequest"
    Referer:"xxxx"
    Content-Length:"124"
    Cookie:"xxxx"
    Connection:"keep-alive"
    Pragma:"no-cache"
    Cache-Control:"no-cache"

Params:

Form data:
action:"share"
itemType:"folder"
itemSource:"117738"
shareType:"3"
shareWith:""
permissions:"1"
itemSourceName:"51+-+BofH"
expirationDate:""

If this is not enough please give me a hint how to get the necessary data. Thanks!