Open martinackerl opened 3 years ago
@martinackerl do you have the 'mod_rewrite' module enabled and if not could you enable it and check if your issue still occurs? :crossed_fingers:
@C0rby I think I have. This is in my .htaccess. I already tried it with the two last lines removed, but it makes no difference.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates|changelog)/.* - [R=404,L]
RewriteRule ^core/signature\.json - [R=404,L]
RewriteRule ^(?:core/skeleton)/.* - [R=404,L]
RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
# inserted by me for ssl force
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(.*)$ https://(urlDELETEDforPRIVACY)/$1 [R=301,L]
I think I have.
Could you check just to make sure? The issue I found is that Apache is stripping the Authorization header when passing the request to the PHP context.
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
This rewrite rule is passing it in again, but it will only do it when mod_rewrite is enabled.
Locally this fixed the issue for me. If in your setup it IS enabled and the issue still occurs then I need to dig deeper...
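As an added diagnostic (not code from the ownCloud project or from anyone in this thread), a probe script that reports whether the Authorization header survives the trip from Apache into PHP under the same .htaccess; the file name header_probe.php and the curl credentials are assumptions.

```php
<?php
// header_probe.php (added diagnostic, not part of ownCloud). Place it next to
// public.php so the same .htaccess applies, request it with an Authorization
// header, then delete it again:
//
//   curl -s -u probe:probe https://cloud.example.test/header_probe.php
//
// Under mod_php Apache exposes the header as HTTP_AUTHORIZATION directly.
// Under CGI/FastCGI it is dropped unless re-injected, e.g. by the .htaccess rule
//   RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
// (env vars set by mod_rewrite in .htaccess may arrive with a REDIRECT_ prefix),
// or by Apache >= 2.4.13's "CGIPassAuth On" for the ownCloud directory.

header('Content-Type: text/plain');

// Names under which a re-injected or natively passed header can show up.
$candidates = ['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'];
$found = null;
foreach ($candidates as $name) {
    if (!empty($_SERVER[$name])) {
        $found = $name;
        break;
    }
}

echo 'Server API: ', PHP_SAPI, "\n";
if ($found === null) {
    echo "Authorization header did NOT reach PHP.\n";
    echo "Check: mod_rewrite loaded, AllowOverride All for the ownCloud directory,\n";
    echo "       no reverse proxy or mod_security rule dropping the header.\n";
} else {
    // Never echo the credential itself; report only that it arrived and its scheme.
    $scheme = strtok($_SERVER[$found], ' ');
    echo "Authorization header reached PHP via \$_SERVER['$found'] (scheme: $scheme).\n";
}
```

If the probe reports "did NOT reach PHP" while the ownCloud .htaccess is in place, the problem is in the web server or hosting layer, not in ownCloud.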
Sorry, could you please give me a hint how I can check this for sure? It is installed on a managed Ionos hosting. Edit: php_info does not list Loaded Modules.
However, I am pretty sure it is activated because the two lines I added do make a difference. When I open my Owncloud via Webbrowser via http://(URLtomyCloud)/ it instantly forwards to https://(URLtomyCloud)/ When I remove those lines, I can access my OwnCloud also directly via http.
Could you try this?
<?php
print in_array('mod_rewrite', apache_get_modules()) ? "Enabled" : "Disabled";
?>
It's not allowed... 😕
Fatal error: Uncaught Error: Call to undefined function apache_get_modules() ………
--------------- On Debian based systems ---------------
$ apache2ctl -t -D DUMP_MODULES
OR
$ apache2ctl -M
--------------- On RHEL based systems ---------------
$ apachectl -t -D DUMP_MODULES
OR
$ httpd -M
$ apache2ctl -M
I think the problem here is that @martinackerl is on a managed hoster. I'm out of ideas. I think the next step would be to ask your hoster about the setup. Is the apache configured with php-module or cgi?
@micbar I have access to a bash shell via ssh, but the commands don't seem to work (I am not experienced)
Linux infong68 4.4.236-icpu-055 #2 SMP Mon Sep 21 13:48:35 UTC 2020 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
(uiserver):u6??????2:~$ apache2ctl -M
-bash: apache2ctl: Kommando nicht gefunden.
(uiserver):u6??????2:~$ httpd -M
-bash: httpd: Kommando nicht gefunden.
(uiserver):u6??????2:~$ apachectl -t -D DUMP_MODULES
-bash: apachectl: Kommando nicht gefunden.
(uiserver):u6??????2:~$
@C0rby this is what php_info states: (is this what you are looking for?)
Server API | CGI/FastCGI |
---|---|
Virtual Directory Support | disabled |
Configuration File (php.ini) Path | /etc/php7.4 |
Loaded Configuration File | /etc/php7.4/php.ini |
Not quite.
You could try ls /etc/apache2/mods-enabled.
There is no apache2 directory in /etc
Then unfortunately I'm out of ideas. Maybe try to contact the Ionos support to figure out how your system is set up: if mod_rewrite is enabled and, if not, how to enable it. And once you have that and can still reproduce the issue, feel free to ping me again.
I will do this. Thank you very much. What I find odd is that it worked fine for years, and suddenly after the update to 10.6.0 this problem emerged.
Are you an admin user? You can create a config report from the webUI.
excerpt from my test instance
"phpinfo": {
"apache2handler": {
"Apache Version": "Apache\/2.4.43 (Unix) OpenSSL\/1.1.1g PHP\/7.2.32",
"Apache API Version": "20120211",
"Server Administrator": "you@example.com",
"Hostname:Port": "cloud.local:0",
"User\/Group": "mbarz(501)\/20",
"Max Requests": "Per Child: 0 - Keep Alive: on - Max Per Connection: 100",
"Timeouts": "Connection: 60 - Keep-Alive: 5",
"Virtual Server": "Yes",
"Server Root": "\/usr\/local\/opt\/httpd",
"Loaded Modules": "core mod_so http_core prefork mod_authn_file mod_authn_core mod_authz_host mod_authz_groupfile mod_authz_user mod_authz_core mod_access_compat mod_auth_basic mod_socache_shmcb mod_filter mod_deflate mod_mime mod_log_config mod_env mod_headers mod_setenvif mod_version mod_ssl mod_unixd mod_status mod_autoindex mod_dir mod_alias mod_rewrite mod_php7",
"engine": "1",
"last_modified": "0",
"xbithack": "0"
},
"Loaded Modules"
@C0rby @martinackerl Pro tip 😄
I also considered it but @martinackerl did try phpinfo
before and this didn't show the loaded modules.
It's worth a try though... :see_no_evil:
There is a big difference
1) php on the cli is not using apache in between
2) generating the configreport via WebUI routes the request through apache.
@micbar thanks for the hint, but the config report also gives me no apache2handler section. 🤷♂️
Anyway, I talked with the support in the meantime and they told me that mod_rewrite is active and apache is configured with php-module.
Then we must conclude that your ownCloud is not served by apache. 🤷♂️
@micbar I respectfully object 🧐. OwnClouds config report says:
{
"basic": {
"license key": "***REMOVED SENSITIVE VALUE***",
"date": "Thu, 14 Jan 2021 16:23:00 +0000",
"ownCloud version": "10.6.0.5",
"ownCloud version string": "10.6.0",
"ownCloud edition": "Community",
"server OS": "Linux",
"server OS version": "Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU\/Linux",
"server SAPI": "cgi-fcgi",
"webserver version": "Apache",
🤔
"server SAPI": "cgi-fcgi",
no mod_php
That means that your apache is not using mod_php
"server SAPI": "cgi-fcgi"
This info is helpful though. :+1:
@martinackerl, okay so just to test I set up a system with fcgi and it worked there too. That means something in your setup is missing.
Maybe you still need to add AllowOverride All
to your apache VirtualHost config.
But I would close this issue now since it is a config issue.
@C0rby Thank you for your efforts and your time. I absolutely understand if you don't want to spend any more of it on this issue, but I still think this is a bug in the 10.6 core that can not be ignored.
So I made 2 complete new installations (core 10.5 and core 10.6) via the zip file from owncloud.com on two different subdomains, kept every setting standard, even using SQLite.
On core 10.6 I still get this error when trying to share a file from the client software.
Share fetch/create error 996 “CSRF check failed”
On core 10.5 everything works as expected.
A standard installation on a standard hosting of a very big hoster should just work or at least give the user a clear hint what to do. There is no error 996 in the documentation.
Please open the issue again so that at least someone else can try to find a solution.
Our company had the same issue as @martinackerl with sharing on macOS after upgrading to core 10.6. We found out that the issue was caused by the changes of this commit: https://github.com/owncloud/core/commit/3b4027fc538a035108dea7c65384c65ce07ecf5a
We put the "@NoCSRFRequired" parameter back to every function in this file "apps/files_sharing/lib/Controller/Share20OcsController.php" and sharing is working again on macOS without the CSRF check error.
@C0rby it would be nice if you could check why your changes cause this issue and how it could be solved.
@held-vitalij Thank you for the tip! Using apps/files_sharing/lib/Controller/Share20OcsController.php from Version 10.5 does the trick. It's at least a workaround! I still think this should be fixed.
@held-vitalij @martinackerl The change you are referring to was necessary to close an attack vector. It was reported to us by an external and we mitigated it.
See advisory https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/
Our mobile and desktop clients always send an Authorization
header. So with a proper server config, it will work.
Using the 10.5 version of the apps/files_sharing/lib/Controller/Share20OcsController.php is not recommended due to the known issue.
@ho4ho We officially support mod_php only because it is thread-safe. But many instances are using fcgi at their own risk.
My hosting support ensured me that mod_rewrite is enabled and AllowOverride All is configured.
Still I get the CSRF error - on a brand new clean install.
Could you please take another look into the changes in 10.6 that trigger this error? Would be much appreciated.
Hello @martinackerl,
we solved the problem by adding:
RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
to our site file /etc/apache2/sites-available/owncloud-ssl.conf.
Maybe there is a problem in your .htaccess-file that the apache ignores some settings.
Thanks @held-vitalij but I have no access to /etc/apache2/ on my hoster.
But the RewriteRule is present in the .htaccess of OwnCloud.
@martinackerl some hosters do not allow to set apache config by .htaccess files.
@micbar So this means since version 10.6 OwnCloud is not compatible with managed hosting providers anymore and can only be used on dedicated servers. Is this correct? If not, it would be much appreciated if you could just tell me, what I need to ask from my hosting provider. Or maybe @ho4ho has a hint for me?
The RewriteRule is active in the .htaccess of OwnCloud. I did not change anything. Clean install.
My hosting support ensured me that Apache has mod_rewrite enabled and AllowOverride All configured.
I do not understand why the RewriteRule also needs to be in the apache2 config. But I can ask the support tomorrow if it already is or if it can be added.
I am an user, not a coder - please tell me what I am missing.
If not, it would be much appreciated if you could just tell me, what I need to ask from my hosting provider. Or maybe @ho4ho has a hint for me?
Fact is, that the auth headers, which are sent by our clients are not reaching ownCloud. In the past, we accepted cookie auth, so this was not a problem.
Ask your provider why the headers are not transmitted by apache. Maybe there is some kind of middleware (Loadbalancer, reverse proxy) in between, which rewrites your headers.
Hi @micbar, i got an answer from Ionos: "It seems that mod_security is refusing access. You probably need to install your Software (OwnCloud) on a dedicated server."
@micbar somebody found a solution over at ownCloud Central: https://central.owncloud.org/t/csrf-check-failed-when-trying-to-share-files/29991/24 I hope this could be implemented as a permanent fix in the next release.
Thanks for this update @martinackerl ;)
Maybe you still need to add AllowOverride All to your apache VirtualHost config.
Could one need this to be done by hosting support?
My install is self hosted. Had zero issues with sharing until upgrading to 10.8.0.4. Post upgrade, when signing into the web portal I received "cannot find directory /" and no files were listed. Additionally, I received the same CSRF error when sharing in the app.
Modifying apache2.conf sections <Directory /var/www> AllowOverride All from None and just directory / solved both issues for me.
I had the same issue. I was allowed to fix it by adding this in my apache2 virtualhost:
<Directory /var/www/owncloud>
AllowOverride All
RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</Directory>
EDIT: both AllowOverride and RewriteEngine are required
It works for me Thanks
I'm having the same issue since I upgraded to the latest Desktop app on macOS. Is there any fix for this ?
apache 2.4.56 (cpanel), php 7.4.33
$ httpd -M | grep -i rewri
rewrite_module (shared)
Hi, I tried all solutions provided without success. Any other idea?
On Apr 13, 2023, at 12:29 PM, ho4ho @.***> wrote:
@fgadot https://github.com/fgadot Look at the previous comments, many hints for fixing the server config are available:
38287 (comment) https://github.com/owncloud/core/issues/38287#issuecomment-1012520522
https://central.owncloud.org/t/csrf-check-failed-when-trying-to-share-files/29991/24
38287 (comment) https://github.com/owncloud/core/issues/38287#issuecomment-780409646
https://github.com/owncloud/core/issues/38287#issuecomment-1012520522 fixed it also for me. Thx.
After updating the core from 10.5.0 to 10.6.0 the sharing feature in the macOS and iOS app does not work anymore.
When using the web interface, sharing works as expected.
Expected behaviour:
Right-click on a file in my ownCloud folder, -> copy public link -> paste the link in the browser -> file can be downloaded.
Actual behaviour
Right-click on a file in my ownCloud folder, -> copy public link -> the window with the sharing options opens, displaying “CSRF check failed” in red. All options for creating shares are greyed out.
The iOS app displays the same message when trying to create a public link to a file.
Steps to reproduce
As described above.
Server configuration
Operating system: Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU/Linux
Web server: Apache
Database: MySQL 5.5
PHP version: 7.4
ownCloud version: 10.6.0
Storage backend (external storage): none
Client configuration
Client version: Desktop: 2.7.4 (build 2934) iOS: 11.4.5 build 182
Operating system: MacOS 10.14.6; MacOS 11.1; iOS 14.2
OS language: german
Installation path of client: /Applications/
Logs
Web server error log:
Server logfile: ownCloud log (data/owncloud.log):
Can’t find unusual messages.
Updated from an older ownCloud or fresh install: Update from 10.5
Where did you install ownCloud from: Initially Installed Owncloud 8 from the ZIP Archive provided at owncloud.com years ago and used the update function ever since.
Signing status (ownCloud 9.0 and above):
The content of config/config.php:
List of activated apps:
Are you using external storage, if yes which one: local/smb/sftp/... NO
Are you using encryption: yes/no NO
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/... NO