owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

CSRF check failed when trying to share files from Desktop or iOS app #38287

Open martinackerl opened 3 years ago

martinackerl commented 3 years ago

After updating the core from 10.5.0 to 10.6.0 the sharing feature in the macOS and iOS app does not work anymore.

When using the web interface, sharing works as expected.

Expected behaviour:

Right-click on a file in my ownCloud folder -> copy public link -> paste the link in the browser -> file can be downloaded.

Actual behaviour:

Right-click on a file in my ownCloud folder -> copy public link -> the window with the sharing options opens, displaying "CSRF check failed" in red. All options for creating shares are greyed out.

The iOS app displays the same message when trying to create a public link to a file.

Steps to reproduce

As described above.

Server configuration

Operating system: Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU/Linux
Web server: Apache
Database: MySQL 5.5
PHP version: 7.4
ownCloud version: 10.6.0

Storage backend (external storage): none

Client configuration

Client version: Desktop: 2.7.4 (build 2934) iOS: 11.4.5 build 182

Operating system: MacOS 10.14.6; MacOS 11.1; iOS 14.2

OS language: german

Installation path of client: /Applications/

Logs

Client logfile: Output of owncloud --logwindow or owncloud --logfile log.txt
01-11 10:14:57:710 [ warning gui.sharing.ocs ]: Reply to "GET" QUrl("https://(urlDELETEDforPRIVACY)/ocs/v1.php/apps/files_sharing/api/v1/shares") (QPair("path","/Bildschirmfoto 2021-01-03 um 12.50.59.png"), QPair("reshares","true")) has unexpected status code: 996 "{"ocs":{"meta":{"status":"failure","statuscode":996,"message":"CSRF check failed","totalitems":"","itemsperpage":""},"data":[]}}"
01-11 10:14:57:710 [ warning gui.socketapi.publiclink ]: Share fetch/create error 996 "CSRF check failed"

Web server error log:

(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:57 +0100] "GET /ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2FBildschirmfoto%202021-01-03%20um%2012.50.59.png&reshares=true&format=json HTTP/1.1" 200 128 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:57 +0100] "GET /index.php/apps/files/api/v1/thumbnail/150/150//Bildschirmfoto%202021-01-03%20um%2012.50.59.png HTTP/1.1" 200 16667 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:58 +0100] "PROPFIND /remote.php/dav/files/octestuser/Bildschirmfoto%202021-01-03%20um%2012.50.59.png HTTP/1.1" 207 548 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:58 +0100] "GET /ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2FBildschirmfoto%202021-01-03%20um%2012.50.59.png&reshares=true&format=json HTTP/1.1" 200 128 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:58 +0100] "GET /ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2FBildschirmfoto%202021-01-03%20um%2012.50.59.png&reshares=true&format=json HTTP/1.1" 200 128 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"

Server logfile: ownCloud log (data/owncloud.log):

Can’t find unusual messages.

Updated from an older ownCloud or fresh install: Update from 10.5

Where did you install ownCloud from: Initially Installed Owncloud 8 from the ZIP Archive provided at owncloud.com years ago and used the update function ever since.

Signing status (ownCloud 9.0 and above):

No errors have been found.

The content of config/config.php:

Can be provided on request

List of activated apps:

Only standard apps

Are you using external storage, if yes which one: local/smb/sftp/... NO

Are you using encryption: yes/no NO

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/... NO

[Screenshot: Bildschirmfoto 2021-01-11 um 10 37 19]
C0rby commented 3 years ago

@martinackerl do you have the 'mod_rewrite' module enabled and if not could you enable it and check if your issue still occurs? :crossed_fingers:

martinackerl commented 3 years ago

@C0rby I think I have. This is in my .htaccess; I already tried it with the last two lines removed, but it makes no difference.

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates|changelog)/.* - [R=404,L]
  RewriteRule ^core/signature\.json - [R=404,L]
  RewriteRule ^(?:core/skeleton)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]

# inserted by me for ssl force 
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(.*)$ https://(urlDELETEDforPRIVACY)/$1 [R=301,L]
C0rby commented 3 years ago

I think I have.

Could you check just to make sure? The issue I found is that Apache is stripping the Authorization header when passing the request to the PHP context. The rewrite rule RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}] passes it in again, but it only does so when mod_rewrite is enabled. Locally this fixed the issue for me. If in your setup it IS enabled and the issue still occurs then I need to dig deeper...
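A client-side way to observe what C0rby describes, as an added example that is not part of this thread or of ownCloud's code: it sends the same OCS shares GET the desktop client sends (the request visible in the access log above) with an HTTP Basic Authorization header and reads the OCS statuscode from the JSON reply. Assumptions: the base URL, user and password are placeholders you supply; statuscode 100 is taken as the OCS success code; the OCS-APIREQUEST header is assumed to be what the ownCloud clients add to OCS calls; the sample 996 body is a constructed copy of the one in the client log.

```python
"""Probe whether an Authorization header survives the trip into ownCloud's OCS API.

Added example (not ownCloud code). It issues the GET the desktop client issues
and interprets the OCS statuscode in the reply: a 996 although Basic auth was
supplied means the request was judged on its session cookie alone, i.e. the
header never reached PHP.
"""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

OCS_OK = 100            # assumed OCS v1 success code
OCS_CSRF_FAILED = 996   # "CSRF check failed", as logged by the client in this thread

# Constructed copy of the reply body the desktop client logged above.
SAMPLE_996_BODY = (
    '{"ocs":{"meta":{"status":"failure","statuscode":996,'
    '"message":"CSRF check failed","totalitems":"","itemsperpage":""},"data":[]}}'
)


def ocs_meta(body: str) -> tuple:
    """Return (statuscode, message) from an OCS JSON reply body."""
    meta = json.loads(body)["ocs"]["meta"]
    return int(meta["statuscode"]), str(meta.get("message", ""))


def diagnose(statuscode: int) -> str:
    """Translate the OCS statuscode into the explanation this thread arrived at."""
    if statuscode == OCS_OK:
        return "ok: the Authorization header reached ownCloud"
    if statuscode == OCS_CSRF_FAILED:
        return ("csrf: ownCloud only saw the session cookie, so the Authorization "
                "header was dropped between Apache and PHP (check mod_rewrite, "
                "AllowOverride All and the HTTP_AUTHORIZATION rewrite rule, or a "
                "proxy / mod_security in front of Apache)")
    return f"other: OCS statuscode {statuscode}"


def shares_url(base_url: str, path: str) -> str:
    """Build the files_sharing shares URL the way the client does (path, reshares, format)."""
    query = urllib.parse.urlencode({"path": path, "reshares": "true", "format": "json"})
    return f"{base_url.rstrip('/')}/ocs/v1.php/apps/files_sharing/api/v1/shares?{query}"


def probe(base_url: str, user: str, password: str, path: str = "/") -> tuple:
    """Send the request with HTTP Basic auth and return (statuscode, message, diagnosis)."""
    req = urllib.request.Request(shares_url(base_url, path))
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("OCS-APIREQUEST", "true")  # assumed: header the ownCloud clients add to OCS calls
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:     # OCS answers with a JSON body on 4xx as well
        body = err.read().decode()
    code, message = ocs_meta(body)
    return code, message, diagnose(code)


if __name__ == "__main__":
    # usage: python probe_ocs_auth.py https://cloud.example.org USER PASSWORD
    base, user, password = sys.argv[1:4]
    print(probe(base, user, password))
```

Run it once against the web server directly and, if there is a reverse proxy or load balancer in front, once against each hop you can reach: the hop at which the answer flips from 100 to 996 is where the header is lost.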

martinackerl commented 3 years ago

Sorry, could you please give me a hint how I can check this for sure? It is installed on a managed Ionos hosting. Edit: php_info does not list Loaded Modules.

However, I am pretty sure it is activated because the two lines I added do make a difference. When I open my ownCloud in a web browser via http://(URLtomyCloud)/ it instantly forwards to https://(URLtomyCloud)/. When I remove those lines, I can also access my ownCloud directly via http.

C0rby commented 3 years ago

Could you try this?

<?php
    print in_array('mod_rewrite', apache_get_modules()) ? "Enabled" : "Disabled";
?>
martinackerl commented 3 years ago

It's not allowed... 😕 Fatal error: Uncaught Error: Call to undefined function apache_get_modules() ………

micbar commented 3 years ago
---------------  On Debian based systems --------------- 
$ apache2ctl -t -D DUMP_MODULES   
OR 
$ apache2ctl -M

---------------  On RHEL based systems --------------- 
$ apachectl -t -D DUMP_MODULES   
OR 
$ httpd -M
$ apache2ctl -M
C0rby commented 3 years ago

I think the problem here is that @martinackerl is on a managed hoster. I'm out of ideas. I think the next step would be to ask your hoster about the setup. Is the apache configured with php-module or cgi?

martinackerl commented 3 years ago

@micbar I have access to a bash shell via ssh, but the commands don't seem to work (I am not experienced)

Linux infong68 4.4.236-icpu-055 #2 SMP Mon Sep 21 13:48:35 UTC 2020 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
(uiserver):u6??????2:~$ apache2ctl -M
-bash: apache2ctl: Kommando nicht gefunden.
(uiserver):u6??????2:~$ httpd -M
-bash: httpd: Kommando nicht gefunden.
(uiserver):u6??????2:~$ apachectl -t -D DUMP_MODULES
-bash: apachectl: Kommando nicht gefunden.
(uiserver):u6??????2:~$ 

@C0rby this is what php_info states: (is this what you are looking for?)

Server API CGI/FastCGI
Virtual Directory Support disabled
Configuration File (php.ini) Path /etc/php7.4
Loaded Configuration File /etc/php7.4/php.ini
C0rby commented 3 years ago

Not quite. You could try ls /etc/apache2/mods-enabled.

martinackerl commented 3 years ago

There is no apache2 directory in /etc

(uiserver):u????????:/etc$ ls
adduser.conf        debsums-ignore       issue.net       mysql      php7.3      shadow-
alternatives        default          joe         nanorc     php7.4      shells
apparmor.d      deluser.conf         kernel      nemesis        php8.0      skel
apt         dictionaries-common  ldap        netconfig      profile     ssh
authd.conf      dpkg             ld.so.cache     networks       profile.d       ssl
bash.bashrc     emacs            ld.so.conf      nsswitch.conf  protocols       subgid
bash_completion     environment      ld.so.conf.d    oneclick       python      subuid
bash_completion.d   fakechroot       libaudit.conf   opt        python2.7       subversion
bindresvport.blacklist  fonts            libnl-3         os-release     python3     sysctl.conf
ca-certificates     fstab            libpaper.d      pam.conf       python3.7       sysctl.d
ca-certificates.conf    ftd          localtime       pam.d      quotagrpadmins  systemd
calendar        gai.conf         logcheck        papersize      quotatab        terminfo
cbi         ghostscript      login.defs      passwd     rc0.d       timezone
complete.tcsh       gitconfig        logrotate.conf  passwd-        rc1.d       ucf.conf
cron.allow      groff            logrotate.d     pear4.4.conf   rc2.d       ufw
cron.d          group            lynx        pear5.2.conf   rc3.d       ui-sendmail-wrapper.conf
cron.daily      group-           magic       pear5.4.conf   rc4.d       update-motd.d
cron.deny       gshadow          magic.mime      pear5.5.conf   rc5.d       vim
cron.hourly     gshadow-         mailcap         pear6.conf     rc6.d       warnquota.conf
cron.monthly        gss          mailcap.order   pear7.1.conf   rcS.d       wgetrc
crontab         host.conf        mail.rc         pear7.3.conf   resolv.conf     wordpress
cron.weekly     hostname         manpath.config  pear7.4.conf   rmt         X11
csh         hosts            mc          pear8.0.conf   rpc         xattr.conf
csh.cshrc       hosts.allow      mercurial       perl       rssh.conf       zsh
csh.login       hosts.deny       mime.types      php4.4     securetty
csh.logout      ImageMagick-6        mke2fs.conf     php5.2     security
debconf.conf        init.d           mkshrc      php5.4     selinux
debian_chroot       inputrc          motd        php5.5     services
debian_version      issue            mtab        php7.1     shadow
C0rby commented 3 years ago

Then unfortunately I'm out of ideas. Maybe try to contact the Ionos support to figure out how your system is set up: whether mod_rewrite is enabled and, if not, how to enable it. And once you have that and can still reproduce the issue, feel free to ping me again.

martinackerl commented 3 years ago

I will do this. Thank you very much. What I find odd is that it worked fine for years, and suddenly after the update to 10.6.0 this problem emerged.

micbar commented 3 years ago

Are you an admin user? You can create a config report from the web UI.

excerpt from my test instance

"phpinfo": {
        "apache2handler": {
            "Apache Version": "Apache\/2.4.43 (Unix) OpenSSL\/1.1.1g PHP\/7.2.32",
            "Apache API Version": "20120211",
            "Server Administrator": "you@example.com",
            "Hostname:Port": "cloud.local:0",
            "User\/Group": "mbarz(501)\/20",
            "Max Requests": "Per Child: 0 - Keep Alive: on - Max Per Connection: 100",
            "Timeouts": "Connection: 60 - Keep-Alive: 5",
            "Virtual Server": "Yes",
            "Server Root": "\/usr\/local\/opt\/httpd",
            "Loaded Modules": "core mod_so http_core prefork mod_authn_file mod_authn_core mod_authz_host mod_authz_groupfile mod_authz_user mod_authz_core mod_access_compat mod_auth_basic mod_socache_shmcb mod_filter mod_deflate mod_mime mod_log_config mod_env mod_headers mod_setenvif mod_version mod_ssl mod_unixd mod_status mod_autoindex mod_dir mod_alias mod_rewrite mod_php7",
            "engine": "1",
            "last_modified": "0",
            "xbithack": "0"
        },
micbar commented 3 years ago

"Loaded Modules"

@C0rby @martinackerl Pro tip 😄

C0rby commented 3 years ago

"Loaded Modules"

@C0rby @martinackerl Pro tip 😄

I also considered it but @martinackerl did try phpinfo before and this didn't show the loaded modules. It's worth a try though... :see_no_evil:

micbar commented 3 years ago

There is a big difference:

1) php on the cli is not using apache in between

2) generating the configreport via WebUI routes the request through apache.

martinackerl commented 3 years ago

@micbar thanks for the hint, but the config report also gives me no apache2handler section. 🤷‍♂️

Anyway, I talked with the support in the meantime and they told me that mod_rewrite is active and apache is configured with php-module.

micbar commented 3 years ago

Then we must conclude that your ownCloud is not served by Apache. 🤷‍♂️

martinackerl commented 3 years ago

@micbar I respectfully object 🧐. ownCloud's config report says:

{
    "basic": {
        "license key": "***REMOVED SENSITIVE VALUE***",
        "date": "Thu, 14 Jan 2021 16:23:00 +0000",
        "ownCloud version": "10.6.0.5",
        "ownCloud version string": "10.6.0",
        "ownCloud edition": "Community",
        "server OS": "Linux",
        "server OS version": "Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU\/Linux",
        "server SAPI": "cgi-fcgi",
        "webserver version": "Apache",
micbar commented 3 years ago

🤔

"server SAPI": "cgi-fcgi",

no mod_php

That means that your apache is not using mod_php

C0rby commented 3 years ago

"server SAPI": "cgi-fcgi"

This info is helpful though. :+1:

C0rby commented 3 years ago

@martinackerl, okay so just to test I set up a system with fcgi and it worked there too. That means something in your setup is missing.

Maybe you still need to add AllowOverride All to your apache VirtualHost config. But I would close this issue now since it is a config issue.

martinackerl commented 3 years ago

@C0rby Thank you for your efforts and your time. I absolutely understand if you don't want to spend any more of it on this issue, but I still think this is a bug in the 10.6 core that can not be ignored.

So I made 2 complete new installations (core 10.5 and core 10.6) via the zip file from owncloud.com on two different subdomains, kept every setting standard, even using SQLite.

On core 10.6 I still get this error when trying to share a file from the client software. Share fetch/create error 996 “CSRF check failed”

On core 10.5 everything works as expected.

A standard installation on a standard hosting of a very big hoster should just work or at least give the user a clear hint what to do. There is no error 996 in the documentation.

Please open the issue again so that at least someone else can try to find a solution.

held-vitalij commented 3 years ago

Our company had the same issue like @martinackerl with sharing on macOS after upgrading to core 10.6. We found out that the issue was caused by the changes of this commit: https://github.com/owncloud/core/commit/3b4027fc538a035108dea7c65384c65ce07ecf5a

We put the "@NoCSRFRequired" parameter back to every function in this file "apps/files_sharing/lib/Controller/Share20OcsController.php" and sharing is working again on macOS without the CSRF check error.

@C0rby it would be nice if you could check why your changes cause this issue and how it could be solved.

martinackerl commented 3 years ago

@held-vitalij Thank you for the tip! Using apps/files_sharing/lib/Controller/Share20OcsController.php from Version 10.5 does the trick. It's at least a workaround! I still think this should be fixed.

micbar commented 3 years ago

@held-vitalij @martinackerl The change you are referring to was necessary to close an attack vector. It was reported to us by an external and we mitigated it.

See advisory https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/

Our mobile and desktop clients always send an Authorization header. So with a proper server config, it will work. Using the 10.5 version of the apps/files_sharing/lib/Controller/Share20OcsController.php is not recommended due to the known issue.

micbar commented 3 years ago

@ho4ho We officially support mod_php only because it is thread-safe. But many instances are using fcgi at their own risk.

martinackerl commented 3 years ago

My hosting support assured me that mod_rewrite is enabled and AllowOverride All is configured.

Still I get the CSRF error - on a brand new clean install.

Could you please take another look into the changes in 10.6 that trigger this error? Would be much appreciated.

held-vitalij commented 3 years ago

Hello @martinackerl,

we solved the problem by adding RewriteEngine on and RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}] to our site file /etc/apache2/sites-available/owncloud-ssl.conf. Maybe there is a problem in your .htaccess file so that Apache ignores some settings.

martinackerl commented 3 years ago

Hello @martinackerl,

we solved the problem by adding RewriteEngine on and RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}] to our site file /etc/apache2/sites-available/owncloud-ssl.conf. Maybe there is a problem in your .htaccess file so that Apache ignores some settings.

Thanks @held-vitalij but I have no access to /etc/apache2/ on my hoster. But the RewriteRule is present in the .htaccess of OwnCloud.

micbar commented 3 years ago

@martinackerl some hosters do not allow to set apache config by .htaccess files.

martinackerl commented 3 years ago

@micbar So this means since version 10.6 OwnCloud is not compatible with managed hosting providers anymore and can only be used on dedicated servers. Is this correct? If not, it would be much appreciated if you could just tell me, what I need to ask from my hosting provider. Or maybe @ho4ho has a hint for me?

martinackerl commented 3 years ago
  1. The RewriteRule is active in the .htaccess of OwnCloud. I did not change anything. Clean install.

  2. My hosting support assured me that Apache has mod_rewrite enabled and AllowOverride All configured.

  3. I do not understand why the RewriteRule also needs to be in the apache2 config. But I can ask the support tomorrow if it already is or if it can be added.

I am a user, not a coder - please tell me what I am missing.

micbar commented 3 years ago

If not, it would be much appreciated if you could just tell me, what I need to ask from my hosting provider. Or maybe @ho4ho has a hint for me?

Fact is that the auth headers sent by our clients are not reaching ownCloud. In the past, we accepted cookie auth, so this was not a problem.

Ask your provider why the headers are not transmitted by apache. Maybe there is some kind of middleware (Loadbalancer, reverse proxy) in between, which rewrites your headers.
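As an added example that is not part of this thread or of ownCloud's code, the following Python models the chain micbar and C0rby describe: the Authorization header being dropped between Apache and PHP under CGI/FastCGI unless the rewrite rule re-exports it, and the 10.6 OCS sharing controller (with @NoCSRFRequired removed) no longer serving a cookie-only request that carries no CSRF token, while a request carrying an Authorization header passes. The cookie name, the token value and the 997 "not authenticated" code are constructed; 100 is assumed to be the OCS success code; the requesttoken header name is the one the ownCloud web UI uses.

```python
"""Model of why the desktop client gets OCS 996 after the 10.5 -> 10.6 change.

Added example, not ownCloud's code. It models what this thread established:
  * Apache with mod_php hands the Authorization header to PHP; under
    CGI/FastCGI it is dropped unless mod_rewrite re-exports it with
    'RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]'.
  * In 10.5 the OCS sharing controller carried @NoCSRFRequired, so a request
    authenticated by session cookie alone was served; in 10.6 such a request
    needs the web UI's CSRF token, while a request carrying an Authorization
    header (what the desktop and mobile clients send) is not cookie-based and
    passes.
Constructed names: the cookie name, the token value and the 997 code.
"""
import base64
from dataclasses import dataclass, field

OCS_OK = 100                 # assumed OCS v1 success code
OCS_CSRF_FAILED = 996        # "CSRF check failed", as seen in this thread
OCS_NOT_AUTHENTICATED = 997  # assumed code for a request with no credentials at all

VALID_CSRF_TOKEN = "constructed-requesttoken"   # what the web UI would send


@dataclass
class HttpRequest:
    headers: dict
    cookies: dict = field(default_factory=dict)


def apache_to_php_env(req: HttpRequest, sapi: str, rewrite_rule_active: bool) -> dict:
    """Return the $_SERVER-style variables PHP receives for this request."""
    env = {"HTTP_" + name.upper().replace("-", "_"): value
           for name, value in req.headers.items() if name.lower() != "authorization"}
    auth = req.headers.get("Authorization")
    if auth is None:
        return env
    if sapi == "mod_php":
        env["HTTP_AUTHORIZATION"] = auth            # passed through unchanged
    elif sapi == "cgi-fcgi" and rewrite_rule_active:
        # The env= flag re-exports the header; after an internal redirect Apache
        # commonly exposes it as REDIRECT_HTTP_AUTHORIZATION, so publish that too.
        env["HTTP_AUTHORIZATION"] = auth
        env["REDIRECT_HTTP_AUTHORIZATION"] = auth
    # cgi-fcgi without the rule: the header is silently dropped
    return env


def authorization_from_env(env: dict):
    """Look the header up under both names an app has to check."""
    return env.get("HTTP_AUTHORIZATION") or env.get("REDIRECT_HTTP_AUTHORIZATION")


def ocs_shares_endpoint(env: dict, cookies: dict, csrf_token, core_version: tuple) -> int:
    """Return the OCS statuscode the shares endpoint would answer with."""
    if authorization_from_env(env):
        return OCS_OK                        # header-authenticated: not a CSRF candidate
    if "oc_session" not in cookies:          # constructed session cookie name
        return OCS_NOT_AUTHENTICATED
    csrf_check_required = core_version >= (10, 6)   # @NoCSRFRequired removed in 10.6
    if not csrf_check_required or csrf_token == VALID_CSRF_TOKEN:
        return OCS_OK
    return OCS_CSRF_FAILED


def handle(req: HttpRequest, sapi: str, rewrite_rule_active: bool, core_version: tuple) -> int:
    """Whole path: Apache -> PHP environment -> OCS controller decision."""
    env = apache_to_php_env(req, sapi, rewrite_rule_active)
    return ocs_shares_endpoint(env, req.cookies, req.headers.get("requesttoken"), core_version)


def desktop_client_request() -> HttpRequest:
    """The client sends Basic auth on every call and, after first login, also the session cookie."""
    cred = base64.b64encode(b"octestuser:constructed-password").decode()
    return HttpRequest(headers={"Authorization": f"Basic {cred}", "User-Agent": "mirall/2.7.4"},
                       cookies={"oc_session": "constructed"})


def web_ui_request() -> HttpRequest:
    """The browser relies on the session cookie plus the requesttoken header."""
    return HttpRequest(headers={"requesttoken": VALID_CSRF_TOKEN},
                       cookies={"oc_session": "constructed"})


if __name__ == "__main__":
    for label, req, sapi, rule, ver in [
        ("web UI, 10.6, mod_php", web_ui_request(), "mod_php", False, (10, 6)),
        ("client, 10.5, cgi-fcgi, no rule", desktop_client_request(), "cgi-fcgi", False, (10, 5)),
        ("client, 10.6, cgi-fcgi, no rule", desktop_client_request(), "cgi-fcgi", False, (10, 6)),
        ("client, 10.6, cgi-fcgi, rule", desktop_client_request(), "cgi-fcgi", True, (10, 6)),
        ("client, 10.6, mod_php", desktop_client_request(), "mod_php", False, (10, 6)),
    ]:
        print(f"{label:36s} -> OCS {handle(req, sapi, rule, ver)}")
```

The third scenario is the one in this thread: the same client request that 10.5 served via the session cookie is rejected with 996 by 10.6, because the only credential that would have exempted it from the CSRF check never reached PHP.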

martinackerl commented 3 years ago

Ask your provider why the headers are not transmitted by apache. Maybe there is some kind of middleware (Loadbalancer, reverse proxy) in between, which rewrites your headers.

Hi @micbar, i got an answer from Ionos: "It seems that mod_security is refusing access. You probably need to install your Software (OwnCloud) on a dedicated server."

martinackerl commented 3 years ago

@micbar somebody found a solution over at ownCloud Central: https://central.owncloud.org/t/csrf-check-failed-when-trying-to-share-files/29991/24 I hope this could be implemented as a permanent fix in the next release.

Raffhomework commented 3 years ago

@micbar somebody found a solution over at ownCloud Central: https://central.owncloud.org/t/csrf-check-failed-when-trying-to-share-files/29991/24 I hope this could be implemented as a permanent fix in the next release.

Thanks for this update @martinackerl ;)

johndball commented 2 years ago

Maybe you still need to add AllowOverride All to your apache VirtualHost config.

Could one need be done by hosting support.

My install is self hosted. Had zero issues with sharing until upgrading to 10.8.0.4. Post upgrade, when signing into the web portal I received "cannot find directory /" and no files were listed. Additionally, I received the same CSRF error when sharing in the app.

Modifying apache2.conf sections <Directory /var/www> AllowOverride All from None and just directory / solved both issues for me.

ascpial commented 2 years ago

I had the same issue. I was allowed to fix it by adding this in my apache2 virtualhost:

<Directory /var/www/owncloud>
    AllowOverride All
    RewriteEngine on
    # re-export the Authorization header so PHP (FastCGI) receives it
    RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</Directory>

EDIT: both AllowOverride and RewriteEngine are required

samuraiohelson commented 2 years ago

i have the #

I had the same issue. I was allowed to fix it by adding this in my apache2 virtualhost:

<Directory /var/www/owncloud>
    AllowOverride All
    RewriteEngine on
    # re-export the Authorization header so PHP (FastCGI) receives it
    RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</Directory>

EDIT: both AllowOverride and RewriteEngine are required

It works for me Thanks

fgadot commented 1 year ago

I'm having the same issue since I upgraded to the latest Desktop app on macOS. Is there any fix for this ?

apache 2.4.56 (cpanel) php 7.4.33

$ httpd -M | grep -i rewri
 rewrite_module (shared)

fgadot commented 1 year ago

Hi, I tried all solutions provided without success. Any other idea?

On Apr 13, 2023, at 12:29 PM, ho4ho @.***> wrote:

@fgadot https://github.com/fgadot Look at the previous comments, many hints for fixing the server config are available:

38287 (comment) https://github.com/owncloud/core/issues/38287#issuecomment-1012520522

https://central.owncloud.org/t/csrf-check-failed-when-trying-to-share-files/29991/24

38287 (comment) https://github.com/owncloud/core/issues/38287#issuecomment-780409646


IljaN commented 1 year ago

https://github.com/owncloud/core/issues/38287#issuecomment-1012520522 fixed it also for me. Thx.