Core: CSRF check failed when trying to share files from Desktop or iOS app

Created on 12 Jan 2021  ·  33 Comments  ·  Source: owncloud/core

After updating the core from 10.5.0 to 10.6.0 the sharing feature in the macOS and iOS app does not work anymore.

When using the web interface, sharing works as expected.

Expected behaviour:

Right-click on a file in my ownCloud folder, -> copy public link -> paste the link in the browser -> file can be downloaded.

Actual behaviour

Right-click on a file in my ownCloud folder, -> copy public link -> the window with the sharing options opens, displaying “CSRF check failed” in red. All options for creating shares are greyed out.

The iOS app displays the same message when trying to create a public link to a file.

Steps to reproduce

As described above.

Server configuration

Operating system: Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU/Linux
Web server: Apache
Database: MySQL 5.5
PHP version: 7.4
ownCloud version: 10.6.0

Storage backend (external storage): none

Client configuration

Client version: Desktop: 2.7.4 (build 2934)
iOS: 11.4.5 build 182

Operating system: MacOS 10.14.6; MacOS 11.1; iOS 14.2

OS language: german

Installation path of client:
/Applications/

Logs

Client logfile: Output of owncloud --logwindow or owncloud --logfile log.txt
01-11 10:14:57:710 [ warning gui.sharing.ocs ]: Reply to "GET" QUrl("https://(urlDELETEDforPRIVACY)/ocs/v1.php/apps/files_sharing/api/v1/shares") (QPair("path","/Bildschirmfoto 2021-01-03 um 12.50.59.png"), QPair("reshares","true")) has unexpected status code: 996 "{"ocs":{"meta":{"status":"failure","statuscode":996,"message":"CSRF check failed","totalitems":"","itemsperpage":""},"data":[]}}"
01-11 10:14:57:710 [ warning gui.socketapi.publiclink ]: Share fetch/create error 996 "CSRF check failed"

Web server error log:

(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:57 +0100] "GET /ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2FBildschirmfoto%202021-01-03%20um%2012.50.59.png&reshares=true&format=json HTTP/1.1" 200 128 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:57 +0100] "GET /index.php/apps/files/api/v1/thumbnail/150/150//Bildschirmfoto%202021-01-03%20um%2012.50.59.png HTTP/1.1" 200 16667 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:58 +0100] "PROPFIND /remote.php/dav/files/octestuser/Bildschirmfoto%202021-01-03%20um%2012.50.59.png HTTP/1.1" 207 548 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:58 +0100] "GET /ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2FBildschirmfoto%202021-01-03%20um%2012.50.59.png&reshares=true&format=json HTTP/1.1" 200 128 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"
(IP-ADRESS-DELETED) - - [11/Jan/2021:10:14:58 +0100] "GET /ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2FBildschirmfoto%202021-01-03%20um%2012.50.59.png&reshares=true&format=json HTTP/1.1" 200 128 (urlDELETEDforPRIVACY) "-" "Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64)" "-"

Server logfile: ownCloud log (data/owncloud.log):

Can’t find unusual messages.

Updated from an older ownCloud or fresh install:
Update from 10.5

Where did you install ownCloud from:
Initially installed ownCloud 8 from the ZIP archive provided at owncloud.com years ago and used the update function ever since.

Signing status (ownCloud 9.0 and above):

No errors have been found.

The content of config/config.php:

Can be provided on request

List of activated apps:

Only standard apps

Are you using external storage, if yes which one: local/smb/sftp/...
NO

Are you using encryption: yes/no
NO

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
NO

[Screenshot attached: Bildschirmfoto 2021-01-11 um 10 37 19]

Bug

Most helpful comment

Hello @martinackerl,

we solved the problem by adding:

    RewriteEngine on
    RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

to our site file /etc/apache2/sites-available/owncloud-ssl.conf.
Maybe there is a problem with your .htaccess file so that Apache ignores some settings.

All 33 comments

@martinackerl do you have the 'mod_rewrite' module enabled and if not could you enable it and check if your issue still occurs? :crossed_fingers:

@C0rby I think I have. This is in my .htaccess :
I already tried it with the two last lines removed, but it makes no difference.

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates|changelog)/.* - [R=404,L]
  RewriteRule ^core/signature\.json - [R=404,L]
  RewriteRule ^(?:core/skeleton)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]

# inserted by me for ssl force 
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(.*)$ https://(urlDELETEDforPRIVACY)/$1 [R=301,L]

Could you check just to make sure? The issue I found is that Apache is stripping the Authorization header when passing the request to the PHP context.
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}] this rewrite rule is passing it in again but it will only do it when mod_rewrite is enabled.
Locally this fixed the issue for me. If in your setup it IS enabled and the issue still occurs then I need to dig deeper...

Sorry, could you please give me a hint how I can check this for sure? It is installed on managed Ionos hosting.
_Edit_: php_info does not list Loaded Modules.

However, I am pretty sure it is activated because the two lines I added do make a difference. When I open my ownCloud in a web browser via http://(URLtomyCloud)/ it instantly forwards to https://(URLtomyCloud)/.
When I remove those lines, I can also access my ownCloud directly via http.

Could you try this?

<?php
    print in_array('mod_rewrite', apache_get_modules()) ? "Enabled" : "Disabled";
?>

It's not allowed... 😕
Fatal error: Uncaught Error: Call to undefined function apache_get_modules() ………

---------------  On Debian based systems --------------- 
$ apache2ctl -t -D DUMP_MODULES   
OR 
$ apache2ctl -M

---------------  On RHEL based systems --------------- 
$ apachectl -t -D DUMP_MODULES   
OR 
$ httpd -M
$ apache2ctl -M

I think the problem here is that @martinackerl is on a managed hoster.
I'm out of ideas. I think the next step would be to ask your hoster about the setup.
Is the apache configured with php-module or cgi?

@micbar I have access to a bash shell via ssh, but the commands don't seem to work (I am not experienced).

Linux infong68 4.4.236-icpu-055 #2 SMP Mon Sep 21 13:48:35 UTC 2020 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.


Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
(uiserver):u6??????2:~$ apache2ctl -M
-bash: apache2ctl: Kommando nicht gefunden.
(uiserver):u6??????2:~$ httpd -M
-bash: httpd: Kommando nicht gefunden.
(uiserver):u6??????2:~$ apachectl -t -D DUMP_MODULES
-bash: apachectl: Kommando nicht gefunden.
(uiserver):u6??????2:~$ 

@C0rby
this is what php_info states: (is this what you are looking for?)

Setting | Value
-- | --
Server API | CGI/FastCGI
Virtual Directory Support | disabled
Configuration File (php.ini) Path | /etc/php7.4
Loaded Configuration File | /etc/php7.4/php.ini

Not quite.
You could try ls /etc/apache2/mods-enabled.

There is no apache2 directory in /etc

(uiserver):u????????:/etc$ ls
adduser.conf        debsums-ignore       issue.net       mysql      php7.3      shadow-
alternatives        default          joe         nanorc     php7.4      shells
apparmor.d      deluser.conf         kernel      nemesis        php8.0      skel
apt         dictionaries-common  ldap        netconfig      profile     ssh
authd.conf      dpkg             ld.so.cache     networks       profile.d       ssl
bash.bashrc     emacs            ld.so.conf      nsswitch.conf  protocols       subgid
bash_completion     environment      ld.so.conf.d    oneclick       python      subuid
bash_completion.d   fakechroot       libaudit.conf   opt        python2.7       subversion
bindresvport.blacklist  fonts            libnl-3         os-release     python3     sysctl.conf
ca-certificates     fstab            libpaper.d      pam.conf       python3.7       sysctl.d
ca-certificates.conf    ftd          localtime       pam.d      quotagrpadmins  systemd
calendar        gai.conf         logcheck        papersize      quotatab        terminfo
cbi         ghostscript      login.defs      passwd     rc0.d       timezone
complete.tcsh       gitconfig        logrotate.conf  passwd-        rc1.d       ucf.conf
cron.allow      groff            logrotate.d     pear4.4.conf   rc2.d       ufw
cron.d          group            lynx        pear5.2.conf   rc3.d       ui-sendmail-wrapper.conf
cron.daily      group-           magic       pear5.4.conf   rc4.d       update-motd.d
cron.deny       gshadow          magic.mime      pear5.5.conf   rc5.d       vim
cron.hourly     gshadow-         mailcap         pear6.conf     rc6.d       warnquota.conf
cron.monthly        gss          mailcap.order   pear7.1.conf   rcS.d       wgetrc
crontab         host.conf        mail.rc         pear7.3.conf   resolv.conf     wordpress
cron.weekly     hostname         manpath.config  pear7.4.conf   rmt         X11
csh         hosts            mc          pear8.0.conf   rpc         xattr.conf
csh.cshrc       hosts.allow      mercurial       perl       rssh.conf       zsh
csh.login       hosts.deny       mime.types      php4.4     securetty
csh.logout      ImageMagick-6        mke2fs.conf     php5.2     security
debconf.conf        init.d           mkshrc      php5.4     selinux
debian_chroot       inputrc          motd        php5.5     services
debian_version      issue            mtab        php7.1     shadow

Then unfortunately I'm out of ideas.
Maybe try to contact the ionic support to figure out how your system is setup. If mod_rewrite is enabled and if not how to enable it.
And once you have that and still can reproduce the issue feel free to ping me again.

I will do this. Thank you very much.
What I find odd is that it worked fine for years, and suddenly after the update to 10.6.0 this problem emerged.

Are you an admin user? You can create a config report from the web UI.

excerpt from my test instance

"phpinfo": {
        "apache2handler": {
            "Apache Version": "Apache\/2.4.43 (Unix) OpenSSL\/1.1.1g PHP\/7.2.32",
            "Apache API Version": "20120211",
            "Server Administrator": "[email protected]",
            "Hostname:Port": "cloud.local:0",
            "User\/Group": "mbarz(501)\/20",
            "Max Requests": "Per Child: 0 - Keep Alive: on - Max Per Connection: 100",
            "Timeouts": "Connection: 60 - Keep-Alive: 5",
            "Virtual Server": "Yes",
            "Server Root": "\/usr\/local\/opt\/httpd",
            "Loaded Modules": "core mod_so http_core prefork mod_authn_file mod_authn_core mod_authz_host mod_authz_groupfile mod_authz_user mod_authz_core mod_access_compat mod_auth_basic mod_socache_shmcb mod_filter mod_deflate mod_mime mod_log_config mod_env mod_headers mod_setenvif mod_version mod_ssl mod_unixd mod_status mod_autoindex mod_dir mod_alias mod_rewrite mod_php7",
            "engine": "1",
            "last_modified": "0",
            "xbithack": "0"
        },

"Loaded Modules"

@C0rby @martinackerl Pro tip 😄

I also considered it but @martinackerl did try phpinfo before and this didn't show the loaded modules.
It's worth a try though... :see_no_evil:

There is a big difference

1) php on the cli is not using apache in between

2) generating the configreport via WebUI routes the request through apache.

@micbar thanks for the hint, but the config report also gives me no apache2handler section. 🤷‍♂️

Anyway, I talked with the support in the meantime and they told me that
mod_rewrite is active and
apache is configured with php-module.

Then we must conclude that your ownCloud is not served by Apache. 🤷‍♂️

@micbar I respectfully object 🧐. OwnClouds config report says:

{
    "basic": {
        "license key": "***REMOVED SENSITIVE VALUE***",
        "date": "Thu, 14 Jan 2021 16:23:00 +0000",
        "ownCloud version": "10.6.0.5",
        "ownCloud version string": "10.6.0",
        "ownCloud edition": "Community",
        "server OS": "Linux",
        "server OS version": "Linux info 3.0 #1337 SMP Tue Jan 01 00:00:00 CEST 2000 all GNU\/Linux",
        "server SAPI": "cgi-fcgi",
        "webserver version": "Apache",

🤔

"server SAPI": "cgi-fcgi",

no mod_php

That means that your apache is not using mod_php

"server SAPI": "cgi-fcgi"

This info is helpful though. :+1:

@martinackerl, okay, so just to test I set up a system with fcgi and it worked there too.
That means something in your setup is missing.

Maybe you still need to add AllowOverride All to your apache VirtualHost config.
But I would close this issue now since it is a config issue.

@C0rby Thank you for your efforts and your time. I absolutely understand if you don't want to spend any more of it on this issue, but I still think this is a bug in the 10.6 core that cannot be ignored.

So I made 2 complete new installations (core 10.5 and core 10.6) via the zip file from owncloud.com on two different subdomains, kept every setting standard, even using SQLite.

On core 10.6 I still get this error when trying to share a file from the client software.
Share fetch/create error 996 “CSRF check failed”

On core 10.5 everything works as expected.

A standard installation on a standard hosting of a very big hoster should just work or at least give the user a clear hint what to do.
There is no error 996 in the documentation.

Please open the issue again so that at least someone else can try to find a solution.

Our company had the same issue as @martinackerl with sharing on macOS after upgrading to core 10.6.
We found out that the issue was caused by the changes of this commit: https://github.com/owncloud/core/commit/3b4027fc538a035108dea7c65384c65ce07ecf5a

We put the "@NoCSRFRequired" parameter back to every function in this file "apps/files_sharing/lib/Controller/Share20OcsController.php" and sharing is working again on macOS
without the CSRF check error.

@C0rby it would be nice if you could check why your changes cause this issue and how it could be solved.

@held-vitalij Thank you for the tip!
Using apps/files_sharing/lib/Controller/Share20OcsController.php from Version 10.5 does the trick.
It's at least a workaround!
I still think this should be fixed.

https://github.com/owncloud/core/commit/3b4027fc538a035108dea7c65384c65ce07ecf5a (#38019):

-           if (!$this->request->passesCSRFCheck()) {
+           if (!$this->request->passesCSRFCheck() && $this->request->getHeader("Authorization") === null) {
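Review bot: the new condition on the `+` line exempts a request from the CSRF check whenever `getHeader("Authorization")` is non-null, so the exemption only behaves as intended if the header actually reaches PHP unmodified; when Apache drops it (CGI/FastCGI without the `env=HTTP_AUTHORIZATION` rewrite rule), this same branch now rejects every desktop and mobile client request with status 996, which is the failure this thread reports. Suggest a short comment at this check stating that an authenticated (Authorization-bearing) request is deliberately exempt, plus a log message that distinguishes "no CSRF token and no Authorization header" from a genuine token mismatch, so an admin can tell a stripped header from a forged request.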

Could the problem be that the cgi-fcgi config does not pass the Authorization header correctly?

https://doc.owncloud.com/server/10.6/admin_manual/installation/system_requirements.html#server say:

Apache 2.4 with prefork and mod_php

So there is no support for something like cgi-fcgi by ownCloud?

@held-vitalij @martinackerl The change you are referring to was necessary to close an attack vector. It was reported to us by an external party and we mitigated it.

See advisory https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/

Our mobile and desktop clients always send an Authorization header. So with a proper server config, it will work.
Using the 10.5 version of the apps/files_sharing/lib/Controller/Share20OcsController.php is not recommended due to the known issue.
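A way to confirm on the server whether the Authorization header survives the trip from Apache to PHP, which is what the 10.6 exemption above relies on. This is an added diagnostic, not ownCloud code or anything from this thread; the file name authcheck.php is a hypothetical choice, and it reports only whether the header arrived, never its value.

```php
<?php
// Added diagnostic (not ownCloud code): place it in the web root under a
// hypothetical name such as authcheck.php, request it with the same kind of
// credentials the desktop/iOS client sends, read the result, then delete it.
header('Content-Type: text/plain');

// Where the Authorization header can surface, depending on SAPI and config.
$candidates = [
    'HTTP_AUTHORIZATION'          => 'raw header (mod_php, or env= rewrite rule)',
    'REDIRECT_HTTP_AUTHORIZATION' => 'env= rewrite rule after an internal redirect',
    'PHP_AUTH_USER'               => 'Basic credentials already split by the SAPI',
];

$via = null;
foreach ($candidates as $key => $why) {
    $present = isset($_SERVER[$key]) && $_SERVER[$key] !== '';
    printf("%-28s %-8s (%s)\n", $key, $present ? 'present' : 'missing', $why);
    if ($present && $via === null) {
        $via = $key;
    }
}

// getallheaders() exists under mod_php and, since PHP 7.3, under cgi-fcgi.
if ($via === null && function_exists('getallheaders')) {
    $headers = array_change_key_case(getallheaders(), CASE_LOWER);
    if (!empty($headers['authorization'])) {
        $via = 'getallheaders()';
    }
}

printf("\nSAPI: %s\n", PHP_SAPI);

// Same decision as core commit 3b4027f (the diff quoted earlier in this
// thread): a request without an Authorization header must carry a CSRF
// token; an authenticated client request is exempt. If no header reaches
// PHP, every client request fails with OCS status 996.
if ($via === null) {
    echo "\nRESULT: the Authorization header does NOT reach PHP.\n"
       . "Clients will see OCS status 996 'CSRF check failed'.\n"
       . "Check that mod_rewrite is loaded, AllowOverride permits the .htaccess,\n"
       . "and the env=HTTP_AUTHORIZATION rule is applied. If the vhost is under\n"
       . "your control, CGIPassAuth On (Apache 2.4.13+) is the CGI/FastCGI alternative.\n";
} else {
    echo "\nRESULT: the Authorization header reaches PHP via $via;\n"
       . "the CSRF exemption for authenticated clients should apply.\n";
}
```

Remove the file as soon as you have the answer; a "missing" result on a managed host is something to take to the hoster together with the SAPI line.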

@ho4ho We officially support mod_php only because it is thread-safe. But many instances are using fcgi at their own risk.

My hosting support assured me that mod_rewrite is enabled and AllowOverride All is configured.

Still I get the CSRF error - on a brand new clean install.

Could you please take another look into the changes in 10.6 that trigger this error?
Would be much appreciated.

Hello @martinackerl,

we solved the problem by adding:

    RewriteEngine on
    RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

to our site file /etc/apache2/sites-available/owncloud-ssl.conf.
Maybe there is a problem with your .htaccess file so that Apache ignores some settings.

Thanks @held-vitalij but I have no access to /etc/apache2/ on my hoster.
But the RewriteRule is present in the .htaccess of OwnCloud.
