Server: CSRF check not passed message when dragging folders into Nextcloud 13 Web interface

Created on 11 Sep 2018 · 10 Comments · Source: nextcloud/server


Steps to reproduce

  1. Use KDE Plasma desktop 5.13.5 (Arch Linux - haven't tested with other desktops yet)
  2. Use Firefox 62.0 or Chromium 69.0.3497.81
  3. Drag and drop a folder with 3-4 files (can be empty files) into a non-root folder (hover until the subfolder highlights, then release the mouse)
  4. See error "CSRF check not passed" in the centre top of the browser window
  5. Open uploaded folders in Nextcloud, find no contents

Expected behaviour

No error messages in window, and contents in uploaded folders

Actual behaviour

CSRF check not passed error displayed, no contents in uploaded folders.

Server configuration

Operating system: Custom Docker image based off Alpine 3.8

Web server: Nginx 1.14.0

Database: MariaDB 10.2.17

PHP version: 7.2.9

Nextcloud version: 13.0.6

Updated from an older Nextcloud/ownCloud or fresh install: Updated from previous Nextcloud (Docker container rebuilt, occ upgrade run)

Where did you install Nextcloud from: Downloaded tarball from https://download.nextcloud.com/server/releases/

Signing status:


No errors have been found.

List of activated apps:


App list
/var/www/html # su www-data -s /bin/sh -c 'php /nextcloud/occ app:list'
Enabled:

  • activity: 2.6.1
  • admin_audit: 1.3.0
  • bruteforcesettings: 1.1.0
  • calendar: 1.6.1
  • comments: 1.3.0
  • contacts: 2.1.5
  • dav: 1.4.7
  • federatedfilesharing: 1.3.1
  • federation: 1.3.0
  • files: 1.8.0
  • files_sharing: 1.5.0
  • files_texteditor: 2.5.1
  • files_trashbin: 1.3.0
  • files_versions: 1.6.0
  • files_videoplayer: 1.2.0
  • firstrunwizard: 2.2.1
  • gallery: 18.0.0
  • logreader: 2.0.0
  • lookup_server_connector: 1.1.0
  • mail: 0.8.3
  • nextcloud_announcements: 1.2.0
  • notes: 2.4.1
  • notifications: 2.1.2
  • oauth2: 1.1.1
  • password_policy: 1.3.0
  • provisioning_api: 1.3.0
  • serverinfo: 1.3.0
  • sharebymail: 1.3.0
  • spreed: 3.2.5
  • survey_client: 1.1.0
  • systemtags: 1.3.0
  • theming: 1.4.5
  • twofactor_backupcodes: 1.2.3
  • twofactor_totp: 1.4.1
  • twofactor_u2f: 1.5.5
  • updatenotification: 1.3.0
  • workflowengine: 1.3.0
Disabled:

  • encryption
  • files_external
  • files_pdfviewer
  • user_external
  • user_ldap

Nextcloud configuration:


Config report
{
"system": {
"instanceid": "REMOVED SENSITIVE VALUE",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
"owncloud.opendmz.com",
"nextcloud.opendmz.com"
],
"apps_paths": [
{
"path": "\/nextcloud\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/nextcloud\/apps2",
"url": "\/apps2",
"writable": true
}
],
"datadirectory": "REMOVED SENSITIVE VALUE",
"dbtype": "mysql",
"version": "13.0.6.1",
"trusted_proxies": "REMOVED SENSITIVE VALUE",
"forwarded_for_headers": [
"HTTP_X_FORWARDED",
"HTTP_FORWARDED_FOR"
],
"overwriteprotocol": "https",
"dbname": "REMOVED SENSITIVE VALUE",
"dbhost": "REMOVED SENSITIVE VALUE",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true,
"forcessl": false,
"mail_smtpmode": "smtp",
"mail_from_address": "REMOVED SENSITIVE VALUE",
"mail_domain": "REMOVED SENSITIVE VALUE",
"mail_smtphost": "REMOVED SENSITIVE VALUE",
"mail_smtpport": "465",
"loglevel": 0,
"theme": "",
"maintenance": false,
"secret": "REMOVED SENSITIVE VALUE",
"filesystem_check_changes": 1,
"filelocking.enabled": "false",
"memcache.local": "\OC\Memcache\APCu",
"memcache.distributed": "\OC\Memcache\Redis",
"memcache.locking": "\OC\Memcache\Redis",
"redis": {
"host": "REMOVED SENSITIVE VALUE",
"port": 6379,
"timeout": 0,
"dbindex": 0
},
"trashbin_retention_obligation": "auto",
"overwrite.cli.url": "https:\/\/owncloud.opendmz.com",
"mail_smtpauthtype": "LOGIN",
"mail_smtpsecure": "ssl"
}
}

Are you using external storage, if yes which one: local network NFS share

Are you using encryption: no

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Firefox or Chromium

Operating system: Arch Linux

Logs

Web server error log


Many entries like the below, 401 error.

nginx_1  | <IP removed> - - [11/Sep/2018:20:28:56 +0000] "PUT /remote.php/dav/uploads/cvandesande/web-file-upload-d77b458e407ebec3f22ca35e73263548-1536697693852/0 HTTP/1.1" 401 233 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36" "<IP removed>"

Nextcloud log (data/nextcloud.log)


Debug | webdav | Sabre\DAV\Exception\NotAuthenticated: CSRF check not passed.
/nextcloud/apps/dav/lib/Connector/Sabre/Auth.php - line 155: OCA\DAV\Connector\Sabre\Auth->auth(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 201: OCA\DAV\Connector\Sabre\Auth->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 150: Sabre\DAV\Auth\Plugin->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
[internal function] Sabre\DAV\Auth\Plugin->beforeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/nextcloud/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)
/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 466: Sabre\Event\EventEmitter->emit('beforeMethod', Array)
/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/nextcloud/apps/dav/appinfo/v1/webdav.php - line 80: Sabre\DAV\Server->exec()
/nextcloud/remote.php - line 164: require_once('/nextcloud/apps...')
{main}



Browser log



send @ core.js?v=5c5ae5ee-5:4
ajax @ core.js?v=5c5ae5ee-5:4
send @ merged-index.js?v=5c5ae5ee-5:2713
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
x @ core.js?v=5c5ae5ee-5:4
(anonymous) @ core.js?v=5c5ae5ee-5:4
load (async)
send @ core.js?v=5c5ae5ee-5:4
ajax @ core.js?v=5c5ae5ee-5:4
send @ merged-index.js?v=5c5ae5ee-5:2713
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
x @ core.js?v=5c5ae5ee-5:4
(anonymous) @ core.js?v=5c5ae5ee-5:4
load (async)
send @ core.js?v=5c5ae5ee-5:4
ajax @ core.js?v=5c5ae5ee-5:4
send @ merged-index.js?v=5c5ae5ee-5:2713
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
add @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
each @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
a.Deferred @ core.js?v=5c5ae5ee-5:7
then @ core.js?v=5c5ae5ee-5:2
_onSend @ merged-index.js?v=5c5ae5ee-5:2757
(anonymous) @ core.js?v=5c5ae5ee-5:13
data.submit @ merged-index.js?v=5c5ae5ee-5:2481
(anonymous) @ merged-index.js?v=5c5ae5ee-5:571
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ merged-index.js?v=5c5ae5ee-5:837
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ client.js?v=5c5ae5ee-5:704
Promise.then (async)
_simpleCall @ client.js?v=5c5ae5ee-5:701
createDirectory @ client.js?v=5c5ae5ee-5:722
(anonymous) @ merged-index.js?v=5c5ae5ee-5:833
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ merged-index.js?v=5c5ae5ee-5:837
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ client.js?v=5c5ae5ee-5:707
Promise.then (async)
_simpleCall @ client.js?v=5c5ae5ee-5:701
createDirectory @ client.js?v=5c5ae5ee-5:722
(anonymous) @ merged-index.js?v=5c5ae5ee-5:833
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
add @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
each @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
a.Deferred @ core.js?v=5c5ae5ee-5:7
then @ core.js?v=5c5ae5ee-5:2
ensureFolderExists @ merged-index.js?v=5c5ae5ee-5:832
ensureFolderExists @ merged-index.js?v=5c5ae5ee-5:829
submit @ merged-index.js?v=5c5ae5ee-5:524
(anonymous) @ merged-index.js?v=5c5ae5ee-5:860
_.each._.forEach @ core.js?v=5c5ae5ee-5:166
submitUploads @ merged-index.js?v=5c5ae5ee-5:858
onNoConflicts @ merged-index.js?v=5c5ae5ee-5:1257
checkExistingFiles @ merged-index.js?v=5c5ae5ee-5:1061
add @ merged-index.js?v=5c5ae5ee-5:1275
_trigger @ core.js?v=5c5ae5ee-5:13
(anonymous) @ merged-index.js?v=5c5ae5ee-5:2844
each @ core.js?v=5c5ae5ee-5:2
_onAdd @ merged-index.js?v=5c5ae5ee-5:2837
(anonymous) @ core.js?v=5c5ae5ee-5:13
(anonymous) @ merged-index.js?v=5c5ae5ee-5:3082
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ merged-index.js?v=5c5ae5ee-5:2905
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
(anonymous) @ core.js?v=5c5ae5ee-5:2
j @ core.js?v=5c5ae5ee-5:2
fireWith @ core.js?v=5c5ae5ee-5:2
e.(anonymous function) @ core.js?v=5c5ae5ee-5:2
(anonymous) @ merged-index.js?v=5c5ae5ee-5:2928
core.js?v=5c5ae5ee-5:4 PUT https://owncloud.opendmz.com/remote.php/webdav/Documents/New%20Folder1/Text%20File%20(3) 401 (Unauthorized)

2. developing bug files

All 10 comments

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/2938 ("CSRF check failed" error message), https://github.com/nextcloud/server/issues/8467 (NextCloud 13 folder/file display bug), https://github.com/nextcloud/server/issues/8370 (strange mistake with drag end drop web file interfaces), https://github.com/nextcloud/server/issues/10895 (LDAP Users missed files folder in home folder; but show on web interface (nextcloud 13.0.4)), and https://github.com/nextcloud/server/issues/8310 (Disable web app by own cloud interface (NO NEXTCLOUD THEME)).

Also experiencing this problem. Effectively a fresh install (I added a handful of official apps and camerarawpreviews).

Can confirm that dragging a folder from the desktop onto a group shared folder will trigger the error but navigating into the group shared folder and dragging the folder to white space will upload just fine.

This is happening with the files stored locally on the NextCloud system.

Server configuration
Operating system: FreeBSD 11.2 (iocage jail on FreeNAS box)
Web server: Apache 2.4.34
Database: MySQL 5.6.41
PHP version: 7.1.21
Nextcloud version: 14.0.0
Updated from an older Nextcloud/ownCloud or fresh install: New
Where did you install Nextcloud from: Ports Collection


Enabled PKG List

  • admin_audit: 1.4.0
  • bruteforcesettings: 1.1.0
  • camerarawpreviews: 0.5.6
  • cloud_federation_api: true
  • comments: 1.4.0
  • contacts: 2.1.6
  • dav: true
  • federatedfilesharing: true
  • files: true
  • files_pdfviewer: 1.3.2
  • files_sharing: 1.6.2
  • files_trashbin: 1.4.1
  • files_videoplayer: 1.3.0
  • gallery: 18.1.0
  • groupfolders: 1.3.3
  • logreader: 2.0.0
  • lookup_server_connector: true
  • oauth2: true
  • password_policy: 1.4.0
  • provisioning_api: true
  • serverinfo: 1.4.0
  • twofactor_backupcodes: true
  • user_saml: 1.6.2
  • workflowengine: true


Disabled PKG List
  • accessibility
  • activity
  • encryption
  • federation
  • files_accesscontrol
  • files_external
  • files_texteditor
  • files_versions
  • firstrunwizard
  • nextcloud_announcements
  • notifications
  • sharebymail
  • support
  • survey_client
  • systemtags
  • theming
  • updatenotification
  • user_external
  • user_ldap

I am also having this issue, the problem arises when you drag and drop a folder onto an existing folder. This is a pretty bad bug and needs to be fixed as it prevents the upload from succeeding.

Thanks for your help

I am also having this problem.

Specifically: Drag & Drop mp3 files onto an existing (group shared) album folder in files app.

Interestingly, about half of the files succeeded the half not copied: "CSRF check not passed"

Guest OS: Win 10 Pro
Guest Browser: Google Chrome: 71.0.3578.98
Server OS: Debian 9.5
Web Server: Apache 2.4.25
Database: MySQL 10.1.26
PHP: 7.1.22
NextCloud Server: 14.0.1 - Update pending
Updated from an older NextCloud/ownCloud or fresh install: New
Where did you install NextCloud from: zip download, nextcloud website

Hi there, also have this problem with a fresh snap install :(

Experiencing the same issue when dragging a folder to the browser.

I can confirm that this is an issue on FF with the latest server master. A little debugging tells me the DAV requests to create the folder and upload the files do not all have a request token set. MKCOL and PROPFIND do, PUT does not. This might be an issue with the davclient lib.

I can confirm that this is an issue on FF with the latest server master. A little debugging tells me the DAV requests to create the folder and upload the files do not all have a request token set. MKCOL and PROPFIND do, PUT does not. This might be an issue with the davclient lib.

cc @skjnldsv @danxuliu

@danxuliu is already debugging it.
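
The debugging finding reported in the thread (MKCOL and PROPFIND carry a request token, PUT does not) can be checked against requests captured from the browser's network tab. This is an added example, not code from the issue or from Nextcloud; the header name `requesttoken`, the simplified server-side rule, and all sample requests are assumptions constructed for illustration.

```javascript
// Added example (not Nextcloud code); request records are constructed, paths follow the logs above.
const TOKEN_HEADER = 'requesttoken'; // assumed name of the CSRF token header
const DAV_PATH = /^\/remote\.php\/(web)?dav\//;

// HTTP header names are case-insensitive, so compare lower-cased.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Simplified model (assumption) of the server-side decision: a session-authenticated,
// non-GET DAV request must echo the session's token, otherwise it is answered with 401.
function csrfStatus(req, sessionToken) {
  if (!DAV_PATH.test(req.path) || req.method === 'GET') return 'not-checked';
  const sent = headerValue(req.headers, TOKEN_HEADER);
  if (sent === undefined) return 'missing-token';
  return sent === sessionToken ? 'ok' : 'wrong-token';
}

// Per-method summary, e.g. { PUT: { 'missing-token': 2 } }.
function auditByMethod(requests, sessionToken) {
  const summary = {};
  for (const req of requests) {
    const status = csrfStatus(req, sessionToken);
    if (status === 'not-checked') continue;
    summary[req.method] = summary[req.method] || {};
    summary[req.method][status] = (summary[req.method][status] || 0) + 1;
  }
  return summary;
}

// Methods for which at least one request would be rejected.
function failingMethods(requests, sessionToken) {
  const summary = auditByMethod(requests, sessionToken);
  return Object.keys(summary)
    .filter((m) => Object.keys(summary[m]).some((s) => s !== 'ok'))
    .sort();
}

// Constructed capture of one folder drop: token present on PROPFIND and MKCOL only.
const TOKEN = 'constructed-token-value';
const captured = [
  { method: 'PROPFIND', path: '/remote.php/webdav/Documents/', headers: { requesttoken: TOKEN } },
  { method: 'MKCOL', path: '/remote.php/webdav/Documents/New%20Folder1', headers: { RequestToken: TOKEN } },
  { method: 'PUT', path: '/remote.php/webdav/Documents/New%20Folder1/a.txt', headers: {} },
  { method: 'PUT', path: '/remote.php/webdav/Documents/New%20Folder1/b.txt', headers: {} },
  { method: 'GET', path: '/remote.php/webdav/Documents/readme.txt', headers: {} },
];
console.log(auditByMethod(captured, TOKEN), failingMethods(captured, TOKEN));
```

A capture in which only `PUT` shows up in `failingMethods` matches the symptom in the server log: folders are created, their contents are rejected with 401.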
