Server: CSRF check failed after creation of password protected share link

Created on 29 Jan 2019 · 16 Comments · Source: nextcloud/server

Steps to reproduce

  1. Create a share link with password protection
  2. Copy link to clipboard
  3. Log out
  4. In the same browser session try to open the link to check it
  5. Enter password

Expected behaviour

The data should be accessible after entering the correct password

Actual behaviour

"CSRF check failed" error message is displayed (not an issue if password protection isn't set)
After closing the browser and reopening it, the share can be accessed as expected

Server configuration

This happens on two differently hosted nextcloud instances:
14.0.6 on shared webhosting, apache, mysql, php 7.2
15.0.2 manjaro i3 linux, nginx, mariadb, php 7.2

Client configuration

Manjaro Linux, Firefox 64.0.2

Labels: 0. Needs triage, bug

All 16 comments

I can't reproduce with Nextcloud 16.

This issue has been automatically marked as stale because it has not had recent activity and it seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

@bpcurse do you still see the issue? Apparently there are a few instances where this keeps happening, but we could not identify any pattern yet.

@ChristophWurst Thanks for following up on this.

I cannot reproduce this issue anymore on
15.0.5 (shared webhosting, apache, mysql, php 7.2) and
16.0.1 (Manjaro i3 linux, nginx 1.14.2, mariadb 10.3.13, php 7.3.3)
using Firefox 67.0.1 on Manjaro Linux.

Seems that either the Nextcloud updates or the Firefox update solved this. Sorry for not being able to pinpoint.

No worries. I was just hoping we could find the reason for the bug as some instances are still affected. But great to hear it's working for you :)

@ChristophWurst Found it, seems to happen on slightly older Firefox browsers regardless of the nextcloud version! After experimenting with older Firefox versions (linux x86_64, german) from Mozilla archives, it happens again (using a shared text file created through files app). Collabora online is installed.

Test results:
Firefox 63.0.3 (failed)
Firefox 64.0.2 (failed)
Firefox 65.0.2 (failed)
Firefox 66.0.2 (success)
Firefox 67.0.1 (success)

Also the display in the address bar changes after logout:

Thank you so much for this information! Sounds like we can finally investigate why this is happening for some users. They just have a different browser than us, hence it's not reproducible :man_facepalming:

I haven't tested yet but it might confirm our suspicion that some browsers do not reload the page properly and an outdated CSRF token remains somehow.
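The suspicion above, as an added example that is not Nextcloud's code: a hypothetical Python model of a session-bound CSRF token (one token per session, session replaced on logout), showing why a form rendered before logout fails the check against the session that exists afterwards, while a form refetched after logout passes.

```python
import secrets


class Server:
    """Hypothetical model, not Nextcloud's implementation: each session owns
    one CSRF token, and logout replaces the session (and so the token)."""

    def __init__(self):
        self.sessions = {}  # session id -> csrf token

    def new_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_hex(16)
        return sid

    def logout(self, sid):
        # Logout invalidates the old session; the browser is handed a new one
        self.sessions.pop(sid, None)
        return self.new_session()

    def render_password_form(self, sid):
        # The share's password form embeds the token of the session that rendered it;
        # no-store tells the browser not to reuse this page from its cache
        return {"csrf_token": self.sessions[sid], "cache_control": "no-store"}

    def submit_password(self, sid, form_token):
        live = self.sessions.get(sid)
        if live is None or not secrets.compare_digest(live, form_token):
            return "CSRF check failed"
        return "share unlocked"


def stale_page_flow():
    """Browser reuses a form rendered before logout (the suspected behaviour)."""
    srv = Server()
    old_sid = srv.new_session()
    stale_page = srv.render_password_form(old_sid)
    new_sid = srv.logout(old_sid)  # cookie now carries new_sid
    return srv.submit_password(new_sid, stale_page["csrf_token"])


def fresh_page_flow():
    """Browser refetches the form after logout, as Cache-Control: no-store asks."""
    srv = Server()
    old_sid = srv.new_session()
    new_sid = srv.logout(old_sid)
    fresh_page = srv.render_password_form(new_sid)
    return srv.submit_password(new_sid, fresh_page["csrf_token"])
```

The model only reproduces the token mismatch; it does not say which cache or history mechanism in the affected Firefox versions kept the old page alive.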

You are welcome, glad I could help :)

Test results:
Firefox 63.0.3 (failed)
Firefox 64.0.2 (failed)
Firefox 65.0.2 (failed)
Firefox 66.0.2 (success)
Firefox 67.0.1 (success)

Also the display in the address bar changes after logout:

* https://cloud.xxxxxxxxxxxxxxx.de/index.php/login?redirect_url=/index.php/apps/files/%3Fdir%3D/%26fileid%3D133 (is shown on the failing versions and immediate relogin is not possible)

* https://cloud.xxxxxxxxxxxxxxx.de/index.php/login?clear=1 (is shown on the newer versions)

Unfortunately I can not reproduce this. Neither the CSRF error nor the logout URL. It's always the latter logout URL. May I ask how you've run these old FF versions?

I rechecked and it seems that I have to apologize for writing "regardless of the nextcloud version".
The change in the address bar happens on 15.0.5 AND 16.0.1 but the "csrf check failed" message appears ONLY on 15.0.5. Sorry for misleading you, as you probably tested against up to date 16?

Anyway here is my course of action, step by step:

This was done on Manjaro Linux against a shared hosting 15.0.5 nextcloud server at all-inkl.

  • Download the old version from https://ftp.mozilla.org/pub/firefox/releases/
    e.g. 64.0.2: https://ftp.mozilla.org/pub/firefox/releases/64.0.2/linux-x86_64/de/
  • Extract the files
  • Deactivate your network connection or block outgoing packets to prevent the old version from immediately updating to the latest version.
  • Close all running firefox instances
  • Start the older version by double clicking the firefox file in the directory you extracted to.
  • Open the settings menu, go to updates and make sure they are not installed automatically
  • Make sure you are now running the old version by checking the help / about firefox menu
  • Reactivate your network connection or unblock outgoing packets
  • To recreate the problem follow the steps as described in the initial issue description

@ChristophWurst I could send you an access link and password with failing csrf check via email, if you want.

Tried with FF64 from the link above (clean profile) and Nextcloud 15.0.5 (from git) and it just worked: https://im4.ezgif.com/tmp/ezgif-4-a04669664e82.gif What am I doing wrong? :thinking:

@ChristophWurst I could send you an access link and password with failing csrf check via email, if you want.

Yes, please send me one to christoph at nextcloud dot com.

Will send it to you within the hour. Hopefully it will shed some light onto this.

The ezgif link from your previous post leads to a 404.

Some more debugging progress can be found at https://github.com/nextcloud/server/issues/17065

Moving to 17065 then
