Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Session blocked when a user changes their password to one that is too long #45090

Open
5 of 8 tasks
Kipok42 opened this issue Apr 29, 2024 · 0 comments
Open
5 of 8 tasks

[Bug]: Session blocked when a user changes their password to one that is too long #45090

Kipok42 opened this issue Apr 29, 2024 · 0 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 28-feedback bug

Comments

@Kipok42
Copy link

Kipok42 commented Apr 29, 2024

⚠️ This issue respects the following points: ⚠️

Bug description

Hi,
I’m currently running tests on a Nextcloud instance recently deployed by a colleague. During these tests I looked at whether there was a limit to the number of characters that could be entered when a user used the functionality to change their password.
I first tried with 800 characters and received a pop-up message ‘Unable to change personal password’. After a bit of research I came across a post indicating that the limit was set at 469, which is correct because I only get a pop-up after 470 characters.
Nextcloud | Report #1727424 - No password length limit when creating a user as an administrator | HackerOne
Also, I see in the hardening guidelines that bcrypt is only supposed to consider the first 72 characters which doesn’t seem to be the case here.

The problem is that if a user changes their password to a new one of between 215 and 469 characters, the server won’t display a pop-up, but will still accept the password (an error 500 is visible when inspecting the Network tab) and the user will no longer be able to log in.
When the user enters their credentials and logs in, they are automatically returned to the ‘Internal Server Error’ page and cannot do anything. The administrator then has to change their password to unblock it.
Do you think this is a problem on our side or could it be a bug?

Steps to reproduce

  1. Login with a user and access /settings/user/security
  2. Change password with one whose length is between 215 and 469 characters
    2.1 Inspect Network tab
  3. Attempt to reconnect with the new password

Expected behavior

The user is able to log in using long password.
I would have liked to limit the authorized size myself but I can't find an option to do so.

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

<?php
$CONFIG = array (
  'instanceid' => 'xxxx',
  'passwordsalt' => 'xxxx',
  'secret' => 'xxxx',
  'trusted_domains' =>
  array (
    0 => 'x.x.x.x',
    1 => 'nextcloud.test.loc',
  ),
  'datadirectory' => 'xxxx',
  'dbtype' => 'mysql',
  'version' => '28.0.1.1',
  'overwrite.cli.url' => 'https://nextcloud.test.loc',
  'installed' => true,
  'has_internet_connection' => false,
  'debug' => 'false',
  'maintenance' => false,
  'dbname' => 'xxxx',
  'dbhost' => 'xxxx',
  'dbuser' => 'xxxx',
  'dbpassword' => 'xxxx',
  'mail_from_address' => 'xxxx',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'xxxx',
  'mail_smtphost' => 'xxxx',
  'mail_smtpport' => 'xxxx',
  'mail_smtpsecure' => 'ssl',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'xxxx',
  'mail_smtppassword' => 'xxxx',
);

List of activated Apps

Enabled:
  - activity: 2.20.0
  - bruteforcesettings: 2.8.0
  - circles: 28.0.0-dev
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contactsinteraction: 1.9.0
  - dashboard: 7.8.0
  - dav: 1.29.1
  - encryption: 2.16.0
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - firstrunwizard: 2.17.0
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - oauth2: 1.16.3
  - password_policy: 1.18.0
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - recommendations: 2.0.0
  - related_resources: 1.3.0
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - spreed: 18.0.1
  - systemtags: 1.18.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - user_status: 1.8.1
  - viewer: 2.2.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit: 1.18.0
  - files_external: 1.20.0
  - nextcloud_announcements: 1.17.0 (installed 1.17.0)
  - notifications: 2.16.0 (installed 2.16.0)
  - photos: 2.4.0 (installed 2.4.0)
  - support: 1.11.0 (installed 1.11.0)
  - survey_client: 1.16.0 (installed 1.16.0)
  - suspicious_login: 6.0.0
  - twofactor_totp: 10.0.0-beta.2
  - updatenotification: 1.18.0 (installed 1.18.0)
  - user_ldap: 1.19.0
  - weather_status: 1.8.0 (installed 1.8.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"ZitxWupCQwENSxkXUse59gAAAAM","level":3,"time":"2024-04-26T09:18:19+00:00","remoteAddr":"x.x.x.x","user":"xxxx","app":"index","method":"POST","url":"/index.php/login","message":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36","version":"28.0.1.1","exception":{"Exception":"Exception","Message":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","Line":169,"Previous":{"Exception":"TypeError","Message":"base64_encode(): Argument #1 ($string) must be of type string, null given","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":400,"function":"base64_encode"},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":531,"function":"encryptPassword","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/public/AppFramework/Db/TTransactional.php","line":63,"function":"OC\\Authentication\\Token\\{closure}","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":500,"function":"atomic","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/Manager.php","line":245,"function":"updatePasswords","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Listeners/UserLoggedInListener.php","line":60,"function":"updatePasswords","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/ServiceEventListener.php","line":86,"function":"handle","class":"OC\\Authentication\\Listeners\\UserLoggedInListener","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":230,"function":"__invoke","class":"OC\\EventDispatcher\\ServiceEventListener","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":59,"function":"callListeners","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php","line":94,"function":"dispatch","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php","line":106,"function":"dispatch","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":392,"function":"dispatchTyped","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/CompleteLoginCommand.php","line":39,"function":"completeLogin","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\CompleteLoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/LoggedInCheckCommand.php","line":60,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\LoggedInCheckCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/EmailLoginCommand.php","line":68,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\EmailLoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/UidLoginCommand.php","line":53,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\UidLoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/UserDisabledCheckCommand.php","line":57,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\UserDisabledCheckCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/PreLoginHookCommand.php","line":52,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/Chain.php","line":107,"function":"process","class":"OC\\Authentication\\Login\\PreLoginHookCommand","type":"->"},{"file":"/var/www/nextcloud/core/Controller/LoginController.php","line":307,"function":"process","class":"OC\\Authentication\\Login\\Chain","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","Line":400},"message":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400","exception":[],"CustomMessage":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400"},"id":"662b7787ace93"}

Additional info

Browser console error:

encryption.js:12 Uncaught ReferenceError: OC is not defined
    at encryption.js:12:1
(anonymous) @ encryption.js:12
@Kipok42 Kipok42 added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Apr 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 28-feedback bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@szaimen @Kipok42