You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi,
I’m currently running tests on a Nextcloud instance recently deployed by a colleague. During these tests I looked at whether there was a limit to the number of characters that could be entered when a user used the functionality to change their password.
I first tried with 800 characters and received a pop-up message ‘Unable to change personal password’. After a bit of research I came across a post indicating that the limit was set at 469, which is correct because I only get a pop-up after 470 characters. Nextcloud | Report #1727424 - No password length limit when creating a user as an administrator | HackerOne
Also, I see in the hardening guidelines that bcrypt is only supposed to consider the first 72 characters which doesn’t seem to be the case here.
The problem is that if a user changes their password to a new one of between 215 and 469 characters, the server won’t display a pop-up, but will still accept the password (an error 500 is visible when inspecting the Network tab) and the user will no longer be able to log in.
When the user enters their credentials and logs in, they are automatically returned to the ‘Internal Server Error’ page and cannot do anything. The administrator then has to change their password to unblock it.
Do you think this is a problem on our side or could it be a bug?
Steps to reproduce
Login with a user and access /settings/user/security
Change password with one whose length is between 215 and 469 characters
2.1 Inspect Network tab
Attempt to reconnect with the new password
Expected behavior
The user is able to log in using long password.
I would have liked to limit the authorized size myself but I can't find an option to do so.
Installation method
Community Manual installation with Archive
Nextcloud Server version
28
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
MySQL
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
{"reqId":"ZitxWupCQwENSxkXUse59gAAAAM","level":3,"time":"2024-04-26T09:18:19+00:00","remoteAddr":"x.x.x.x","user":"xxxx","app":"index","method":"POST","url":"/index.php/login","message":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36","version":"28.0.1.1","exception":{"Exception":"Exception","Message":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","Line":169,"Previous":{"Exception":"TypeError","Message":"base64_encode(): Argument #1 ($string) must be of type string, null given","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":400,"function":"base64_encode"},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":531,"function":"encryptPassword","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/public/AppFramework/Db/TTransactional.php","line":63,"function":"OC\\Authentication\\Token\\{closure}","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","line":500,"function":"atomic","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/Manager.php","line":245,"function":"updatePasswords","class":"OC\\Authentication\\Token\\PublicKeyTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Listeners/UserLoggedInListener.php","line":60,"function":"updatePasswords","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/ServiceEventListener.php","line":86,"function":"handle","class":"OC\\Authentication\\Listeners\\UserLoggedInListener","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":230,"function":"__invoke","class":"OC\\EventDispatcher\\ServiceEventListener","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":59,"function":"callListeners","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php","line":94,"function":"dispatch","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/EventDispatcher.php","line":106,"function":"dispatch","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":392,"function":"dispatchTyped","class":"OC\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/CompleteLoginCommand.php","line":39,"function":"completeLogin","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\CompleteLoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/LoggedInCheckCommand.php","line":60,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\LoggedInCheckCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/EmailLoginCommand.php","line":68,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\EmailLoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/UidLoginCommand.php","line":53,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\UidLoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/UserDisabledCheckCommand.php","line":57,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php","line":39,"function":"process","class":"OC\\Authentication\\Login\\UserDisabledCheckCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/PreLoginHookCommand.php","line":52,"function":"processNextOrFinishSuccessfully","class":"OC\\Authentication\\Login\\ALoginCommand","type":"->"},{"file":"/var/www/nextcloud/lib/private/Authentication/Login/Chain.php","line":107,"function":"process","class":"OC\\Authentication\\Login\\PreLoginHookCommand","type":"->"},{"file":"/var/www/nextcloud/core/Controller/LoginController.php","line":307,"function":"process","class":"OC\\Authentication\\Login\\Chain","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"tryLogin","class":"OC\\Core\\Controller\\LoginController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php","Line":400},"message":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400","exception":[],"CustomMessage":"base64_encode(): Argument #1 ($string) must be of type string, null given in file '/var/www/nextcloud/lib/private/Authentication/Token/PublicKeyTokenProvider.php' line 400"},"id":"662b7787ace93"}
Additional info
Browser console error:
encryption.js:12 Uncaught ReferenceError: OC is not defined
at encryption.js:12:1
(anonymous) @ encryption.js:12
The text was updated successfully, but these errors were encountered:
Bug description
Hi,
I’m currently running tests on a Nextcloud instance recently deployed by a colleague. During these tests I looked at whether there was a limit to the number of characters that could be entered when a user used the functionality to change their password.
I first tried with 800 characters and received a pop-up message ‘Unable to change personal password’. After a bit of research I came across a post indicating that the limit was set at 469, which is correct because I only get a pop-up after 470 characters.
Nextcloud | Report #1727424 - No password length limit when creating a user as an administrator | HackerOne
Also, I see in the hardening guidelines that bcrypt is only supposed to consider the first 72 characters which doesn’t seem to be the case here.
The problem is that if a user changes their password to a new one of between 215 and 469 characters, the server won’t display a pop-up, but will still accept the password (an error 500 is visible when inspecting the Network tab) and the user will no longer be able to log in.
When the user enters their credentials and logs in, they are automatically returned to the ‘Internal Server Error’ page and cannot do anything. The administrator then has to change their password to unblock it.
Do you think this is a problem on our side or could it be a bug?
Steps to reproduce
/settings/user/security
2.1 Inspect Network tab
Expected behavior
The user is able to log in using long password.
I would have liked to limit the authorized size myself but I can't find an option to do so.
Installation method
Community Manual installation with Archive
Nextcloud Server version
28
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
MySQL
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
Browser console error:
The text was updated successfully, but these errors were encountered: