
[Bug]: nextcloudcmd incorrectly trusts bad TLS certs #4927

Closed
nickrbogdanov opened this issue Sep 10, 2022 · 3 comments

@nickrbogdanov

Bug description

I have a self-hosted Nextcloud instance using my own private CA for TLS certs. When running nextcloudcmd without the --trust flag, it disregards the cert validation failure as "This is not an actual error" and proceeds with the sync anyway. I expected it to reject the untrusted server cert and assume it is a MITM attack:

# nextcloudcmd --non-interactive -n ~/Nextcloud https://nextcloud.lan
09-10 12:25:54:348 [ info nextcloud.sync.accessmanager ]:	2 "" "https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json" has X-Request-ID "18ff47a0-a482-4456-a489-7aa747170c58"
09-10 12:25:54:348 [ info nextcloud.sync.networkjob ]:	OCC::JsonApiJob created for "https://nextcloud.lan" + "ocs/v1.php/cloud/capabilities" ""
09-10 12:25:54:545 [ info nextcloud.sync.account ]:	"SSL-Errors happened for url  \"https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json\" \tError in  QSslCertificate(\"3\", [REDACTED] : \"The root certificate of the certificate chain is self-signed, and untrusted\" ( \"The root certificate of the certificate chain is self-signed, and untrusted\" ) \n " Certs are known and trusted! This is not an actual error.
09-10 12:25:54:871 [ info nextcloud.sync.networkjob.jsonapi ]:	JsonApiJob of QUrl("https://nextcloud.lan/ocs/v1.php/cloud/capabilities?format=json") FINISHED WITH STATUS "OK"

After adding the root CA cert to the system's trust store the validation passes and the warning goes away.

I am running the latest nextcloud-desktop-cmd package, version 2.6.2-1build1, on Ubuntu Server 20.04.2 LTS.

I did not see this problem in the Nextcloud CVE list.

Steps to reproduce

Run nextcloudcmd against a server that has a TLS cert that the system won't validate.

Expected behavior

Abort the operation if the server's TLS cert cannot be validated, unless --trust is specified to explicitly override the security checks.

Which files are affected by this bug

src/libsync/account.cpp

Operating system

Linux

Which version of the operating system you are running.

Ubuntu 20.04.2 LTS

Package

Distro package manager

Nextcloud Server version

24.0.3

Nextcloud Desktop Client version

2.6.2-1build1

Is this bug present after an update or on a fresh install?

Fresh desktop client install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

Are you using an external user-backend?

  • Default internal user-backend
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Nextcloud Server logs

No response

Additional info

No response
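The decision the report asks for, as an added illustration in Python rather than the client's own C++ (the function, class and field names are assumptions, and the DER bytes are a constructed placeholder): the permissive handler models what the reporter observed, the strict one the expected behaviour of ignoring validation errors only under --trust or a prior explicit approval of the exact certificate.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SslError:
    """One certificate error raised during the handshake (QSslError-like)."""
    message: str
    cert_der: bytes  # DER encoding of the certificate the error refers to


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, the key under which an approval is stored."""
    return hashlib.sha256(cert_der).hexdigest()


def permissive_decision(errors, trust_flag=False, approved=frozenset()):
    """The behaviour the issue reports: validation errors are waved through
    as 'not an actual error' regardless of --trust or prior approval."""
    return "ignore"


def strict_decision(errors, trust_flag=False, approved=frozenset()):
    """The expected behaviour: ignore errors only when --trust was given or
    every failing certificate was explicitly approved earlier; else abort."""
    if not errors:
        return "proceed"      # chain validated, nothing to decide
    if trust_flag:
        return "ignore"       # user explicitly overrode validation
    if approved and all(fingerprint(e.cert_der) in approved for e in errors):
        return "ignore"       # every offending cert was pinned by the user
    return "abort"            # unknown cert: treat as possible interception


# Constructed sample input: a placeholder standing in for the self-signed
# root's DER bytes, carrying the error text from the report's log.
SELF_SIGNED_ROOT_DER = b"constructed-placeholder-der-bytes-for-private-root"
UNTRUSTED_ROOT = SslError(
    "The root certificate of the certificate chain is self-signed, and untrusted",
    SELF_SIGNED_ROOT_DER,
)

if __name__ == "__main__":
    print(strict_decision([UNTRUSTED_ROOT]))                   # abort
    print(strict_decision([UNTRUSTED_ROOT], trust_flag=True))  # ignore
    print(strict_decision([UNTRUSTED_ROOT],
                          approved={fingerprint(SELF_SIGNED_ROOT_DER)}))  # ignore
```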

nursoda commented Sep 19, 2022

@mgallien If this is true, this bug should be labelled "security" and be handled as such (i.e. be prioritized)!
@nickrbogdanov You know that there's another way to report bugs that thwart security?

@nickrbogdanov (Author)

Friendly ping, is this something the authors were/weren't able to corroborate?

@mgallien (Collaborator)

This has been fixed by this release: https://github.com/nextcloud/desktop/releases/tag/v3.6.1
No idea why we forgot to close this issue when merging a fix.
