
CSRF check failed after creation of password protected share link #13893

Closed
bpcurse opened this issue Jan 29, 2019 · 16 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug

Comments

@bpcurse

bpcurse commented Jan 29, 2019

Steps to reproduce

  1. Create a share link with password protection
  2. Copy link to clipboard
  3. Log out
  4. In the same browser session try to open the link to check it
  5. Enter password

Expected behaviour

The data should be accessible after entering the correct password

Actual behaviour

"CSRF check failed" error message is displayed (not an issue if password protection isn't set)
After closing the browser and reopening it, the share can be accessed as expected

Server configuration

This happens on two differently hosted nextcloud instances:
14.0.6 on shared webhosting, apache, mysql, php 7.2
15.0.2 manjaro i3 linux, nginx, mariadb, php 7.2

Client configuration

Manjaro Linux, Firefox 64.0.2

@bpcurse bpcurse added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jan 29, 2019
@ChristophWurst
Member

I can't reproduce with Nextcloud 16.

@stale

stale bot commented Jun 6, 2019

This issue has been automatically marked as stale because it has not had recent activity and it seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale Ticket or PR with no recent activity label Jun 6, 2019
@ChristophWurst
Member

@bpcurse do you still see the issue? Apparently there are a few instances where this keeps happening, but we could not identify any pattern yet.

@bpcurse
Author

bpcurse commented Jun 12, 2019

@ChristophWurst Thanks for following up on this.

I cannot reproduce this issue anymore on
15.0.5 (shared webhosting, apache, mysql, php 7.2) and
16.0.1 (Manjaro i3 linux, nginx 1.14.2, mariadb 10.3.13, php 7.3.3)
using Firefox 67.0.1 on Manjaro Linux.

Seems that either the Nextcloud updates or the Firefox update solved this. Sorry for not being able to pinpoint.

@bpcurse bpcurse closed this as completed Jun 12, 2019
@ChristophWurst
Member

No worries. I was just hoping we could find the reason for the bug as some instances are still affected. But great to hear it's working for you :)

@bpcurse
Author

bpcurse commented Jun 12, 2019

@ChristophWurst Found it, seems to happen on slightly older Firefox browsers regardless of the nextcloud version! After experimenting with older Firefox versions (linux x86_64, german) from Mozilla archives, it happens again (using a shared text file created through files app). Collabora online is installed.

Test results:
Firefox 63.0.3 (failed)
Firefox 64.0.2 (failed)
Firefox 65.0.2 (failed)
Firefox 66.0.2 (success)
Firefox 67.0.1 (success)

Also the display in the address bar changes after logout:

@skjnldsv skjnldsv removed stale Ticket or PR with no recent activity labels Jun 12, 2019
@ChristophWurst
Member

Thank you so much for this information! Sounds like we can finally investigate why this is happening for some users. They just have a different browser than us, hence it's not reproducible 🤦‍♂️

@ChristophWurst
Member

ChristophWurst commented Jun 12, 2019

I haven't tested yet but it might fulfill our suspicion that some browsers do not reload the page properly and an outdated CSRF token remains somehow.
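
The failure mode suspected in the comment above, modelled as an added example (this is constructed illustration code, not Nextcloud's CSRF implementation, and the class and function names `Session`, `CsrfGuard`, `RenderedPage` and `post_share_password` are assumptions). A CSRF token is bound to a per-session secret; logout rotates that secret, so a browser tab that keeps submitting the token embedded in a page rendered before logout is rejected with "CSRF check failed", while a tab that really reloads the share page receives a token for the new secret and succeeds.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session state (constructed model, not Nextcloud's class)."""
    session_id: str
    csrf_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def rotate(self) -> None:
        # Logout (or login) replaces the per-session secret, so every token
        # minted before this point stops verifying.
        self.csrf_secret = secrets.token_bytes(32)


class CsrfGuard:
    """Mint and verify tokens bound to the session's current secret."""

    def issue_token(self, session: Session) -> str:
        nonce = secrets.token_hex(16)
        mac = hmac.new(session.csrf_secret, nonce.encode(), hashlib.sha256).hexdigest()
        return f"{nonce}:{mac}"

    def verify(self, session: Session, token: str) -> bool:
        try:
            nonce, mac = token.split(":", 1)
        except ValueError:
            return False  # malformed token
        expected = hmac.new(session.csrf_secret, nonce.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the expected MAC.
        return hmac.compare_digest(mac, expected)


@dataclass
class RenderedPage:
    """What a browser tab holds: the token embedded when the page was rendered."""
    request_token: str


def post_share_password(guard: CsrfGuard, session: Session, page: RenderedPage,
                        password: str, expected_password: str) -> str:
    """Simulated handler for the share-link password form."""
    if not guard.verify(session, page.request_token):
        return "CSRF check failed"
    if password != expected_password:
        return "Wrong password"
    return "Share unlocked"


def scenario_stale_tab() -> str:
    """Tab keeps the pre-logout token: the suspected browser behaviour."""
    guard = CsrfGuard()
    session = Session("sess-constructed-1")
    # Logged-in user has the Files app open; its page carries a token for
    # the current secret.
    files_page = RenderedPage(guard.issue_token(session))
    # Logout rotates the secret, but the tab was not properly reloaded and
    # still submits the token from the old render with the password form.
    session.rotate()
    return post_share_password(guard, session, files_page, "pw", "pw")


def scenario_reloaded_tab() -> str:
    """Tab really reloads the share page after logout and gets a fresh token."""
    guard = CsrfGuard()
    session = Session("sess-constructed-2")
    guard.issue_token(session)  # token of the old page, discarded on reload
    session.rotate()
    share_page = RenderedPage(guard.issue_token(session))
    return post_share_password(guard, session, share_page, "pw", "pw")


if __name__ == "__main__":
    print("stale tab    :", scenario_stale_tab())
    print("reloaded tab :", scenario_reloaded_tab())
```

The two scenarios differ only in whether the page that submits the password form was rendered before or after the secret rotation, which is exactly the distinction a reload-related browser difference would produce; a server-side log that records the session id together with the rejected token's nonce is what makes the stale-token case distinguishable from a genuine cross-site request.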

@bpcurse
Author

bpcurse commented Jun 12, 2019

You are welcome, glad I could help :)

@ChristophWurst
Member

> Test results:
> Firefox 63.0.3 (failed)
> Firefox 64.0.2 (failed)
> Firefox 65.0.2 (failed)
> Firefox 66.0.2 (success)
> Firefox 67.0.1 (success)
>
> Also the display in the address bar changes after logout:
>
> * https://cloud.xxxxxxxxxxxxxxx.de/index.php/login?redirect_url=/index.php/apps/files/%3Fdir%3D/%26fileid%3D133 (is shown on the failing versions and immediate relogin is not possible)
>
> * https://cloud.xxxxxxxxxxxxxxx.de/index.php/login?clear=1 (is shown on the newer versions)

Unfortunately I can not reproduce this. Neither the CSRF error nor the logout URL. It's always the latter URL logout. May I ask how you've run these old FF versions?

@bpcurse
Author

bpcurse commented Jun 13, 2019

I rechecked and it seems that I have to apologize for writing "regardless of the nextcloud version".
The change in the address bar happens on 15.0.5 AND 16.0.1 but the "csrf check failed" message appears ONLY on 15.0.5. Sorry for misleading you, as you probably tested against up to date 16?

Anyway here is my course of action, step by step:

This was done on Manjaro Linux against a shared hosting 15.0.5 nextcloud server at all-inkl.

  • Download the old version from https://ftp.mozilla.org/pub/firefox/releases/
    e.g. 64.0.2: https://ftp.mozilla.org/pub/firefox/releases/64.0.2/linux-x86_64/de/
  • Extract the files
  • Deactivate your network connection or block outgoing packets to prevent the old version from immediately updating to the latest version.
  • Close all running firefox instances
  • Start the older version by double clicking the firefox file in the directory you extracted to.
  • Open the settings menu, go to updates and make sure they are not installed automatically
  • Make sure you are now running the old version by checking the help / about firefox menu
  • Reactivate your network connection or unblock outgoing packets
  • To recreate the problem follow the steps as described in the initial issue description

@ChristophWurst I could send you an access link and password with failing csrf check via email, if you want.

@bpcurse bpcurse reopened this Jun 13, 2019
@ChristophWurst
Member

Tried with FF64 from the link above (clean profile) and Nextcloud 15.0.5 (from git) and it just worked: https://im4.ezgif.com/tmp/ezgif-4-a04669664e82.gif What am I doing wrong? 🤔

> @ChristophWurst I could send you an access link and password with failing csrf check via email, if you want.

Yes, please send me one to christoph at nextcloud dot com.

@bpcurse
Author

bpcurse commented Jun 21, 2019

Will send it to you within the hour. Hopefully it will shed some light onto this.

@bpcurse
Author

bpcurse commented Jun 21, 2019

The ezgif link from your previous post leads to a 404.

@ChristophWurst
Member

Some more debugging progress can be found at #17065

@skjnldsv
Member

Moving to 17065 then
