[Bug]: encryption - sharing a folder breaks access to the folder #39034

Closed
5 of 8 tasks
brotkastn opened this issue Jun 27, 2023 · 6 comments · Fixed by #39447
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 27-feedback bug

Comments

@brotkastn

Bug description

Since the upgrade to 27.0 I am unable to access files stored in a shared folder (shared via public link). Neither the uploading Nextcloud user nor those who use the public share link can download the files. The browser will save the file, however instead of the actual content it contains an HTML text containing the following error.

(...)
<h2>Error</h2>
	<ul>
			<li>
			<p>Cannot download file</p>
							<p class='hint'>Cannot read this file, probably this is a shared file. Please ask the file owner to reshare the file with you.</p>
					</li>
		</ul>
(...)

The Nextcloud log shows the error message "path needs to be relative to the system wide data folder and point to a user specific file" thrown by getUidAndFilename in /var/www/nextcloud/lib/private/Encryption/Keys/Storage.php after I create the public share via /ocs/v2.php/apps/files_sharing/api/v1/shares.

Steps to reproduce

  1. Have the default encryption module enabled
  2. Create new folder, upload some files
  3. Select all files, download those as .zip -> working
  4. Share the new folder via public link
  5. Open the link in a new browser, try to download the file -> The download does not include the file - but is an HTML document containing said error message
  6. Even if I try to download the files using the Nextcloud user who uploaded the files, the download does not work

Expected behavior

After sharing a folder I would like to be able to access my files.

Installation method

Community Manual installation with Archive

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.minad.de",
            "owncloud.minad.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/nextcloud.minad.de",
        "dbtype": "mysql",
        "version": "27.0.0.8",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "default_language": "de",
        "mail_smtpmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "theme": "",
        "loglevel": 1,
        "maintenance": false,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "enable_avatars": false,
        "updater.release.channel": "stable",
        "mail_sendmailmode": "pipe",
        "mysql.utf8mb4": true,
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "tls",
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": true,
                "verify_peer": false,
                "verify_peer_name": false
            }
        },
        "encryption.legacy_format_support": true,
        "default_phone_region": "DE",
        "openssl": {
            "config": "\/var\/nextcloud-datadir\/openssl-legacy.cnf"
        }
    }
}

List of activated Apps

Enabled:
  - activity: 2.19.0
  - admin_audit: 1.17.0
  - calendar: 4.4.2
  - circles: 27.0.0
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.3.2
  - contactsinteraction: 1.8.0
  - cookbook: 0.10.2
  - dashboard: 7.7.0
  - dav: 1.27.0
  - deck: 1.10.0
  - encryption: 2.15.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_external: 1.19.0
  - files_pdfviewer: 2.8.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - firstrunwizard: 2.16.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - nextcloud_announcements: 1.16.0
  - notes: 4.8.0
  - notifications: 2.15.0
  - oauth2: 1.15.0
  - password_policy: 1.17.0
  - photos: 2.3.0
  - polls: 5.0.5
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - related_resources: 1.2.0
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - support: 1.10.0
  - survey_client: 1.15.0
  - systemtags: 1.17.0
  - tasks: 0.15.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - twofactor_totp: 9.0.0
  - updatenotification: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - analytics: 4.9.4 (installed 4.9.4)
  - apporder: 0.15.0 (installed 0.15.0)
  - bruteforcesettings: 2.7.0 (installed 2.4.0)
  - checksum: 1.2.2 (installed 1.2.2)
  - documentserver_community: 0.1.13 (installed 0.1.13)
  - external: 5.2.0 (installed 5.2.0)
  - files_versions: 1.20.0 (installed 1.18.0)
  - keeweb: 0.6.13 (installed 0.6.13)
  - music: 1.8.4 (installed 1.8.4)
  - onlyoffice: 8.1.0 (installed 8.1.0)
  - previewgenerator: 5.3.0 (installed 5.3.0)
  - recognize: 4.2.0 (installed 4.2.0)
  - recommendations: 1.6.0 (installed 0.5.0)
  - suspicious_login: 5.0.0
  - twofactor_u2f: 6.3.0 (installed 6.3.0)
  - user_ldap: 1.17.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"7cQT5d07ZBCIsuu71uOV","level":3,"time":"2023-06-27T12:07:11+00:00","remoteAddr":"192.168.122.82","user":"brot","app":"no app in context","method":"POST","url":"/ocs/v2.php/apps/files_sharing/api/v1/shares","message":"path needs to be relative to the system wide data folder and point to a user specific file","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0","version":"27.0.0.8","exception":{"Exception":"BadMethodCallException","Message":"path needs to be relative to the system wide data folder and point to a user specific file","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Encryption/Keys/Storage.php","line":366,"function":"getUidAndFilename","class":"OC\\Encryption\\Util","type":"->"},{"file":"/var/www/nextcloud/lib/private/Encryption/Keys/Storage.php","line":138,"function":"getFileKeyDir","class":"OC\\Encryption\\Keys\\Storage","type":"->"},{"file":"/var/www/nextcloud/apps/encryption/lib/KeyManager.php","line":381,"function":"setFileKey","class":"OC\\Encryption\\Keys\\Storage","type":"->"},{"file":"/var/www/nextcloud/apps/encryption/lib/Crypto/Encryption.php","line":444,"function":"setShareKey","class":"OCA\\Encryption\\KeyManager","type":"->"},{"file":"/var/www/nextcloud/lib/private/Encryption/Update.php","line":192,"function":"update","class":"OCA\\Encryption\\Crypto\\Encryption","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Encryption/Update.php","line":93,"function":"update","class":"OC\\Encryption\\Update","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/nextcloud/lib/private/Encryption/HookManager.php","line":35,"function":"postShared","class":"OC\\Encryption\\Update","type":"->"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Hook.php","line":105,"function":"postShared","class":"OC\\Encryption\\HookManager","type":"::"},{"file":"/var/www/nextcloud/lib/private/Share20/LegacyHooks.php","line":175,"function":"emit","class":"OC_Hook","type":"::"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":264,"function":"postShare","class":"OC\\Share20\\LegacyHooks","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":239,"function":"doDispatch","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":73,"function":"callListeners","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/EventDispatcher/SymfonyAdapter.php","line":121,"function":"dispatch","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Share20/Manager.php","line":837,"function":"dispatch","class":"OC\\EventDispatcher\\SymfonyAdapter","type":"->"},{"file":"/var/www/nextcloud/apps/files_sharing/lib/Controller/ShareAPIController.php","line":720,"function":"createShare","class":"OC\\Share20\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"createShare","class":"OCA\\Files_Sharing\\Controller\\ShareAPIController","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/ocs/v1.php","line":64,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/ocs/v2.php","line":23,"args":["/var/www/nextcloud/ocs/v1.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Encryption/Util.php","Line":228,"CustomMessage":"--"}}
{"reqId":"OLy3t0vBev3NtUVgdHni","level":3,"time":"2023-06-27T12:07:47+00:00","remoteAddr":"192.168.122.82","user":"brot","app":"no app in context","method":"GET","url":"/index.php/apps/files/ajax/download.php?dir=%2F&files=Test_Enc&downloadStartSecret=ezedr550tp8","message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0","version":"27.0.0.8","data":[]}
{"reqId":"OLy3t0vBev3NtUVgdHni","level":3,"time":"2023-06-27T12:07:47+00:00","remoteAddr":"192.168.122.82","user":"brot","app":"no app in context","method":"GET","url":"/index.php/apps/files/ajax/download.php?dir=%2F&files=Test_Enc&downloadStartSecret=ezedr550tp8","message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0","version":"27.0.0.8","exception":{"Exception":"OC\\Encryption\\Exceptions\\DecryptionFailedException","Message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Files/Stream/Encryption.php","line":517,"function":"decrypt","class":"OCA\\Encryption\\Crypto\\Encryption","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Files/Stream/Encryption.php","line":316,"function":"readCache","class":"OC\\Files\\Stream\\Encryption","type":"->"},{"function":"stream_read","class":"OC\\Files\\Stream\\Encryption","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/3rdparty/icewind/streams/src/Wrapper.php","line":55,"function":"fread"},{"file":"/var/www/nextcloud/apps/files_external/3rdparty/icewind/streams/src/CallbackWrapper.php","line":96,"function":"stream_read","class":"Icewind\\Streams\\Wrapper","type":"->"},{"function":"stream_read","class":"Icewind\\Streams\\CallbackWrapper","type":"->"},{"file":"/var/www/nextcloud/3rdparty/deepdiver/zipstreamer/src/ZipStreamer.php","line":359,"function":"fread"},{"file":"/var/www/nextcloud/3rdparty/deepdiver/zipstreamer/src/ZipStreamer.php","line":213,"function":"streamFileData","class":"ZipStreamer\\ZipStreamer","type":"->"},{"file":"/var/www/nextcloud/lib/private/Streamer.php","line":165,"function":"addFileFromStream","class":"ZipStreamer\\ZipStreamer","type":"->"},{"file":"/var/www/nextcloud
/lib/private/Streamer.php","line":132,"function":"addFileFromStream","class":"OC\\Streamer","type":"->"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Files.php","line":217,"function":"addDirRecursive","class":"OC\\Streamer","type":"->"},{"file":"/var/www/nextcloud/apps/files/ajax/download.php","line":77,"function":"get","class":"OC_Files","type":"::"},{"file":"/var/www/nextcloud/lib/private/Route/Route.php","line":155,"args":["/var/www/nextcloud/apps/files/ajax/download.php"],"function":"require_once"},{"function":"OC\\Route\\{closure}","class":"OC\\Route\\Route","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":324,"function":"call_user_func"},{"file":"/var/www/nextcloud/lib/base.php","line":1064,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/apps/encryption/lib/Crypto/Encryption.php","Line":398,"Hint":"Diese Datei kann nicht entschl\u00fcsselt werden, es handelt sich wahrscheinlich um eine geteilte Datei. Bitte kontaktiere den Eigent\u00fcmer der Datei und bitte darum, die Datei noch einmal mit dir zu teilen.","CustomMessage":"--"}}

Additional info

Thank you for your work <3

@brotkastn brotkastn added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jun 27, 2023
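
A log triage sketch for the two signatures in the log above, added here as an example (not Nextcloud code and not part of the original report): it flags share-creation requests where the share-key write threw, and later decryption failures. The sample lines, reqIds, user name and the helper `_entry` are constructed for illustration.

```python
import json

SHARE_API = "/ocs/v2.php/apps/files_sharing/api/v1/shares"
KEY_PATH_MSG = "path needs to be relative to the system wide data folder"
DECRYPT_EXC = "OC\\Encryption\\Exceptions\\DecryptionFailedException"

def classify(entry):
    """Name the failure signature of one parsed log entry, or return None."""
    exc = entry.get("exception")
    if not isinstance(exc, dict):
        return None  # plain message lines carry no trace; skipping avoids double counting
    funcs = {f.get("function") for f in exc.get("Trace") or [] if isinstance(f, dict)}
    if (entry.get("method") == "POST"
            and str(entry.get("url", "")).startswith(SHARE_API)
            and exc.get("Exception") == "BadMethodCallException"
            and KEY_PATH_MSG in str(exc.get("Message", ""))
            and "setShareKey" in funcs):
        return "share_key_write_failed"
    if exc.get("Exception") == DECRYPT_EXC:
        return "decrypt_failed"
    return None

def triage(lines):
    """Return (time, user, signature, reqId) for every matching log line."""
    hits = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # wrapped or truncated lines are not valid JSON on their own
        if isinstance(entry, dict) and (kind := classify(entry)):
            hits.append((entry.get("time"), entry.get("user"), kind, entry.get("reqId")))
    return hits

def _entry(req, time, method, url, exc=None):
    """Build one constructed log line in the shape of the entries quoted above."""
    return json.dumps({"reqId": req, "time": time, "user": "alice",
                       "method": method, "url": url, "exception": exc})

# Constructed sample (hypothetical reqIds, user and messages), not taken from a real log.
DOWNLOAD = "/index.php/apps/files/ajax/download.php"
SAMPLE = [
    _entry("req-1", "2023-06-27T12:07:11+00:00", "POST", SHARE_API,
           {"Exception": "BadMethodCallException",
            "Message": KEY_PATH_MSG + " and point to a user specific file",
            "Trace": [{"function": "getUidAndFilename"}, {"function": "setShareKey"}]}),
    _entry("req-2", "2023-06-27T12:07:47+00:00", "GET", DOWNLOAD),
    _entry("req-2", "2023-06-27T12:07:47+00:00", "GET", DOWNLOAD,
           {"Exception": DECRYPT_EXC, "Message": "Cannot decrypt this file", "Trace": []}),
    '{"reqId":"req-3","exception":{"Trace":[',  # truncated line, must be skipped
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit, sep="\t")
```

Each `share_key_write_failed` hit marks a share whose files should be checked for missing keys; the log does not record the file path, so the timestamp and user are the starting point.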
@fako1024

fako1024 commented Jun 29, 2023

I'm actually seeing something that might be related since the upgrade to 27 (using the official Docker image, aside from that my answers to the template questions would be comparable): Whenever I share a file via public link it becomes inaccessible (with the same error on the public link: "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you." as described by the OP). Maybe also related to #28862 (since the behavior for PDFs, images and text files matches the description - although to be fair, the symptoms would probably be the same for any issue that breaks / corrupts encrypted files)?

@brotkastn
Author

Issue #28862 sounds like it might be related, however it even breaks the access to the files for the owner of the files. Since your files are then inaccessible for you, which is bad, I thought this warrants a new issue. Maybe the bug for both issues is the same though, I am happy to close this one then.

One thing I have learned since opening this issue is that deleting the share shows an error in the frontend: Error deleting the share - after refreshing the page the share is deleted. Removing the "share" will not restore access to those files.

If there is anything I can test, I will gladly provide the needed logs.

@yahesh
Member

yahesh commented Jul 17, 2023

While creating test cases for the encryption-recovery-tools I came across the same problem. When publicly sharing an encrypted file, Nextcloud 27 deletes all corresponding encryption keys for that file. This is severe. (/cc @come-nc)

P.S.: This can be reproduced like this:

$ podman run -d -p 8080:80 --name nextcloud docker.io/library/nextcloud:27.0.0

=> browse to http://localhost:8080/
=> create admin user

=> browse to http://localhost:8080/index.php/settings/apps
=> enable Default encryption module

$ podman exec -it nextcloud bash
$ su -s /bin/bash www-data
$ ./occ encryption:enable
$ ./occ encryption:disable-master-key

=> logout
=> login

$ ./occ encryption:encrypt-all
$ exit
$ exit

=> browse to http://localhost:8080/index.php/apps/files/?dir=/&fileid=2
=> share all files and folders as external links

@come-nc
Contributor

come-nc commented Jul 18, 2023

Can you try this patch:

diff --git a/apps/encryption/lib/Crypto/Encryption.php b/apps/encryption/lib/Crypto/Encryption.php
index 0bcaa167907..899d0f4315d 100644
--- a/apps/encryption/lib/Crypto/Encryption.php
+++ b/apps/encryption/lib/Crypto/Encryption.php
@@ -441,7 +441,7 @@ class Encryption implements IEncryptionModule {
                        $this->keyManager->deleteAllFileKeys($path);
 
                        foreach ($shareKeys as $uid => $keyFile) {
-                               $this->keyManager->setShareKey($this->path, $uid, $keyFile);
+                               $this->keyManager->setShareKey($path, $uid, $keyFile);
                        }
                } else {
                        $this->logger->debug('no file key found, we assume that the file "{file}" is not encrypted',
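
Review bot: deleteAllFileKeys($path), just above the foreach, still runs before any share key is rewritten, so if a setShareKey() call in the loop throws (as in the trace from the report, where it fails from Encryption.php line 444), the file is left with its old keys deleted and no new ones stored. Consider writing the new share keys before removing the old ones, or restoring them on failure, and add a test that calls update() with a $path that differs from $this->path so a regression back to `$this->keyManager->setShareKey($this->path, $uid, $keyFile);` is caught.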

@yahesh
Member

yahesh commented Jul 18, 2023

@come-nc Yes, on a new installation, this fixed the problem.

@Juma7C9

Juma7C9 commented Sep 7, 2023

Still happening for me on 27.0.2, exactly as described in the first post, while 27.1.0 RC1 works correctly.

(Debian 12 Bookworm, PHP 8.2, Apache 2.4.57)
