CSRF, Access Denied #11464

Steps to reproduce

  1. Add account, set the password.
  2. Place the site behind a reverse proxy for SSL.
  3. Login on an iPhone, iOS app.

Expected behaviour

Login should go through. The same account logs in w/o issues on the Android and Windows apps, as well as browsers on Windows and Mac. macOS app also w/o issues. Just the iOS app.

Actual behaviour

Get the CSRF Access Denied error.

Server configuration

Operating system: Debian GNU/Linux 9 (stretch) docker container, under OpenShift.

Web server: nginx

Database: MariaDB

PHP version:

Nextcloud version: 13-fpm (13.0.6)

Updated from an older Nextcloud/ownCloud or fresh install: no

Where did you install Nextcloud from: docker.io/nextcloud

Signing status:
CSRF Access Denied after correctly entering credentials username/password. Token-based auth spins forever.

No errors have been found.

List of activated apps:

App list: any apps there by default, none installed on top of that. This is a fresh install.

Nextcloud configuration:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => 'ocmcrrkeis6l',
  'passwordsalt' => 'blah',
  'secret' => 'blah',
  'trusted_domains' =>
  array (
    0 => 'cloud.blah.net',
    1 => 'nextcloud.os.lnsz.local',
  ),
  'datadirectory' => '/var/www/html/data',
  'overwrite.cli.url' => 'http://cloud.blah.net',
  'dbtype' => 'mysql',
  'version' => '13.0.6.1',
  'dbname' => 'nextcloud',
  'dbhost' => 'mariadb.default.svc',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'blah',
  'installed' => true,
  'csrf.disabled' => true,
);

I’ve added the last line in an attempt to disable CSRF … no go.

Are you using external storage, if yes which one: local, running Ceph

Are you using encryption: no

Are you using an external user-backend, if yes which one: no.

Client configuration

Browser: iOS app.

Operating system: iOS.

Logs

Web server error log

2018/09/29 19:51:57 [info] 5#5: *3604 client closed connection while waiting for request, client: 10.131.0.1, server: 0.0.0.0:8080
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "POST /login?redirect_url=/login/flow/redirect%3FclientIdentifier%3D%26stateToken%3DIUp4U4eMRJKz8hRMZL3oZ9VXwL9LZxLhn5wL09W2xniJfzMa5PvIg2MtY4DLLzHb&user=blah HTTP/1.0" 303 0 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "GET /login/flow/redirect?clientIdentifier=&stateToken=IUp4U4eMRJKz8hRMZL3oZ9VXwL9LZxLhn5wL09W2xniJfzMa5PvIg2MtY4DLLzHb HTTP/1.0" 200 5323 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "GET /core/js/oc.js?v=ec5f41dd HTTP/1.0" 200 3313 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "POST /login/flow HTTP/1.0" 412 4582 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "GET /core/js/oc.js?v=ec5f41dd HTTP/1.0" 200 3313 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:59 +0000] "GET /cron.php HTTP/1.0" 200 20 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:59 +0000] "GET /cron.php HTTP/1.0" 200 20 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"

Above is the part of the nginx log that makes mention of iOS.

Nextcloud log (data/nextcloud.log)

::1 -  29/Sep/2018:20:03:32 +0000 "GET /cron.php" 200
::1 - blah 29/Sep/2018:20:03:54 +0000 "PROPFIND /remote.php" 207
127.0.0.1 -  29/Sep/2018:20:04:03 +0000 "GET /index.php" 200
::1 -  29/Sep/2018:20:04:03 +0000 "GET /index.php" 302
127.0.0.1 - blah 29/Sep/2018:20:04:24 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:04:24 +0000 "GET /ocs/v2.php" 200
127.0.0.1 - blah 29/Sep/2018:20:04:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:05:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:05:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:06:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:06:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:07:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:07:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:08:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:08:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:09:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:09:24 +0000 "GET /ocs/v2.php" 200
::1 - blah 29/Sep/2018:20:09:54 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:10:23 +0000 "GET /status.php" 200
::1 - blah 29/Sep/2018:20:10:24 +0000 "PROPFIND /remote.php" 207
127.0.0.1 - blah 29/Sep/2018:20:10:54 +0000 "PROPFIND /remote.php" 207
::1 - blah 29/Sep/2018:20:11:24 +0000 "PROPFIND /remote.php" 207

CSRF access denied not logged here.


Can CSRF be disabled altogether?
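For anyone triaging this from the proxy side, here is an added example (not code from the original post or from Nextcloud) that parses nginx combined-format lines like the ones above, follows the login flow per client (POST /login, then GET /login/flow/redirect, then POST /login/flow) and reports every flow whose final POST was answered with 412, which is the status the pasted log shows at the point where the iOS app reported "CSRF Access Denied". The sample lines are constructed from the report: the state token is replaced by the placeholder STATE1, and a second, made-up client with a successful flow is included so the filter has something to ignore.

```python
"""Spot Nextcloud login-flow attempts rejected with 412 in an nginx access log.

Added example, not code from the thread or from Nextcloud. Groups requests by
client (IP + user agent), finds each "POST /login/flow" that returned 412 and
reports the preceding flow steps of that client, so the failing step and its
state token can be matched against the app's own error.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# nginx combined log format, as in the lines pasted in the report
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CONSTRUCTED sample: the iOS sequence from the report with the state token
# replaced by the placeholder STATE1, plus a made-up client whose flow succeeded.
SAMPLE_LOG = """\
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "POST /login?redirect_url=/login/flow/redirect%3FclientIdentifier%3D%26stateToken%3DSTATE1&user=blah HTTP/1.0" 303 0 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "GET /login/flow/redirect?clientIdentifier=&stateToken=STATE1 HTTP/1.0" 200 5323 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "GET /core/js/oc.js?v=ec5f41dd HTTP/1.0" 200 3313 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:58 +0000] "POST /login/flow HTTP/1.0" 412 4582 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.1 - - [29/Sep/2018:19:51:59 +0000] "GET /cron.php HTTP/1.0" 200 20 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.22.4"
10.130.0.9 - - [29/Sep/2018:19:55:10 +0000] "POST /login?redirect_url=/login/flow/redirect%3FclientIdentifier%3D%26stateToken%3DSTATE2&user=blah HTTP/1.0" 303 0 "-" "constructed-test-client/1.0"
10.130.0.9 - - [29/Sep/2018:19:55:10 +0000] "GET /login/flow/redirect?clientIdentifier=&stateToken=STATE2 HTTP/1.0" 200 5323 "-" "constructed-test-client/1.0"
10.130.0.9 - - [29/Sep/2018:19:55:11 +0000] "POST /login/flow HTTP/1.0" 303 0 "-" "constructed-test-client/1.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def state_token(rec):
    """Pull stateToken out of a flow request, whether it is a query parameter
    of the request itself or sits inside the URL-encoded redirect_url value."""
    if "stateToken" in rec["query"]:
        return rec["query"]["stateToken"][0]
    for redirect in rec["query"].get("redirect_url", []):
        inner = urlsplit(unquote(redirect))
        tok = parse_qs(inner.query).get("stateToken")
        if tok:
            return tok[0]
    return None


def find_denied_flows(log_text, window_seconds=30):
    """Return one record per 'POST /login/flow' answered with 412, with the
    same client's earlier flow steps inside the correlation window."""
    by_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_client.setdefault((rec["ip"], rec["ua"]), []).append(rec)

    denied = []
    for (ip, ua), recs in by_client.items():
        recs.sort(key=lambda r: r["time"])  # stable: same-second order is kept
        for i, rec in enumerate(recs):
            if not (rec["method"] == "POST" and rec["path"] == "/login/flow"
                    and rec["status"] == 412):
                continue
            steps, token = [], None
            for prev in recs[:i]:
                if (rec["time"] - prev["time"]).total_seconds() > window_seconds:
                    continue
                if prev["method"] == "POST" and prev["path"] == "/login":
                    steps.append(("POST /login", prev["status"]))
                    token = token or state_token(prev)
                elif prev["method"] == "GET" and prev["path"] == "/login/flow/redirect":
                    steps.append(("GET /login/flow/redirect", prev["status"]))
                    token = token or state_token(prev)
            denied.append({"client": ip, "user_agent": ua, "time": rec["ts"],
                           "state_token": token, "preceding_steps": steps,
                           "referer": rec["referer"]})
    return denied


if __name__ == "__main__":
    for d in find_denied_flows(SAMPLE_LOG):
        print(f'{d["time"]} {d["client"]} {d["user_agent"]}: 412 on POST /login/flow '
              f'(state {d["state_token"]}, referer {d["referer"]}) after {d["preceding_steps"]}')
```

Run against a real access log, the output tells you which clients complete the first two steps and are then rejected on the third, and whether the rejected POST arrived with an empty Referer, which is worth checking against the proxy's header handling before touching the CSRF settings.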

Quick follow up to this… managed to log in using iOS application “the old way”. On the login screen there is a link to “log in the old way” and that works just fine.

“New way” is a no go. Whatever the difference is between the two…


Hi, we experience the same problem with the Nginx reverse proxy, and worse: it blocks any other attempts to log in for 30 seconds, even non-iPhone!

Do you have a fix for this?

Thanks

Thanks for the tip. This did the trick for me as well. I would like to know the reason for the error in the first place, though.