Hi all,
I use:
Nextcloud version (eg, 12.0.2): 13.0.6
Operating system and version (eg, Ubuntu 17.04): Debian 9
Apache or nginx version (eg, Apache 2.4.25): Nginx 1.14
PHP version (eg, 7.1): 7.0.30-0+deb9u1
The issue you are facing:
I have a problem: the CSP header shows a different nonce than the one I see in the HTML.
script-src 'nonce-anJEM0lLR1E0VDZEbjljWEZaVThra3dVRVVYODE1WjREemFma0dxcW1jaz06dUlHbldlRGNsbmI1cmFWR1djWUU5Q2RXVUJiS2x2c2RWM0R6cFZuTzd2QT0=' 'unsafe-eval';
But in HTML I see:
<script nonce="OFdjQldYZzVmNmRIK0xrcy9ZRHRqQXYycFF5ajJLU1FTTFo0MFArcmtDOD06eDFaUklEbDFDTzg5eXN0OXNkUFY2bUMwNUYrVm1jbjFFUEFVNWN6UDV4WT0=" defer src="/core/vendor/core.js?v=53c05fc6-6"></script>
And console in Firefox shows this message on every page load:
Refused to execute inline script because it violates the following Content Security Policy directive: inline («script-src»).
Is this the first time you’ve seen this error? (Y/N): Y
Steps to replicate it:
- I’ve used previous versions of NC without problems
- Updated from 13.0.5 to 13.0.6
- I just can’t log in with TOTP, disable TOTP from a logged-in session, or do some other things.
The output of your Nextcloud log in Admin > Logging:
When I try to use TOTP code I get this:
Exception: HMAC does not match.
/var/www/nextcloud/apps/twofactor_totp/lib/Service/Totp.php - line 131: OC\Security\Crypto->decrypt(*** sensitive parameters replaced ***)
/var/www/nextcloud/apps/twofactor_totp/lib/Provider/TotpProvider.php - line 93: OCA\TwoFactorTOTP\Service\Totp->validateSecret(Object(OC\User\User), '734892')
/var/www/nextcloud/lib/private/Authentication/TwoFactorAuth/Manager.php - line 215: OCA\TwoFactorTOTP\Provider\TotpProvider->verifyChallenge(*** sensitive parameters replaced ***)
/var/www/nextcloud/core/Controller/TwoFactorChallengeController.php - line 169: OC\Authentication\TwoFactorAuth\Manager->verifyChallenge(*** sensitive parameters replaced ***)
[internal function] OC\Core\Controller\TwoFactorChallengeController->solveChallenge(*** sensitive parameters replaced ***)
/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 161: call_user_func_array(Array, Array)
/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 91: OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Core\Controller\TwoFactorChallengeController), 'solveChallenge')
/var/www/nextcloud/lib/private/AppFramework/App.php - line 115: OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Core\Controller\TwoFactorChallengeController), 'solveChallenge')
/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php - line 47: OC\AppFramework\App main('OC\\Core\\Control...', 'solveChallenge', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
[internal function] OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
/var/www/nextcloud/lib/private/Route/Router.php - line 297: call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
/var/www/nextcloud/lib/base.php - line 999: OC\Route\Router->match('/login/challeng...')
/var/www/nextcloud/index.php - line 42: OC handleRequest()
{main}
The output of your config.php file in /path/to/nextcloud
(make sure you remove any identifiable information!):
<?php
$CONFIG = array (
'instanceid' => '*******',
'passwordsalt' => '***************',
'secret' => '**********',
'trusted_domains' =>
array (
0 => 'cloud.*****.me',
),
'datadirectory' => '/mnt/***/nextcloud_data',
'overwrite.cli.url' => 'https://cloud.******.me',
'dbtype' => 'mysql',
'version' => '13.0.6.1',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbtableprefix' => 'oc_',
'dbuser' => 'nextcloud',
'mysql.utf8mb4' => true,
'trashbin_retention_obligation' => 'auto',
'versions_retention_obligation' => 'auto, 5',
'installed' => true,
'loglevel' => 2,
'logdateformat' => 'F d, Y H:i:s',
'log_rotate_size' => 20971520,
'theme' => 'compact',
'remember_login_cookie_lifetime' => 1296000,
'session_lifetime' => 259200,
'session_keepalive' => true,
'maintenance' => false,
'logfile' => '/var/log/nextcloud/nextcloud.log',
'appstore.experimental.enabled' => true,
'debug' => false,
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/var/run/redis/redis.sock',
'port' => 0,
),
'dbpassword' => '********************',
'mail_from_address' => 'cloud',
'mail_smtpmode' => 'php',
'mail_domain' => '**********.me',
'filesystem_check_changes' => 1,
'updater.release.channel' => 'stable',
'dbport' => '',
);
The output of your Apache/nginx/system log in /var/log/____:
Nothing suspicious
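
One way to check the symptom reported above: compare the nonce allowed by the `script-src` directive with the `nonce` attributes on the `<script>` tags of the same response. This is an added example, not part of the original post and not Nextcloud code; the function names and the sample header and HTML are constructed, and it assumes a policy that allows scripts only by nonce, like the header quoted in the post.

```python
import re
from html.parser import HTMLParser

NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")

def policy_nonces(csp_header, directive="script-src"):
    """Return the set of nonces that the given CSP directive allows."""
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return set(NONCE_RE.findall(part))
    return set()

class ScriptCollector(HTMLParser):
    """Collect (src, nonce) for every <script> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("nonce")))

def check_nonces(csp_header, html):
    """List scripts a nonce-only script-src policy would refuse to run."""
    allowed = policy_nonces(csp_header)
    collector = ScriptCollector()
    collector.feed(html)
    problems = []
    for src, nonce in collector.scripts:
        label = src or "<inline>"
        if nonce is None:
            problems.append((label, "no nonce attribute"))
        elif nonce not in allowed:
            problems.append((label, "nonce not in script-src"))
    return problems

# Constructed sample: header and body must come from the SAME response.
SAMPLE_CSP = "default-src 'none'; script-src 'nonce-QUFBQQ==' 'unsafe-eval'"
SAMPLE_HTML = (
    '<script nonce="QkJCQg==" defer src="/core/vendor/core.js"></script>'
    '<script nonce="QUFBQQ==">var ok = 1;</script>'
    '<script>var blocked = 2;</script>'
)

if __name__ == "__main__":
    for label, reason in check_nonces(SAMPLE_CSP, SAMPLE_HTML):
        print(f"{label}: {reason}")
```

If the header and the body are captured from one response and the nonces still differ, something between the application and the browser is serving one of the two from an earlier request.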