Disqualified password without warning does not prevent file share to work

ℹ️ Support
, ,
1

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 33.0.3
  • Operating system and version (e.g., Ubuntu 24.04):
    • Debian Bookwarm
  • Web server and version (e.g, Apache 2.4.25):
    • Ngingx
  • Reverse proxy and version _(e.g. nginx 1.27.2)
    • Ngingx
  • PHP version (e.g, 8.3):
    • 8.3
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • Today
  • Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
    • Bare Metal
  • Are you using CloudfIare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

[When creating a folder share and settings up password, user can set a disqualified password without a proper warning to the share and what is really bad, the share works after that (without the password). Tested on latest Mac OS + Firefox + Win11Pro + Firefox. On the latter user the errors warning does appear but it is small non-modal warning which is easy to be ignored.

Steps to replicate it (hint: details matter!):

  1. Create a folder share (Mac OS + FF)

  2. Set a password that does not qualify the requirements

  3. Share goes public without a any warning that the share is not protected by the password

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

-

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

-

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

-

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

-

Apps

The output of occ app:list (if possible).

Tips for increasing the likelihood of a response

  • Use the preformatted text formatting option in the editor for all log entries and configuration output.
  • If screenshots are useful, feel free to include them.
    • If possible, also include key error output in text form so it can be searched for.
  • Try to edit log output only minimally (if at all) so that it can be ran through analyzers / formatters by those trying to help you.
2

Just to add a remark → on Mac + FF combination, even qualified password does not work / is set correctly if you do not hit Enter on password field after writeing a new password to it first. So without a Enter even quolified password is silently rejected!

3

So the correct behaviour should be that the user, who wanted to protect the share with password, is warned in a way that he/she cannot proceed without a proper password which is really set to the share. Share should not be made public if the intented password is not working.