Lower log level when accessing forbidden filenames

MrJoe · June 1, 2025, 12:03pm

I have configured in my config.php some forbidden filenames (e.g. .htaccess, thumbs.db, …) to avoid misuse. Since quiet a while and many major release updates (don’t ask why I ask only now ) I observe a mass of error entries in the log like “InvalidPath “thumbs.db” is a forbidden file or folder name.” as soon as I access (in case of thumbs.db) with a windows machince a directory containing pictures.

Is there any chance to lower the log level in that case (I would not see anything higher than information or even switch of any logging of that event, as it is an intended behaviour)?

I did not find any configuration option to do so and changing the code in FilenameValidator.php is not very long lasting for further updates.

Currently I use Nextcloud 31.0.5 with php 8.2.28 on a Debian 12 machine.

Thanks.

Joe

zomtec2311 · June 1, 2025, 12:27pm

Open the logreader app and look at the settings. Here you can change the log level

MrJoe · June 1, 2025, 1:33pm

Thanks for your quick reply. I’m not 100% sure if I got your proposal correct: you mean to change the log level of Nextcloud by e.g. deactivate to log error events at all?

This would not be my intention, as other error events should be logged. In my case I only want to suppress the error log entry of forbidden filenames as it is flooding my log. Can be done easily, if the log level of forbidden filenames would be information, as per default Nextcloud don’t care about information events (at least in my case it is set to warning and only logs warnings and higher).

Or do you mean to keep logging error events, but hide them from the log viewer. In that case I still would have no chance to see a real error event in the log.

So indeed the solution from my perspective would be either to avoid any log entry in case of forbidden filenames (it’s an intended function) or to be able to set the log level of those events to either Information or debugging. Any chance to realize something like that without patching the code? Or would this be a valid feature request for upcoming versions?

Question to the experts: how would you patch the function checkForbiddenName() in lib/private/files/FilenameValidator.php? Removing the throw new ReservedWordException($this->l10n->t('"%1$s" is a forbidden file or folder name.', [$filename])); would disable the forbidden filenames function at all as the functionality seems to rely on throwing/not throwing an exception (see function isFilenameValid in same file)

jtr · June 1, 2025, 2:37pm

Can you post one of the full log entries with the entire stack trace?

Also, are you using admin_audit by chance?

I thought most of these were only logged through the auditor, but I may be wrong. The filename validation recently went through a rewrite so maybe some of the code paths where these exceptions would be generated are not being caught consistently or something.

MrJoe · June 1, 2025, 3:54pm

I do not use admin_audit.

Here is the raw log entry of one event:
{"reqId":"rmWDsxRMUgMGasTFqmES","level":3,"time":"2025-06-01T15:40:36+00:00","remoteAddr":"-removed_due_to_privacy-","user":"-removed_due_to_privacy-","app":"webdav","method":"PROPFIND","url":"/remote.php/webdav/xyz/Thumbs.db","message":"\"thumbs.db\" is a forbidden file or folder name.","userAgent":"Microsoft-WebDAV-MiniRedir/10.0.26100","version":"31.0.5.1","exception":{"Exception":"OCA\\DAV\\Connector\\Sabre\\Exception\\InvalidPath","Message":"\"thumbs.db\" is a forbidden file or folder name.","Code":0,"Trace":[{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":971,"function":"getNodeForPath","class":"OCA\\DAV\\Connector\\Sabre\\ObjectTree","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1664,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1649,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Server.php","line":49,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"OCA\\DAV\\Connector\\Sabre\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php","line":73,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":145,"args":["/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/ObjectTree.php","Line":78,"message":"\"thumbs.db\" is a forbidden file or folder name.","exception":[],"CustomMessage":"\"thumbs.db\" is a forbidden file or folder name."},"id":"683c7482c268b"}

Do you see anything in the log entry/stack trace?

As mentioned before: everything works fine except the flooding of the log due to “normal” usage. So I would be really happy, if we can omit that log entry in feature by e.g. classifying it as information or debug.