Okay, I took the step now and updated Nextcloud 16.0.4 => 17.0.0 Beta 2.
Process via web based updater
- I used the web-based updater, since it should be generally slightly more vulnerable. If it fails, often the console-based update method works instead. So when one really wants to help testing, use the web updater; if one wants to stay on the safe side (while still wanting to test Beta versions), use the console-based (occ) update method.
No issues
Incompatible apps
- AppOrder
- Calendar
- Impersonate
- Ransomware protection
Enable untested app
- AppOrder works without issues, icons are ordered as I chose, start app opens as chosen, re-ordering via settings works. No related Nextcloud or server log.
- Calendar works perfectly fine as well, web UI, client (CalDAV) sync, settings, no related log entries.
  EDIT: Got official NC17-compatible update meanwhile.
- Impersonate works fine as well. I am wondering why impersonating a user produces two warnings in logs. This should be infos instead since for users/admins with sufficient permissions this is expected. However, no other logs that would indicate an error.
  EDIT: Got official NC17-compatible update meanwhile.
- Ransomware protection fails with a massive secondly repeating error message:
  EDIT: This has been fixed with a new app release, works well now!
[no app in context] Error: InvalidArgumentException: Notifier Ransomware-Schutz (id: ransomware_protection) is not considered because it is using the old way to register. at <<closure>>
0. /var/www/nextcloud/apps/ransomware_protection/lib/AppInfo/Application.php line 86
OC\Notification\Manager->registerNotifier(Closure {}, Closure {})
1. /var/www/nextcloud/apps/ransomware_protection/lib/AppInfo/Application.php line 46
OCA\RansomwareProtection\AppInfo\Application->registerNotificationNotifier()
2. /var/www/nextcloud/apps/ransomware_protection/appinfo/app.php line 25
OCA\RansomwareProtection\AppInfo\Application->register()
3. /var/www/nextcloud/lib/private/legacy/app.php line 260
undefinedundefinedrequire_once("/var/www/nextcl ... p")
4. /var/www/nextcloud/lib/private/legacy/app.php line 154
OC_App::requireAppFile(OCA\RansomwarePr ... {})
5. /var/www/nextcloud/lib/private/legacy/app.php line 127
OC_App::loadApp("ransomware_protection")
6. /var/www/nextcloud/lib/base.php line 985
OC_App::loadApps()
7. /var/www/nextcloud/index.php line 42
OC::handleRequest()
POST /nextcloud/settings/apps/disable from 149.233.241.245 by Micha
at 2019-08-25T15:20:58+02:10
Other error log entries
[cron] Error: Error: Call to a member function getTime() on null at <<closure>>
0. /var/www/nextcloud/lib/public/BackgroundJob/QueuedJob.php line 46
OCP\BackgroundJob\Job->execute(OC\BackgroundJob\JobList {}, OC\Log {})
1. /var/www/nextcloud/cron.php line 124
OCP\BackgroundJob\QueuedJob->execute(OC\BackgroundJob\JobList {}, OC\Log {})
at 2019-08-25T15:15:03+02:00
Occurred only once during the first 15-minutely cron job after the update. The next cron jobs ran without any error, so I guess it was a one-time error.
Affected server config
The X security headers are implemented in a different way now:
- X-Frame-Options "SAMEORIGIN" has been added to .htaccess and is expected to be set manually in non-Apache (non-htaccess capable) webserver configs, otherwise the admin panel will print a warning. This aligns this security header with the other ones, so it is sent not only by PHP (script internally) but by the webserver itself.
- All security headers got the always option, which means that they are sent as well with non-2xx answers, e.g. 30x (redirection) and 40x (error).
- The example Nginx config has already been updated to reflect these changes: NGINX configuration — Nextcloud latest Administration Manual latest documentation
  Although there are still some minor flaws in it: Update Nginx subdir headers to match webroot config by MichaIng · Pull Request #1597 · nextcloud/documentation · GitHub
If you have other web sites/applications on the same webserver, e.g. Nextcloud only being one sub directory, AND it is Apache, then this as well means the following:
- Apache maintains two separate tables for headers. One for 2xx-only headers (without always option) and one for headers with always option. This means that headers can be sent doubled as 2xx response, if they were added to both tables.
- Nextcloud still does not like this, and the admin panel will show a warning about each security header that is sent doubled (added to both tables).
- So this means, to get rid of the warning, you can either:
  - Set/Add all headers, applied to webroot, only with the always option, so the 2xx-only response table stays empty.
  - Or unset all 2xx-only headers within your Nextcloud vhost/dir config.
New apps
The new Text app is installed and enabled by default. See the related news:
- It seems to work well, however I just recognised it due to info channel log entries every 15 minutes (system cron):