Merge pull request #58975 from nextcloud/enh/42157/hid-warning

miaulalala · web-flow · commit 294e5397f372 · 2026-03-17T19:17:55.000+01:00
fix(initializeSession): only log HMAC problem to critical logs if indeed critical
diff --git a/lib/private/Security/Crypto.php b/lib/private/Security/Crypto.php
@@ -159,7 +159,7 @@ private function decryptWithoutSecret(string $authenticatedCiphertext, string $p
 			}
 		} else {
 			if (!hash_equals($this->calculateHMAC($parts[0] . $parts[1], $hmacKey), $hmac)) {
-				throw new Exception('HMAC does not match.');
+				throw new \RuntimeException('HMAC does not match.');
 			}
 		}
 
diff --git a/lib/private/Session/CryptoSessionData.php b/lib/private/Session/CryptoSessionData.php
@@ -58,6 +58,15 @@ protected function initializeSession() {
 					512,
 					JSON_THROW_ON_ERROR,
 				);
+			} catch (\RuntimeException $e) {
+				// Even though this might be critical in general, we are automatically trying again and will likely succeed.
+				// We only log to info to not spam the logs with a well-known problem the admin cannot do anything about.
+				// See https://github.com/nextcloud/server/issues/42157
+				logger('core')->info('Could not decrypt or decode encrypted session data', [
+					'exception' => $e,
+				]);
+				$this->sessionValues = [];
+				$this->regenerateId(true, false);
 			} catch (\Exception $e) {
 				logger('core')->critical('Could not decrypt or decode encrypted session data', [
 					'exception' => $e,

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ private function decryptWithoutSecret(string $authenticatedCiphertext, string $p`
`159`	`159`	`}`
`160`	`160`	`} else {`
`161`	`161`	`if (!hash_equals($this->calculateHMAC($parts[0] . $parts[1], $hmacKey), $hmac)) {`
`162`		`- throw new Exception('HMAC does not match.');`
	`162`	`+ throw new \RuntimeException('HMAC does not match.');`
`163`	`163`	`}`
`164`	`164`	`}`
`165`	`165`