Bug description
I noticed this using nextcloudcmd to sync to my server with a webroot of '/nextcloud'... the sync would perform a query for /nextcloud/status.php and would receive the cookies:
However, further connections would fail with precondition failed and the server logging "Request does not pass strict cookie check" errors.
The bug appears to be caused by the session not being created for status.php requests (see lib/base.php:391), where the session is only started if the script is not status.php. This results in the wrong samesite cookies being sent, with the "__Host-" prefix (see lib/base.php:496), because the session cookie path is "/". As the session later has a path of "/nextcloud", later requests validate samesite cookies without the "__Host-" prefix and fail.
The fix is as simple as not sending the samesite cookies for status.php requests as they will not be correctly named.
I have a simple patch I'll attach here, but I could easily supply a PR if that's easier...
nextcloud.patch
Steps to reproduce
Expected behavior
Sync completes
Nextcloud Server version
31
Operating system
Other
PHP engine version
PHP 8.3
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
Configuration report
{
  "system": {
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "31.0.7.1",
    "installedat": "1330837776.1564",
    "lastupdatedat": "1332112178.9197",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "default_phone_region": "US",
    "installed": true,
    "forcessl": true,
    "forbidden_filenames": [
      ".htaccess"
    ],
    "enablebackup": false,
    "enable_previews": true,
    "preview_max_x": 4096,
    "preview_max_y": 4096,
    "preview_libreoffice_path": "\/usr\/bin\/libreoffice",
    "preview_office_cl_parameters": "",
    "enabledPreviewProviders": [
      "OC\\Preview\\PNG",
      "OC\\Preview\\JPEG",
      "OC\\Preview\\GIF",
      "OC\\Preview\\HEIC",
      "OC\\Preview\\BMP",
      "OC\\Preview\\XBitmap",
      "OC\\Preview\\MP3",
      "OC\\Preview\\TXT",
      "OC\\Preview\\MarkDown"
    ],
    "enable_avatars": true,
    "overwrite.cli.url": "https:\/\/www.example.net\/nextcloud",
    "overwritehost": "",
    "overwriteprotocol": "",
    "overwritewebroot": "\/nextcloud",
    "overwritecondaddr": "",
    "theme": "",
    "default_language": "en",
    "3rdpartyroot": "",
    "3rdpartyurl": "",
    "defaultapp": "files",
    "knowledgebaseenabled": true,
    "appstoreenabled": false,
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpdebug": false,
    "mail_smtpmode": "smtp",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "25",
    "mail_smtptimeout": 10,
    "mail_smtpauthtype": "LOGIN",
    "trashbin_retention_obligation": "180, auto",
    "allow_user_to_change_display_name": true,
    "appcodechecker": true,
    "loglevel": 2,
    "log_type": "file",
    "logdateformat": "F d, Y H:i:s",
    "logtimezone": "US\/Pacific",
    "log_query": false,
    "log_authfailip": false,
    "log_rotate_size": 10485760,
    "remember_login_cookie_lifetime": 1296000,
    "session_lifetime": 86400,
    "lost_password_link": "disabled",
    "custom_csp_policy": "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *",
    "xframe_restriction": true,
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "updatechecker": false,
    "has_internet_connection": true,
    "check_for_working_wellknown_setup": true,
    "check_for_working_htaccess": true,
    "check_data_directory_permissions": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "apps_paths": [
      {
        "path": "\/usr\/local\/share\/nextcloud\/apps",
        "url": "\/apps",
        "writable": false
      }
    ],
    "user_backends": [
      {
        "class": "\\OCA\\UserExternal\\IMAP",
        "arguments": [
          "localhost"
        ]
      }
    ],
    "maintenance": false,
    "openssl": [],
    "singleuser": false,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
      "host": "***REMOVED SENSITIVE VALUE***",
      "port": 0,
      "dbindex": 0,
      "timeout": 1.5
    },
    "trusted_domains": [
      "example.net",
      "www.example.net"
    ],
    "secret": "***REMOVED SENSITIVE VALUE***",
    "htaccess.RewriteBase": "\/nextcloud",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "csrf.optout": [
      "\/^WebDAVFS\/",
      "\/^Microsoft-WebDAV-MiniRedir\/"
    ],
    "simpleSignUpLink.shown": false,
    "mysql.utf8mb4": true,
    "upgrade.disable-web": true,
    "updater.release.channel": "stable",
    "app_install_overwrite": [
      "ocr",
      "user_external"
    ],
    "bulkupload.enabled": true,
    "maintenance_window_start": 10
  }
}
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
No response
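As an added example that is not part of the report or of Nextcloud's code, the following Python model reproduces the cookie-name mismatch described in the bug description and shows the effect of the proposed fix (not issuing the samesite cookies for status.php). The webroot, the request sequence, the rule that "__Host-" is prefixed only for Secure cookies with Path=/, and the rule that the strict check is enforced only once the client presents cookies are modelled assumptions.

```python
# Added example, not Nextcloud's code: a simplified model of the cookie-name
# mismatch the report describes. Modelled assumptions: the "__Host-" prefix is
# used only when the cookie is Secure and scoped to Path=/; status.php does not
# start the session, so its session cookie path stays at PHP's default "/"
# while other scripts use the webroot; the strict check is enforced only when
# the client already presents cookies.

WEBROOT = "/nextcloud"  # the reporter's webroot
SCRIPTS = ("status.php", "remote.php", "remote.php")  # nextcloudcmd-like sequence


def protected_cookie_name(name: str, secure: bool, path: str) -> str:
    """__Host- cookies must be Secure with Path=/, so the prefix follows the path."""
    return ("__Host-" if secure and path == "/" else "") + name


def session_cookie_path(script: str) -> str:
    """status.php skips session start (default path); other scripts use the webroot."""
    return "/" if script == "status.php" else WEBROOT


def send_same_site_cookies(jar: dict, script: str) -> None:
    """Emit both sameSite marker cookies, named for the current session cookie path."""
    path = session_cookie_path(script)
    for policy in ("lax", "strict"):
        jar[protected_cookie_name(f"nc_sameSiteCookie{policy}", True, path)] = "true"


def handle_request(jar: dict, script: str, fixed: bool) -> int:
    """Return the HTTP status the modelled server answers with; jar is the client's cookies."""
    if script == "status.php":
        if not fixed:  # the bug: markers issued under the "__Host-" name
            send_same_site_cookies(jar, script)
        return 200
    if not jar:  # no cookies yet: issue correctly named markers and proceed
        send_same_site_cookies(jar, script)
        return 200
    expected = protected_cookie_name("nc_sameSiteCookiestrict", True, session_cookie_path(script))
    return 200 if jar.get(expected) == "true" else 412  # "Request does not pass strict cookie check"


def sync(fixed: bool) -> list[int]:
    """Run the request sequence with a fresh cookie jar and collect the statuses."""
    jar: dict = {}
    return [handle_request(jar, script, fixed) for script in SCRIPTS]


if __name__ == "__main__":
    print("buggy:", sync(fixed=False))  # [200, 412, 412]
    print("fixed:", sync(fixed=True))   # [200, 200, 200]
```

The buggy run stores the markers as "__Host-nc_sameSiteCookie…" after status.php, so every later request looks for the unprefixed name and is rejected with 412; with the fix the first non-status request issues correctly named markers and the sequence completes.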