webdav/profind issue on admin overview page #12685

Closed
jean-io opened this issue Nov 27, 2018 · 12 comments · Fixed by #19578
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug needs info

Comments

@jean-io

jean-io commented Nov 27, 2018

Hello,

When I go to my admin settings page, I have a message saying "Your web server is not yet properly set up to allow file synchronization, because the WebDAV interface seems to be broken." After investigating I found the following bug:

Steps to reproduce

  1. log in as admin
  2. go to overview page in admin settings
  3. open developer tools and go to network tab
  4. reload the page and find the line PROPFIND webdav (see image below)

Actual behaviour

The request sent to the server is <?xml version: "1.0"?><d:propfind xmlns:d, which is probably incomplete.
The other PROPFIND requests, for caldav and carddav, have empty request bodies.

I also use webdav with this installation of Nextcloud and there is no issue.

Expected behaviour

No content as parameter for PROPFIND webdav?

Server configuration

I am running Nextcloud 14.0.3 on Archlinux with PHP 7.2 and Apache 2.4. I also added modSecurity, which is why I get an error 500 (see image below). modSecurity finds that <?xml version: "1.0"?><d:propfind xmlns:d looks like an XSS attack and ends the connection with an error.

(image: screenshot of the browser network tab)

Thanks for Nextcloud 👍

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #3738 (Webdav), #5947 (webDAV PROPFIND), #6773 (Migration overview issues), #12042 (WebDav issue with One Drive), and #11804 (https windows webdav issue ).

@ChristophWurst
Member

This cut off request is very weird. Can you reproduce with other browsers as well? Is it possibly one of your extensions that mangles the request?

@jean-io
Author

jean-io commented Nov 30, 2018

I will try with another browser when I get home.

Regarding extensions, here is the list of active apps installed on my Nextcloud setup:

  • Accessibility 1.0.1 Official
  • Activity 2.7.0 Official
  • Auditing / Logging 1.4.0 Official
  • Brute-force settings 1.2.0 Official
  • Calendar 1.6.4 Official
  • Checksum 0.4.1
  • Collaborative tags 1.4.0 Official
  • Comments 1.4.0 Official
  • Contacts 2.1.7 Official
  • Default encryption module 2.2.0 Official
  • Deleted files 1.4.1 Official
  • Federation 1.4.0 Official
  • File sharing 1.6.2 Official
  • First run wizard 2.3.0 Official
  • Gallery 18.1.0 Official
  • Log Reader 2.0.0 Official
  • Mail 0.11.0 Official
  • Metadata 0.8.0
  • Monitoring 1.4.0 Official
  • Nextcloud announcements 1.3.0 Official
  • Notifications 2.2.1 Official
  • Password policy 1.4.0 Official
  • PDF viewer 1.3.2 Official
  • Share by mail 1.4.0 Official
  • Social sharing via email 1.0.4 Official
  • Social sharing via Facebook 1.0.3 Official
  • Support 1.0.0 Official
  • Talk 4.0.1 Official
  • Tasks 0.9.8
  • Text editor 2.6.0 Official
  • Theming 1.5.0 Official
  • Two Factor TOTP Provider 1.5.0 Official
  • Update notification 1.4.1 Official
  • Usage survey 1.2.0 Official
  • Versions 1.7.1 Official
  • Video player 1.3.0 Official

Most of them are official, I don't think this issue is related to an app.

@jean-io
Author

jean-io commented Nov 30, 2018

I also updated to Nextcloud 14.0.4 and this bug is still present.

@ChristophWurst
Member

I meant browser extensions rather than Nextcloud apps.

@jean-io
Author

jean-io commented Dec 4, 2018

Hello,

On OSX with Chrome -> no issue
On OSX with Firefox -> issue is present
On Windows with Firefox -> issue present

The only plugin present on my Firefox is Adblock. The bug persists when Adblock is disabled.

What I do not understand is why there is form data for testing webdav but not on caldav and carddav.

@ChristophWurst
Member

> What I do not understand is why there is form data for testing webdav but not on caldav and carddav.

caldav and carddav are based on webdav

@jean-io
Author

jean-io commented Dec 5, 2018

I know, so why is testing webdav different from testing caldav and carddav? This bug is not present on carddav and caldav...

I see that the tag 'needs info' is still present, what more do you need? Can you replicate?

@baoang

baoang commented Jan 22, 2019

Similar issue.

I noticed @Ricain has installed Modsecurity, and I believe from my perspective the issue of not passing the nextcloud security check is related to the Modsecurity config, or False positive alarming.

My workaround is to check the log file and locate where the problem is, and then add a few lines to Apache's vhost config file.

    <Directory "/path/to/your/nextcloud/installationDir/">
        <IfModule security2_module>
            SecRuleRemoveById 949110
        </IfModule>
    </Directory>

My ModSecurity version: modsecurity-2.9.3
Rules: owasp-modsecurity-crs-3.1.0

@jean-io
Author

jean-io commented Feb 13, 2019

@baoang you are right for the security check, but this issue is about why the PROPFIND request for the webdav check sends a partial header while the PROPFIND requests for the caldav and carddav checks do not (the headers for caldav and carddav are empty).

This partial webdav header is not allowed by owasp-modsecurity-crs. In my local network (at home), where modsecurity is disabled for private IP ranges, the webdav check is OK, but the header sent for that check is still partial. So it's not a modsecurity-related issue.

At least I am not alone with this issue 🙂

@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Jun 12, 2019
@kesselb
Contributor

kesselb commented Jan 16, 2020

The content type is wrong. The request is sent with application/x-www-form-urlencoded; charset=UTF-8 but should be application/xml; charset=utf-8.

Index: core/js/setupchecks.js
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- core/js/setupchecks.js	(revision 5de3ea04170afd25a31f249a922feb3f9b189242)
+++ core/js/setupchecks.js	(date 1579200483572)
@@ -40,6 +40,7 @@
 						'<d:propfind xmlns:d="DAV:">' +
 						'<d:prop><d:resourcetype/></d:prop>' +
 						'</d:propfind>',
+				contentType: 'application/xml; charset=utf-8',
 				complete: afterCall,
 				allowAuthErrors: true
 			});
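Review bot: the added `contentType: 'application/xml; charset=utf-8'` line only corrects this one PROPFIND call, so it is worth confirming that the `data` value stays a raw string (the concatenated `'<d:propfind xmlns:d="DAV:">' + ...` body shown in the context lines) rather than an object the client library would serialize as key=value pairs, otherwise the header and body would still disagree. A one-line comment above the new line explaining why the explicit type is needed (a body labelled form-urlencoded is parsed as form arguments by WAF rules such as the CRS rule cited earlier in this thread, which is how the XML ended up looking like an XSS payload) would save the next reader from removing it as redundant.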

Are you able to enable the modsecurity rule again with the above patch?
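An added illustration of why the content type matters, written for this thread and not taken from the Nextcloud code base: a receiver that trusts the application/x-www-form-urlencoded label (a WAF, a server-side form parser, or browser dev tools showing "form data") splits the PROPFIND body on `&` and at the first `=`, so the XML turns into a bogus key/value pair and the rule engine inspects a fragment of XML as if it were a form argument. The PROPFIND body is the one quoted in the patch above; the `/remote.php/webdav/` URL is a hypothetical placeholder, and `isXmlBodyMislabelled` is a helper invented here for the check.

```javascript
// Added example (not code from the Nextcloud project): shows how an XML body
// labelled as form data is misparsed, and what a consistent request looks like.

// The PROPFIND body that core/js/setupchecks.js sends, as quoted in the thread.
const PROPFIND_BODY =
  '<?xml version="1.0"?>' +
  '<d:propfind xmlns:d="DAV:">' +
  '<d:prop><d:resourcetype/></d:prop>' +
  '</d:propfind>';

// How a receiver interprets a body it believes is application/x-www-form-urlencoded:
// split on '&', then each pair at its first '='. URLSearchParams implements exactly
// that parsing, so it reproduces what a WAF or form parser would see.
function parseAsForm(body) {
  return Array.from(new URLSearchParams(body).entries());
}

// Flag a request whose body is XML but whose declared media type is not an XML type.
// This is the check a defender would run (in a proxy log review or a test suite)
// to catch header/body mismatches before a WAF turns them into false positives.
function isXmlBodyMislabelled(contentType, body) {
  const looksXml = /^\s*<\?xml|^\s*<[a-zA-Z]/.test(body);
  const declaredType = contentType.split(';')[0].trim().toLowerCase();
  const xmlTypes = ['application/xml', 'text/xml'];
  return looksXml && !xmlTypes.includes(declaredType) && !declaredType.endsWith('+xml');
}

// Request options with header and body in agreement, as the thread's patch makes them.
// The URL is a hypothetical placeholder, not a path taken from the thread.
function buildPropfindRequest(url) {
  return {
    url,
    method: 'PROPFIND',
    contentType: 'application/xml; charset=utf-8',
    data: PROPFIND_BODY,
  };
}

// Stand-alone demonstration: the misparse yields one pair whose key is the
// truncated XML prolog, which is what a form-aware rule set would inspect.
for (const [key, value] of parseAsForm(PROPFIND_BODY)) {
  console.log('form-parsed key  :', JSON.stringify(key));
  console.log('form-parsed value:', JSON.stringify(value));
}
console.log('mislabelled with form type:',
  isXmlBodyMislabelled('application/x-www-form-urlencoded; charset=UTF-8', PROPFIND_BODY));
console.log('mislabelled with xml type :',
  isXmlBodyMislabelled('application/xml; charset=utf-8', PROPFIND_BODY));
console.log(buildPropfindRequest('/remote.php/webdav/'));
```

The key point for operators: the CRS rule removal shown earlier in the thread silences the symptom, whereas declaring the body's real media type removes the cause, because the WAF no longer has a reason to run form-argument inspection over the XML at all.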

@ghost ghost added the stale Ticket or PR with no recent activity label Feb 15, 2020
@kesselb
Contributor

kesselb commented Feb 16, 2020

cc @ricain @baoang 🏓

@ghost ghost removed the stale Ticket or PR with no recent activity label Feb 16, 2020
@nextcloud nextcloud deleted a comment Feb 16, 2020