Skip to content

ForbiddenException while using CardDAV when "Allow file system access" turned off and if encryption is enabled #37753

New issue
Jump to bottom
New issue
Jump to bottom
Open
Open
ForbiddenException while using CardDAV when "Allow file system access" turned off and if encryption is enabled#37753
Labels
0. Needs triagePending check for reproducibility or if it fits our roadmap25-feedbackbugfeature: authenticationfeature: carddavRelated to CardDAV internalsfeature: encryption (server-side)
@nickoffff

Description

@nickoffff
nickoffff
opened on Apr 15, 2023

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on Github (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

I am using Contacts app to sync contacts to an iPhone via CardDav. In order to access contacts from the iOS I created an app password. During creation I unset the checkbox "Allow file system access" for security reasons. Everything works fine but the log file is flooded with the exception listed below. When I check "Allow file system access" for the app password then the exception is gone but iOS thus have file access with the rights pertained to user.

Steps to reproduce

  1. Create new app password
  2. Unset "allow file system access"
  3. Configure CardDav on iOS
  4. Sync contacts on iOS

Expected behavior

No exceptions in the log file

Installation method

Community Manual installation with Archive

Nextcloud Server version

25

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***\/nextcloud",
        "dbtype": "mysql",
        "version": "25.0.5.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "dbindex": 0,
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 1.5
        },
        "enable_previews": true,
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown"
        ],
        "log_type": "file",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 2,
        "logtimezone": "Europe\/Berlin",
        "log_rotate_size": 20971520,
        "encryption.legacy_format_support": false,
        "maintenance": false,
        "theme": "",
        "trashbin_retention_obligation": "auto, 30",
        "versions_retention_obligation": "30, auto",
        "default_phone_region": "DE",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtpsecure": "ssl",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mysql.utf8mb4": true,
        "mail_sendmailmode": "smtp",
        "mail_smtpauthtype": "LOGIN"
    }
}

List of activated Apps

Enabled:
  - activity: 2.17.0
  - admin_audit: 1.15.0
  - audioplayer: 3.3.1
  - bruteforcesettings: 2.5.0
  - calendar: 4.3.3
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.2.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - encryption: 2.13.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_external: 1.17.0
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 2.0.1
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.4
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - suspicious_login: 4.3.0
  - systemtags: 1.15.0
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - workflowengine: 2.7.0
Disabled:
  - contactsinteraction: 1.6.0
  - spreed: 15.0.5
  - twofactor_totp
  - user_ldap
  - weather_status: 1.5.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"7BruMtr4SbU2rjCnHicr","level":3,"time":"2023-04-15T12:42:35+02:00","remoteAddr":"*** sensitive parameters replaced ***","user":"*** sensitive parameters replaced ***","app":"no app in context","method":"REPORT","url":"/nextcloud/remote.php/dav/addressbooks/users/*** sensitive parameters replaced ***/kontakte/","message":"This request is not allowed to access the filesystem","userAgent":"iOS/16.4.1 (20E252) dataaccessd/1.0","version":"25.0.5.1","exception":{"Exception":"OC\\ForbiddenException","Message":"This request is not allowed to access the filesystem","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":1181,"function":"mkdir","class":"OC\\Lockdown\\Filesystem\\NullStorage","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/View.php","line":270,"function":"basicOperation","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/lib/private/Encryption/Keys/Storage.php","line":484,"function":"mkdir","class":"OC\\Files\\View","type":"->"},{"file":"/var/www/nextcloud/lib/private/Encryption/Keys/Storage.php","line":337,"function":"keySetPreparation","class":"OC\\Encryption\\Keys\\Storage","type":"->"},{"file":"/var/www/nextcloud/lib/private/Encryption/Keys/Storage.php","line":131,"function":"setKey","class":"OC\\Encryption\\Keys\\Storage","type":"->"},{"file":"/var/www/nextcloud/apps/encryption/lib/KeyManager.php","line":333,"function":"setUserKey","class":"OC\\Encryption\\Keys\\Storage","type":"->"},{"file":"/var/www/nextcloud/apps/encryption/lib/KeyManager.php","line":292,"function":"setPublicKey","class":"OCA\\Encryption\\KeyManager","type":"->"},{"file":"/var/www/nextcloud/apps/encryption/lib/Users/Setup.php","line":53,"function":"storeKeyPair","class":"OCA\\Encryption\\KeyManager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/encryption/lib/Hooks/UserHooks.php","line":179,"function":"setupUser","class":"OCA\\Encryption\\Users\\Setup","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Hook.php","line":106,"function":"login","class":"OCA\\Encryption\\Hooks\\UserHooks","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Server.php","line":621,"function":"emit","class":"OC_Hook","type":"::"},{"function":"OC\\{closure}","class":"OC\\Server","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Hooks/EmitterTrait.php","line":106,"function":"call_user_func_array"},{"file":"/var/www/nextcloud/lib/private/Hooks/PublicEmitter.php","line":40,"function":"emit","class":"OC\\Hooks\\BasicEmitter","type":"->"},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":401,"function":"emit","class":"OC\\Hooks\\PublicEmitter","type":"->"},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":671,"function":"completeLogin","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":354,"function":"loginWithToken","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":452,"function":"login","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Auth.php","line":113,"function":"logClientIn","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php","line":103,"function":"validateUserPass","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Auth.php","line":229,"function":"check","class":"Sabre\\DAV\\Auth\\Backend\\AbstractBasic","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Auth.php","line":136,"function":"auth","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","line":180,"function":"check","class":"OCA\\DAV\\Connector\\Sabre\\Auth","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php","line":135,"function":"check","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"beforeMethod","class":"Sabre\\DAV\\Auth\\Plugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":456,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Server.php","line":360,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v2/remote.php","line":35,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":171,"args":["/var/www/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Lockdown/Filesystem/NullStorage.php","Line":41,"CustomMessage":"--"},"id":"643a7ff2d99a1"}

Additional info

No response

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    0. Needs triagePending check for reproducibility or if it fits our roadmap25-feedbackbugfeature: authenticationfeature: carddavRelated to CardDAV internalsfeature: encryption (server-side)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions