Closed as not planned
Labels
0. Needs triage (Pending check for reproducibility or if it fits our roadmap), 26-feedback, bug, feature: dav, feature: sharing, needs info, stale (Ticket or PR with no recent activity)
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on GitHub (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- Nextcloud Server is running on 64bit capable CPU, PHP and OS.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
The direct download link, returned by this API request, does not work if embedded into any other website.
Steps to reproduce
- As an authenticated user, fetch direct download link with POST /ocs/v2.php/apps/dav/api/v1/direct.
- Take direct download link from response and put it into any anchor tag of your website (not nextcloud).
- Open a private browser window (free of cookies) and open the website.
- Click the link.
- Open the website again and click the link again.
Expected behavior
The download behaviour should happen every time I click the link.
Installation method
Community Docker image
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.0
Web server
Apache (supported)
Database engine version
MySQL
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
No response
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
{
"system": {
"htaccess.RewriteBase": "\/",
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost:8080",
"nextcloud.local"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "pgsql",
"version": "24.0.3.2",
"overwrite.cli.url": "http:\/\/localhost:8080",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"allow_local_remote_servers": "1",
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"overwriteprotocol": "https",
"loglevel": 2,
"maintenance": false,
"theme": ""
}
}
List of activated Apps
Enabled:
- accessibility: 1.10.0
- activity: 2.16.0
- bruteforcesettings: 2.4.0
- circles: 24.0.0
- cloud_federation_api: 1.7.0
- collectives: 1.5.1
- comments: 1.14.0
- contacts: 4.2.2
- contactsinteraction: 1.5.0
- dashboard: 7.4.0
- dav: 1.22.0
- federatedfilesharing: 1.14.0
- federation: 1.14.0
- files: 1.19.0
- files_pdfviewer: 2.5.0
- files_rightclick: 1.3.0
- files_sharing: 1.16.2
- files_trashbin: 1.14.0
- files_versions: 1.17.0
- files_videoplayer: 1.13.0
- firstrunwizard: 2.13.0
- groupfolders: 12.0.2
- integration_openproject: 2.1.0
- logreader: 2.9.0
- lookup_server_connector: 1.12.0
- nextcloud_announcements: 1.13.0
- notifications: 2.12.0
- oauth2: 1.12.0
- password_policy: 1.14.0
- photos: 1.6.0
- privacy: 1.8.0
- provisioning_api: 1.14.0
- recommendations: 1.3.0
- serverinfo: 1.14.0
- settings: 1.6.0
- sharebymail: 1.14.0
- spreed: 14.0.6
- support: 1.7.0
- survey_client: 1.12.0
- systemtags: 1.14.0
- text: 3.5.1
- theming: 1.15.0
- twofactor_backupcodes: 1.13.0
- updatenotification: 1.14.0
- user_status: 1.4.0
- viewer: 1.8.0
- weather_status: 1.4.0
- workflowengine: 2.6.0
Disabled:
- admin_audit
- encryption
- files_external
- user_ldap
Nextcloud Signing status
No errors have been found.
Nextcloud Logs
{"reqId":"vifcuHKr0T2v2d9aydgl","level":2,"time":"2022-11-30T12:12:47+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-error-message data provided to provideInitialState by integration_openproject","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","version":"24.0.3.2","data":[]}
{"reqId":"oh7532vEBNTh8ndAnIBT","level":3,"time":"2022-11-30T12:28:25+00:00","remoteAddr":"172.25.0.2","user":"--","app":"PHP","method":"POST","url":"/ocs/v2.php/apps/dav/api/v1/direct","message":"TypeError: OCA\\DAV\\Controller\\DirectController::__construct(): Argument #4 ($userId) must be of type string, null given at /var/www/html/apps/dav/lib/Controller/DirectController.php#63","userAgent":"Apache-HttpClient/4.5.13 (Java/17.0.5)","version":"24.0.3.2","data":{"app":"PHP"}}
{"reqId":"28dSD3V0hhbIMDKuGtsI","level":3,"time":"2022-11-30T12:30:03+00:00","remoteAddr":"172.25.0.2","user":"--","app":"PHP","method":"POST","url":"/ocs/v2.php/apps/dav/api/v1/direct","message":"TypeError: OCA\\DAV\\Controller\\DirectController::__construct(): Argument #4 ($userId) must be of type string, null given at /var/www/html/apps/dav/lib/Controller/DirectController.php#63","userAgent":"Apache-HttpClient/4.5.13 (Java/17.0.5)","version":"24.0.3.2","data":{"app":"PHP"}}
{"reqId":"wmA9bXmSZiLXk2S6F1iT","level":2,"time":"2022-11-30T13:19:15+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-result data provided to provideInitialState by integration_openproject","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","version":"24.0.3.2","data":[]}
{"reqId":"wmA9bXmSZiLXk2S6F1iT","level":2,"time":"2022-11-30T13:19:15+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-error-message data provided to provideInitialState by integration_openproject","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","version":"24.0.3.2","data":[]}
{"reqId":"W57pdtZueQnpWjS20lGB","level":2,"time":"2022-11-30T13:46:03+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-result data provided to provideInitialState by integration_openproject","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","version":"24.0.3.2","data":[]}
{"reqId":"W57pdtZueQnpWjS20lGB","level":2,"time":"2022-11-30T13:46:03+00:00","remoteAddr":"172.25.0.2","user":"admin","app":"no app in context","method":"GET","url":"/apps/dashboard/","message":"Invalid oauth-connection-error-message data provided to provideInitialState by integration_openproject","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0","version":"24.0.3.2","data":[]}
Additional info
The request done by clicking the <a> tag with the target reference returns a 503. It does not happen if executed in a browser without any cookies set for the Nextcloud host. Yet, executing it once opens the NC domain, and doing so sets cookies. Hence, doing it twice, even in a "fresh" browser, leads to the same error behaviour.
For example purposes I used a simple HTML like:
<!DOCTYPE html>
<html>
<head>
<title>Test direct download</title>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<a href="https://YOUR.HOST/remote.php/direct/YOUR_TOKEN">Click me</a>
</body>
</html>
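One possible explanation for the behaviour reported above, as an added example that is not part of the original issue and not Nextcloud's code: it assumes the 503 comes from a server-side check that requires a SameSite=Strict marker cookie whenever any cookie accompanies the request. The cookie names and all function names are constructed for illustration.

```javascript
// Added model of the reported behaviour. Assumption (not confirmed on this
// page): the endpoint rejects requests that carry cookies but lack a
// SameSite=Strict marker cookie. All names below are constructed.

// Cookies the server hands out on a first, cookie-free visit.
const SET_ON_FIRST_VISIT = [
  { name: 'session', sameSite: 'Lax' },
  { name: 'samesite_lax', sameSite: 'Lax' },
  { name: 'samesite_strict', sameSite: 'Strict' },
];

// Browser side: which stored cookies accompany a top-level GET navigation.
// SameSite=Strict cookies are withheld when the click starts on another site;
// SameSite=Lax cookies are still sent.
function cookiesSent(jar, crossSite) {
  return jar
    .filter((c) => !crossSite || c.sameSite !== 'Strict')
    .map((c) => c.name);
}

// Server side: a request without cookies is served and receives cookies.
// A request with cookies must carry both markers, otherwise it gets a 503.
function handleDirectDownload(sent) {
  if (sent.length === 0) {
    return { status: 200, setCookies: SET_ON_FIRST_VISIT };
  }
  const ok = sent.includes('samesite_lax') && sent.includes('samesite_strict');
  return { status: ok ? 200 : 503, setCookies: [] };
}

// Replays a sequence of clicks on the direct link in one browser profile
// and returns the HTTP status of each click.
function replayClicks(clicks) {
  let jar = [];
  return clicks.map(({ crossSite }) => {
    const res = handleDirectDownload(cookiesSent(jar, crossSite));
    if (res.setCookies.length > 0) jar = res.setCookies;
    return res.status;
  });
}

// Two clicks from an external page in a fresh private window.
console.log(replayClicks([{ crossSite: true }, { crossSite: true }]));
```

Under this assumption the first cross-site click succeeds because no cookies exist yet, and every later cross-site click fails because the browser sends the Lax cookies without the Strict one.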