CSRF check failed after upgrade to 9.1

cipher · July 21, 2016, 4:21pm

Steps to reproduce

did an upgrade from latest 9.0.x version to 9.1 via apt-get update && apt-get upgrade → no errors
run occ upgrade → no errors
disabled maintenance mode

Actual behaviour
when trying to login via web-page it shows: Access forbidden (Zugriff verboten) CSRF check failed.
windows clients also can not connect to owncloud server

Server configuration
server based on vmware image provided from owncloud and regularly updated/upgraded to latest version.
Operating system: ubuntu

anon30676603 · July 21, 2016, 4:24pm

Maybe related to:

github.com/owncloud/core

File Sharing stack overflow, memory issue, crash, CSRF issue on 9.1.0

opened 03:20PM - 21 Jul 16 UTC

closed 03:22PM - 16 Aug 16 UTC

Revisor01

Type:Bug feature:sharing regression sev1-critical

### Steps to reproduce 1. Upgrade to owncloud 9.1 2. Login 3. It shows CSRF chec…k failed 4. Deactivated files_sharing via occ 5. Login workes ### Expected behaviour Login and works ### Actual behaviour shows CSRF check failed ### Server configuration **Operating system**: **Web server:** all-inkl.com **Database:** 5.6.30 **PHP version:** 5.6.23 **ownCloud version:** (see ownCloud admin page) 9.1 **Updated from an older ownCloud or fresh install:** updated from 9.0.3 **Where did you install ownCloud from:** Install from tar.bz2 **Signing status (ownCloud 9.0 and above):** ``` Login as admin user into your ownCloud and access http://example.com/index.php/settings/integrity/failed paste the results here. ``` **List of activated apps:** Enabled: - activity: 2.3.2 - calendar: 1.2.2 - comments: 0.3.0 - contacts: 1.3.1.0 - dav: 0.2.5 - federatedfilesharing: 0.3.0 - federation: 0.1.0 - files: 1.5.1 - files_pdfviewer: 0.8.1 - files_texteditor: 2.1 - files_trashbin: 0.9.0 - files_sharing 0.10.0 - files_versions: 1.3.0 - files_videoplayer: 0.9.8 - gallery: 15.0.0 - notifications: 0.3.0 - provisioning_api: 0.5.0 - systemtags: 0.3.0 - updatenotification: 0.2.1 Disabled: - encryption - external - files_antivirus - files_external - firstrunwizard - templateeditor - user_external - user_ldap **The content of config/config.php:** $CONFIG = array ( 'trusted_domains' => array ( 0 => 'owncloud..de', 1 => 'owncloud..de', 2 => '.de', 3 => 'www.owncloud..de', 4 => 'www.owncloud..de', 5 => '.de', ), 'datadirectory' => '/www/htdocs///ownclouddata/data', 'tempdirectory' => '/www/htdocs///ownclouddata/tmp', 'overwrite.cli.url' => 'http://.de/cloud/owncloud', 'dbtype' => 'mysql', 'version' => '9.1.0.15', 'dbname' => 'd01cd1d3', 'dbhost' => '127.0.0.1', 'dbtableprefix' => 'oc_', 'filesystem_check_changes' => 0, 'dbuser' => 'd01cd1d3', 'dbpassword' => '', 'installed' => true, 'forcessl' => true, 'theme' => '', 'maintenance' => false, 'loglevel' => 3, 'mail_smtpmode' => 'smtp', 'appstore.experimental.enabled' => true, 'mail_from_address' => 'info', 'mail_domain' => 'owncloud.de', 'mail_smtpauthtype' => 'LOGIN', 'mail_smtphost' => 'w01078ba.kasserver.com', 'mail_smtpport' => '465', 'mail_smtpauth' => 1, 'mail_smtpname' => '', 'mail_smtppassword' => '', 'trashbin_retention_obligation' => 'auto', 'enabledPreviewProviders' => array ( 0 => 'OC\Preview\Image', 1 => 'OC\Preview\MP3', 2 => 'OC\Preview\TXT', 3 => 'OC\Preview\MarkDown', 4 => 'OC\Preview\Epub', 5 => 'OC\Preview\PDF', 6 => 'OC\Preview\OpenDocument', 7 => 'OC\Preview\StarOffice', 8 => 'OC\Preview\MSOfficeDoc', 9 => 'OC\Preview\MSOffice2003', 10 => 'OC\Preview\MSOffice2007', ), 'updater.secret' => '', 'mail_smtpsecure' => 'ssl', ); **Are you using external storage, if yes which one:** local/smb/sftp/... **Are you using encryption:** yes/no no **Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/... ### Client configuration **Browser:** Chrome **Operating system:** Mac OSX 10.11.6 ### Logs #### Web server error log {"reqId":"V5DHUlUNh8EAAC3bt5kAAAAk","remoteAddr":"217.93.9.75","app":"core","message":"starting upgrade from 9.0.1.3 to 9.1.0.15","level":0,"time":"2016-07-21T13:00:03+00:00","method":"GET","url":"\/core\/ajax\/update.php?requesttoken=%3D%%3D","user":"--"} {"reqId":"V5DHUlUNh8EAAC3bt5kAAAAk","remoteAddr":"217.93.9.75","app":"core","message":"Exception: {\"Exception\":\"Exception\",\"Message\":\"Die Anwendung konnte nicht installiert werden, weil Sie nicht mit dieser Version von ownCloud kompatibel ist.\",\"Code\":0,\"Trace\":\"#grity(Array, '\\/www\\/htdocs\\/w01...', '\\/www\\/htdocs\\/w01...', false)\n#1 \\/www\\/htdocs\\/w01078ba\\/simon\\/cloud\\/owncloud\\/lib\\/private\\/Installer.php(263): OC\\Installer::updateApp(Array)\n#2 \\/www\\/htdocs\\/w01078ba\\/simon\\/cloud\\/owncloud\\/lib\\/private\\/Updater.php(454): OC\\Installer::updateAppByOCSId('164356')\n#3 \\/www\\/htdocs\\/w01078ba\\/simon\\/cloud\\/owncloud\\/lib\\/private\\/Updater.php(254): OC\\Updater->upgradeAppStoreApps(Array)\n#4 \\/www\\/htdocs\\/w01078ba\\/simon\\/cloud\\/owncloud\\/lib\\/private\\/Updater.php(150): OC\\Updater->doUpgrade('9.1.0.15', '9.0.1.3')\n#5 \\/www\\/htdocs\\/w01078ba\\/simon\\/cloud\\/owncloud\\/core\\/ajax\\/update.php(193): OC\\Updater->upgrade()\n#6 {main}\",\"File\":\"\\/www\\/htdocs\\/w01078ba\\/simon\\/cloud\\/owncloud\\/lib\\/private\\/Installer.php\",\"Line\":377}","level":3,"time":"2016-07-21T13:02:21+00:00","method":"GET","url":"\/core\/ajax\/update.php?requesttoken=I3g2NToLJgUlehQpPikjBWMvOQMBV2wbOgQyOzwgN2U%3D%3AfSRxkQHLRIfSJLAsZFmNMb4BcfhZfNO5pfFUDm96pio%3D","user":"--"} #### ownCloud log (data/owncloud.log) #### Browser log ``` Insert your browser log here, this could for example include: a) The javascript console log b) The network log c) ... ```

cipher · July 21, 2016, 4:38pm

thanks, disabling files_sharing via occ worked. I can login to owncloud.

But, I am using this feature quite often to share links. How can I get this functionality back?

anon30676603 · July 21, 2016, 4:39pm

The issue has been reported at the bugtracker as you can see above. You can subscribe to that issue to get informed if a solution is provided there.

cipher · July 21, 2016, 4:40pm

thanks for the quick support!

ruuskil · July 21, 2016, 5:35pm

I had the same problem. Clients were not able to log in but I was allowed to log in as adminstrator and I disabled the file sharing app from the admin panel. Now my clients can log in but can’t share the files of course. I hope you fix this soon because file sharing is one of the key reasons we use OC…

PVince81 · July 22, 2016, 6:34am

Please also post your details in the ticket, the more clues the better

sonicelo · July 28, 2016, 8:40am

I have the same problem.

After yum update, it updated to latest version on CentOS 7. The database update went fine, but now I am unable to log in anymore, neither as a user or administrator.

How can I help to supply more information?

How can I disable the files_sharing?
I used sudo -u apache php occ app:disable files_sharing but it did not help.

Kind regards

EDIT:
List of enabled/disabled apps:

Enabled:

activity: 2.3.2

comments: 0.3.0

dav: 0.2.5

federatedfilesharing: 0.3.0

federation: 0.1.0

files: 1.5.1

files_pdfviewer: 0.8.1

files_texteditor: 2.1

files_trashbin: 0.9.0

files_versions: 1.3.0

files_videoplayer: 0.9.8

firstrunwizard: 1.1

gallery: 15.0.0

notifications: 0.3.0

provisioning_api: 0.5.0

systemtags: 0.3.0

templateeditor: 0.1

updatenotification: 0.2.1

user_external: 0.4
Disabled:

encryption

external

files_antivirus

files_external

files_sharing

user_ldap

anon30676603 · July 28, 2016, 8:47am

As this is a known bug and everything is currently discussed in File Sharing stack overflow, memory issue, crash, CSRF issue on 9.1.0 · Issue #25557 · owncloud/core · GitHub i’m closing here. Please follow the discussion there until a solution/fix is provided there.

If disabling the files_sharing app doesn’t work (people have also reported that at the link) revert to your backup before you have upgraded to oC 9.1.0 for now.