CSRF check failed when trying to share files

mackerl · January 13, 2021, 4:43pm

This is the log with http traffic:

01-13 17:33:59:643 [ info gui.folder ]:	Trying to check "https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/" for changes via ETag check. (time since last sync: 173 s)
01-13 17:33:59:643 [ debug gui.folder.manager ]	[ OCC::FolderMan::slotRunOneEtagJob ]:	Scheduling "https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/" to check remote ETag
01-13 17:33:59:643 [ info sync.accessmanager ]:	6 "PROPFIND" "https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/" has X-Request-ID "89cfad4d-87d6-4f49-a35a-c2ef5a22c954"
01-13 17:33:59:643 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:33:59:643 [ info sync.httplogger ]:	"89cfad4d-87d6-4f49-a35a-c2ef5a22c954: Request: PROPFIND https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/ Header: { Depth: 0, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Content-Type: text/xml; charset=utf-8, X-Request-ID: 89cfad4d-87d6-4f49-a35a-c2ef5a22c954, Content-Length: 105, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: [<?xml version=\"1.0\" ?>\n<d:propfind xmlns:d=\"DAV:\">\n  <d:prop>\n    <d:getetag/>\n  </d:prop>\n</d:propfind>\n]"
01-13 17:33:59:644 [ info sync.networkjob ]:	OCC::RequestEtagJob created for "https://REMOVED-URL-FOR-PRIVACY" + "/" "OCC::Folder"
01-13 17:34:00:132 [ info sync.httplogger ]:	"89cfad4d-87d6-4f49-a35a-c2ef5a22c954: Response: PROPFIND 207 https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/ Header: { Content-Type: application/xml; charset=utf-8, Transfer-Encoding: chunked, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:33:59 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Content-Security-Policy: default-src 'none';, Vary: Brief,Prefer, DAV: 1, 3, extended-mkcol, 2, } Data: [<?xml version=\"1.0\"?>\n<d:multistatus xmlns:d=\"DAV:\" xmlns:s=\"http://sabredav.org/ns\" xmlns:oc=\"http://owncloud.org/ns\"><d:response><d:href>/remote.php/dav/files/martin.privat/</d:href><d:propstat><d:prop><d:getetag>&quot;9cae2c6972489b9cc67f42a06b48d3d5&quot;</d:getetag></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response></d:multistatus>\n]"
01-13 17:34:00:132 [ info sync.networkjob.etag ]:	Request Etag of QUrl("https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/") FINISHED WITH STATUS "OK"
01-13 17:34:00:133 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::RequestEtagJob finished for "/"
01-13 17:34:00:618 [ info gui.socketapi ]:	Received SocketAPI message <-- "GET_MENU_ITEMS:/Users/martin/ownCloud/file-to-be-shared.png" from SocketApiSocket(0x600002650bc0)
01-13 17:34:00:618 [ info gui.socketapi ]:	Sending SocketAPI message --> "GET_MENU_ITEMS:BEGIN" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:618 [ debug sync.database.sql ]	[ OCC::SqlQuery::bindValue ]:	SQL bind 1 4733511307310152863
01-13 17:34:00:618 [ debug sync.database.sql ]	[ OCC::SqlQuery::exec ]:	SQL exec "SELECT path, inode, modtime, type, md5, fileid, remotePerm, filesize,  ignoredChildrenRemote, contentchecksumtype.name || ':' || contentChecksum FROM metadata  LEFT JOIN checksumtype as contentchecksumtype ON metadata.contentChecksumTypeId == contentchecksumtype.id WHERE phash=?1"
01-13 17:34:00:618 [ debug sync.database.sql ]	[ OCC::SqlQuery::bindValue ]:	SQL bind 1 4733511307310152863
01-13 17:34:00:618 [ debug sync.database.sql ]	[ OCC::SqlQuery::exec ]:	SQL exec "SELECT path, inode, modtime, type, md5, fileid, remotePerm, filesize,  ignoredChildrenRemote, contentchecksumtype.name || ':' || contentChecksum FROM metadata  LEFT JOIN checksumtype as contentchecksumtype ON metadata.contentChecksumTypeId == contentchecksumtype.id WHERE phash=?1"
01-13 17:34:00:618 [ info gui.socketapi ]:	Sending SocketAPI message --> "MENU_ITEM:SHARE::Teilen…" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:619 [ info gui.socketapi ]:	Sending SocketAPI message --> "MENU_ITEM:COPY_PUBLIC_LINK::Öffentlichen Link in die Zwischenablage kopieren" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:619 [ info gui.socketapi ]:	Sending SocketAPI message --> "MENU_ITEM:COPY_PRIVATE_LINK::Privater Link in die Zwischenablage kopiert" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:620 [ info gui.socketapi ]:	Sending SocketAPI message --> "MENU_ITEM:OPEN_PRIVATE_LINK::Im Browser öffnen" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:620 [ info gui.socketapi ]:	Sending SocketAPI message --> "MENU_ITEM:OPEN_PRIVATE_LINK_VERSIONS::Zeige Dateiversionen im Browser" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:620 [ info gui.socketapi ]:	Sending SocketAPI message --> "GET_MENU_ITEMS:END" to SocketApiSocket(0x600002650bc0)
01-13 17:34:02:143 [ warning default ]:	QString::arg: 2 argument(s) missing in <p>Version %1. Weitere Informationen unter <a href="%3">https://%4</a></p><p>Für bekannte Fehler und die Hilfe, besuchen Sie bitte: <a href="https://central.owncloud.org/c/desktop-client">https://central.owncloud.org</a></p><p><small>Von Klaas Freitag, Daniel Molkentin, Olivier Goffart, Markus Götz, Jan-Christoph Borchardt,  Thomas Müller, Dominik Schmidt, Michael Stingl, Hannah von Reth und anderen.</small></p><p>Copyright ownCloud GmbH</p><p>Lizenziert unter den Bedingungen der GNU General Public License (GPL) Version 2.0.<br/>%5 und das %5 Logo sind eingetragene Warenzeichen von %4 in den USA, anderen Ländern, oder beidem.</p>
01-13 17:34:04:742 [ info gui.socketapi ]:	Received SocketAPI message <-- "COPY_PUBLIC_LINK:/Users/martin/ownCloud/file-to-be-shared.png" from SocketApiSocket(0x600002650bc0)
01-13 17:34:04:742 [ debug gui.socketapi.publiclink ]	[ OCC::GetOrCreatePublicLinkShare::run ]:	Fetching shares
01-13 17:34:04:742 [ info sync.accessmanager ]:	6 "GET" "https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json" has X-Request-ID "89b35df2-b44e-4627-84fa-dc3a9f02ee14"
01-13 17:34:04:742 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:34:04:742 [ info sync.httplogger ]:	"89b35df2-b44e-4627-84fa-dc3a9f02ee14: Request: GET https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Ocs-APIREQUEST: true, Content-Type: application/x-www-form-urlencoded, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: 89b35df2-b44e-4627-84fa-dc3a9f02ee14, Content-Length: 0, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: []"
01-13 17:34:04:743 [ info sync.networkjob ]:	OCC::OcsShareJob created for "https://REMOVED-URL-FOR-PRIVACY" + "ocs/v1.php/apps/files_sharing/api/v1/shares" ""
01-13 17:34:05:151 [ info sync.httplogger ]:	"89b35df2-b44e-4627-84fa-dc3a9f02ee14: Response: GET 200 https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Content-Type: application/json; charset=utf-8, Content-Length: 128, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:34:04 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Cache-Control: no-cache, no-store, must-revalidate, Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self', } Data: [{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}]"
01-13 17:34:05:151 [ warning gui.sharing.ocs ]:	Reply to "GET" QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares") (QPair("path","/file-to-be-shared.png"), QPair("reshares","true")) has unexpected status code: 996 "{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}"
01-13 17:34:05:151 [ warning gui.socketapi.publiclink ]:	Share fetch/create error 996 "CSRF check failed"
01-13 17:34:05:151 [ debug sync.database.sql ]	[ OCC::SqlQuery::bindValue ]:	SQL bind 1 4733511307310152863
01-13 17:34:05:151 [ debug sync.database.sql ]	[ OCC::SqlQuery::exec ]:	SQL exec "SELECT path, inode, modtime, type, md5, fileid, remotePerm, filesize,  ignoredChildrenRemote, contentchecksumtype.name || ':' || contentChecksum FROM metadata  LEFT JOIN checksumtype as contentchecksumtype ON metadata.contentChecksumTypeId == contentchecksumtype.id WHERE phash=?1"
01-13 17:34:05:151 [ info gui.application ]:	Opening share dialog "/file-to-be-shared.png" "/Users/martin/ownCloud/file-to-be-shared.png" QFlags(0x1|0x2|0x4|0x8|0x10)
01-13 17:34:05:152 [ info sync.accessmanager ]:	2 "" "https://REMOVED-URL-FOR-PRIVACY/index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png" has X-Request-ID "12a1a895-95f1-4bec-998a-97d9d6051bce"
01-13 17:34:05:152 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:34:05:152 [ info sync.httplogger ]:	"12a1a895-95f1-4bec-998a-97d9d6051bce: Request: GET https://REMOVED-URL-FOR-PRIVACY/index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png Header: { Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: 12a1a895-95f1-4bec-998a-97d9d6051bce, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: []"
01-13 17:34:05:152 [ info sync.networkjob ]:	OCC::ThumbnailJob created for "https://REMOVED-URL-FOR-PRIVACY" + "index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png" "OCC::ShareDialog"
01-13 17:34:05:152 [ info sync.accessmanager ]:	6 "PROPFIND" "https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/file-to-be-shared.png" has X-Request-ID "df4b6da1-3171-471c-919c-04933a056366"
01-13 17:34:05:152 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/file-to-be-shared.png") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:34:05:152 [ info sync.httplogger ]:	"df4b6da1-3171-471c-919c-04933a056366: Request: PROPFIND https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/file-to-be-shared.png Header: { Depth: 0, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Content-Type: text/xml; charset=utf-8, X-Request-ID: df4b6da1-3171-471c-919c-04933a056366, Content-Length: 261, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: [<?xml version=\"1.0\" ?>\n<d:propfind xmlns:d=\"DAV:\">\n  <d:prop>\n    <share-permissions xmlns=\"http://open-collaboration-services.org/ns\" />\n    <fileid xmlns=\"http://owncloud.org/ns\" />\n    <privatelink xmlns=\"http://owncloud.org/ns\" />\n  </d:prop>\n</d:propfind>\n]"
01-13 17:34:05:153 [ info sync.networkjob ]:	OCC::PropfindJob created for "https://REMOVED-URL-FOR-PRIVACY" + "/file-to-be-shared.png" ""
01-13 17:34:05:566 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::OcsShareJob finished for "ocs/v1.php/apps/files_sharing/api/v1/shares"
01-13 17:34:05:705 [ info sync.httplogger ]:	"12a1a895-95f1-4bec-998a-97d9d6051bce: Response: GET 200 https://REMOVED-URL-FOR-PRIVACY/index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png Header: { Content-Type: image/png, Content-Length: 16667, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:34:05 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Cache-Control: no-cache, no-store, must-revalidate, Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self', Content-Disposition: inline; filename=\"\", } Data: [16667 bytes of image/png data]"
01-13 17:34:05:707 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::ThumbnailJob finished for "index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png"
01-13 17:34:06:173 [ info sync.httplogger ]:	"df4b6da1-3171-471c-919c-04933a056366: Response: PROPFIND 207 https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/file-to-be-shared.png Header: { Content-Type: application/xml; charset=utf-8, Transfer-Encoding: chunked, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:34:05 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Content-Security-Policy: default-src 'none';, Vary: Brief,Prefer, DAV: 1, 3, extended-mkcol, 2, } Data: [<?xml version=\"1.0\"?>\n<d:multistatus xmlns:d=\"DAV:\" xmlns:s=\"http://sabredav.org/ns\" xmlns:oc=\"http://owncloud.org/ns\"><d:response><d:href>/remote.php/dav/files/martin.privat/file-to-be-shared.png</d:href><d:propstat><d:prop><x1:share-permissions xmlns:x1=\"http://open-collaboration-services.org/ns\">19</x1:share-permissions><oc:fileid>112033</oc:fileid><oc:privatelink>https://REMOVED-URL-FOR-PRIVACY/index.php/f/112033</oc:privatelink></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response></d:multistatus>\n]"
01-13 17:34:06:173 [ info sync.networkjob.propfind ]:	PROPFIND of QUrl("https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/file-to-be-shared.png") FINISHED WITH STATUS "OK"
01-13 17:34:06:174 [ info gui.sharing ]:	Received sharing permissions for "/file-to-be-shared.png" QFlags(0x1|0x2|0x10)
01-13 17:34:06:174 [ info gui.sharing ]:	Received private link url for "/file-to-be-shared.png" "https://REMOVED-URL-FOR-PRIVACY/index.php/f/112033"
01-13 17:34:06:177 [ info sync.accessmanager ]:	6 "GET" "https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json" has X-Request-ID "21370bf6-88cf-4a70-aa85-76b163fe20d2"
01-13 17:34:06:177 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:34:06:177 [ info sync.httplogger ]:	"21370bf6-88cf-4a70-aa85-76b163fe20d2: Request: GET https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Ocs-APIREQUEST: true, Content-Type: application/x-www-form-urlencoded, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: 21370bf6-88cf-4a70-aa85-76b163fe20d2, Content-Length: 0, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: []"
01-13 17:34:06:177 [ info sync.networkjob ]:	OCC::OcsShareJob created for "https://REMOVED-URL-FOR-PRIVACY" + "ocs/v1.php/apps/files_sharing/api/v1/shares" ""
01-13 17:34:06:181 [ info sync.accessmanager ]:	6 "GET" "https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json" has X-Request-ID "dc9f5b80-adaa-462d-a773-459bd6d72fe0"
01-13 17:34:06:181 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:34:06:181 [ info sync.httplogger ]:	"dc9f5b80-adaa-462d-a773-459bd6d72fe0: Request: GET https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Ocs-APIREQUEST: true, Content-Type: application/x-www-form-urlencoded, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: dc9f5b80-adaa-462d-a773-459bd6d72fe0, Content-Length: 0, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: []"
01-13 17:34:06:181 [ info sync.networkjob ]:	OCC::OcsShareJob created for "https://REMOVED-URL-FOR-PRIVACY" + "ocs/v1.php/apps/files_sharing/api/v1/shares" ""
01-13 17:34:06:183 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::PropfindJob finished for "/file-to-be-shared.png"
01-13 17:34:06:515 [ info sync.httplogger ]:	"dc9f5b80-adaa-462d-a773-459bd6d72fe0: Response: GET 200 https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Content-Type: application/json; charset=utf-8, Content-Length: 128, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:34:06 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Cache-Control: no-cache, no-store, must-revalidate, Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self', } Data: [{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}]"
01-13 17:34:06:515 [ warning gui.sharing.ocs ]:	Reply to "GET" QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares") (QPair("path","/file-to-be-shared.png"), QPair("reshares","true")) has unexpected status code: 996 "{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}"
01-13 17:34:06:515 [ warning gui.sharing ]:	Error from server 996 "CSRF check failed"
01-13 17:34:06:516 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::OcsShareJob finished for "ocs/v1.php/apps/files_sharing/api/v1/shares"
01-13 17:34:06:642 [ debug gui.account.state ]	[ OCC::AccountState::checkConnectivity ]:	"martin.privat@REMOVED-URL-FOR-PRIVACY" The last ETag check succeeded within the last  30  secs. No connection check needed!
01-13 17:34:06:675 [ info sync.httplogger ]:	"21370bf6-88cf-4a70-aa85-76b163fe20d2: Response: GET 200 https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Content-Type: application/json; charset=utf-8, Content-Length: 128, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:34:06 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Cache-Control: no-cache, no-store, must-revalidate, Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self', } Data: [{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}]"
01-13 17:34:06:675 [ warning gui.sharing.ocs ]:	Reply to "GET" QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares") (QPair("path","/file-to-be-shared.png"), QPair("reshares","true")) has unexpected status code: 996 "{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}"
01-13 17:34:06:675 [ warning gui.sharing ]:	Sharing error from server 996 "CSRF check failed"
01-13 17:34:06:675 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::OcsShareJob finished for "ocs/v1.php/apps/files_sharing/api/v1/shares"

dmitry · January 13, 2021, 11:51pm

it does

01-13 17:34:06:177 [ info sync.httplogger ]:	
"21370bf6-88cf-4a70-aa85-76b163fe20d2: 
Request: GET https://REMOVED-URL-FOR-PRIVACY/
ocs/v1.php/apps/files_sharing/api/v1/
shares?path=%2Ffile-to-be-shared.png&r
eshares=true&format=json 
Header: { Ocs-APIREQUEST: true, 
Content-Type: application/x-www-form-urlencoded, 
Authorization: Basic [redacted]

dmitry · January 14, 2021, 12:02am

this is wrong imho. Copy public link should do exactly that, copy the link so you can paste it and get to the file. It does it for me on my installation.

The sharing window is opened only when I click on share.

corby · January 14, 2021, 8:39am

The sharing window is opened only when I click on share.

I don’t know why I didn’t try that yesterday but this did it for me…
Now, I can reproduce the issue and will dig into the code! Thanks!

mackerl · January 14, 2021, 9:44am

Thank you! FYI I also posted this on GitHub: https://github.com/owncloud/core/issues/38287

corby · January 15, 2021, 2:24pm

Solution here so you don’t have to switch to GitHub.
If you are using Apache then look if the mod_rewrite module is enabled and your virtual host has AllowOverride All configured.

dmitry · January 17, 2021, 11:21pm

this is also documented in our installation guide.

mackerl · January 29, 2021, 8:37am

My hosting support ensured me that mod_rewrite ist enabled and AllowOverride All is configured.

Still I get the CSRF error - on a brand new clean install.

Could you please take another look into the changes in 10.6 that trigger this error?
Would be much appreciated.

degol · January 29, 2021, 1:46pm

I’m experiencing this same issue, just started recently. Also on 10.6. I can confirm mod_rewrite is enabled.

mbrando · March 3, 2021, 10:19pm

Hello,
I just upgraded to v10.6.0.5 of owncloud. Desktop sync is 2.7.5 on Big Sur 11.2.2. I did not have this CRC check fail when sharing on 10.4.x.

jnweiger · March 11, 2021, 12:05pm

I just had the same issue in 10.7.0-beta2 - mod rewrite was missing in my setup.
a2enmod rewrite
and then
service apache2 restart
fixed it for me.

mbrando · March 12, 2021, 1:04pm

Mod_rewrite is enabled on my server.

root [/]# httpd -M|grep rewrite
rewrite_module (shared)

tom42 · March 12, 2021, 7:35pm

Hey,

i have searched a little bit if this had been reported to the ownCloud team and found the issue which i’m linking below. There i have found various posts about wrong server configurations or e.g. something called mod_security which could be responsible for your problem.

mbrando · March 12, 2021, 8:41pm

Hello,

Thanks I checked my server and Mod_security is disabled.

Info: ModSecurity is not enabled on your server.

Not sure what to look at next.

Mike

tom42 · March 12, 2021, 9:32pm

Hey,

i would check the whole linked issue as i think that not only mod_security was mentioned there as a reason.

mbrando · July 4, 2021, 12:50am

Hello,

After much googling and much testing. I determined that my configuration has all of the correct Apache settings. I check required modules and PHP extensions etc.

I was still stuck with CSRF check failed on desktop clients when trying to share folders or files.

I read here that it seems like Apache was not passing the headers correctly. However, all of the setting were in place to allow for headers to pass so why would they not pass??

They were not passing due to how the .htaccess files was using if statements to logically apply specific header setting based on available modules. This is fine for base installations. However, on cPanel many of these module while installed and functioning do not present correctly in the .htaccess logic.

in htaccess file after the last /IfModule
“#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####”

I copied the this:
SetEnvIfNoCase ^Authorization$ “(.+)” XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION

from the IfModule mod_fcgid.c section and pasted it into to the area below the “#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####” line.

Now it works. I’m no longer receiving the CSRF check failure.

I’m thinking this fix is unique to cPanel servers and may even be unique to my cpanel server.

Hope this helps some else here.

mackerl · July 28, 2021, 11:39am

I can confirm, this solves the problem! Thank you!
Maybe the developers can fix this in the next release.

mbrando · July 28, 2021, 11:57am

Yes, or at least run this down to see why its related to the htaccess file and above changes to it.

degol · September 13, 2021, 2:33pm

Are there any other ideas what could cause this? I’ve also been experiencing since the update to 10.6. I have no header changing going on in the .htaccess file. I can also confirm mod rewrite is enabled. I’m not sure what else could be causing this. No cPanel either in my case, dedicated owncloud server.