CSRF check failed when trying to share files

Ok no oauth2, that narrows it down.
What I wanted to check isn’t included in the logs but you can do that yourself.
You have to include the http requests in your log. To do that open the ownCloud Client and press F12. Then check the option Log Http traffic.

Then do the sharing stuff again and check the logs.
There should be logs from sync.httplogger. Check if your requests contain basic auth headers.
Example:
01-13 13:54:17:185 [ info sync.httplogger ]: “d47353e0-8dc4-408a-974d-8e6c8093f1cd: Request: POST http://localhost:8
080/ocs/v1.php/apps/files_sharing/api/v1/shares?format=json Header: { Ocs-APIREQUEST: true, Content-Type: application/x
-www-form-urlencoded, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Linux) mirall/2.7.4 (ownCloud, arch-5.1
0.6-arch1-1 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: /, X-Request-ID: d47353e0-8dc4-408a-974d-8e6c
8093f1cd, Content-Length: 83, Cookie: oc_sessionPassphrase=redacted ocmokzbj5kw4=redacted, } Da
ta: [path=%2F2020-10-23-100802_672x191_scrot.png&shareType=3&name=Context%20menu%20share]”

1 Like

This is the log with http traffic:

01-13 17:33:59:643 [ info gui.folder ]:	Trying to check "https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/" for changes via ETag check. (time since last sync: 173 s)
01-13 17:33:59:643 [ debug gui.folder.manager ]	[ OCC::FolderMan::slotRunOneEtagJob ]:	Scheduling "https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/" to check remote ETag
01-13 17:33:59:643 [ info sync.accessmanager ]:	6 "PROPFIND" "https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/" has X-Request-ID "89cfad4d-87d6-4f49-a35a-c2ef5a22c954"
01-13 17:33:59:643 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:33:59:643 [ info sync.httplogger ]:	"89cfad4d-87d6-4f49-a35a-c2ef5a22c954: Request: PROPFIND https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/ Header: { Depth: 0, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Content-Type: text/xml; charset=utf-8, X-Request-ID: 89cfad4d-87d6-4f49-a35a-c2ef5a22c954, Content-Length: 105, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: [<?xml version=\"1.0\" ?>\n<d:propfind xmlns:d=\"DAV:\">\n  <d:prop>\n    <d:getetag/>\n  </d:prop>\n</d:propfind>\n]"
01-13 17:33:59:644 [ info sync.networkjob ]:	OCC::RequestEtagJob created for "https://REMOVED-URL-FOR-PRIVACY" + "/" "OCC::Folder"
01-13 17:34:00:132 [ info sync.httplogger ]:	"89cfad4d-87d6-4f49-a35a-c2ef5a22c954: Response: PROPFIND 207 https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/ Header: { Content-Type: application/xml; charset=utf-8, Transfer-Encoding: chunked, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:33:59 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Content-Security-Policy: default-src 'none';, Vary: Brief,Prefer, DAV: 1, 3, extended-mkcol, 2, } Data: [<?xml version=\"1.0\"?>\n<d:multistatus xmlns:d=\"DAV:\" xmlns:s=\"http://sabredav.org/ns\" xmlns:oc=\"http://owncloud.org/ns\"><d:response><d:href>/remote.php/dav/files/martin.privat/</d:href><d:propstat><d:prop><d:getetag>&quot;9cae2c6972489b9cc67f42a06b48d3d5&quot;</d:getetag></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response></d:multistatus>\n]"
01-13 17:34:00:132 [ info sync.networkjob.etag ]:	Request Etag of QUrl("https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/") FINISHED WITH STATUS "OK"
01-13 17:34:00:133 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::RequestEtagJob finished for "/"
01-13 17:34:00:618 [ info gui.socketapi ]:	Received SocketAPI message <-- "GET_MENU_ITEMS:/Users/martin/ownCloud/file-to-be-shared.png" from SocketApiSocket(0x600002650bc0)
01-13 17:34:00:618 [ info gui.socketapi ]:	Sending SocketAPI message --> "GET_MENU_ITEMS:BEGIN" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:618 [ debug sync.database.sql ]	[ OCC::SqlQuery::bindValue ]:	SQL bind 1 4733511307310152863
01-13 17:34:00:618 [ debug sync.database.sql ]	[ OCC::SqlQuery::exec ]:	SQL exec "SELECT path, inode, modtime, type, md5, fileid, remotePerm, filesize,  ignoredChildrenRemote, contentchecksumtype.name || ':' || contentChecksum FROM metadata  LEFT JOIN checksumtype as contentchecksumtype ON metadata.contentChecksumTypeId == contentchecksumtype.id WHERE phash=?1"
01-13 17:34:00:618 [ debug sync.database.sql ]	[ OCC::SqlQuery::bindValue ]:	SQL bind 1 4733511307310152863
01-13 17:34:00:618 [ debug sync.database.sql ]	[ OCC::SqlQuery::exec ]:	SQL exec "SELECT path, inode, modtime, type, md5, fileid, remotePerm, filesize,  ignoredChildrenRemote, contentchecksumtype.name || ':' || contentChecksum FROM metadata  LEFT JOIN checksumtype as contentchecksumtype ON metadata.contentChecksumTypeId == contentchecksumtype.id WHERE phash=?1"
01-13 17:34:00:618 [ info gui.socketapi ]:	Sending SocketAPI message --> "MENU_ITEM:SHARE::Teilen…" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:619 [ info gui.socketapi ]:	Sending SocketAPI message --> "MENU_ITEM:COPY_PUBLIC_LINK::Öffentlichen Link in die Zwischenablage kopieren" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:619 [ info gui.socketapi ]:	Sending SocketAPI message --> "MENU_ITEM:COPY_PRIVATE_LINK::Privater Link in die Zwischenablage kopiert" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:620 [ info gui.socketapi ]:	Sending SocketAPI message --> "MENU_ITEM:OPEN_PRIVATE_LINK::Im Browser öffnen" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:620 [ info gui.socketapi ]:	Sending SocketAPI message --> "MENU_ITEM:OPEN_PRIVATE_LINK_VERSIONS::Zeige Dateiversionen im Browser" to SocketApiSocket(0x600002650bc0)
01-13 17:34:00:620 [ info gui.socketapi ]:	Sending SocketAPI message --> "GET_MENU_ITEMS:END" to SocketApiSocket(0x600002650bc0)
01-13 17:34:02:143 [ warning default ]:	QString::arg: 2 argument(s) missing in <p>Version %1. Weitere Informationen unter <a href="%3">https://%4</a></p><p>Für bekannte Fehler und die Hilfe, besuchen Sie bitte: <a href="https://central.owncloud.org/c/desktop-client">https://central.owncloud.org</a></p><p><small>Von Klaas Freitag, Daniel Molkentin, Olivier Goffart, Markus Götz, Jan-Christoph Borchardt,  Thomas Müller, Dominik Schmidt, Michael Stingl, Hannah von Reth und anderen.</small></p><p>Copyright ownCloud GmbH</p><p>Lizenziert unter den Bedingungen der GNU General Public License (GPL) Version 2.0.<br/>%5 und das %5 Logo sind eingetragene Warenzeichen von %4 in den USA, anderen Ländern, oder beidem.</p>
01-13 17:34:04:742 [ info gui.socketapi ]:	Received SocketAPI message <-- "COPY_PUBLIC_LINK:/Users/martin/ownCloud/file-to-be-shared.png" from SocketApiSocket(0x600002650bc0)
01-13 17:34:04:742 [ debug gui.socketapi.publiclink ]	[ OCC::GetOrCreatePublicLinkShare::run ]:	Fetching shares
01-13 17:34:04:742 [ info sync.accessmanager ]:	6 "GET" "https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json" has X-Request-ID "89b35df2-b44e-4627-84fa-dc3a9f02ee14"
01-13 17:34:04:742 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:34:04:742 [ info sync.httplogger ]:	"89b35df2-b44e-4627-84fa-dc3a9f02ee14: Request: GET https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Ocs-APIREQUEST: true, Content-Type: application/x-www-form-urlencoded, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: 89b35df2-b44e-4627-84fa-dc3a9f02ee14, Content-Length: 0, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: []"
01-13 17:34:04:743 [ info sync.networkjob ]:	OCC::OcsShareJob created for "https://REMOVED-URL-FOR-PRIVACY" + "ocs/v1.php/apps/files_sharing/api/v1/shares" ""
01-13 17:34:05:151 [ info sync.httplogger ]:	"89b35df2-b44e-4627-84fa-dc3a9f02ee14: Response: GET 200 https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Content-Type: application/json; charset=utf-8, Content-Length: 128, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:34:04 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Cache-Control: no-cache, no-store, must-revalidate, Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self', } Data: [{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}]"
01-13 17:34:05:151 [ warning gui.sharing.ocs ]:	Reply to "GET" QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares") (QPair("path","/file-to-be-shared.png"), QPair("reshares","true")) has unexpected status code: 996 "{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}"
01-13 17:34:05:151 [ warning gui.socketapi.publiclink ]:	Share fetch/create error 996 "CSRF check failed"
01-13 17:34:05:151 [ debug sync.database.sql ]	[ OCC::SqlQuery::bindValue ]:	SQL bind 1 4733511307310152863
01-13 17:34:05:151 [ debug sync.database.sql ]	[ OCC::SqlQuery::exec ]:	SQL exec "SELECT path, inode, modtime, type, md5, fileid, remotePerm, filesize,  ignoredChildrenRemote, contentchecksumtype.name || ':' || contentChecksum FROM metadata  LEFT JOIN checksumtype as contentchecksumtype ON metadata.contentChecksumTypeId == contentchecksumtype.id WHERE phash=?1"
01-13 17:34:05:151 [ info gui.application ]:	Opening share dialog "/file-to-be-shared.png" "/Users/martin/ownCloud/file-to-be-shared.png" QFlags(0x1|0x2|0x4|0x8|0x10)
01-13 17:34:05:152 [ info sync.accessmanager ]:	2 "" "https://REMOVED-URL-FOR-PRIVACY/index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png" has X-Request-ID "12a1a895-95f1-4bec-998a-97d9d6051bce"
01-13 17:34:05:152 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:34:05:152 [ info sync.httplogger ]:	"12a1a895-95f1-4bec-998a-97d9d6051bce: Request: GET https://REMOVED-URL-FOR-PRIVACY/index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png Header: { Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: 12a1a895-95f1-4bec-998a-97d9d6051bce, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: []"
01-13 17:34:05:152 [ info sync.networkjob ]:	OCC::ThumbnailJob created for "https://REMOVED-URL-FOR-PRIVACY" + "index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png" "OCC::ShareDialog"
01-13 17:34:05:152 [ info sync.accessmanager ]:	6 "PROPFIND" "https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/file-to-be-shared.png" has X-Request-ID "df4b6da1-3171-471c-919c-04933a056366"
01-13 17:34:05:152 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/file-to-be-shared.png") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:34:05:152 [ info sync.httplogger ]:	"df4b6da1-3171-471c-919c-04933a056366: Request: PROPFIND https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/file-to-be-shared.png Header: { Depth: 0, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Content-Type: text/xml; charset=utf-8, X-Request-ID: df4b6da1-3171-471c-919c-04933a056366, Content-Length: 261, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: [<?xml version=\"1.0\" ?>\n<d:propfind xmlns:d=\"DAV:\">\n  <d:prop>\n    <share-permissions xmlns=\"http://open-collaboration-services.org/ns\" />\n    <fileid xmlns=\"http://owncloud.org/ns\" />\n    <privatelink xmlns=\"http://owncloud.org/ns\" />\n  </d:prop>\n</d:propfind>\n]"
01-13 17:34:05:153 [ info sync.networkjob ]:	OCC::PropfindJob created for "https://REMOVED-URL-FOR-PRIVACY" + "/file-to-be-shared.png" ""
01-13 17:34:05:566 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::OcsShareJob finished for "ocs/v1.php/apps/files_sharing/api/v1/shares"
01-13 17:34:05:705 [ info sync.httplogger ]:	"12a1a895-95f1-4bec-998a-97d9d6051bce: Response: GET 200 https://REMOVED-URL-FOR-PRIVACY/index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png Header: { Content-Type: image/png, Content-Length: 16667, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:34:05 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Cache-Control: no-cache, no-store, must-revalidate, Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self', Content-Disposition: inline; filename=\"\", } Data: [16667 bytes of image/png data]"
01-13 17:34:05:707 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::ThumbnailJob finished for "index.php/apps/files/api/v1/thumbnail/150/150//file-to-be-shared.png"
01-13 17:34:06:173 [ info sync.httplogger ]:	"df4b6da1-3171-471c-919c-04933a056366: Response: PROPFIND 207 https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/file-to-be-shared.png Header: { Content-Type: application/xml; charset=utf-8, Transfer-Encoding: chunked, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:34:05 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Cache-Control: no-store, no-cache, must-revalidate, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Content-Security-Policy: default-src 'none';, Vary: Brief,Prefer, DAV: 1, 3, extended-mkcol, 2, } Data: [<?xml version=\"1.0\"?>\n<d:multistatus xmlns:d=\"DAV:\" xmlns:s=\"http://sabredav.org/ns\" xmlns:oc=\"http://owncloud.org/ns\"><d:response><d:href>/remote.php/dav/files/martin.privat/file-to-be-shared.png</d:href><d:propstat><d:prop><x1:share-permissions xmlns:x1=\"http://open-collaboration-services.org/ns\">19</x1:share-permissions><oc:fileid>112033</oc:fileid><oc:privatelink>https://REMOVED-URL-FOR-PRIVACY/index.php/f/112033</oc:privatelink></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response></d:multistatus>\n]"
01-13 17:34:06:173 [ info sync.networkjob.propfind ]:	PROPFIND of QUrl("https://REMOVED-URL-FOR-PRIVACY/remote.php/dav/files/martin.privat/file-to-be-shared.png") FINISHED WITH STATUS "OK"
01-13 17:34:06:174 [ info gui.sharing ]:	Received sharing permissions for "/file-to-be-shared.png" QFlags(0x1|0x2|0x10)
01-13 17:34:06:174 [ info gui.sharing ]:	Received private link url for "/file-to-be-shared.png" "https://REMOVED-URL-FOR-PRIVACY/index.php/f/112033"
01-13 17:34:06:177 [ info sync.accessmanager ]:	6 "GET" "https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json" has X-Request-ID "21370bf6-88cf-4a70-aa85-76b163fe20d2"
01-13 17:34:06:177 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:34:06:177 [ info sync.httplogger ]:	"21370bf6-88cf-4a70-aa85-76b163fe20d2: Request: GET https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Ocs-APIREQUEST: true, Content-Type: application/x-www-form-urlencoded, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: 21370bf6-88cf-4a70-aa85-76b163fe20d2, Content-Length: 0, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: []"
01-13 17:34:06:177 [ info sync.networkjob ]:	OCC::OcsShareJob created for "https://REMOVED-URL-FOR-PRIVACY" + "ocs/v1.php/apps/files_sharing/api/v1/shares" ""
01-13 17:34:06:181 [ info sync.accessmanager ]:	6 "GET" "https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json" has X-Request-ID "dc9f5b80-adaa-462d-a773-459bd6d72fe0"
01-13 17:34:06:181 [ debug sync.cookiejar ]	[ OCC::CookieJar::cookiesForUrl ]:	QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json") requests: (QNetworkCookie("oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"), QNetworkCookie("oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb; secure; HttpOnly; domain=REMOVED-URL-FOR-PRIVACY; path=/"))
01-13 17:34:06:181 [ info sync.httplogger ]:	"dc9f5b80-adaa-462d-a773-459bd6d72fe0: Request: GET https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Ocs-APIREQUEST: true, Content-Type: application/x-www-form-urlencoded, Authorization: Basic [redacted], User-Agent: Mozilla/5.0 (Macintosh) mirall/2.7.4 (build 2934) (ownCloud, osx-18.7.0 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, X-Request-ID: dc9f5b80-adaa-462d-a773-459bd6d72fe0, Content-Length: 0, Cookie: oc_sessionPassphrase=o6rFY2MFzIpScIZNDyj%2FEvYy0zLW16SI1xeO%2B%2Fb8qkFg6BALYf3e0xmGxFS8ntkDDotuwNoVDwjuK3GxaENqMvdvQXwhKbv6BjkMqoRjwgIRJYFR3uAjbMt5UJ1nwrgM; oc26woi8wlh2=2f20e0e9968c27437485bfe65ea692eb, } Data: []"
01-13 17:34:06:181 [ info sync.networkjob ]:	OCC::OcsShareJob created for "https://REMOVED-URL-FOR-PRIVACY" + "ocs/v1.php/apps/files_sharing/api/v1/shares" ""
01-13 17:34:06:183 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::PropfindJob finished for "/file-to-be-shared.png"
01-13 17:34:06:515 [ info sync.httplogger ]:	"dc9f5b80-adaa-462d-a773-459bd6d72fe0: Response: GET 200 https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Content-Type: application/json; charset=utf-8, Content-Length: 128, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:34:06 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Cache-Control: no-cache, no-store, must-revalidate, Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self', } Data: [{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}]"
01-13 17:34:06:515 [ warning gui.sharing.ocs ]:	Reply to "GET" QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares") (QPair("path","/file-to-be-shared.png"), QPair("reshares","true")) has unexpected status code: 996 "{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}"
01-13 17:34:06:515 [ warning gui.sharing ]:	Error from server 996 "CSRF check failed"
01-13 17:34:06:516 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::OcsShareJob finished for "ocs/v1.php/apps/files_sharing/api/v1/shares"
01-13 17:34:06:642 [ debug gui.account.state ]	[ OCC::AccountState::checkConnectivity ]:	"martin.privat@REMOVED-URL-FOR-PRIVACY" The last ETag check succeeded within the last  30  secs. No connection check needed!
01-13 17:34:06:675 [ info sync.httplogger ]:	"21370bf6-88cf-4a70-aa85-76b163fe20d2: Response: GET 200 https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares?path=%2Ffile-to-be-shared.png&reshares=true&format=json Header: { Content-Type: application/json; charset=utf-8, Content-Length: 128, Connection: keep-alive, Keep-Alive: timeout=15, Date: Wed, 13 Jan 2021 16:34:06 GMT, Server: Apache, X-Powered-By: PHP/7.4.14, Expires: Thu, 19 Nov 1981 08:52:00 GMT, Pragma: no-cache, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, X-Robots-Tag: none, X-Download-Options: noopen, X-Permitted-Cross-Domain-Policies: none, Cache-Control: no-cache, no-store, must-revalidate, Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self', } Data: [{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}]"
01-13 17:34:06:675 [ warning gui.sharing.ocs ]:	Reply to "GET" QUrl("https://REMOVED-URL-FOR-PRIVACY/ocs/v1.php/apps/files_sharing/api/v1/shares") (QPair("path","/file-to-be-shared.png"), QPair("reshares","true")) has unexpected status code: 996 "{\"ocs\":{\"meta\":{\"status\":\"failure\",\"statuscode\":996,\"message\":\"CSRF check failed\",\"totalitems\":\"\",\"itemsperpage\":\"\"},\"data\":[]}}"
01-13 17:34:06:675 [ warning gui.sharing ]:	Sharing error from server 996 "CSRF check failed"
01-13 17:34:06:675 [ debug sync.networkjob ]	[ OCC::AbstractNetworkJob::slotFinished ]:	Network job OCC::OcsShareJob finished for "ocs/v1.php/apps/files_sharing/api/v1/shares"
1 Like

it does

01-13 17:34:06:177 [ info sync.httplogger ]:	
"21370bf6-88cf-4a70-aa85-76b163fe20d2: 
Request: GET https://REMOVED-URL-FOR-PRIVACY/
ocs/v1.php/apps/files_sharing/api/v1/
shares?path=%2Ffile-to-be-shared.png&r
eshares=true&format=json 
Header: { Ocs-APIREQUEST: true, 
Content-Type: application/x-www-form-urlencoded, 
Authorization: Basic [redacted]
1 Like

this is wrong imho. Copy public link should do exactly that, copy the link so you can paste it and get to the file. It does it for me on my installation.

The sharing window is opened only when I click on share.

1 Like

The sharing window is opened only when I click on share.

I don’t know why I didn’t try that yesterday but this did it for me…
Now, I can reproduce the issue and will dig into the code! Thanks! :slight_smile:

2 Likes

Thank you! FYI I also posted this on GitHub: https://github.com/owncloud/core/issues/38287

3 Likes

Solution here so you don’t have to switch to GitHub.
If you are using Apache then look if the mod_rewrite module is enabled and your virtual host has AllowOverride All configured.

this is also documented in our installation guide.

My hosting support ensured me that mod_rewrite ist enabled and AllowOverride All is configured.

Still I get the CSRF error - on a brand new clean install.

Could you please take another look into the changes in 10.6 that trigger this error?
Would be much appreciated.

I’m experiencing this same issue, just started recently. Also on 10.6. I can confirm mod_rewrite is enabled.

Hello,
I just upgraded to v10.6.0.5 of owncloud. Desktop sync is 2.7.5 on Big Sur 11.2.2. I did not have this CRC check fail when sharing on 10.4.x.

I just had the same issue in 10.7.0-beta2 - mod rewrite was missing in my setup.
a2enmod rewrite
and then
service apache2 restart
fixed it for me.

Mod_rewrite is enabled on my server.

root [/]# httpd -M|grep rewrite
rewrite_module (shared)

Hey,

i have searched a little bit if this had been reported to the ownCloud team and found the issue which i’m linking below. There i have found various posts about wrong server configurations or e.g. something called mod_security which could be responsible for your problem.

Hello,

Thanks I checked my server and Mod_security is disabled.

Info: ModSecurity is not enabled on your server.

Not sure what to look at next.

  • Mike

Hey,

i would check the whole linked issue as i think that not only mod_security was mentioned there as a reason.

Hello,

After much googling and much testing. I determined that my configuration has all of the correct Apache settings. I check required modules and PHP extensions etc.

I was still stuck with CSRF check failed on desktop clients when trying to share folders or files.

I read here that it seems like Apache was not passing the headers correctly. However, all of the setting were in place to allow for headers to pass so why would they not pass??

They were not passing due to how the .htaccess files was using if statements to logically apply specific header setting based on available modules. This is fine for base installations. However, on cPanel many of these module while installed and functioning do not present correctly in the .htaccess logic.

in htaccess file after the last /IfModule
“#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####”

I copied the this:
SetEnvIfNoCase ^Authorization$ “(.+)” XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION

from the IfModule mod_fcgid.c section and pasted it into to the area below the “#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####” line.

Now it works. I’m no longer receiving the CSRF check failure.

I’m thinking this fix is unique to cPanel servers and may even be unique to my cpanel server.

Hope this helps some else here.

3 Likes

I can confirm, this solves the problem! Thank you! :clap:
Maybe the developers can fix this in the next release.

1 Like

Yes, or at least run this down to see why its related to the htaccess file and above changes to it.

1 Like

Are there any other ideas what could cause this? I’ve also been experiencing since the update to 10.6. I have no header changing going on in the .htaccess file. I can also confirm mod rewrite is enabled. I’m not sure what else could be causing this. No cPanel either in my case, dedicated owncloud server.