Steps to reproduce
1. Create a public share link that uses a browser and password
2. Log in to the public share link in a browser window or private browser window
3. Drag and drop a file larger than 1.7GB
Expected behaviour
Should upload file in about 10 minutes depending on internet speed
Actual behaviour
User sees generic error “problem with upload”
Server configuration
Operating system: Alma Linux 8
Web server: Apache 2.4
Database: mysql 8
PHP version: 7.4
ownCloud version: (see ownCloud admin page) 10.15.0.2
Updated from an older ownCloud or fresh install: updated
Where did you install ownCloud from: Download Server Packages - ownCloud
Signing status (ownCloud 9.0 and above):
The owncloud 10.27.43 AM.log shows:
{"reqId":"05aaGZr9CXwwFthSSzUC","level":2,"time":"2025-04-07T10:17:35-05:00","remoteAddr":"[removed this address]","user":"--","app":"core","method":"PROPFIND","url":"/remote.php/dav/uploads/null/web-file-upload-51c038f4be50aa2bfed9a4205dc420b6-1744038956181","message":"Login failed: 'tX0ALa2CCIP6QNP' (Remote IP: "[removed this address]')"}
The public share link upload seems to be triggering brute-force protections due to a false “Login failed” trigger. In the DB I then see 3 entries in the “oc_bfp_failed_logins” table.
This does not occur with sessions that use a complete username and password. It only happens with public share links given to clients to upload files.
I was hoping to keep the brute-force protections installed, but there seems to be a bug with brute-force protections and public share link uploads associated with failed logins during upload. Maybe it's a failed auth check, but it is not clear.
I’ve tried these things, but they did not correct the issue:
1. Extend PHP and Session Timeouts
Modify config/config.php to prevent token expiration:
```php
'session_lifetime' => 86400, // 24 hours
'session_keepalive' => true,
'upload_chunking' => 'true',
```
2. Exclude WebDAV Routes from Brute-Force Checks
Add WebDAV routes to the brute-force exclusion list:
```php
'bruteforce.protection.excluded_routes' => [
    'dav.upload',
    'files.upload',
    'files.webdav'
],
```
3. Force Resumable Uploads for Public Links
Ensure chunked uploads are enforced:
```php
'chunking.keep_alive' => true,
'min_chunk_size' => 1048576, // 1MB chunks
```
Advanced Configuration
1. Adjust WebDAV Authentication Handling
Add to .htaccess (Apache) or server block (Nginx):
```text
# Apache
SetEnvIf Request_URI "^/remote.php/dav" DAVAuth
RequestHeader unset Authorization env=DAVAuth
```
2. Disable Session-Based Auth for WebDAV Uploads
Modify config/config.php:
```php
'dav.auth_type' => 'none',
```
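One way to measure how many recorded failures match this public-link upload pattern before changing any protection settings, as an added example that is not part of the original post or ownCloud's own code: it parses owncloud.log JSON lines and counts `Login failed` entries on `/remote.php/dav/uploads/` per client address, separating entries with `null` in the URL's user segment and user `--` (the shape of the log line above) from other failures. The sample lines, the function names and the `min_hits` value (taken from the 3 rows mentioned in the post, not from ownCloud's settings) are assumptions made for illustration.

```python
import json
import re
from collections import defaultdict

UPLOAD_URL = re.compile(r"^/remote\.php/dav/uploads/([^/]+)/")
LOGIN_FAILED = re.compile(r"^Login failed: '([^']*)'")

def _sample(addr, url, name):
    """Build one constructed log line in the shape of the entry quoted in the post."""
    return json.dumps({"level": 2, "remoteAddr": addr, "user": "--", "app": "core",
                       "method": "PROPFIND", "url": url,
                       "message": f"Login failed: '{name}' (Remote IP: '{addr}')"})

# Constructed sample: addresses, upload ids and login names are made up.
SAMPLE_LOG = "\n".join([
    _sample("203.0.113.10", "/remote.php/dav/uploads/null/web-file-upload-aaa-1", "tokenA"),
    _sample("203.0.113.10", "/remote.php/dav/uploads/null/web-file-upload-bbb-2", "tokenA"),
    _sample("203.0.113.10", "/remote.php/dav/uploads/null/web-file-upload-ccc-3", "tokenA"),
    _sample("198.51.100.7", "/remote.php/dav/uploads/alice/web-file-upload-ddd-4", "alice"),
    _sample("198.51.100.7", "/index.php/login", "alice"),  # not an upload URL: ignored
    "PHP Warning: this line is not JSON",                   # skipped by the parser
])

def summarize(log_text):
    """Per client address: failed logins on DAV upload URLs, split by pattern."""
    stats = defaultdict(lambda: {"share_pattern": 0, "other": 0, "names": set()})
    for line in log_text.splitlines():
        try:
            e = json.loads(line)
        except ValueError:
            continue  # log files can contain truncated or non-JSON lines
        if not isinstance(e, dict):
            continue
        url = UPLOAD_URL.match(str(e.get("url", "")))
        msg = LOGIN_FAILED.match(str(e.get("message", "")))
        if not (url and msg):
            continue
        key = "share_pattern" if url.group(1) == "null" and e.get("user") == "--" else "other"
        stats[str(e.get("remoteAddr", "?"))][key] += 1
        stats[str(e.get("remoteAddr", "?"))]["names"].add(msg.group(1))
    return dict(stats)

def likely_false_positives(log_text, min_hits=3):
    """Addresses whose upload failures all match the post's pattern (min_hits is hypothetical)."""
    return sorted(a for a, s in summarize(log_text).items()
                  if s["other"] == 0 and s["share_pattern"] >= min_hits)

if __name__ == "__main__":
    print(likely_false_positives(SAMPLE_LOG))
```

Addresses that appear only in the `share_pattern` column are candidates for the false trigger described in the post; addresses with `other` failures still look like ordinary failed logins and are left out.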