
"CSRF check failed" upon pressing the "Update" button (21.0.2 RC1) #27060

Closed
mistersixt opened this issue May 21, 2021 · 12 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug needs info stale Ticket or PR with no recent activity

Comments

@mistersixt

Hi all,

I am currently on NC version 21.0.2 RC1 (Debian Buster, manual installation). Under "Settings" --> "Overview" I see the notification that I could upgrade to stable version Nextcloud 21.0.2. But when pressing the "Update" button nothing happens... while in the nextcloud.log logfile I see at the very same time a "CrossSiteRequestForgeryException" (please see below). Tried with two different browsers (Firefox and Chromium) in case this information is relevant.

Any help is welcome,

Kind regards, mistersixt

PS: Sometimes I also get a "CSRF" error when logging out of NC, by the way.

{"reqId":"lHbWPWUi419NdUMJFWn6","level":0,"time":"2021-05-21T09:43:46+00:00","remoteAddr":"127.0.0.1","user":"jomo","app":"carnet","method":"GET","url":"/nextcloud/index.php/apps/updatenotification/credentials","message":"/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"21.0.2.0"}
{"reqId":"lHbWPWUi419NdUMJFWn6","level":0,"time":"2021-05-21T09:43:46+00:00","remoteAddr":"127.0.0.1","user":"jomo","app":"contacts","method":"GET","url":"/nextcloud/index.php/apps/updatenotification/credentials","message":"/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"21.0.2.0"}
{"reqId":"lHbWPWUi419NdUMJFWn6","level":0,"time":"2021-05-21T09:43:46+00:00","remoteAddr":"127.0.0.1","user":"jomo","app":"documentserver_community","method":"GET","url":"/nextcloud/index.php/apps/updatenotification/credentials","message":"/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"21.0.2.0"}
{"reqId":"lHbWPWUi419NdUMJFWn6","level":0,"time":"2021-05-21T09:43:46+00:00","remoteAddr":"127.0.0.1","user":"jomo","app":"encryption","method":"GET","url":"/nextcloud/index.php/apps/updatenotification/credentials","message":"/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"21.0.2.0"}
{"reqId":"lHbWPWUi419NdUMJFWn6","level":0,"time":"2021-05-21T09:43:46+00:00","remoteAddr":"127.0.0.1","user":"jomo","app":"files_external","method":"GET","url":"/nextcloud/index.php/apps/updatenotification/credentials","message":"/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"21.0.2.0"}
{"reqId":"lHbWPWUi419NdUMJFWn6","level":0,"time":"2021-05-21T09:43:46+00:00","remoteAddr":"127.0.0.1","user":"jomo","app":"files_sharing","method":"GET","url":"/nextcloud/index.php/apps/updatenotification/credentials","message":"/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"21.0.2.0"}
{"reqId":"lHbWPWUi419NdUMJFWn6","level":0,"time":"2021-05-21T09:43:46+00:00","remoteAddr":"127.0.0.1","user":"jomo","app":"maps","method":"GET","url":"/nextcloud/index.php/apps/updatenotification/credentials","message":"/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"21.0.2.0"}
{"reqId":"lHbWPWUi419NdUMJFWn6","level":0,"time":"2021-05-21T09:43:46+00:00","remoteAddr":"127.0.0.1","user":"jomo","app":"core","method":"GET","url":"/nextcloud/index.php/apps/updatenotification/credentials","message":{"Exception":"OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException","Message":"CSRF check failed","Code":412,"Trace":[{"file":"/var/www/whatever.de/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":98,"function":"beforeController","class":"OC\AppFramework\Middleware\Security\SecurityMiddleware","type":"->","args":[{"class":"OCA\UpdateNotification\Controller\AdminController"},"createCredentials"]},{"file":"/var/www/whatever.de/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":119,"function":"beforeController","class":"OC\AppFramework\Middleware\MiddlewareDispatcher","type":"->","args":[{"class":"OCA\UpdateNotification\Controller\AdminController"},"createCredentials"]},{"file":"/var/www/whatever.de/nextcloud/lib/private/AppFramework/App.php","line":157,"function":"dispatch","class":"OC\AppFramework\Http\Dispatcher","type":"->","args":[{"class":"OCA\UpdateNotification\Controller\AdminController"},"createCredentials"]},{"file":"/var/www/whatever.de/nextcloud/lib/private/Route/Router.php","line":302,"function":"main","class":"OC\AppFramework\App","type":"::","args":["OCA\UpdateNotification\Controller\AdminController","createCredentials",{"class":"OC\AppFramework\DependencyInjection\DIContainer"},{"_route":"updatenotification.Admin.createCredentials"}]},{"file":"/var/www/whatever.de/nextcloud/lib/base.php","line":993,"function":"match","class":"OC\Route\Router","type":"->","args":["/apps/updatenotification/credentials"]},{"file":"/var/www/whatever.de/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/whatever.de/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":181,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0","version":"21.0.2.0"}


@mistersixt mistersixt added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels May 21, 2021
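A small triage helper for log excerpts like the one in the report above; this is added example code, not part of the issue or of Nextcloud. It parses nextcloud.log JSON lines (tolerating the unescaped backslashes that appear once the log is pasted into a ticket) and pulls out, for every CrossSiteRequestForgeryException, who was refused, on which URL, and which controller action the SecurityMiddleware blocked. The sample lines below are constructed from the report with a placeholder reqId and host path and a shortened trace.

```python
import json
import re

# Constructed sample, modelled on the nextcloud.log excerpt in the report
# (trace shortened; reqId and host path are placeholders). Backslashes are
# unescaped, exactly as they come out when the log is pasted into an issue.
SAMPLE_LOG = r'''
{"reqId":"REQ1","level":0,"time":"2021-05-21T09:43:46+00:00","remoteAddr":"127.0.0.1","user":"jomo","app":"contacts","method":"GET","url":"/nextcloud/index.php/apps/updatenotification/credentials","message":"/appinfo/app.php is deprecated, use \OCP\AppFramework\Bootstrap\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0","version":"21.0.2.0"}
{"reqId":"REQ1","level":0,"time":"2021-05-21T09:43:46+00:00","remoteAddr":"127.0.0.1","user":"jomo","app":"core","method":"GET","url":"/nextcloud/index.php/apps/updatenotification/credentials","message":{"Exception":"OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException","Message":"CSRF check failed","Code":412,"Trace":[{"file":"/var/www/example/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":98,"function":"beforeController","class":"OC\AppFramework\Middleware\Security\SecurityMiddleware","type":"->","args":[{"class":"OCA\UpdateNotification\Controller\AdminController"},"createCredentials"]}],"File":"/var/www/example/nextcloud/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":181,"CustomMessage":"--"},"userAgent":"Mozilla/5.0","version":"21.0.2.0"}
'''

# A backslash not followed by a valid JSON escape character is doubled, so
# pasted PHP namespaces such as \OCP\Foo become valid JSON again.
_LONE_BACKSLASH = re.compile(r'\\(?![\\"/bfnrtu])')


def parse_log_line(line: str) -> dict:
    """Parse one nextcloud.log JSON line, tolerating pasted-in unescaped backslashes."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return json.loads(_LONE_BACKSLASH.sub(r'\\\\', line))


def find_csrf_failures(log_text: str) -> list:
    """Return one finding per CrossSiteRequestForgeryException entry in the log."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_log_line(raw)
        msg = entry.get("message")
        if not isinstance(msg, dict):
            continue  # string messages (e.g. deprecation notices) are not exceptions
        if not msg.get("Exception", "").endswith("CrossSiteRequestForgeryException"):
            continue
        # First trace frame is the middleware call: args = [{"class": ctrl}, action]
        controller, action = None, None
        trace = msg.get("Trace") or []
        if trace and len(trace[0].get("args", [])) == 2:
            target, action = trace[0]["args"]
            controller = target.get("class") if isinstance(target, dict) else None
        findings.append({
            "reqId": entry.get("reqId"), "time": entry.get("time"),
            "user": entry.get("user"), "remoteAddr": entry.get("remoteAddr"),
            "method": entry.get("method"), "url": entry.get("url"),
            "code": msg.get("Code"), "controller": controller, "action": action,
        })
    return findings
```

A burst of such findings from one user and one remoteAddr right after the settings page loads points at a stale or rotated token rather than at a cross-site request, which is the pattern later comments in this thread describe.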
@kesselb
Contributor

kesselb commented May 21, 2021

Thank you for reporting this issue 👍

I will need your browser console log to investigate this issue. Open your console, reload your page and/or do the action leading to this issue and copy/paste the log in this thread.

How to access your browser console

Chrome

  • Press either CTRL + SHIFT + J to open the “console” tab of the Developer Tools.
  • Alternative method:
    1. Press either CTRL + SHIFT + I or F12 to open the Developer Tools.
    2. Click the “console” tab.

Safari

  • Press CMD + ALT + I to open the Web Inspector.
  • See Chrome’s step 2. (Chrome and Safari have pretty much identical dev tools.)

IE9

  1. Press F12 to open the developer tools.
  2. Click the “console” tab.

Firefox

  • Press CTRL + SHIFT + K to open the Web console (COMMAND + SHIFT + K on Macs).
  • or, if Firebug is installed (recommended):
    1. Press F12 to open Firebug.
    2. Click on the “console” tab.

Opera

  1. Press CTRL + SHIFT + I to open Dragonfly.
  2. Click on the “console” tab.

@mistersixt
Author

Chromium shows two entries in the console:

  1. Warning:

globals.js:60 $ is deprecated: The global jQuery is deprecated. It will be updated to v3.x in Nextcloud 21. In later versions of Nextcloud it might be removed completely. Please ship your own.
pe @ globals.js:60
get @ globals.js:91
clickUpdaterButton @ UpdateNotification.vue:372
$t @ vue.runtime.esm.js:1854
n @ vue.runtime.esm.js:2179
i._wrapper @ vue.runtime.esm.js:6917

  1. Error:

jquery.js:9600 GET https://www.whatever.de/nextcloud/index.php/apps/updatenotification/credentials 412 (Precondition failed)
send @ jquery.js:9600
ajax @ jquery.js:9206
e.ajax.e.ajax @ jquery-migrate.min.js:2
clickUpdaterButton @ UpdateNotification.vue:372
$t @ vue.runtime.esm.js:1854
n @ vue.runtime.esm.js:2179
i._wrapper @ vue.runtime.esm.js:6917

@mistersixt
Author

And Firefox shows (raw message):

HTTP/1.1 412 Precondition failed
Date: Tue, 25 May 2021 14:49:21 GMT
Server: Apache/2.4.38 (Debian)
Strict-Transport-Security: max-age=15552000; includeSubdomains;
Referrer-Policy: no-referrer
Public-Key-Pins: pin-sha256="1ZRqPPAdGRCc2lpXwUNxbgeyC0/a74GPD90Y7Bs7n3c="; pin-sha256="h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU="; max-age=5184000; includeSubDomains
Permissions-Policy: interest-cohort=(); accelerometer=(); camera=(self 'https://www.whatever.de'); geolocation=(); gyroscope=(); magnetometer=(); microphone=(self 'https://www.whatever.de'); payment=(); usb=()
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Upgrade: h2
Connection: Upgrade, Keep-Alive
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
Content-Length: 31
Keep-Alive: timeout=5, max=100
Content-Type: application/json; charset=utf-8

Mmmh, where might this date value from 1981 come from??

@irzyxel

irzyxel commented May 31, 2021

same problem here on 21.0.1

@ghost

ghost commented Jun 30, 2021

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

@ghost ghost added the stale Ticket or PR with no recent activity label Jun 30, 2021
@oliver-breuer

Same problem here on 21.0.1.

For others who have the same problem: As a workaround I was able to update by directly going to the /updater/ URL and then following the instructions shown on that page.

@ghost ghost removed the stale Ticket or PR with no recent activity label Jul 7, 2021
@ghost

ghost commented Aug 6, 2021

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

@ghost ghost added the stale Ticket or PR with no recent activity label Aug 6, 2021
@ghost ghost closed this as completed Aug 20, 2021
@peterthomassen

Same issue here, on 21.0.1, but now also on 21.0.3.

@ubi15

ubi15 commented Nov 26, 2021

I have the same issue. It could be related to read/write permissions; be sure to add to the PHP-FPM config file (e.g. /etc/systemd/system/php-fpm.service.d/override.conf) the following directives:

[Service]
ReadWritePaths = /usr/share/webapps/owncloud/data
ReadWritePaths = /usr/share/webapps/owncloud/apps
ReadWritePaths = /usr/share/webapps/owncloud/config
ReadWritePaths = /usr/share/webapps/owncloud
BindPaths = /usr/share/webapps/owncloud

and restart php-fpm.

where /usr/share/webapps/owncloud/ is your nextcloud installation path (I have owncloud for historical reasons).
Be sure to change the data folder root if you keep the data outside of the installation path.

@Brianetta

Same problem here on 21.0.1.

For others who have the same problem: As a workaround I was able to update by directly going to the /updater/ URL and then following the instructions shown on that page.

This is how I have been working around this problem for the past year. I'd rather not have to shell in to my server at all.

@oliver-breuer

At my site, the root problem was wrong RewriteRule entries in .htaccess:

RewriteRule ^\.well-known/host-meta  ...
RewriteRule ^\.well-known/webfinger ...
...

After I removed those rules, the "CSRF check failed" error was gone.

Somehow NextCloud created a new CSRF token on server side each time such URL was accessed (these URLs are accessed via ajax when opening the settings page) and didn't update it on client side.

Verifying if that is the problem (before removing/fixing the wrong RewriteRules):

  • open settings page
  • wait 20-30 minutes (for the locally cached token to time out)
  • click on the update button (should now work, because a new token is fetched before calling the update function)
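
To make the diagnosis above reproducible, here is an added toy model (not Nextcloud's code and not from the commenter) of a settings page holding a cached CSRF token while the server silently rotates it. The assumptions are taken from the comment: a misrouted /.well-known request regenerates the session's server-side token, and the page keeps its cached token for roughly 30 minutes before fetching a fresh one.

```python
import secrets

TOKEN_TTL = 30 * 60  # seconds the page keeps its cached token (the 20-30 min window above)


class Server:
    """Toy model of a session's server-side CSRF token (not Nextcloud's code)."""

    def __init__(self, rewrite_bug: bool):
        self.rewrite_bug = rewrite_bug
        self.token = secrets.token_urlsafe(32)

    def handle(self, path: str, csrf_token: str = None) -> int:
        """Return the HTTP status the request would get."""
        if path.startswith("/.well-known/"):
            # Assumption from the comment: a misrouted well-known probe makes
            # the app regenerate the session's token without telling the page.
            if self.rewrite_bug:
                self.token = secrets.token_urlsafe(32)
            return 200
        # Every other route sits behind the CSRF check: 412 on mismatch.
        return 200 if csrf_token == self.token else 412


class Page:
    """Settings page that caches the CSRF token it received when it loaded."""

    def __init__(self, server: Server, clock: list):
        self.server, self.clock = server, clock
        self.token, self.fetched_at = server.token, clock[0]
        # Loading the settings page fires the well-known probes via ajax.
        server.handle("/.well-known/host-meta")
        server.handle("/.well-known/webfinger")

    def click_update(self) -> int:
        if self.clock[0] - self.fetched_at > TOKEN_TTL:  # cached token timed out
            self.token, self.fetched_at = self.server.token, self.clock[0]
        return self.server.handle("/apps/updatenotification/credentials", self.token)


def press_update_after(rewrite_bug: bool, wait_seconds: int = 0) -> int:
    """Open settings, wait, press Update; return the status the button gets."""
    clock = [0]  # fake clock in seconds, advanced by hand
    page = Page(Server(rewrite_bug), clock)
    clock[0] += wait_seconds
    return page.click_update()
```

With the rewrite bug the immediate click returns 412, the same click after the cache window returns 200, and with correct rewrites it returns 200 straight away, which is exactly the three-step check listed above.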

@Raymo111

At my site, the root problem was wrong RewriteRule entries in .htaccess:

RewriteRule ^\.well-known/host-meta  ...
RewriteRule ^\.well-known/webfinger ...
...

After I removed those rules, the "CSRF check failed" error was gone.

Somehow NextCloud created a new CSRF token on server side each time such URL was accessed (these URLs are accessed via ajax when opening the settings page) and didn't update it on client side.

Verifying if that is the problem (before removing/fixing the wrong RewriteRules):

  • open settings page
  • wait 20-30 minutes (for the locally cached token to time out)
  • click on the update button (should now work, because a new token is fetched before calling the update function)

Fixed for me as well, thanks!

This issue was closed.