
HTTP Error 503 in Chrome when accessing a nextcloud-file by a link #7344

Closed
rgl1234 opened this issue Nov 29, 2017 · 22 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug needs info stale Ticket or PR with no recent activity

Comments

@rgl1234

rgl1234 commented Nov 29, 2017

Steps to reproduce

  1. use Chrome-Browser (tested in Windows 10, Linux)
  2. log in to the nextcloud-server (for example: demo12.nextcloud.bayton.org)
  3. press right mouse-button on a file in nextcloud and choose "Copy link address". As example I tried this with the following file (link): https://demo12.nextcloud.bayton.org/remote.php/webdav/Documents/About.odt
  4. Embed this link somewhere on an external Web-Page outside of nextcloud
  5. On this external web-page press this link with the idea to download the file, while you are still logged in on the nextcloud-server inside chrome

Expected behaviour

The linked file should be downloaded/opened directly, which works normally in Firefox, Edge, ...

Actual behaviour

The file does not download directly. Instead, the following error-message is displayed in the new browser-window:

This page isn’t working
demo12.nextcloud.bayton.org is currently unable to handle this request.
HTTP ERROR 503

By pressing the reload button on this error page, the file is downloaded correctly...

@tflidd
Contributor

tflidd commented Dec 2, 2017

@jasonbayton do you have the logs?

@jasonbayton
Member

@tflidd no, I can't replicate this on Mac via Chrome, Safari or Firefox and I'd have needed to grab the logs for that particular session (:00 to :59 of any hour).

@reneglauser if you'd like to replicate your issue and ping me, preferably as close to the beginning of the hour as possible so I'll have time to stop whatever I'm doing and log in before the logs are wiped, I'll output what I see here.

@rgl1234
Author

rgl1234 commented Dec 7, 2017 via email

@rgl1234
Author

rgl1234 commented Dec 8, 2017

@jasonbayton I just accessed the link again this morning at 08:05 and got the 503 error again...

@gerritduits

I can confirm what @reneglauser has posted. I've got the same issue here.

@jasonbayton
Member

Hi folks,

If one of you tests again at the top of the hour and pings me here or @jasonbayton on Twitter before the hour is up, I'll grab the logs. I missed it.

@rgl1234
Author

rgl1234 commented Dec 15, 2017

@jasonbayton Hi Jason, I just pressed the link and got the error again... can you have a look at the logs?

@jasonbayton
Member

Unfortunately there are no error logs registered against any action you may have taken, neither on the proxy nor the demo server.

@rgl1234
Author

rgl1234 commented Dec 15, 2017

@jasonbayton ok, I clicked again and got the 503 error again...

@jasonbayton
Member

The closest I can see is this:

Fri Dec 15 10:13:16.656478 2017] [authz_core:error] [pid 442] [client 10.252.174.1:56218] AH01630: client denied by server configuration: /var/www/html/nextcloud/data/.ocdata
(END)

I'll look into it but not sure it'll change anything.

@MorrisJobke
Member

@jasonbayton Any news here?

@MorrisJobke
Member

Closing as there was no further feedback.

@Dagefoerde
Member

I can reproduce this issue. It seems to be happening if a Referer: header is present that exhibits a domain other than that of the Nextcloud installation. I also don't see any error logs; however, the request appears in access.log with code 503. The request goes through if there is no Referer or if the Referer URL is from the same domain.

HOWEVER, I cannot reproduce this with curl, i.e. this works fine:

curl -i -H "Referer: http://localhost/" "https://***@***/nextcloud/remote.php/webdav/Moodlefiles/About.txt"

Could be some weird interpretation of client-side security policies?

Tested with Chrome 67.0.3396.99 and Firefox 61.0 on Ubuntu. Nextcloud 13.0.4 (2018-06-11T08:24:28+00:00 5c97dc3).

@Dagefoerde
Member

Oh, in fact it is reproducible with curl as well. Chrome allows me to copy the request that resulted in 503 in curl format. If I paste that into the command line, I get the following:

curl -i 'https://***/nextcloud/remote.php/webdav/Moodlefiles/About.txt' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: http://localhost/' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7' -H 'Cookie: oc_sessionPassphrase=[...]; nc_sameSiteCookielax=true; ocs8ty53neew=[...]' --compressed
HTTP/1.1 503 Service Unavailable
Date: Thu, 12 Jul 2018 15:22:15 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-[...]'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
X-Frame-Options: SAMEORIGIN
Set-Cookie: nc_sameSiteCookielax=true; path=/nextcloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: nc_sameSiteCookiestrict=true; path=/nextcloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

@Dagefoerde
Member

Dagefoerde commented Jul 12, 2018

Tracked it down: The 503 comes from here

server/lib/base.php

Lines 554 to 563 in 09d5b61

// All other endpoints require the lax and the strict cookie
if(!$request->passesStrictCookieCheck()) {
    self::sendSameSiteCookies();
    // Debug mode gets access to the resources without strict cookie
    // due to the fact that the SabreDAV browser also lives there.
    if(!\OC::$server->getConfig()->getSystemValue('debug', false)) {
        http_response_code(\OCP\AppFramework\Http::STATUS_SERVICE_UNAVAILABLE);
        exit();
    }
}

(If I add arbitrary output right before exit() it becomes part of the response.)

How can I proceed if I want to access files this way? (In my particular case Moodle knows exactly where the file is located and wants to point the user there. More precisely, Moodle needs to point the browser to that particular file.)

@rgl1234
Author

rgl1234 commented Aug 13, 2018

I now upgraded to 13.0.5 but the problem still remains...

@MistaGreenJeans

I installed 13.07 and something improved.

In our case we are putting copy/pasted links in Asana.

Previous behavior:
If you have a copy/pasted link to a folder or file in Nextcloud embedded in any part of Asana (Description, comments), you will receive a 503 error. If you refresh that link on the 503 error page it will ask for your credentials if you are not logged in, and the file or folder is accessible.

Current Behavior after 13.07 upgrade:
If you have a copy/pasted link to a folder or file in Nextcloud embedded in the Description part of an Asana task you will receive a 503 error. If you have a copy/pasted link to a folder or file in Nextcloud embedded in the Comments section of an Asana task, the link opens up the file or folder with no issues.

Very odd that a link in the description area of Asana cannot direct correctly, but the same link in the comments is able to direct with no issues.

@XANi

XANi commented Apr 12, 2019

From what I see:

The initial request that gets 503-ed sets these cookies:

Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict

After this cookie is set, request passes fine.

After I manually delete the cookie from the store, the request returns 503 again.

Seems like some half-assed attempt at security misfiring to be honest.
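As an added illustration (not Nextcloud's code), the following Python model of the browser-side SameSite rule and the server-side strict-cookie check quoted from server/lib/base.php shows why the first cross-site click gets a 503 that re-sets the two cookies, why a reload then succeeds, and why the debug setting bypasses the check. The cookie names and Nextcloud host are taken from the thread; the referring host is a constructed placeholder, and the browser model ignores path, Secure and __Host- prefix handling.

```python
# Added example, not Nextcloud code: a simplified model of SameSite cookie
# handling plus the passesStrictCookieCheck() logic quoted from base.php.
from dataclasses import dataclass, field

LAX = "nc_sameSiteCookielax"         # cookie names seen in the thread
STRICT = "nc_sameSiteCookiestrict"
NC_HOST = "demo12.nextcloud.bayton.org"  # Nextcloud host from the report


@dataclass
class Cookie:
    name: str
    same_site: str  # "lax" or "strict"


@dataclass
class Browser:
    jar: dict = field(default_factory=dict)  # cookie name -> Cookie

    def cookies_for(self, referer_host, top_level_nav=True):
        """Browser rule: Strict cookies go only with same-site requests;
        Lax cookies also go with top-level navigations (a link click)
        initiated from another site. A missing Referer counts as same-site."""
        same_site = referer_host in (None, NC_HOST)
        return [c.name for c in self.jar.values()
                if same_site or (c.same_site == "lax" and top_level_nav)]


def webdav_request(browser, referer_host, debug=False):
    """Server side, mirroring the base.php snippet: require both cookies,
    otherwise (re)send them and answer 503 unless 'debug' is enabled."""
    cookies = browser.cookies_for(referer_host)
    if not (LAX in cookies and STRICT in cookies):
        # sendSameSiteCookies(): the 503 response carries both Set-Cookie headers
        browser.jar[LAX] = Cookie(LAX, "lax")
        browser.jar[STRICT] = Cookie(STRICT, "strict")
        if not debug:
            return 503
    return 200


def reproduce(referer_host="moodle.example", debug=False):
    """Sequence from the issue: a logged-in user clicks a cross-site link
    (constructed referring host), then reloads the resulting error page."""
    b = Browser()
    b.jar[LAX] = Cookie(LAX, "lax")        # an already logged-in session
    b.jar[STRICT] = Cookie(STRICT, "strict")
    first = webdav_request(b, referer_host, debug)
    second = webdav_request(b, None, debug)  # reload: no foreign Referer
    return first, second
```

A client that ignores SameSite, such as curl sending every cookie it holds, never trips the check, which is why the copied curl command only reproduces the 503 when the strict cookie is absent from its Cookie header.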

@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Jun 12, 2019
@skjnldsv skjnldsv added the bug label Aug 15, 2019
@skjnldsv
Member

Can't reproduce on latest versions. Anyone else can?

@ghost

ghost commented Sep 19, 2020

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.

@ghost ghost added the stale Ticket or PR with no recent activity label Sep 19, 2020
@ghost ghost closed this as completed Oct 3, 2020
@sbernhard

Is this really fixed? I recognized similar with NX 22.2.
Would be nice to have something like a setting: a list of hosts which are allowed to be the Referer. What do you think @skjnldsv / @Dagefoerde ?

@cdekok

cdekok commented Aug 14, 2023

This bug seems still present. If it's not allowed, then 503 is the wrong response code; something in the 4xx range would be more suitable.
