Owncloud Account doesn't work with Nextcloud 11

Bug #1651938 reported by slash
This bug affects 8 people
Affects: account-plugins (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Alberto Mardegan

Bug Description

Dear,

Since my Nextcloud server update I cannot connect to my calendar anymore.
My contacts with syncevolution: no problem.

I think I found why: Nextcloud reduces the CSRF vulnerability.

phablet@ubuntu-phablet:~$ export OAU_LOGGING_LEVEL=2
phablet@ubuntu-phablet:~$ export OAU_DAEMON_TIMEOUT=9999
phablet@ubuntu-phablet:~$ online-accounts-service
service.cpp 42 requestAccess Got request: QMap(("application", QVariant(QString, "system-settings") ) ( "pid" , QVariant(uint, 26947) ) ( "provider" , QVariant(QString, "owncloud") ) ( "windowId" , QVariant(uint, 26947) ) )
App ID: "unconfined"
request-manager.cpp 113 runQueue Head: OnlineAccountsUi::Request(0x1d829d8)
mir-helper.cpp 151 session_event_callback Prompt Session state updated to 1
Loading module: 'libubuntu_application_api_touch_mirclient.so.3.0.0'
ui-server.cpp 103 onDataReady QMap(("code", QVariant(QString, "process") ) ( "data" , QVariant(QVariantMap, QMap(("application", QVariant(QString, "system-settings") ) ( "pid" , QVariant(uint, 26947) ) ( "provider" , QVariant(QString, "owncloud") ) ( "windowId" , QVariant(uint, 26947) ) ) ) ) ( "id" , QVariant(int, 0) ) ( "interface" , QVariant(QString, "com.ubuntu.OnlineAccountsUi") ) ( "profile" , QVariant(QString, "unconfined") ) )
qml: Page_QMLTYPE_24(0x1973a38)"ownCloud": In Ubuntu.Components 1.3, the use of Page.title, Page.flickable and Page.head is deprecated. Use Page.header and the PageHeader component instead.
file:///home/phablet/.local/share/accounts/qml-plugins/owncloud/Main.qml: File not found
virtual void OnlineAccountsPlugin::Plugin::registerTypes(const char*) Ubuntu.OnlineAccounts.Plugin
request.cpp 115 setWindow Requesting window reparenting
QWindow::fromWinId(): platform plugin does not support foreign windows.
APP_ID isn't set, the handler ignored
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
qml: Trying host https://server as login:password
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
file:///usr/share/accounts/qml-plugins/owncloud/Main.qml:4:1: QML Main: Binding loop detected for property "contentHeight"
qml: response: {"message":"CSRF check failed"}
qml: callback called: false

For more info on the Nextcloud update: https://nextcloud.com/blog/nextcloud-11-delivers-verified-security-improvements/

Regards

Alberto Mardegan (mardy) wrote :

Hi Slash, thanks for reporting this bug. As I understand from your logs, it's not even possible to create a nextcloud account; can you please confirm this?

Anyway, this looks like a bug in the Nextcloud server implementation: CSRF is not something that normally affects REST APIs, which are stateless by definition. When registering the account, we are passing username and password with every function call.

Please file a bug against Nextcloud, and write here the link to the report, so that I can comment in case they ask for more information.

For the record, the API we are using when verifying whether the account is valid is /ocs/v1.php/person/check, which is documented here:
https://www.freedesktop.org/wiki/Specifications/open-collaboration-services/#index4h4

I think they forced the CSRF check on all API, including the public REST APIs, by mistake.

Changed in account-plugins (Ubuntu):
status: New → Incomplete
slash (slash-tux) wrote :

Yes, I cannot even create a nextcloud account on the phone.

As suggested, I've opened the discussion on their side: https://github.com/nextcloud/server/issues/2853

Thanks

Alberto Mardegan (mardy) wrote :

Mmm... I just found this:

    https://github.com/nextcloud/server/issues/2753

We could try to add that header, and see if things work.

Alberto Mardegan (mardy)
Changed in account-plugins (Ubuntu):
status: Incomplete → Confirmed
importance: Undecided → Medium
assignee: nobody → Alberto Mardegan (mardy)
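
A simplified model of the behaviour discussed in this thread, added here as an example (not code from account-plugins or Nextcloud): a server-side CSRF gate that rejects the client's /ocs/v1.php/person/check call until the request carries a custom API header. The header name OCS-APIRequest, the X-CSRF-Token header, the use of HTTP Basic credentials and the host are assumptions; the thread only refers to "that header".

```javascript
// Simplified model, not Nextcloud's or account-plugins' code.
// Assumed header name (the thread only says "that header"):
const API_HEADER = 'OCS-APIRequest';
// Hypothetical header carrying a per-session anti-CSRF token:
const TOKEN_HEADER = 'X-CSRF-Token';

function header(req, name) {
  // HTTP header names are case-insensitive.
  const key = Object.keys(req.headers).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : req.headers[key];
}

// Server side: accept a request only if it proves it did not come from a
// cross-site HTML form, which can set neither of the two custom headers.
function csrfGate(req, sessionToken) {
  const fromApiClient = header(req, API_HEADER) === 'true';
  const hasToken = Boolean(sessionToken) &&
    header(req, TOKEN_HEADER) === sessionToken;
  return fromApiClient || hasToken
    ? { ok: true, body: '' }
    : { ok: false, body: '{"message":"CSRF check failed"}' };
}

// Client side: the account check described in the thread, with the
// credentials sent on every call (HTTP Basic here is an assumption).
function buildPersonCheck(host, login, password, sendApiHeader) {
  const headers = {
    Authorization: 'Basic ' +
      Buffer.from(`${login}:${password}`).toString('base64'),
    'Content-Type': 'application/x-www-form-urlencoded',
  };
  if (sendApiHeader) headers[API_HEADER] = 'true';
  return { method: 'POST', url: `${host}/ocs/v1.php/person/check`, headers };
}

// Constructed sample requests (host and credentials are made up).
const before = buildPersonCheck('https://cloud.example', 'alice', 's3cret', false);
const after = buildPersonCheck('https://cloud.example', 'alice', 's3cret', true);
// What a cross-site form submission can carry: cookies, but no custom headers.
const forgedForm = { method: 'POST', url: before.url,
  headers: { Cookie: 'session=abc',
    'Content-Type': 'application/x-www-form-urlencoded' } };

console.log('client without header:', csrfGate(before, null));
console.log('client with header:   ', csrfGate(after, null));
console.log('cross-site form:      ', csrfGate(forgedForm, 'tok123'));
```

The gate in this model rejects the stateless client for the same reason it rejects the form post, which is the failure in the reporter's log; setting the custom header distinguishes the two.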
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package account-plugins - 0.13+17.04.20170314-0ubuntu1

---------------
account-plugins (0.13+17.04.20170314-0ubuntu1) zesty; urgency=medium

  * NextCloud/OwnCloud: fix account creation on newer releases (LP:
    #1651938)

 -- Alberto Mardegan <email address hidden> Tue, 14 Mar 2017 10:30:56 +0000

Changed in account-plugins (Ubuntu):
status: Confirmed → Fix Released