
Encryption module "Default encryption module" is not able to read [...] #3751

Closed
rapITler opened this issue Mar 7, 2017 · 1 comment · Fixed by #3843


rapITler commented Mar 7, 2017

Steps to reproduce

  1. Enforce password protection and enable default encryption
  2. Upload and share file per mail.
  3. Visit link in mail and click on download -> error will be raised

How it works (but without a password!!!):

  1. Enforce password protection and enable default encryption
  2. Upload and share link with password protection
  3. Share file per mail
  4. Visit link in mail and click on download -> works without a password

Expected behaviour

Sharing per mail shouldn't work without a password.
Besides that, an error message should appear with the message "the download isn't possible without a password".

Actual behaviour

Users who visit the link and click on download receive:
"Can't read file
Can not read this file, probably this is a shared file. Please ask the file owner to reshare the file with you."

or with shared link and mail:
User can download the file without a password.

Server configuration

Operating system:
CentOS 7.2
Web server:
Apache
Database:
mariadb

PHP version:
PHP 7.0.16
Nextcloud version: (see Nextcloud admin page)
11.0.1

Updated from an older Nextcloud/ownCloud or fresh install:
10.0.0

Where did you install Nextcloud from:
official page

Signing status:

Integrity checker has been disabled. Integrity cannot be verified.

List of activated apps:

App list
Enabled:
  - activity: 2.4.1
  - admin_audit: 1.1.0
  - announcementcenter: 3.0.1
  - comments: 1.1.0
  - dav: 1.1.1
  - encryption: 1.4.1
  - federatedfilesharing: 1.1.1
  - federation: 1.1.1
  - files: 1.6.1
  - files_antivirus: 1.0.0.0
  - files_automatedtagging: 1.1.1
  - files_downloadactivity: 1.0.0
  - files_pdfviewer: 1.0.1
  - files_retention: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - gallery: 16.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - provisioning_api: 1.1.0
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - systemtags: 1.1.3
  - tasks: 0.9.4
  - templateeditor: 0.2
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - updatenotification: 1.1.1
  - user_ldap: 1.1.1
  - workflowengine: 1.1.1
Disabled:
  - external
  - files_accesscontrol
  - files_external
  - firstrunwizard
  - piwik
  - survey_client
  - user_external
  - user_saml

The content of config/config.php:

Config report
{
    "system": {
        "instanceid": "",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "",
            ""
        ],
        "datadirectory": "\/data",
        "overwrite.cli.url": "",
        "dbtype": "mysql",
        "version": "11.0.1.2",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "ldapusercleanupinterval": 15,
        "loglevel": 2,
        "cron_log": true,
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "log_rotate_size": 104857600,
        "mail_from_address": "",
        "mail_smtpmode": "smtp",
        "mail_domain": "",
        "mail_smtphost": "",
        "mail_smtpport": "25",
        "mail_smtpsecure": "tls",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "auth.bruteforce.protection.enabled": true,
        "remember_login_cookie_lifetime": 86400,
        "session_lifetime": 28800,
        "session_keepalive": true,
        "updater.release.channel": "production",
        "maintenance": false,
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...
SAN
Are you using encryption: yes/no
YES
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
AD

LDAP configuration (delete this part if not used)

LDAP config
+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                                                                             |
+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                                                                           |
| hasPagedResultSupport         |                                                                                                                                                             |
| homeFolderNamingRule          |                                                                                                                                                             |
| lastJpegPhotoLookup           | 0                                                                                                                                                           |
| ldapAgentName                 | CN=,OU=ServiceAccount,OU=Users,OU=_Global,dc=,dc=|
| ldapAgentPassword             | ***                                                                                                                                                         |
| ldapAttributesForGroupSearch  |                                                                                                                                                             |
| ldapAttributesForUserSearch   |                                                                                                                                                             |
| ldapBackupHost                |                                                                                                                                                             |
| ldapBackupPort                |                                                                                                                                                             |
| ldapBase                      | dc=,dc=|
| ldapBaseGroups                | dc=,=|
| ldapBaseUsers                 | dc=,dc=|
| ldapCacheTTL                  | 600                                                                                                                                                         |
| ldapConfigurationActive       | 1                                                                                                                                                           |
| ldapDynamicGroupMemberURL     |                                                                                                                                                             |
| ldapEmailAttribute            | mail                                                                                                                                                        |
| ldapExperiencedAdmin          | 1                                                                                                                                                           |
| ldapExpertUUIDGroupAttr       |                                                                                                                                                             |
| ldapExpertUUIDUserAttr        |                                                                                                                                                             |
| ldapExpertUsernameAttr        | cn                                                                                                                                                          |
| ldapGroupDisplayName          | cn                                                                                                                                                          |
| ldapGroupFilter               | (&(|(objectclass=group))(|(memberof:1.2.840.113556.1.4.1941:=cn=,OU=,OU=Groups,OU=Admin,DC=,DC=)))                         |
| ldapGroupFilterGroups         |                                                                                                          |
| ldapGroupFilterMode           | 0                                                                                                                                                           |
| ldapGroupFilterObjectclass    | group                                                                                                                                                       |
| ldapGroupMemberAssocAttr      | member                                                                                                                                                      |
| ldapHost                      |                                                                                                                                          |
| ldapIgnoreNamingRules         |                                                                                                                                                             |
| ldapLoginFilter               | (&(&(|(objectclass=user)))(samaccountname=%uid))                                                                                                            |
| ldapLoginFilterAttributes     |                                                                                                                                                             |
| ldapLoginFilterEmail          | 0                                                                                                                                                           |
| ldapLoginFilterMode           | 0                                                                                                                                                           |
| ldapLoginFilterUsername       | 1                                                                                                                                                           |
| ldapNestedGroups              | 0                                                                                                                                                           |
| ldapOverrideMainServer        |                                                                                                                                                             |
| ldapPagingSize                | 500                                                                                                                                                         |
| ldapPort                      | 389                                                                                                                                                         |
| ldapQuotaAttribute            |                                                                                                                                                             |
| ldapQuotaDefault              |                                                                                                                                                             |
| ldapTLS                       | 0                                                                                                                                                           |
| ldapUserDisplayName           | displayname                                                                                                                                                 |
| ldapUserDisplayName2          |                                                                                                                                                             |
| ldapUserFilter                | (&(|(objectclass=user))(|(|(memberof:1.2.840.113556.1.4.1941:=CN=,OU=,OU=Groups,OU=Admin,DC=,DC=)(primaryGroupID=97011)))) |
| ldapUserFilterGroups          |                                                                                                                                 |
| ldapUserFilterMode            | 0                                                                                                                                                           |
| ldapUserFilterObjectclass     | user                                                                                                                                                        |
| ldapUuidGroupAttribute        | auto                                                                                                                                                        |
| ldapUuidUserAttribute         | auto                                                                                                                                                        |
| turnOffCertCheck              | 0                                                                                                                                                           |
| turnOnPasswordChange          | 0                                                                                                                                                           |
| useMemberOfToDetectMembership | 1                                                                                                                                                           |
+-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+

Client configuration

Browser:
Chrome
Operating system:
Windows 7

Logs

Web server error log

Insert your webserver log here

Nextcloud log (data/nextcloud.log)

nextcloud log
{"reqId":"WL6q3C0xlD4Y8papSsgRZgAAAAM","remoteAddr":"","app":"no app in context","message":"Encryption module \"Default encryption module\" is not able to read \/\/files\/bla.JPG","level":2,"time":"2017-03-07T13:43:09+01:00","method":"GET","url":"\/index.php\/s\/dEV8muxaWcmRIVo\/download","user":"--","version":"11.0.1.2"}
{"reqId":"WL6q3C0xlD4Y8papSsgRZgAAAAM","remoteAddr":"","app":"no app in context","message":"Exception: {\"Exception\":\"OC\\\\Encryption\\\\Exceptions\\\\DecryptionFailedException\",\"Message\":\"Encryption module \\\"Default encryption module\\\" is not able to read \\\\\\/files\\\/bla.JPG\",\"Code\":0,\"Trace\":\"#0 \\\/www\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Encryption.php(328): OCA\\\\Encryption\\\\Crypto\\\\Encryption->isReadable('\\\..', NULL)\\n#1 \\\/www\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Wrapper.php(169): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Encryption->isReadable('files\\\/disk_132_...')\\n#2 \\\/www\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Wrapper.php(169): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Wrapper->isReadable('files\\\/disk_132_...')\\n#3 \\\/www\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Wrapper.php(169): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Wrapper->isReadable('files\\\/disk_132_...')\\n#4 \\\/www\\\/lib\\\/private\\\/Files\\\/View.php(1124): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Wrapper->isReadable('files\\\/.')\\n#5 \\\/www\\\/lib\\\/private\\\/Files\\\/View.php(489): OC\\\\Files\\\\View->basicOperation('isReadable', '\\\/disk_132_too_h...')\\n#6 \\\/www\\\/lib\\\/private\\\/Files\\\/Filesystem.php(688): OC\\\\Files\\\\View->isReadable('\\\/\\\/disk_132_too_...')\\n#7 \\\/www\\\/lib\\\/private\\\/legacy\\\/files.php(261): OC\\\\Files\\\\Filesystem::isReadable('\\\/\\\/...')\\n#8 \\\/www\\\/lib\\\/private\\\/legacy\\\/files.php(120): OC_Files::getSingleFile(Object(OC\\\\Files\\\\View), '\\\/', '', Array)\\n#9 \\\/www\\\/apps\\\/files_sharing\\\/lib\\\/Controller\\\/ShareController.php(534): OC_Files::get('\\\/', '', Array)\\n#10 [internal function]: OCA\\\\Files_Sharing\\\\Controller\\\\ShareController->downloadShare('dEV8muxaWcmRIVo', NULL, '', '')\\n#11 \\\/www\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(160): call_user_func_array(Array, Array)\\n#12 \\\/www\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(90): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\Files_Sharing\\\\Controller\\\\ShareController), 'downloadShare')\\n#13 \\\/www\\\/lib\\\/private\\\/AppFramework\\\/App.php(114): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\Files_Sharing\\\\Controller\\\\ShareController), 'downloadShare')\\n#14 \\\/www\\\/lib\\\/public\\\/AppFramework\\\/App.php(136): OC\\\\AppFramework\\\\App::main('ShareController', 'downloadShare', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer))\\n#15 \\\/www\\\/core\\\/routes.php(100): OCP\\\\AppFramework\\\\App->dispatch('ShareController', 'downloadShare')\\n#16 [internal function]: OC\\\\Route\\\\Router->{closure}(Array)\\n#17 \\\/www\\\/lib\\\/private\\\/Route\\\/Router.php(299): call_user_func(Object(Closure), Array)\\n#18 \\\/www\\\/lib\\\/base.php(1010): OC\\\\Route\\\\Router->match('\\\/s\\\/dEV8muxaWcmR...')\\n#19 \\\/www\\\/index.php(40): OC::handleRequest()\\n#20 {main}\",\"File\":\"\\\/www\\\/apps\\\/encryption\\\/lib\\\/Crypto\\\/Encryption.php\",\"Line\":496}","level":3,"time":"2017-03-07T13:43:09+01:00","method":"GET","url":"\/index.php\/s\/dEV8muxaWcmRIVo\/download","user":"--","version":"11.0.1.2"}
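Added example (written for this page, not code from the reporter or from the Nextcloud project): a small Python triage script for the nextcloud.log entries quoted above. It decodes each JSON line, unpacks the nested exception document that Nextcloud 11 embeds in the "message" field, groups entries by reqId, and reports share-link downloads (/index.php/s/<token>/download) whose request ended in DecryptionFailedException, marking whether the request was unauthenticated ("user":"--"). The sample lines are constructed from the two entries in this report (same reqId, token, URL and exception class, with the trace shortened) plus one unrelated constructed entry; the regex and field names are assumptions based only on what the log above shows.

```python
import json
import re
from collections import defaultdict

# Constructed sample, modelled on the two nextcloud.log entries quoted in this
# issue (same reqId, token, URL and exception class; trace shortened) plus one
# unrelated entry so the filter has something to ignore.
SAMPLE_LOG = r'''
{"reqId":"WL6q3C0xlD4Y8papSsgRZgAAAAM","remoteAddr":"","app":"no app in context","message":"Encryption module \"Default encryption module\" is not able to read \/\/files\/bla.JPG","level":2,"time":"2017-03-07T13:43:09+01:00","method":"GET","url":"\/index.php\/s\/dEV8muxaWcmRIVo\/download","user":"--","version":"11.0.1.2"}
{"reqId":"WL6q3C0xlD4Y8papSsgRZgAAAAM","remoteAddr":"","app":"no app in context","message":"Exception: {\"Exception\":\"OC\\\\Encryption\\\\Exceptions\\\\DecryptionFailedException\",\"Message\":\"Encryption module \\\"Default encryption module\\\" is not able to read \\\/files\\\/bla.JPG\",\"Code\":0,\"Trace\":\"#0 \\\/www\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Encryption.php(328): OCA\\\\Encryption\\\\Crypto\\\\Encryption->isReadable('..', NULL)\\n#9 \\\/www\\\/apps\\\/files_sharing\\\/lib\\\/Controller\\\/ShareController.php(534): OC_Files::get('\\\/', '', Array)\\n#20 {main}\",\"File\":\"\\\/www\\\/apps\\\/encryption\\\/lib\\\/Crypto\\\/Encryption.php\",\"Line\":496}","level":3,"time":"2017-03-07T13:43:09+01:00","method":"GET","url":"\/index.php\/s\/dEV8muxaWcmRIVo\/download","user":"--","version":"11.0.1.2"}
{"reqId":"constructed-req-2","remoteAddr":"","app":"files","message":"Constructed unrelated entry","level":1,"time":"2017-03-07T13:44:00+01:00","method":"GET","url":"\/index.php\/apps\/files","user":"alice","version":"11.0.1.2"}
'''

# Share-link downloads (public links and mail shares alike) are served from
# /index.php/s/<token>/download, as the "url" field in the log shows.
SHARE_DOWNLOAD = re.compile(r"^/index\.php/s/(?P<token>[A-Za-z0-9]+)/download$")
EXCEPTION_PREFIX = "Exception: "


def parse_entry(line):
    """Decode one log line. Nextcloud 11 embeds exception details as a JSON
    document inside the 'message' field; decode that too when present."""
    entry = json.loads(line)
    message = entry.get("message", "")
    entry["exception"] = None
    if message.startswith(EXCEPTION_PREFIX):
        try:
            entry["exception"] = json.loads(message[len(EXCEPTION_PREFIX):])
        except json.JSONDecodeError:
            pass  # keep the raw message; it is simply not structured
    return entry


def share_token(entry):
    """Return the share token if the request was a share-link download."""
    match = SHARE_DOWNLOAD.match(entry.get("url", ""))
    return match.group("token") if match else None


def find_encrypted_share_failures(log_text):
    """Group entries by reqId and report share-link downloads whose request
    raised DecryptionFailedException (the symptom described in this issue)."""
    by_request = defaultdict(list)
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = parse_entry(raw)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line; skip rather than abort
        by_request[entry.get("reqId")].append(entry)

    findings = []
    for req_id, entries in by_request.items():
        tokens = [t for t in (share_token(e) for e in entries) if t]
        if not tokens:
            continue
        for entry in entries:
            exc = entry["exception"]
            if not exc or not str(exc.get("Exception", "")).endswith("DecryptionFailedException"):
                continue
            findings.append({
                "reqId": req_id,
                "time": entry.get("time"),
                "token": tokens[0],
                # Nextcloud logs "--" as the user for unauthenticated requests.
                "anonymous": entry.get("user") == "--",
                "message": exc.get("Message"),
                "thrown_at": f"{exc.get('File')}:{exc.get('Line')}",
            })
    return findings


if __name__ == "__main__":
    for finding in find_encrypted_share_failures(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

Run it against a real data/nextcloud.log by passing the file's contents to find_encrypted_share_failures; a finding with "anonymous": true on a share token is exactly the pattern in this report, an unauthenticated share-link download that the encryption module could not serve.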
schiessle (Member) commented Mar 14, 2017

Fix to allow you to access mail shares if the files are encrypted is here: #3751

Sharing per mail shouldn't work without a password.

The "enforce password" setting only applies to public links, as the setting indicates. We consider files shared by mail as something different, more "internal" (even if it is almost the same from a technical point of view). Maybe like a federated share for people who don't have their own Nextcloud. The link shared by mail is never shown in the web interface, in contrast to a public link which you can access on your web UI, post on social media, etc.

Discussions on how we could protect link shares with an additional password can be followed here: #2357
