
NC13b3 regression: Reset Password no longer works #7574

Closed
nursoda opened this issue Dec 19, 2017 · 2 comments

Comments

@nursoda

nursoda commented Dec 19, 2017

Steps to reproduce

  1. call login page, enter an existing user name but a wrong password
  2. click on "Forgot password?", receive mail, click on the reset link (https://seyfarth.de/cloud/index.php/lostpassword/set/TOKEN/USER)
  3. a window to enter a new password appears, enter a new password that satisfies the policy you set

Expected behaviour

The new password should be accepted and set, a confirmation should be displayed.

Actual behaviour

In Chrome, I get HTTP ERROR 405. In Firefox I get "Access denied / CSRF check failed". Unsure whether the new password is set.

Server configuration

Operating system: Debian Stretch (up to date)
Web server: Apache 2.4.10
Database: MySQL 5.5.58
PHP version: 5.6.30

Nextcloud version: 13.0.0 Beta 3
Updated from an older Nextcloud/ownCloud or fresh install: Upgraded from 12.0.4
Where did you install Nextcloud from: admin page / installer
Signing status: no errors upon signing: http://example.com/index.php/settings/integrity/failed reports "No errors have been found." Warnings upon PHP 5.6 though. (BTW, what will happen to Debian users if the next Debian version isn't released before NC 14?)

List of activated apps:

Enabled:
- activity: 2.6.1
- admin_audit: 1.3.0
- apporder: 0.4.1
- bookmarks: 0.10.1
- bruteforcesettings: 1.0.3
- calendar: 1.5.7
- cms_pico: 0.9.6
- comments: 1.3.0
- contacts: 2.0.1
- dav: 1.4.5
- external: 3.0.0
- federatedfilesharing: 1.3.1
- federation: 1.3.0
- files: 1.8.0
- files_markdown: 2.0.1
- files_pdfviewer: 1.2.0
- files_retention: 1.2.0
- files_sharing: 1.5.0
- files_texteditor: 2.5.1
- files_trashbin: 1.3.0
- files_versions: 1.6.0
- files_videoplayer: 1.2.0
- gallery: 18.0.0
- groupfolders: 1.1.0
- impersonate: 1.0.2
- logreader: 2.0.0
- lookup_server_connector: 1.1.0
- mail: 0.7.6
- nextcloud_announcements: 1.2.0
- notifications: 2.1.2
- oauth2: 1.1.0
- ownbackup: 17.5.0
- password_policy: 1.3.0
- polls: 0.8.0
- provisioning_api: 1.3.0
- serverinfo: 1.3.0
- sharebymail: 1.3.0
- spreed: 2.9.0
- systemtags: 1.3.0
- theming: 1.4.1
- twofactor_backupcodes: 1.2.3
- twofactor_totp: 1.4.0
- updatenotification: 1.3.0
- workflowengine: 1.3.0

Disabled:
- checksum
- encryption
- files_external
- firstrunwizard
- survey_client
- tasks
- user_external
- user_ldap

Nextcloud configuration:

{
  "system": {
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
      "seyfarth.de"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "https:\/\/seyfarth.de\/cloud",
    "dbtype": "mysql",
    "version": "13.0.0.8",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "logtimezone": "Europe\/Berlin",
    "installed": true,
    "trashbin_retention_obligation": "auto,90",
    "versions_retention_obligation": "90,auto",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "filelocking.enabled": "true",
    "redis": {
      "host": "***REMOVED SENSITIVE VALUE***",
      "port": 6379,
      "timeout": 0
    },
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "php",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "defaultapp": "calendar",
    "maintenance": false,
    "loglevel": 2,
    "theme": "",
    "appstore.experimental.enabled": true,
    "updater.release.channel": "beta",
    "mail_smtpauthtype": "PLAIN",
    "mail_smtpsecure": "tls",
    "mail_smtpauth": 1
  }
}

Are you using external storage, if yes which one: no
Are you using encryption: no
Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox 57 / Chrome 63
Operating system: W10

Logs

Web server error log: No entry while doing password reset.

But I see this:
[ssl:error] AH02032: Hostname www.seyfarth.de provided via SNI and hostname seyfarth.de provided via HTTP are different
Yet, Let's Encrypt seems to be correct:
Certificate Name: seyfarth.de
Domains: www.seyfarth.de seyfarth.de
Expiry Date: 2018-03-07 22:32:14+00:00 (VALID: 78 days)
Paths: ...

Nextcloud log (data/nextcloud.log): No entry while doing password reset.

Browser log: seems not relevant, is it?

@blizzz blizzz added this to the Nextcloud 13 milestone Dec 19, 2017
@rullzer rullzer self-assigned this Dec 19, 2017
rullzer added a commit that referenced this issue Dec 19, 2017
Fixes #7574

During some refactoring the event linked to password reset got removed.
This meant that we just submitted a normal POST but without the CSRF
token. And none of the js magic to redirect afterwards.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
@rullzer
Member

rullzer commented Dec 19, 2017

Fix in #7576
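The commit message above gives the failure mode: with the form's submit handler gone, the browser sends a plain form POST that carries no request token, the server's CSRF check rejects it, and the JavaScript that would have redirected on success never runs. The block below is an added example, not Nextcloud's code and not code from anyone in this thread, that models both sides in plain Node-runnable JavaScript so the two paths can be compared. It assumes the page exposes the token to scripts and the server reads it back from a `requesttoken` header or form field (that is my understanding of Nextcloud's convention, treated here as an assumption); the 403 status, the "Access denied: CSRF check failed" text, the `/index.php/login` redirect target and the session token value are constructed placeholders.

```javascript
// Added example, not Nextcloud's code: a model of the CSRF-token check on
// the password-reset endpoint and of the two ways the browser can submit
// the form. The `requesttoken` name follows what I assume Nextcloud's
// convention to be; status code, message text and token are placeholders.

// Constant-time comparison so the check does not leak how many leading
// characters of a guessed token matched.
function tokensMatch(presented, expected) {
  if (typeof presented !== "string" || typeof expected !== "string") return false;
  if (presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < presented.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Server side: the check a CSRF-protected controller runs before it
// touches the password. The token may arrive as a header (XHR) or as a
// form field; anything else is rejected before the body is acted on.
function checkCsrf(req, sessionToken) {
  const fromHeader = req.headers && req.headers.requesttoken;
  const fromBody = req.body && req.body.requesttoken;
  const presented = fromHeader !== undefined ? fromHeader : fromBody;
  if (!tokensMatch(presented, sessionToken)) {
    // The generic access-denied page the reporter saw in Firefox (placeholder).
    return { ok: false, status: 403, message: "Access denied: CSRF check failed" };
  }
  return { ok: true, status: 200, message: "password set" };
}

// Client side, broken state: no submit handler, so the browser performs a
// native form POST. Only the visible fields travel; no token is attached.
function nativeFormPost(fields) {
  return {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: Object.assign({}, fields),
  };
}

// Client side, fixed state: the handler reads the token the server rendered
// into the page and sends it as a header. The reader is injected so this
// runs without a DOM; in a browser it would read it from the document.
function scriptedPost(fields, readRequestToken) {
  return {
    method: "POST",
    headers: { "content-type": "application/json", requesttoken: readRequestToken() },
    body: Object.assign({}, fields),
  };
}

// The "js magic to redirect afterwards": navigate only on a successful
// reply; otherwise surface the error in-page instead of leaving the user
// on a bare error response.
function handleResetResponse(result, navigate) {
  if (result.ok) {
    navigate("/index.php/login"); // placeholder target
    return "redirected";
  }
  return "error: " + result.message;
}

// End-to-end run of one path against a given session token.
function simulate(withHandler, sessionToken) {
  const fields = { password: "a-new-password-that-meets-policy" }; // constructed
  const req = withHandler
    ? scriptedPost(fields, () => sessionToken)
    : nativeFormPost(fields);
  const visited = [];
  const outcome = handleResetResponse(checkCsrf(req, sessionToken), (url) => visited.push(url));
  return { outcome, visited };
}

// Constructed session token for the stand-alone run (not a real token).
const DEMO_TOKEN = "demo-session-token-0123456789";
console.log("without handler:", simulate(false, DEMO_TOKEN));
console.log("with handler:   ", simulate(true, DEMO_TOKEN));
```

Running it prints the rejected outcome for the native POST and the redirect for the scripted one. The point worth keeping from the model is that the server-side check is doing its job in both cases: the regression was purely on the client, where the only code path that knew how to attach the token was removed, which is why the symptom looked like a CSRF failure rather than a password-reset bug.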

@nursoda
Author

nursoda commented Dec 19, 2017

Is there some connection to the observations described in the first comment of nextcloud/contacts#453?

Might this (and other issues I encounter) be caused by an over-protective cross-site policy? The reason I ask is the browser JS and web server error log entries above, possibly caused by not honoring "Alternative DNS names" within the web server TLS certificate?

Browser console:
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'nonce-NGRPZTRSdW45empjcHF3YUUwK0MwUXE3a1VrS3lWV2Fua3YrRXJOTldLUT06cTc2cTJFM2pyV3l3OVBaVFd6L3ovbWFPL25saG5SYko3VE9mS3Njdkdldz0=' 'unsafe-eval'"). Source: ondrop attribute on INPUT element. contacts

Webserver error log:
[ssl:error] AH02032: Hostname www.seyfarth.de provided via SNI and hostname seyfarth.de provided via HTTP are different
Let's Encrypt seems to be correct: Certificate Name: seyfarth.de, Domains: www.seyfarth.de seyfarth.de
