[OC 9.0.2.2] Infinite loop in admin backend due to server setup / integrity check #25058

Closed
xshadow opened this issue Jun 10, 2016 · 21 comments

@xshadow

xshadow commented Jun 10, 2016

Expected behaviour

Admin backup should work without any problems if lib/imap.php is customized. Only report that the integrity check failed.

Actual behaviour

The admin page is unusable because it's reloaded every three seconds.

Server setup and security check function is called again and again.

In the logs there could be found:
"{core} User backend OC_User_IMAP already initialized."

Server configuration

Operating system: Debian 8

Web server: Apache 2.4

Database: mysql Ver 14.14 Distrib 5.6.31,

PHP version: PHP 7.0.7-1~dotdeb+8.1 (cli) ( NTS ),

ownCloud version: 9.0.2.2

Updated from an older ownCloud or fresh install: Updated from an older version

Where did you install ownCloud from: gz-package from download page

Signing status (ownCloud 9.0 and above): failed

Modifications in lib/imap.php are valid. Not yet merged owncloud-archive/apps#2093

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- imap
    - EXCEPTION
        - Exception
        - App not found
- user_external
    - INVALID_HASH
        - lib/imap.php
- Application to check
    - EXCEPTION
        - Exception
        - App not found

Raw output
==========
Array
(
    [imap] => Array
        (
            [EXCEPTION] => Array
                (
                    [class] => Exception
                    [message] => App not found
                )

        )

    [user_external] => Array
        (
            [INVALID_HASH] => Array
                (
                    [lib/imap.php] => Array
                        (
                            [expected] => d4ebccdc4a2f2a97456c666ef6f6608ed631ceaee3f605e270df88be08a1c3e2c3b6944f07a271612bc6fa79b708c0d9a2ee54b310e68255c415f46904665efa
                            [current] => 2b57473d0fb8855b1c4d9d24eb033efb8bf4f62cfaabbcfedf7319f282b79b76bca77664d0847b2bd43964b67db3c51c2dfc5291638931e4cc815fc88f4a3a57
                        )

                )

        )

    [Application to check] => Array
        (
            [EXCEPTION] => Array
                (
                    [class] => Exception
                    [message] => App not found
                )

        )

)

List of activated apps:

Enabled:
  - activity: 2.2.1
  - calendar: 1.2.2
  - comments: 0.2
  - contacts: 1.2.0.0
  - dav: 0.1.6
  - documents: 0.12.0
  - encryption: 1.2.0
  - federatedfilesharing: 0.1.0
  - federation: 0.0.4
  - files: 1.4.4
  - files_pdfviewer: 0.8.1
  - files_sharing: 0.9.1
  - files_texteditor: 2.1
  - files_trashbin: 0.8.0
  - files_versions: 1.2.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - galleryplus: 15.0.0
  - news: 8.8.0
  - notes: 2.0.1
  - notifications: 0.2.3
  - provisioning_api: 0.4.1
  - systemtags: 0.2
  - templateeditor: 0.1
  - updatenotification: 0.1.0
  - user_external: 0.4
Disabled:
  - external
  - files_external
  - gallery
  - user_ldap

The content of config/config.php:

<?php
$CONFIG = array (
  'forcessl' => true,
  'logdateformat' => 'Y-m-d H:i:s.u',
  'log_type' => 'syslog',
  'syslog_tag' => 'ownCloud',
  'loglevel' => 0,
  'mail_domain' => 'foobar.com',
  'mail_from_address' => 'foobar-owncloud',
  'mail_smtpmode' => 'php',
  'remember_login_cookie_lifetime' => '1296000',
  'session_keepalive' => true,
  'session_lifetime' => '86400',
  'trashbin_retention_obligation' => 'auto, 15',
  'trusted_proxies' => 
  array (
    0 => '192.168.2.4',
  ),
  'instanceid' => 'XXX',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' => 
  array (
    0 => 'cloud.foobar.com',
  ),
  'datadirectory' => '/var/www/cloud.foobar.com/www/data',
  'overwrite.cli.url' => 'https://cloud.foobar.com',
  'dbtype' => 'mysql',
  'version' => '9.0.2.2',
  'dbname' => 'syscloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => '',
  'dbuser' => 'syscloud',
  'dbpassword' => 'XXX',
  'logtimezone' => 'UTC',
  'installed' => true,
  'default_language' => 'de',
  'mail_smtpsecure' => 'ssl',
  'user_backends' => 
  array (
    0 => 
    array (
      'class' => 'OC_User_IMAP',
      'arguments' => 
      array (
        0 => '{mail.foobar.com:993/imap/ssl}',
        1 => 'foobar.com',
      ),
    ),
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'mail_smtphost' => 'mail.foobar.com',
  'mail_smtpport' => '587',
  'theme' => '',
  'maintenance' => false,
  'appstore.experimental.enabled' => false,
);


Are you using external storage, if yes which one: local/smb/sftp/...
No

Are you using encryption: yes/no
No

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
Yes , Imap

Client configuration

Browser: FF46.0.1

Operating system: Debian 8

@PVince81
Contributor

@xshadow try with this: #25035

It will add a delay before reloading.

@xshadow
Author

xshadow commented Jun 10, 2016

There is still an infinite loop, but the imap exception above is gone.

Owncloud Log:

Jun 10 14:30:05 cloud ownCloud[17498]: {core} User backend OC_User_IMAP already initialized 

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
    - INVALID_HASH
        - core/js/js.js
        - core/js/tests/specs/coreSpec.js
- user_external
    - INVALID_HASH
        - lib/imap.php

Raw output
==========
Array
(
    [core] => Array
        (
            [INVALID_HASH] => Array
                (
                    [core/js/js.js] => Array
                        (
                            [expected] => 5271cd028eb4c232cc2d535f65f2597207f71708b67318c5251006297b858387aa90f8deb23a565f81e7c77737353d1f84229d70a983deafb25861b47d7f5baf
                            [current] => 22d66716221968912d2a116c1bb9bb8cff5cc3a415b8ba9608987b4998a32853b84882da45331dac6a2308711033049f03f6acab80485abb839ebbcd3fa9668f
                        )

                    [core/js/tests/specs/coreSpec.js] => Array
                        (
                            [expected] => d6e0f0af26fe8513951f394750933bc87ec3bfc564c2cc4fd0a5e0c3c05a78a290856d9b35008547636954738fe068a45b41ee304e0fa369412e5603465abfb8
                            [current] => c0ae140e5ee1a26395aec94b765eea3bdd6898c29369256959cb1550e69dc9e80b5e25a99aa14d157a6b7ff873ec8b9855f3b6516384e2ed478ea60b687a3423
                        )

                )

        )

    [user_external] => Array
        (
            [INVALID_HASH] => Array
                (
                    [lib/imap.php] => Array
                        (
                            [expected] => d4ebccdc4a2f2a97456c666ef6f6608ed631ceaee3f605e270df88be08a1c3e2c3b6944f07a271612bc6fa79b708c0d9a2ee54b310e68255c415f46904665efa
                            [current] => 2b57473d0fb8855b1c4d9d24eb033efb8bf4f62cfaabbcfedf7319f282b79b76bca77664d0847b2bd43964b67db3c51c2dfc5291638931e4cc815fc88f4a3a57
                        )

                )

        )

)

@PVince81
Contributor

The PR doesn't fix the exception, it only adds a delay before the page reload.

Where are you seeing an infinite loop ?

@xshadow
Author

xshadow commented Jun 10, 2016

The '/settings/admin' page is reloaded every five seconds and the Security and setup warnings test runs again

@xshadow
Author

xshadow commented Jun 10, 2016

But now there is something in the apache error.log

"[Fri Jun 10 14:46:16.401646 2016] [authz_core:error] [pid 24596:tid 140336152102656] [client 192.168.2.4:40017] AH01630: client denied by server configuration: /var/www/cloud.foobar.com/www/data/.ocdata"

@PVince81
Contributor

Do you have any other setup warnings ? Usually the page reload only happens if one of the ajax calls is having trouble connecting to the server (redirects or insecure connections).

You could check the network tab

@xshadow
Author

xshadow commented Jun 10, 2016

In the backend there is also:

Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root

But that seems to be a false positive, because the apache log message:

[Fri Jun 10 14:46:16.401646 2016] [authz_core:error] [pid 24596:tid 140336152102656] [client 192.168.2.4:40017] AH01630: client denied by server configuration: /var/www/cloud.foobar.com/www/data/.ocdata

is generated due to this .htaccess I assume and AllowOverride in the vhost configuration is set to "All" .

@PVince81
Contributor

@xshadow can you check the network console in the admin page. There is a call to ".ocdata" and check what the response code is. The warning would show if the response is neither 403, 301 or 307. Maybe the response was something different ?

@xshadow
Author

xshadow commented Jun 10, 2016

The loop occurred and warn message after an upgrade from 9.0.0 --> 9.0.1

Response Code for GET on .ocdata is 302

@PVince81
Contributor

Hmmm okay... so that's also some kind of redirect.
What's in the "Location" header of that response ?

PVince81 added this to the 9.0.3-current-maintenance milestone Jun 10, 2016
@xshadow
Author

xshadow commented Jun 10, 2016

Response Code 302 - Found

Location: "http://cloud.foobar.com/apps/files/"

But should be https and it gets blocked due to mixed content policy. Output from firebug security tab

Blocked loading mixed active content "http://cloud.foobar.com/apps/files/

Additional Info:

SSL - termination is done on a frontend server and all requests from there get proxied to the owncloud instance on another server

@PVince81
Contributor

@xshadow had a conversation with someone on IRC who also had a strange redirect, maybe your situation is similar ?

<Jay2k1> PVince81: got it! the ssl vhost includes a generic SSL config from Let's Encrypt (where i got my cert from)
<PVince81> ah, great
<Jay2k1> in that config there's a line 'AcceptPathInfo Off'
<Jay2k1> when i uncomment that, it works

@xshadow
Author

xshadow commented Jun 15, 2016

Thank you @PVince81 for sticking with the error.

In my opinion, fixing this error by reconfiguring apache [1] is not the proper way. No additional apache configuration should be necessary.

Owncloud should honor the 'overwrite.cli.url' url which is set in the content and set the Location Header accordingly.

1: https://httpd.apache.org/docs/2.4/mod/core.html#acceptpathinfo

@PVince81
Contributor

> No additional apache configuration should be necessary

It depends what you mean by that. By default when installing ownCloud the documentation already states that you need to configure Apache properly: https://doc.owncloud.org/server/9.0/admin_manual/installation/source_installation.html#apache-web-server-configuration

So I'm not sure whether this falls under that category.
I'm no expert in that regard so I'm not sure whether Apache/PHP would provide a different/correct way of working with paths when the value of "acceptpathinfo" is different. Maybe something can be tweaked there, not sure.

@PVince81
Contributor

Also note that "overwrite.cli.url" is only used for the command line side and doesn't affect web UI requests. Maybe a similar setting would be required for web requests ?

@xshadow
Author

xshadow commented Jun 15, 2016

The problem is that the Location header sets the protocol to http instead of https, and that should be done on the ownCloud software side and not fixed via apache configuration.

@PVince81
Contributor

I'm not sure whether that "Location: " header in this specific case is really set by ownCloud.
I thought it was set by something else.

If it is set by ownCloud, then it should use the values from "overwritehost" and "overwriteprotocol". If "overwriteprotocol" is set to "https" then it should already work. I don't see these in your config.php, can you try setting them ?

@xshadow
Author

xshadow commented Jun 15, 2016

Awesome :) - That does the trick, no more errors. And the web interface responds correctly.
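
The probe behaviour discussed in this thread, as an added example that is not part of the original issue or ownCloud's own code: it applies the status rule PVince81 describes (403, 301 or 307 counts as protected) and flags a redirect whose Location drops from https to http, the case reported behind the TLS-terminating frontend. The function name, the finding labels and the probe URL path are assumptions made for illustration.

```javascript
// Added example: classify the admin page's probe of <datadir>/.ocdata.
// Function name, finding labels and sample responses are constructed.

// Statuses the thread says suppress the "data directory accessible" warning.
const PROTECTED_STATUSES = new Set([403, 301, 307]);
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

function diagnoseProbe(probeUrl, status, locationHeader) {
  const probe = new URL(probeUrl);
  const findings = [];
  let target = null;

  if (REDIRECT_STATUSES.has(status) && locationHeader) {
    // Location may be relative; resolve it against the probed URL as a browser does.
    target = new URL(locationHeader, probe);
    if (probe.protocol === 'https:' && target.protocol === 'http:') {
      // An https page following this redirect is blocked as mixed active content.
      findings.push('scheme-downgrade');
      if (target.host === probe.host) {
        // Same host, wrong scheme: the backend builds URLs without knowing
        // that TLS was terminated on the frontend proxy.
        findings.push('backend-unaware-of-tls-proxy');
      }
    }
  }
  if (!PROTECTED_STATUSES.has(status)) {
    findings.push('data-dir-warning-shown');
  }
  return { status, target: target ? target.href : null, findings };
}

// Constructed samples modelled on the values reported in the thread;
// the /data/.ocdata path is an assumed URL for the data directory.
const PROBE = 'https://cloud.foobar.com/data/.ocdata';
const reported = diagnoseProbe(PROBE, 302, 'http://cloud.foobar.com/apps/files/');
const denied = diagnoseProbe(PROBE, 403, null);

console.log('302 case:', reported.findings.join(', '));
console.log('403 case:', denied.findings.length === 0 ? 'no findings' : denied.findings.join(', '));
```

A `scheme-downgrade` finding on the same host points at the backend's URL generation rather than at the `.htaccess` rules, which matches the fix that worked here: setting "overwriteprotocol" to "https" in config.php.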

@ownclouders
Contributor

Hey, this issue has been closed because the label needs info is set and there were no updates for 14 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.)

@lock

lock bot commented Jul 31, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock bot locked as resolved and limited conversation to collaborators Jul 31, 2019