Nextcloud External Share Bug With URL Rewriters

by TheNnagam

Nextcloud External Share Issues with URL Rewriters: A Bug Report

Hey guys, have you ever run into a situation where sharing files on Nextcloud with external users just doesn't work, especially when those users are using security features like URL rewriters in their email? Well, we've got a bug report to share, detailing exactly this problem. It's a real head-scratcher and a bit of a pain, especially as more and more people use these URL-rewriting services.

The Heart of the Problem: Nextcloud External Shares and URL Rewriters

So, the core issue here revolves around Nextcloud users trying to share files externally via email. When the recipient's email system uses a URL rewriter (a security feature that changes the original link for security reasons), the shared links often break. This leads to a frustrating experience for the recipients. They might not be able to access the files at all or, if they do, they could run into issues uploading files, receiving messages like "Process blocked by access control," even though it's not the case. We've seen this happen with services like Proofpoint's urldefense.com and Libraesva srl's urlsand.esvalabs.com, but the problem could affect other URL rewriters too. We've done some testing and confirmed that if we share with a simple, standard email address without a URL rewriter, everything works perfectly. This inconsistency is the crux of the issue.

Steps to Reproduce the Issue: Sharing Files and External Access

To see this bug in action, here's what you can do:

  1. File Sharing Setup: Start in your Nextcloud interface and go to "Files." Select the folder you wish to share and click on the user icon with the plus sign (the share icon). Then choose "external shares," enter an email address, and set custom permissions (without delete access for the recipient). Hit "Save share."
  2. Email Delivery: Nextcloud will send an email with a link to the shared folder.
  3. URL Rewriting: The problem arises when the recipient's email provider uses a URL rewriter. The original link from Nextcloud is modified, for example, transformed into something like a link from urldefense.com or urlsand.esvalabs.com. These rewritten links are where the trouble begins.
  4. Access Issues: When the recipient clicks on the rewritten link, they might encounter different issues. Sometimes, the link might not work at all, leading to a dead end in the browser. In other cases, they can access the files but can't upload anything, receiving an error message about access control. These errors are misleading because, in the absence of a URL rewriter, the file upload would work.

Unfortunately, we can't provide screenshots as the issue is on the receiver's end and not easily replicated on the sender's side. The issue lies with how the URL rewriter changes the link, which then causes problems with Nextcloud's security checks and file handling.
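
A triage helper for steps 3 and 4 above, added here as an example (it is not code from the report or from Nextcloud): it unwraps a rewritten link and checks whether the share URL that was sent is still intact inside it. The two wrapper layouts, the `/s/<token>` share path and all sample links are assumptions or constructed values, not details given in the report.

```python
import base64
import re
import string
from urllib.parse import parse_qs, urlsplit

# Assumed wrapper layouts (the page names the services, not their link formats):
#   path style : https://urldefense.com/v3/__<url>__;<base64url bytes>!!<tag>$
#                '*' in <url> is one byte from the blob, '**X' a run of bytes
#   query style: https://urlsand.esvalabs.com/?u=<percent-encoded url>&...
V3 = re.compile(r"/v3/__(?P<url>.+?)__;(?P<blob>[^!]*)!")
RUN = {c: n for n, c in enumerate(
    string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_", 2)}
# Assumed public share path: /s/<token>, optionally behind /index.php
SHARE = re.compile(r"^/(?:index\.php/)?s/[A-Za-z0-9]+/?$")

def unwrap(link):
    """Return the URL embedded in a rewritten link, or the link unchanged."""
    m = V3.search(link)
    if m:
        blob = m.group("blob")
        pad = "=" * (-len(blob) % 4)
        chars = iter(base64.urlsafe_b64decode(blob + pad).decode("utf-8", "replace"))
        def fill(tok):  # put the escaped characters back in order
            count = RUN.get(tok.group(1)[1], 1) if tok.group(1) else 1
            return "".join(next(chars, "") for _ in range(count))
        return re.sub(r"\*(\*.)?", fill, m.group("url"))
    inner = parse_qs(urlsplit(link).query).get("u")
    return inner[0] if inner else link

def check_share_link(sent, received):
    """Compare the link Nextcloud mailed with the one the recipient sees."""
    inner = unwrap(received)
    a, b = urlsplit(sent), urlsplit(inner)
    return {
        "rewritten": inner != received,
        "unwrapped": inner,
        "same_origin": (a.scheme, a.netloc.lower()) == (b.scheme, b.netloc.lower()),
        "token_intact": bool(SHARE.match(b.path)) and a.path.rstrip("/") == b.path.rstrip("/"),
    }

# Constructed sample links (not from the report); the query-style one has lost
# the last character of the share token.
SENT = "https://cloud.example.org/s/AbCdEf123456789"
PATH_STYLE = "https://urldefense.com/v3/__" + SENT + "__;!!EXAMPLE!tag$"
QUERY_STYLE = "https://urlsand.esvalabs.com/?u=https%3A%2F%2Fcloud.example.org%2Fs%2FAbCdEf12345678&e=x"

if __name__ == "__main__":
    for link in (SENT, PATH_STYLE, QUERY_STYLE):
        print(check_share_link(SENT, link))
```

If `token_intact` and `same_origin` are both true, the share URL itself survived the rewrite, so the failure has to come from something else in how the recipient reaches the share.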

Expected Behavior: Seamless File Sharing

What we expect is pretty simple: the contacts should open the link and be able to upload files without any issues. The goal here is a smooth experience. If an email user receives a Nextcloud share, they should be able to access and interact with the shared files without any "Process blocked by access control" errors. This includes uploading and downloading files. If the same file uploads without a problem when no URL rewriting program is involved, that points to the rewriter as the cause.

The Impact of the Bug on Users

This bug impacts our ability to seamlessly share files, especially with clients and contacts who use email security services. Since more and more organizations use these services, the issue limits Nextcloud's usefulness. It forces users to find workarounds, like using Google Drive, which defeats the purpose of using a self-hosted cloud solution. This bug, therefore, has real implications for user experience, and it affects Nextcloud's ability to compete in the file-sharing market.

Technical Details and Configuration

For those of you into the nitty-gritty, here’s a quick rundown of the environment:

  • Nextcloud Server Version: 31
  • Operating System: Debian/Ubuntu
  • PHP Engine Version: PHP 8.3
  • Web Server: Apache (supported)
  • Database Engine Version: MySQL
  • Encryption: Disabled
  • User Backend: Default database.

Here’s a snapshot of the configuration report and a list of enabled apps:

{
    "system": {
        "apps_paths": [
            {
                "path": "/snap/nextcloud/current/htdocs/apps",
                "url": "/apps",
                "writable": false
            },
            {
                "path": "/var/snap/nextcloud/current/nextcloud/extra-apps",
                "url": "/extra-apps",
                "writable": true
            }
        ],
        "supportedDatabases": [
            "mysql"
        ],
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "log_type": "file",
        "logfile": "/var/snap/nextcloud/current/logs/nextcloud.log",
        "logfilemode": 416,
        "maintenance_window_start": 1,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "xx.xxx.xxx.xxx",
            "xxx.xxx.xx.xxx",
            "xx.xx.xxx.xxx",
            "xxxx.xxxxx",
            "xxxx.xxxx.xxxx"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.8.1",
        "overwrite.cli.url": "https://xxx.xxxx.xxxx",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "overwritehost": "xxx.xxxxx.xxxx",
        "maintenance": false,
        "mail_smtpmode": "smtp",
        "overwirtecondaddr": "^XX.X.XXX.XXX$",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "XX",
        "default_phone_region": "DE",
        "default_language": "en",
        "loglevel": 2,
        "skeletondirectory": "",
        "theme": "",
        "simpleSignUpLink.shown": false,
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": true,
                "verify_peer": false,
                "verify_peer_name": false
            }
        }
    }
}
Enabled:
  - activity: 4.0.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.3.1
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.2
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_antivirus: 6.0.4
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_versions: 1.24.0
  - groupfolders: 19.1.3
  - guests: 4.5.1
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - photos: 4.0.0
  - previewgenerator: 5.10.0
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - richdocuments: 8.7.4
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - side_menu: 5.1.1
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - theming_customcss: 1.18.0
  - twofactor_backupcodes: 1.20.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - whiteboard: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - admin_audit: 1.21.0
  - encryption: 2.19.0
  - files_external: 1.23.0
  - files_trashbin: 1.21.0 (installed 1.20.1)
  - firstrunwizard: 4.0.0 (installed 3.0.0)
  - nextcloud_announcements: 3.0.0 (installed 2.0.0)
  - onlyoffice: 9.10.0 (installed 9.10.0)
  - password_policy: 3.0.0 (installed 2.0.0)
  - support: 3.0.0 (installed 2.0.0)
  - suspicious_login: 9.0.1
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - user_ldap: 1.22.0

The URL Rewriting Bug: A Roadblock for Nextcloud External Sharing

In our experience, we've found that Nextcloud's external share functionality experiences difficulties when email recipients use URL rewriting services. This happens when the service changes the original Nextcloud sharing link, which leads to access problems. The main concern is that the altered URLs are not correctly processed by Nextcloud's security features, resulting in various problems like access failures and upload restrictions. This issue emphasizes the need for Nextcloud to improve compatibility with URL rewriting services, especially as these services become more common in email security practices.

Why This Matters for Nextcloud Users

The ability to share files with external users smoothly is critical for the success of any cloud storage solution. As more companies and individuals integrate these email security features, this bug significantly diminishes the value of the Nextcloud service. This incompatibility not only frustrates users but also prevents Nextcloud from competing with solutions that handle these situations seamlessly. To stay competitive, Nextcloud must focus on addressing the compatibility issue with URL rewriting services to make sure its file-sharing capabilities are robust and reliable for all users.

What Can Be Done to Fix the Problem?

To resolve this issue, Nextcloud should carefully examine how it handles rewritten URLs. This could involve modifying the system to acknowledge the changes made by URL rewriting services. Additionally, thorough testing is needed to identify all cases where URL rewriting causes problems and make the necessary changes to fix these problems. We think that by tackling this issue directly, Nextcloud can significantly improve the user experience and ensure smooth and reliable file sharing, even when working with email systems that use URL rewriting.

Next Steps and Conclusion

We hope this report provides a clear picture of the problem and its effect on our ability to share files. We're open to any help or additional testing that may be required. We're confident that Nextcloud developers will be able to solve this issue and boost the efficiency and usability of external sharing.