OCA\DAV\Connector\Sabre\Exception\Forbidden: Access denied #195

Open
Delvin127562 opened this issue Mar 4, 2021 · 6 comments

@Delvin127562

Steps to reproduce

  1. Make a filter to block everything except what is mentioned in mime-type.
  2. You should use mime-type for x-rar-compressed.
    My filter looks like
    /^application\/(msexcel|msword|vnd.ms-excel|vnd.ms-powerpoint|vnd.openxmlformats-officedocument.wordprocessingml.document|vnd.openxmlformats-officedocument.spreadsheetml.sheet|vnd.openxmlformats-officedocument.presentationml.presentation|pdf|zip|x-zip-compressed|x-rar-compressed|x-7z-compressed)$|text\/(plain|csv)$|image\/(jpeg|heic|png)|httpd\/unix-directory/I
    This mime-type filter mentions xls, xlsx, doc, docx... and so on, including the "rar" archive
  3. The problem will appear when you try to upload a rar archive file.
    You will see "Access Denied" in the browser. In the logs you will see a fatal error

OCA\DAV\Connector\Sabre\Exception\Forbidden: Access denied

For full error text go to "Nextcloud log" section

Expected behaviour

rar files should not be blocked as they are allowed by mime-type filter

Actual behaviour

I'm getting the error in browser - "Access Denied".

Server configuration detail

Operating system: Linux 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64

Webserver: Apache/2.4.41 (Ubuntu) (apache2handler)

Database: mysql 10.3.25

PHP version:

7.4.3
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, sodium, apache2handler, mysqlnd, PDO, xml, bcmath, bz2, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, imagick, intl, json, exif, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 20.0.2 - 20.0.2.2

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.6.0
 - admin_audit: 1.10.0
 - cloud_federation_api: 1.3.0
 - comments: 1.10.0
 - contactsinteraction: 1.1.0
 - dav: 1.16.1
 - federatedfilesharing: 1.10.1
 - federation: 1.10.1
 - files: 1.15.0
 - files_accesscontrol: 1.10.1
 - files_automatedtagging: 1.10.1
 - files_downloadactivity: 1.9.0
 - files_external: 1.11.1
 - files_retention: 1.9.0
 - files_rightclick: 0.17.0
 - files_sharing: 1.12.0
 - files_trackdownloads: 1.9.0
 - files_trashbin: 1.10.1
 - files_versions: 1.13.0
 - impersonate: 1.7.0
 - issuetemplate: 0.7.0
 - logreader: 2.5.0
 - lookup_server_connector: 1.8.0
 - nextcloud_announcements: 1.9.0
 - notifications: 2.8.0
 - oauth2: 1.8.0
 - password_policy: 1.10.1
 - privacy: 1.4.0
 - provisioning_api: 1.10.0
 - sendent: 1.0.17
 - serverinfo: 1.10.0
 - settings: 1.2.0
 - sharebymail: 1.10.0
 - support: 1.3.0
 - survey_client: 1.8.0
 - systemtags: 1.10.0
 - text: 3.1.0
 - twofactor_backupcodes: 1.9.0
 - updatenotification: 1.10.0
 - user_saml: 3.3.1
 - viewer: 1.4.0
 - workflowengine: 2.2.0
Disabled:
 - activity
 - dashboard
 - deck
 - encryption
 - files_pdfviewer
 - files_videoplayer
 - firstrunwizard
 - photos
 - recommendations
 - richdocuments
 - richdocumentscode
 - theming
 - user_ldap
 - user_status
 - weather_status

Configuration (config/config.php)
{
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "goa-nc.int.domain.com",
        "cloud.domain.com"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "20.0.2.2",
    "overwrite.cli.url": "https:\/\/cloud.domain.com",
    "htaccess.RewriteBase": "\/",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "app_install_overwrite": [
        "files_retention"
    ],
    "log_type": "logfile",
    "logfile": "nextcloud.log",
    "loglevel": 2,
    "logdateformat": "F d, Y H:i:s",
    "log.condition": {
        "apps": [
            "admin_audit"
        ]
    },
    "log_rotate_size": 104857600,
    "trashbin_retention_obligation": "30, 35",
    "logtimezone": "Europe\/Moscow",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_sendmailmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "25",
    "twofactor_enforced": "false",
    "twofactor_enforced_groups": [],
    "twofactor_enforced_excluded_groups": [],
    "maintenance": false
}

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption:

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36

Operating system:

Logs

Web server error log
Insert your web server log here 
Nextcloud log
OCA\DAV\Connector\Sabre\Exception\Forbidden: Access denied
/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 1104:

OCA\DAV\Connector\Sabre\Directory->createFile()

/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 527:

Sabre\DAV\Server->createFile()

/var/www/html/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89:

Sabre\DAV\CorePlugin->httpPut()

/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 474:

Sabre\DAV\Server->emit()

/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 251:

Sabre\DAV\Server->invokeMethod()

/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 319:

Sabre\DAV\Server->start()

/var/www/html/nextcloud/apps/dav/appinfo/v1/publicwebdav.php - line 113:

Sabre\DAV\Server->exec()

/var/www/html/nextcloud/public.php - line 81:

require_once("/var/www/ht ... p")

Caused by OCP\Files\ForbiddenException: Access denied
/var/www/html/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php - line 59:

OCA\FilesAccessControl\Operation->checkFileAccess()

/var/www/html/nextcloud/apps/files_accesscontrol/lib/StorageWrapper.php - line 286:

OCA\FilesAccessControl\StorageWrapper->checkFileAccess()

/var/www/html/nextcloud/apps/dav/lib/Connector/Sabre/File.php - line 300:

OCA\FilesAccessControl\StorageWrapper->unlink()

/var/www/html/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php - line 155:

OCA\DAV\Connector\Sabre\File->put()

/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 1104:

OCA\DAV\Connector\Sabre\Directory->createFile()

/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 527:

Sabre\DAV\Server->createFile()

/var/www/html/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php - line 89:

Sabre\DAV\CorePlugin->httpPut()

/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 474:

Sabre\DAV\Server->emit()

/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 251:

Sabre\DAV\Server->invokeMethod()

/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 319:

Sabre\DAV\Server->start()

/var/www/html/nextcloud/apps/dav/appinfo/v1/publicwebdav.php - line 113:

Sabre\DAV\Server->exec()

/var/www/html/nextcloud/public.php - line 81:

require_once("/var/www/ht ... p")
Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

@Delvin127562

Anyone?

@Delvin127562

I understand that this software is free, but maybe you can point out where I can look to correct this bug?

@Delvin127562

A friend of mine helped me a little. He added some lines in apps/workflowengine/lib/Check/AbstractStringCheck.php to debug the problem.

                file_put_contents('superdebug.log',"pattern: $pattern, subject: $subject \n", FILE_APPEND | LOCK_EX);
                $this->matches[$patternHash][$subjectHash] = preg_match($pattern, $subject);
                return $this->matches[$patternHash][$subjectHash];

As a result, he found that if you try to upload a zip file, the system will recognise it as:

httpd/unix-directory
application/zip

This can be logically true, as a zip file is a folder in some way.
But when you try to upload a rar file, you can see that the system recognises it as:

httpd/unix-directory
application/x-rar-compressed
application/octet-stream

And yes, if you add application/octet-stream to the mime filter string, rar files will become allowed.
Unfortunately, it cannot be a solution, only a very bad workaround, as application/octet-stream will allow uploading to the cloud, for example, vb scripts, which is not acceptable at all...
My friend supposes that the problem is in lib/private/Files/Type/Detection.php, but my knowledge does not allow me to dig deeper and he has no time to help me further...
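
Added example (not part of the original post or of Nextcloud's code): the posted filter replayed in Python against the MIME types the debug line recorded, next to a hypothetical stricter pattern. It assumes the trailing flag means case-insensitive matching and that an upload is refused as soon as one checked type fails to match; `STRICT` and the probe strings are constructed for illustration.

```python
import re

# Filter as posted in the issue (delimiters removed). The trailing flag is
# assumed to mean case-insensitive matching.
APP_TYPES = (
    "msexcel|msword|vnd.ms-excel|vnd.ms-powerpoint"
    "|vnd.openxmlformats-officedocument.wordprocessingml.document"
    "|vnd.openxmlformats-officedocument.spreadsheetml.sheet"
    "|vnd.openxmlformats-officedocument.presentationml.presentation"
    "|pdf|zip|x-zip-compressed|x-rar-compressed|x-7z-compressed"
)
POSTED = (r"^application\/(" + APP_TYPES + r")$|text\/(plain|csv)$"
          r"|image\/(jpeg|heic|png)|httpd\/unix-directory")

# Hypothetical stricter form: one anchored group, dots matched literally.
STRICT = (r"^(?:application/(?:" + APP_TYPES.replace(".", r"\.") + r")"
          r"|text/(?:plain|csv)|image/(?:jpeg|heic|png)|httpd/unix-directory)$")

# MIME types the debug line in the post recorded for each upload.
ZIP_CHECKS = ["httpd/unix-directory", "application/zip"]
RAR_CHECKS = ["httpd/unix-directory", "application/x-rar-compressed",
              "application/octet-stream"]


def allowed(pattern, mime):
    """Like preg_match(): true if the pattern matches anywhere in the string."""
    return re.search(pattern, mime, re.IGNORECASE) is not None


def first_denied(pattern, checks):
    """Assumed model: the upload is refused at the first type that fails."""
    return next((m for m in checks if not allowed(pattern, m)), None)


def accepted_lookalikes(pattern):
    """Constructed strings that are not on the allowlist but may still match."""
    probes = ["image/png-other", "x-text/plain", "application/vndXms-excel"]
    return [p for p in probes if allowed(pattern, p)]


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("strict", STRICT)):
        print(name, first_denied(pat, ZIP_CHECKS),
              first_denied(pat, RAR_CHECKS), accepted_lookalikes(pat))
```

Both patterns stop at application/octet-stream for the rar upload, so tighter anchoring narrows the allowlist without changing the denial reported here.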

@Delvin127562

Delvin127562 commented Mar 24, 2021

As another workaround, I made some custom mime types for file types like ps1, vbs, ico and so on, and added them to /var/www/html/nextcloud/config/mimetypemapping.json
Now I can add application/octet-stream to my filter and use rar files in the cloud, but it is not a good way to resolve this problem. That's why I'm still waiting for some answers and for my problem to be resolved at last...

@nickvergessen
Member

It should end with application/x-rar-compressed
But maybe the bug about .part files, which we fixed recently, interfered. So maybe you can retry it with the upcoming versions?

@Draecal

Draecal commented Jun 6, 2023

I do also have this issue, mainly while trying to send a file through Talk.

Logs contain all .part files like this one: OCP\Files\ForbiddenException: Access denied to image/jpeg in Folder Talk/IMG-20230606-WA0002.jpg.ocTransferId1815827252.part
