⚠️ This issue respects the following points: ⚠️
Bug description
Apparently, when using RewriteRule . index.php [PT,E=PATH_INFO:$1] (installed by maintenance:update:htaccess) the <If "%{REQUEST_URI} =~ m#/login$#"> in the default .htaccess is no longer matching, as %{REQUEST_URI} now only contains index.php.
This leads to the wrong Referrer-Policy being set in the <If ...>...<Else> part.
Steps to reproduce
- Install nextcloud on apache2
- Set overwrite.cli.url and htaccess.RewriteBase and run occ maintenance:update:htaccess
- curl -D - -o /dev/null .../login
- Notice that Referrer-Policy is set to no-referrer
Expected behavior
Referrer-Policy should be same-origin as stated in .htaccess.
Nextcloud Server version
33
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.4
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.prauscher.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "33.0.3.2",
        "overwrite.cli.url": "https:\/\/cloud.prauscher.de",
        "htaccess.RewriteBase": "\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 1,
        "default_phone_region": "de",
        "maintenance_window_start": 5,
        "memcache.local": "\\OC\\Memcache\\Memcached",
        "memcache.locking": "\\OC\\Memcache\\Memcached",
        "memcache.distributed": "\\OC\\Memcache\\Memcached",
        "memcached_servers": [
            [
                "localhost",
                11211
            ]
        ],
        "mail_smtpmode": "sendmail",
        "mail_sendmailmode": "smtp",
        "memories.db.triggers.fcu": true,
        "memories.exiftool": "\/var\/www\/nextcloud\/apps\/memories\/bin-ext\/exiftool-amd64-glibc",
        "memories.vod.path": "\/var\/www\/nextcloud\/apps\/memories\/bin-ext\/go-vod-amd64"
    }
}
List of activated Apps
Enabled:
- activity: 6.0.0
- audioplayer: 3.8.0
- calendar: 6.4.0
- calendar_resource_management: 0.12.0
- circles: 33.0.0
- cloud_federation_api: 1.17.0
- comments: 1.23.0
- contacts: 8.4.5
- contactsinteraction: 1.14.1
- dashboard: 7.13.0
- dav: 1.36.0
- federatedfilesharing: 1.23.0
- federation: 1.23.0
- files: 2.5.0
- files_downloadlimit: 5.1.0
- files_pdfviewer: 6.0.0
- files_reminders: 1.6.0
- files_sharing: 1.25.2
- files_trashbin: 1.23.0
- files_versions: 1.26.0
- firstrunwizard: 6.0.0
- logreader: 6.0.0
- lookup_server_connector: 1.21.0
- mail: 5.7.15
- memories: 8.0.1
- nextcloud_announcements: 5.0.0
- notifications: 6.0.0
- oauth2: 1.21.0
- password_policy: 5.0.0
- photos: 6.0.0
- privacy: 5.0.0
- profile: 1.2.0
- provisioning_api: 1.23.0
- recommendations: 6.0.0
- related_resources: 4.0.0
- richdocuments: 10.1.3
- serverinfo: 5.0.0
- settings: 1.16.0
- sharebymail: 1.23.0
- support: 5.0.0
- survey_client: 5.0.0
- systemtags: 1.23.0
- text: 7.0.1
- theming: 2.8.0
- twofactor_backupcodes: 1.22.0
- twofactor_totp: 15.0.0
- updatenotification: 1.23.0
- user_status: 1.13.0
- viewer: 6.0.0
- weather_status: 1.13.0
- webhook_listeners: 1.5.0
- workflowengine: 2.15.0
Disabled:
- admin_audit: 1.23.0
- app_api: 33.0.0 (installed 32.0.0)
- bruteforcesettings: 6.0.0 (installed 2.4.0)
- encryption: 2.21.0
- files_external: 1.25.1
- files_rightclick: 0.15.1 (installed 1.6.0)
- suspicious_login: 11.0.0
- testing: 1.23.0
- twofactor_nextcloud_notification: 7.0.0
- user_ldap: 1.24.0
Nextcloud Signing status
No errors have been found.
Nextcloud Logs
Additional info
No response
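A regression check for the behaviour described in this report, added here as an example (it is not part of the original issue or of Nextcloud's code): it reads a header dump as produced by `curl -D -` and compares the final response's Referrer-Policy with the value the report expects for the path. The function names, the `BASE_URL` variable and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: check Referrer-Policy in a header dump from `curl -D -`.
# Live use (BASE_URL is a hypothetical variable holding your instance URL):
#   curl -sS -D - -o /dev/null "$BASE_URL/login" | check_policy /login

# Policy the report expects for a request path. Assumption: paths ending in
# /login get same-origin, everything else takes the <Else> value no-referrer.
expected_policy() {
    case "$1" in
        */login) echo "same-origin" ;;
        *)       echo "no-referrer" ;;
    esac
}

# Print the Referrer-Policy value(s) of the LAST response block on stdin
# (curl prints one block per redirect hop). Header names are matched
# case-insensitively and CRLF line endings are stripped.
final_policy() {
    tr -d '\r' | awk '
        /^HTTP\// { n = 0 }   # status line: a new response block starts
        {
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == "referrer-policy") {
                v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                vals[n++] = v
            }
        }
        END { for (k = 0; k < n; k++) printf "%s%s", (k ? "," : ""), vals[k]; print "" }'
}

# Compare the headers on stdin with the expectation for path $1.
check_policy() {
    want=$(expected_policy "$1")
    got=$(final_policy)
    if [ "$got" = "$want" ]; then
        echo "OK   $1 Referrer-Policy=$got"; return 0
    fi
    echo "FAIL $1 Referrer-Policy=${got:-<missing>} (expected $want)"; return 1
}

# Constructed samples (not captured from a real server).
SAMPLE_REPORTED=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nreferrer-policy: no-referrer\r\n\r\n')
SAMPLE_EXPECTED=$(printf 'HTTP/1.1 302 Found\r\nLocation: /index.php/login\r\nReferrer-Policy: no-referrer\r\n\r\nHTTP/1.1 200 OK\r\nReferrer-Policy: same-origin\r\n\r\n')

printf '%s\n' "$SAMPLE_REPORTED" | check_policy /login || true
printf '%s\n' "$SAMPLE_EXPECTED" | check_policy /login || true
```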