[Bug]: Undefined array key "filesystem" at LockdownManager.php#80

[biredel]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Unhandled exception (in conjunction with silently incorrect file listing): Undefined array key "filesystem" at /nc/lib/private/Lockdown/LockdownManager.php#80

Steps to reproduce

1. do not use / clear cookies of sessions created in nextcloud versions before v28.0.7rc3
2. login via user_saml backend (read: no password)
3. try to access file
4. observe incorrectly empty file listing, observe warning in logs

Expected behavior

Expected to see all my files (which are still there, according to occ files:scan)
If that is impossible, I expect nextcloud to deal with whatever is wrong with my session, possibly resetting authentication.
If that is also impossible, I expect to see the internal server error page and find something in the logs that spells out what is wrong.

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Updated from a MINOR version (ex. 22.1 to 22.2)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "version": "28.0.7.2",
        "config_is_read_only": true,
        "has_internet_connection": false,
        "connectivity_check_domains": [],
        "check_for_working_wellknown_setup": false,
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance_window_start": 21,
        "debug": false,
        "default_phone_region": "DE",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "updatechecker": false,
        "upgrade.disable-web": true,
        "updater.server.url": "***REMOVED SENSITIVE VALUE***",
        "updater.release.channel": "stable",
        "skeletondirectory": "",
        "default_language": "de",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "htaccess.RewriteBase": "\/",
        "allow_local_remote_servers": true,
        "loglevel": 2,
        "log_type": "syslog",
        "syslog_tag": "nextcloud",
        "logfile": "",
        "logdateformat": "Y-m-d H:i:s",
        "logtimezone": "UTC",
        "log.condition": {
            "apps": [
                "admin_audit"
            ]
        },
        "log_type_audit": "syslog",
        "syslog_tag_audit": "nextcloud",
        "logfile_audit": "",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcached_servers": [],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "maintenance": false,
        "knowledgebaseenabled": false,
        "enable_previews": true,
        "allow_user_to_change_display_name": false,
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": 1,
        "trashbin_retention_obligation": "14, 60",
        "mail_send_plaintext_only": true,
        "theme": ""
    }
}

List of activated Apps

Enabled:
  - activity: 2.20.0
  - admin_audit: 1.18.0
  - calendar: 4.7.6
  - circles: 28.0.0
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contactsinteraction: 1.9.0
  - dav: 1.29.2
  - federatedfilesharing: 1.18.0
  - files: 2.0.0
  - files_accesscontrol: 1.18.1
  - files_automatedtagging: 1.18.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_retention: 1.17.2
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - notifications: 2.16.0
  - oauth2: 1.16.3
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - related_resources: 1.3.0
  - richdocuments: 8.3.8
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - systemtags: 1.18.0
  - tasks: 0.16.0
  - text: 3.9.2
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - user_saml: 6.1.3
  - viewer: 2.2.0
  - workflowengine: 2.10.0
Disabled:
  - bruteforcesettings: 2.8.0 (installed 1.0.3)
  - dashboard: 7.8.0 (installed 7.0.0)
  - encryption: 2.16.0
  - federation: 1.18.0 (installed 1.2.0)
  - files_external: 1.20.0
  - nextcloud_announcements: 1.17.0 (installed 1.1)
  - password_policy: 1.18.0 (installed 1.3.0)
  - photos: 2.4.0 (installed 1.0.0)
  - recommendations: 2.0.0 (installed 0.8.0)
  - support: 1.11.1 (installed 1.1.0)
  - suspicious_login: 6.0.0
  - twofactor_totp: 10.0.0-beta.2
  - updatenotification: 1.18.0 (installed 1.2.0)
  - user_ldap: 1.19.0
  - user_status: 1.8.1 (installed 1.8.1)
  - weather_status: 1.8.0 (installed 1.7.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

2024-06-20T18:32:33+0000 nextcloud[7523]: {"reqId":"WqwOG0lpHyDlNxVGOkoB","level":1,"time":"2024-06-20 18:32:33","remoteAddr":"2001:db8::8","user":"bot-sample","app":"admin_audit","method":"MKCOL","url":"//remote.php/dav/files/bot-sample/Scan/KD/","message":"Login attempt: \"bot-sample\"","userAgent":"python-requests/2.25.1","version":"28.0.7.2","data":{"app":"admin_audit"}}
2024-06-20T18:32:33+0000 nextcloud[7523]: {"reqId":"WqwOG0lpHyDlNxVGOkoB","level":3,"time":"2024-06-20 18:32:33","remoteAddr":"2001:db8::8","user":"bot-sample","app":"PHP","method":"MKCOL","url":"//remote.php/dav/files/bot-sample/Scan/KD/","message":"Undefined array key \"filesystem\" at /nc/lib/private/Lockdown/LockdownManager.php#80","userAgent":"python-requests/2.25.1","version":"28.0.7.2","data":{"app":"PHP"}}

Additional info

accessing /settings/admin/richdocuments with an admin user does produce the internal server error page and slightly more verbose traceback:

2024-06-20T18:48:52+0000 nextcloud[7526]: {"reqId":"b33o2gNsLVvtkMeCrSZH","level":3,"time":"2024-06-20 18:48:52","remoteAddr":"2001:db8::4","user":"redacted","app":"index","method":"GET","url":"/settings/admin/richdocuments","message":"{"Exception":"OC\\ForbiddenException","Message":"This request is not allowed to access the filesystem","Code":0,"Trace":[{"file":"/nc/lib/private/Files/View.php","line":1167,"function":"mkdir","class":"OC\\Lockdown\\Filesystem\\NullStorage","type":"->"},{"file":"/nc/lib/private/Files/View.php","line":245,"function":"basicOperation","class":"OC\\Files\\View","type":"->"},{"file":"/nc/lib/private/Cache/File.php","line":58,"function":"mkdir","class":"OC\\Files\\View","type":"->"},{"file":"/nc/lib/private/Cache/File.php","line":132,"function":"getStorage","class":"OC\\Cache\\File","type":"->"},{"file":"/nc/lib/private/Cache/File.php","line":75,"function":"hasKey","class":"OC\\Cache\\File","type":"->"},{"file":"/nc/apps/richdocuments/lib/Service/DemoService.php","line":45,"function":"get","class":"OC\\Cache\\File","type":"->"},{"file":"/nc/apps/richdocuments/lib/Settings/Admin.php","line":68,"function":"fetchDemoServers","class":"OCA\\Richdocuments\\Service\\DemoService","type":"->"},{"file":"/nc/apps/settings/lib/Controller/CommonSettingsTrait.php","line":129,"function":"getForm","class":"OCA\\Richdocuments\\Settings\\Admin","type":"->"},{"file":"/nc/apps/settings/lib/Controller/AdminSettingsController.php","line":86,"function":"formatSettings","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/nc/apps/settings/lib/Controller/CommonSettingsTrait.php","line":149,"function":"getSettings","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/nc/apps/settings/lib/Controller/AdminSettingsController.php","line":71,"function":"getIndexResponse","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/nc/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"index","class":"OCA\\Settings\\Controller\\AdminSettingsController","type":"->"},{"file":"/nc/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/nc/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/nc/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/nc/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/nc/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/nc/lib/private/Lockdown/Filesystem/NullStorage.php","Line":41,"message":"This request is not allowed to access the filesystem","exception":{},"CustomMessage":"This request is not allowed to access the filesystem"}","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0","version":"28.0.7.2"}

• The change in the meaning of the scope column comes from fix(Session): avoid password confirmation on SSO #43942 - that is why the auth backend user_saml matters.
• The scope column of the authtoken table is NULL without [stable28] fix(Session): avoid password confirmation on SSO #45704 (resulting behavior: looks good) and is {"password-unconfirmable":true} with that patchset (resulting behavior: missing files).
• To properly validate the upgrade path, one needs to verify both old and new tokens - versions past the rc1 could appear to work.. until one clears cookies!

[blizzz]

It was fixed with #46071 - this is included in the latest release