Bug description
The Kaspersky KL ICAP Service rejects certain REQMOD ICAP requests from the Nextcloud files_antivirus ICAP client with a "Bad Request" error. Our analysis indicates that the error occurs when the encapsulated HTTP request has a body (a PUT in this case) but carries no Content-Length header. Note for triage: because this is the antivirus scanning path, it matters whether files_antivirus blocks the upload or lets it through unscanned when the scanner answers with an error — check which of the two happens in this deployment, since a scanner integration that fails open on malformed requests is worse than one that rejects them.
Steps to reproduce
The problematic ICAP request from Nextcloud:
REQMOD icap://ip-address/req ICAP/1.0
Allow: 204
X-Client-IP:
Host: ip-address
User-Agent: NC-ICAP-CLIENT/0.5.0
Connection: close
Encapsulated: req-hdr=0, req-body=82
PUT /appdata_ocie5ud2rhq0/avatar/user_login/generated HTTP/1.0
Host: nextcloud
The encapsulated HTTP PUT request carries no Content-Length header, even though the Encapsulated header declares a request body starting at offset 82. Note that RFC 3507 §4.4.3 requires ICAP-encapsulated bodies to be transferred with chunked encoding, so Content-Length is not strictly mandatory at the ICAP level — the Kaspersky parser appears to insist on it nonetheless. The request also sends `X-Client-IP:` with an empty value, which a strict header parser may reject as well; this should be ruled out when reproducing.
Expected behavior
The Kaspersky ICAP server should determine the body length from the chunked encapsulated body (which may legitimately be zero-length) instead of requiring Content-Length, or at least return a descriptive error rather than a bare "Bad Request". The expected outcome is a 204 (no modification needed) response after the content has actually been scanned. A 204 must not be returned merely because a request could not be parsed — an ICAP server that fails open on malformed input would let unscanned content through; the correct behaviour for unparseable input is a specific error. If Kaspersky keeps rejecting the request, the client-side fix is for NC-ICAP-CLIENT to emit a Content-Length header for the encapsulated request.
Nextcloud Server version
30
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Nginx
Database engine version
PostgreSQL
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report (reviewer notes on the report below, none of which explain the ICAP error: `"memcache.disributed"` looks like a typo for `memcache.distributed`, so that setting is silently ignored and no distributed cache is configured; the `verify_peer_off`/`jwt_secret`/`jwt_header` block sits under the key `"0"` rather than a named app key, so it is probably not being read by the app it was meant for, and `"verify_peer_off": true` would disable TLS certificate verification for that connector if it were applied; the S3 object store is configured with `"use_ssl": false`, so access keys and file contents travel to obs1.domain.ru:5080 in clear text unless that link is otherwise protected.)
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"integrity.check.disabled": false,
"trusted_domains": [
***REMOVED SENSITIVE VALUE***
],
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"overwritehost": "cloud.domain.ru",
"overwriteprotocol": "https",
"overwrite.cli.url": "http:\/\/xx-cloud-app01.domain",
"objectstore": {
"class": "\\OC\\Files\\ObjectStore\\S3",
"arguments": {
"bucket": "cloud02",
"autocreate": true,
"key": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"hostname": "obs1.domain.ru",
"port": 5080,
"use_ssl": false,
"use_path_style": true,
"region": "main"
}
},
"dbtype": "pgsql",
"version": "30.0.10.1",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"theme": "",
"loglevel": 2,
"maintenance": false,
"filelocking.enabled": true,
"memcache.disributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"memcache.local": "\\OC\\Memcache\\APCu",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379,
"timeout": 0
},
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_smtpport": "25",
"mail_sendmailmode": "smtp",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"default_phone_region": "RU",
"maintenance_window_start": 1,
"0": {
"verify_peer_off": true,
"jwt_secret": "***REMOVED SENSITIVE VALUE***",
"jwt_header": "AuthorizationJWT"
},
"enable_previews": false,
"debug": false,
"skeletondirectory": "",
"session_lifetime": 86400,
"allowed_admin_ranges": [
***REMOVED SENSITIVE VALUE***
]
}
}
List of activated Apps
Enabled:
- activity: 3.0.0
- admin_audit: 1.20.0
- app_api: 4.0.6
- bruteforcesettings: 3.0.0
- circles: 30.0.0
- cloud_federation_api: 1.13.0
- comments: 1.20.1
- contactsinteraction: 1.11.0
- dav: 1.31.1
- drawio: 3.0.9
- federatedfilesharing: 1.20.0
- federation: 1.20.0
- files: 2.2.0
- files_accesscontrol: 1.20.1
- files_antivirus: 5.6.3
- files_downloadlimit: 3.0.0
- files_external: 1.22.0
- files_pdfviewer: 3.0.0
- files_reminders: 1.3.0
- files_sharing: 1.22.0
- files_trashbin: 1.20.1
- files_versions: 1.23.0
- firstrunwizard: 3.0.0
- forms: 5.1.2
- groupfolders: 18.1.3
- impersonate: 1.17.1
- logreader: 3.0.0
- lookup_server_connector: 1.18.0
- nextcloud_announcements: 2.0.0
- notifications: 3.0.0
- oauth2: 1.18.1
- onlyoffice: 9.9.0
- password_policy: 2.0.0
- privacy: 2.0.0
- provisioning_api: 1.20.0
- related_resources: 1.5.0
- serverinfo: 2.0.0
- settings: 1.13.0
- sharebymail: 1.20.0
- systemtags: 1.20.0
- text: 4.1.0
- theming: 2.6.0
- twofactor_backupcodes: 1.19.0
- updatenotification: 1.20.0
- user_ldap: 1.21.0
- user_saml: 6.6.0
- user_status: 1.10.0
- viewer: 3.0.0
- workflowengine: 2.12.0
Disabled:
- contacts: 7.0.6 (installed 7.0.6)
- dashboard: 7.10.0 (installed 7.0.0)
- encryption: 2.18.0
- files_readmemd: 3.0.2 (installed 3.0.2)
- group_default_quota: 0.1.11 (installed 0.1.11)
- mail: 5.0.2 (installed 5.0.2)
- photos: 3.0.2 (installed 3.0.2)
- recommendations: 3.0.0 (installed 0.5.0)
- sharereview: 1.3.3 (installed 1.3.3)
- support: 2.0.0 (installed 1.10.1)
- survey_client: 2.0.0 (installed 1.13.0)
- suspicious_login: 8.0.0
- twofactor_nextcloud_notification: 4.0.0
- twofactor_totp: 12.0.0-dev
- weather_status: 1.10.0 (installed 1.5.0)
- webhook_listeners: 1.1.0-dev (installed 1.1.0-dev)
Nextcloud Signing status (reviewer note: the INVALID_HASH on core/js/mimetypelist.js and the EXTRA_FILE entries for drawio.svg and dwb.svg below are consistent with the enabled drawio app registering custom mimetypes and icons; if that is the cause they are benign, but confirm it rather than assume — an unexplained hash mismatch in core should be treated as possible tampering until shown otherwise.)
Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.
Results
=======
- core
- INVALID_HASH
- core/js/mimetypelist.js
- EXTRA_FILE
- core/img/filetypes/drawio.svg
- core/img/filetypes/dwb.svg
Raw output
==========
Array
(
[core] => Array
(
[INVALID_HASH] => Array
(
[core/js/mimetypelist.js] => Array
(
[expected] => a57779b4957bedf9bac2a5791b27957ca3e2bfe7b91fd641bb0cc56801588e0778610a26141a1393d83d77bc04be67ae625c70a7ad4afb2a7f14cb64c66ee31b
[current] => c2c5f46c3ca9c2f9350f767c9e3b2bd56ff89460a56cc0de9d5f9391763f8a3657c8f909f7a372d858ca3c210ad77b2ab064c6455b19ef1bce96b92429464556
)
)
[EXTRA_FILE] => Array
(
[core/img/filetypes/drawio.svg] => Array
(
[expected] =>
[current] => 92e0974cf869bf8ab969c3442dc2b80d55fde36441d22924db74916a06b407520aa2a9dc39336f9157195ebede697ffac0e639360879255ab91932d406e1897d
)
[core/img/filetypes/dwb.svg] => Array
(
[expected] =>
[current] => 43731dd5f17a048112ea5109b40b02ec019b3ee2324385a0f448e3bd2264cb13dc160ab018d893f92f8e2f168fd09009b51578c8c6b97a02a1617c67ac087701
)
)
)
)
Nextcloud Logs
Additional info
Kaspersky Server: KL ICAP Service v2.1 (KAV SDK v8.9.2.595)
Nextcloud server: v.30.0.10
ICAP Client: Built-in Nextcloud ICAP client (NC-ICAP-CLIENT/0.5.0)
Bug description
The Kaspersky KL ICAP Service rejects certain REQMOD ICAP requests from the Nextcloud files_antivirus ICAP client with a "Bad Request" error. Our analysis indicates that the error occurs when the encapsulated HTTP request has a body (a PUT in this case) but carries no Content-Length header. Note for triage: because this is the antivirus scanning path, it matters whether files_antivirus blocks the upload or lets it through unscanned when the scanner answers with an error — check which of the two happens in this deployment, since a scanner integration that fails open on malformed requests is worse than one that rejects them.
Steps to reproduce
The problematic ICAP request from Nextcloud:
The encapsulated HTTP PUT request carries no Content-Length header, even though the Encapsulated header declares a request body starting at offset 82. Note that RFC 3507 §4.4.3 requires ICAP-encapsulated bodies to be transferred with chunked encoding, so Content-Length is not strictly mandatory at the ICAP level — the Kaspersky parser appears to insist on it nonetheless. The request also sends `X-Client-IP:` with an empty value, which a strict header parser may reject as well; this should be ruled out when reproducing.
Expected behavior
The Kaspersky ICAP server should determine the body length from the chunked encapsulated body (which may legitimately be zero-length) instead of requiring Content-Length, or at least return a descriptive error rather than a bare "Bad Request". The expected outcome is a 204 (no modification needed) response after the content has actually been scanned. A 204 must not be returned merely because a request could not be parsed — an ICAP server that fails open on malformed input would let unscanned content through; the correct behaviour for unparseable input is a specific error. If Kaspersky keeps rejecting the request, the client-side fix is for NC-ICAP-CLIENT to emit a Content-Length header for the encapsulated request.
Nextcloud Server version
30
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Nginx
Database engine version
PostgreSQL
Is this bug present after an update or on a fresh install?
None
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
Configuration report
{ "system": { "instanceid": "***REMOVED SENSITIVE VALUE***", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "integrity.check.disabled": false, "trusted_domains": [ ***REMOVED SENSITIVE VALUE*** ], "trusted_proxies": "***REMOVED SENSITIVE VALUE***", "datadirectory": "***REMOVED SENSITIVE VALUE***", "overwritehost": "cloud.domain.ru", "overwriteprotocol": "https", "overwrite.cli.url": "http:\/\/xx-cloud-app01.domain", "objectstore": { "class": "\\OC\\Files\\ObjectStore\\S3", "arguments": { "bucket": "cloud02", "autocreate": true, "key": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "hostname": "obs1.domain.ru", "port": 5080, "use_ssl": false, "use_path_style": true, "region": "main" } }, "dbtype": "pgsql", "version": "30.0.10.1", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "theme": "", "loglevel": 2, "maintenance": false, "filelocking.enabled": true, "memcache.disributed": "\\OC\\Memcache\\Redis", "memcache.locking": "\\OC\\Memcache\\Redis", "memcache.local": "\\OC\\Memcache\\APCu", "redis": { "host": "***REMOVED SENSITIVE VALUE***", "port": 6379, "timeout": 0 }, "mail_domain": "***REMOVED SENSITIVE VALUE***", "mail_from_address": "***REMOVED SENSITIVE VALUE***", "mail_smtpmode": "smtp", "mail_smtpport": "25", "mail_sendmailmode": "smtp", "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "default_phone_region": "RU", "maintenance_window_start": 1, "0": { "verify_peer_off": true, "jwt_secret": "***REMOVED SENSITIVE VALUE***", "jwt_header": "AuthorizationJWT" }, "enable_previews": false, "debug": false, "skeletondirectory": "", "session_lifetime": 86400, "allowed_admin_ranges": [ ***REMOVED SENSITIVE VALUE*** ] } }List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
Kaspersky Server: KL ICAP Service v2.1 (KAV SDK v8.9.2.595)
Nextcloud server: v.30.0.10
ICAP Client: Built-in Nextcloud ICAP client (NC-ICAP-CLIENT/0.5.0)