[Bug]: Regression in User-Based Server-Side Encryption Breaks WebDAV Clients #55466
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
Since updating to NC 32, I have been experiencing an issue with WebDAV clients accessing files on my server, which is using server-side encryption with user passwords.
See the following curl request:
root@argus:/home/terra# curl -u terra:[CENSORED] http://localhost:8082/remote.php/dav/files/terra/paintr-comm.txt
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>OC\Encryption\Exceptions\DecryptionFailedException</s:exception>
<s:message>Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.</s:message>
</d:error>
curl: (18) end of response with 2207 bytes missing
Note that the server sends the content length of the file, but then cuts off the request prematurely with this error message.
I get the same response when using my actual password or app passwords.
However, WebDAV clients that support cookies do not seem to have this problem; if a valid session cookie is provided, the download succeeds.
There are no issues with Nextcloud Desktop or Android apps.
I get this error in the Nextcloud logs:
{
"reqId": "XC7yUgVyjR5g4Uv5ZusQ",
"level": 3,
"time": "2025-10-01T11:40:12+00:00",
"remoteAddr": "::1",
"user": "terra",
"app": "webdav",
"method": "GET",
"url": "/remote.php/dav/files/terra/paintr-comm.txt",
"message": "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.",
"userAgent": "curl/8.14.1",
"version": "32.0.0.13",
"exception": {
"Exception": "OC\\Encryption\\Exceptions\\DecryptionFailedException",
"Message": "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.",
"Code": 0,
"Trace": [
{
"file": "/var/www/nextcloud/lib/private/Files/Stream/Encryption.php",
"line": 461,
"function": "decrypt",
"class": "OCA\\Encryption\\Crypto\\Encryption",
"type": "->",
"args": [
"*** sensitive parameters replaced ***"
]
},
{
"file": "/var/www/nextcloud/lib/private/Files/Stream/Encryption.php",
"line": 260,
"function": "readCache",
"class": "OC\\Files\\Stream\\Encryption",
"type": "->"
},
{
"function": "stream_read",
"class": "OC\\Files\\Stream\\Encryption",
"type": "->"
},
{
"file": "/var/www/nextcloud/3rdparty/icewind/streams/src/Wrapper.php",
"line": 54,
"function": "fread"
},
{
"file": "/var/www/nextcloud/3rdparty/icewind/streams/src/CallbackWrapper.php",
"line": 94,
"function": "stream_read",
"class": "Icewind\\Streams\\Wrapper",
"type": "->"
},
{
"function": "stream_read",
"class": "Icewind\\Streams\\CallbackWrapper",
"type": "->"
},
{
"file": "/var/www/nextcloud/3rdparty/sabre/http/lib/Sapi.php",
"line": 108,
"function": "stream_copy_to_stream"
},
{
"file": "/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
"line": 490,
"function": "sendResponse",
"class": "Sabre\\HTTP\\Sapi",
"type": "::"
},
{
"file": "/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Server.php",
"line": 211,
"function": "invokeMethod",
"class": "Sabre\\DAV\\Server",
"type": "->"
},
{
"file": "/var/www/nextcloud/apps/dav/lib/Server.php",
"line": 424,
"function": "start",
"class": "OCA\\DAV\\Connector\\Sabre\\Server",
"type": "->"
},
{
"file": "/var/www/nextcloud/apps/dav/appinfo/v2/remote.php",
"line": 22,
"function": "exec",
"class": "OCA\\DAV\\Server",
"type": "->"
},
{
"file": "/var/www/nextcloud/remote.php",
"line": 151,
"args": [
"/var/www/nextcloud/apps/dav/appinfo/v2/remote.php"
],
"function": "require_once"
}
],
"File": "/var/www/nextcloud/apps/encryption/lib/Crypto/Encryption.php",
"Line": 315,
"Hint": "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.",
"message": "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.",
"exception": [],
"CustomMessage": "Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you."
},
"id": "68dd15340e429"
}
Steps to reproduce
- Update to NC 32
- Enable server-side encryption with user passwords
- Attempt to download file via WebDAV with basic auth
- Observe the error.
Expected behavior
File should download successfully when the correct credentials are provided.
Nextcloud Server version
32
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.4
Web server
Nginx
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 31 to 32)
Are you using the Nextcloud Server Encryption module?
Encryption is Enabled
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
{
"system": {
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost",
"argus.lan.austation.net",
"nextcloud.mcterra.id.au",
"uzsb7vyrol4gffhseeei25rofur7k4uznilyvp4qhdm2mrvzeszddqyd.onion"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "32.0.0.13",
"overwrite.cli.url": "http:\/\/localhost",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "3306",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 0,
"timeout": 0
},
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"maintenance": false,
"theme": "",
"loglevel": 2,
"default_phone_region": "AU",
"maintenance_window_start": 3,
"mail_smtpmode": "smtp",
"mail_sendmailmode": "smtp",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "25",
"app_install_overwrite": [
"end_to_end_encryption"
],
"updater.release.channel": "stable",
"preview_max_filesize_image": 200
}
}List of activated Apps
nabled:
- activity: 5.0.0-dev.0
- announcementcenter: 7.2.1
- app_api: 32.0.0
- bruteforcesettings: 5.0.0-dev.0
- cloud_federation_api: 1.16.0
- dashboard: 7.12.0
- dav: 1.34.2
- encryption: 2.20.0
- federatedfilesharing: 1.22.0
- files: 2.4.0
- files_downloadlimit: 5.0.0-dev.0
- files_pdfviewer: 5.0.0-dev.0
- files_reminders: 1.5.0
- files_sharing: 1.24.0
- files_trashbin: 1.22.0
- files_versions: 1.25.0
- firstrunwizard: 5.0.0-dev.0
- logreader: 5.0.0-dev.0
- lookup_server_connector: 1.20.0
- nextcloud_announcements: 4.0.0-dev.0
- notifications: 5.0.0-dev.0
- oauth2: 1.20.0
- password_policy: 4.0.0-dev.0
- photos: 5.0.0-dev.1
- privacy: 4.0.0-dev.0
- profile: 1.1.0
- provisioning_api: 1.22.0
- recommendations: 5.0.0-dev.0
- related_resources: 3.0.0-dev.0
- serverinfo: 4.0.0-dev.0
- settings: 1.15.1
- sharebymail: 1.22.0
- survey_client: 4.0.0-dev.0
- terms_of_service: 4.6.0
- text: 6.0.0-dev.0
- theming: 2.7.0
- twofactor_backupcodes: 1.21.0
- updatenotification: 1.22.0
- viewer: 5.0.0-dev.0
- webhook_listeners: 1.3.0
- workflowengine: 2.14.0
Disabled:
- admin_audit: 1.22.0
- circles: 32.0.0 (installed 27.0.1)
- comments: 1.22.0 (installed 1.17.0)
- contactsinteraction: 1.13.1 (installed 1.8.0)
- federation: 1.22.0 (installed 1.17.0)
- files_external: 1.24.0
- support: 4.0.0-dev.0 (installed 1.10.0)
- suspicious_login: 10.0.0-dev.0
- systemtags: 1.22.0 (installed 1.17.0)
- twofactor_nextcloud_notification: 6.0.0-dev.0
- twofactor_totp: 14.0.0
- user_ldap: 1.23.0
- user_status: 1.12.0 (installed 1.7.0)
- weather_status: 1.12.0 (installed 1.7.0)Nextcloud Signing status
No errors have been found.Nextcloud Logs
{"reqId":"XC7yUgVyjR5g4Uv5ZusQ","level":3,"time":"2025-10-01T11:40:12+00:00","remoteAddr":"::1","user":"terra","app":"webdav","method":"GET","url":"/remote.php/dav/files/terra/paintr-comm.txt","message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","userAgent":"curl/8.14.1","version":"32.0.0.13","exception":{"Exception":"OC\\Encryption\\Exceptions\\DecryptionFailedException","Message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Files/Stream/Encryption.php","line":461,"function":"decrypt","class":"OCA\\Encryption\\Crypto\\Encryption","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Files/Stream/Encryption.php","line":260,"function":"readCache","class":"OC\\Files\\Stream\\Encryption","type":"->"},{"function":"stream_read","class":"OC\\Files\\Stream\\Encryption","type":"->"},{"file":"/var/www/nextcloud/3rdparty/icewind/streams/src/Wrapper.php","line":54,"function":"fread"},{"file":"/var/www/nextcloud/3rdparty/icewind/streams/src/CallbackWrapper.php","line":94,"function":"stream_read","class":"Icewind\\Streams\\Wrapper","type":"->"},{"function":"stream_read","class":"Icewind\\Streams\\CallbackWrapper","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/http/lib/Sapi.php","line":108,"function":"stream_copy_to_stream"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":490,"function":"sendResponse","class":"Sabre\\HTTP\\Sapi","type":"::"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Server.php","line":211,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Server.php","line":424,"function":"start","class":"OCA\\DAV\\Connector\\Sabre\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v2/remote.php","line":22,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":151,"args":["/var/www/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/nextcloud/apps/encryption/lib/Crypto/Encryption.php","Line":315,"Hint":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","exception":[],"CustomMessage":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you."},"id":"68dd16f8cd7b4"}
{"reqId":"XC7yUgVyjR5g4Uv5ZusQ","level":3,"time":"2025-10-01T11:40:12+00:00","remoteAddr":"::1","user":"terra","app":"no app in context","method":"GET","url":"/remote.php/dav/files/terra/paintr-comm.txt","message":"Uncaught exception","userAgent":"curl/8.14.1","version":"32.0.0.13","exception":{"Exception":"OC\\Encryption\\Exceptions\\DecryptionFailedException","Message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Files/Stream/Encryption.php","line":461,"function":"decrypt","class":"OCA\\Encryption\\Crypto\\Encryption","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Files/Stream/Encryption.php","line":260,"function":"readCache","class":"OC\\Files\\Stream\\Encryption","type":"->"},{"function":"stream_read","class":"OC\\Files\\Stream\\Encryption","type":"->"},{"file":"/var/www/nextcloud/3rdparty/icewind/streams/src/Wrapper.php","line":54,"function":"fread"},{"file":"/var/www/nextcloud/3rdparty/icewind/streams/src/CallbackWrapper.php","line":94,"function":"stream_read","class":"Icewind\\Streams\\Wrapper","type":"->"},{"function":"stream_read","class":"Icewind\\Streams\\CallbackWrapper","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/http/lib/Sapi.php","line":108,"function":"stream_copy_to_stream"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":490,"function":"sendResponse","class":"Sabre\\HTTP\\Sapi","type":"::"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/Server.php","line":211,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Server.php","line":424,"function":"start","class":"OCA\\DAV\\Connector\\Sabre\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v2/remote.php","line":22,"function":"exec","class":"OCA\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":151,"args":["/var/www/nextcloud/apps/dav/appinfo/v2/remote.php"],"function":"require_once"}],"File":"/var/www/nextcloud/apps/encryption/lib/Crypto/Encryption.php","Line":315,"Hint":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","message":"Uncaught exception","exception":[],"CustomMessage":"Uncaught exception"},"id":"68dd16f8cd7a5"}Additional info
Tested broken using cURL, KeePass2Android, and Bruno API dev tool, working using FX File Explorer (Android) - latter uses cookies as mentioned above (verified with wireshark).