
[Bug]: Security & setup warnings when Nextcloud is in subdirectory #47880

Closed
5 of 8 tasks
adrhc opened this issue Sep 10, 2024 · 4 comments · Fixed by #47883
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 29-feedback bug feature: settings

Comments

@adrhc

adrhc commented Sep 10, 2024

⚠️ This issue respects the following points: ⚠️

Bug description

My nextcloud instance is running without issues; I use Nextcloud in a subdir of the NGINX webroot setup with a slight variation:
I add the nginx root declaration (e.g. root /var/www) inside the location ^~ /nextcloud declaration because I want to have another root for my global nginx configuration.

When I run occ setupchecks -vv and use echo to check the internal workings of URLGenerator->getAbsoluteURL(...), I notice that if (\OC::$CLI && !\defined('PHPUNIT_RUN')) doesn't take into account the possibility that the $url parameter already contains the Nextcloud subdir (e.g. /nextcloud). This breaks the URL for the "JavaScript source map support" and "JavaScript modules support" tests. The Nextcloud instance on nginx works fine though; that's, I guess, because if (\OC::$WEBROOT !== '' && str_starts_with($url, \OC::$WEBROOT)) is used for the web, which takes the Nextcloud subdir into account.

Steps to reproduce

  1. occ setupchecks -vv
  2. The JavaScript source map support test fails because behind the scenes a bad URL is used
  3. The JavaScript modules support test fails because behind the scenes a bad URL is used

Expected behavior

"JavaScript source map support" and "JavaScript modules support" tests should pass

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Nginx

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 28 to 29)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "default_phone_region": "RO",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "adrhc.go.ro"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "Europe\/Bucharest",
        "debug": false,
        "logfile": "\/home\/gigi\/apps\/log\/nextcloud.log",
        "loglevel": 2,
        "dbtype": "mysql",
        "version": "29.0.6.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "theme": "",
        "maintenance": false,
        "trashbin_retention_obligation": "auto",
        "overwriteprotocol": "https",
        "overwritehost": "adrhc.go.ro",
        "overwritewebroot": "\/nextcloud",
        "overwrite.cli.url": "https:\/\/adrhc.go.ro\/nextcloud",
        "preview_max_memory": 409600,
        "preview_max_filesize_image": 10240,
        "enabledPreviewProviders": [
            "OC\\Preview\\Illustrator",
            "OC\\Preview\\HEIC",
            "OC\\Preview\\Movie",
            "OC\\Preview\\MSOffice2003",
            "OC\\Preview\\MSOffice2007",
            "OC\\Preview\\MSOfficeDoc",
            "OC\\Preview\\PDF",
            "OC\\Preview\\Photoshop",
            "OC\\Preview\\Postscript",
            "OC\\Preview\\StarOffice",
            "OC\\Preview\\SVG",
            "OC\\Preview\\TIFF",
            "OC\\Preview\\Font",
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown",
            "OC\\Preview\\OpenDocument",
            "OC\\Preview\\Krita"
        ]
    }
}

List of activated Apps

php apps/opt/php-pages/nextcloud/occ app:list
Enabled:
  - activity: 2.21.1
  - camerarawpreviews: 0.8.5
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.1
  - files_downloadlimit: 2.0.0
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - firstrunwizard: 2.18.0
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - nextcloud_announcements: 1.18.0
  - notes: 4.10.1
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - password_policy: 1.19.0
  - photos: 2.5.0
  - previewgenerator: 5.6.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - support: 1.12.0
  - survey_client: 1.17.0
  - systemtags: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - updatenotification: 1.19.1
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - bruteforcesettings: 2.9.0
  - encryption: 2.17.0
  - suspicious_login: 7.0.0 (installed 6.0.0)
  - twofactor_totp: 11.0.0-dev
  - user_ldap: 1.20.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

No logs are created when running occ setupchecks -vv

Additional info

Nextcloud Signing status was generated by this URL: https://adrhc.go.ro/nextcloud/index.php/settings/integrity/failed
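The failure mode described in the report, as an added illustration that is not Nextcloud's own code: a simplified model of the two getAbsoluteURL() code paths, assuming overwrite.cli.url and the web root from the configuration report above and a constructed asset path.

```php
<?php
// Added example, not Nextcloud's implementation: models the CLI branch that
// ignores an already-present web root versus the web branch that strips it.
// Assumed values mirror the config report: overwrite.cli.url and \OC::$WEBROOT.
const CLI_URL = 'https://adrhc.go.ro/nextcloud';
const WEBROOT = '/nextcloud';

// Strip the web root prefix when $url already carries it (the check the
// report quotes from the web branch).
function stripWebroot(string $url): string {
    if (WEBROOT !== '' && str_starts_with($url, WEBROOT)) {
        return substr($url, strlen(WEBROOT));
    }
    return $url;
}

// Buggy CLI branch: joins overwrite.cli.url with $url unconditionally, so a
// path that already contains the subdir gets the subdir twice.
function absoluteUrlCliBuggy(string $url): string {
    return rtrim(CLI_URL, '/') . '/' . ltrim($url, '/');
}

// Web branch as described: prefix is stripped first, so it is never doubled.
function absoluteUrlWeb(string $url, string $host = 'https://adrhc.go.ro'): string {
    return $host . WEBROOT . '/' . ltrim(stripWebroot($url), '/');
}

// Fixed CLI branch: apply the same prefix check before joining.
function absoluteUrlCliFixed(string $url): string {
    return rtrim(CLI_URL, '/') . '/' . ltrim(stripWebroot($url), '/');
}

// Constructed sample path of the kind the setup checks fetch; it already
// starts with the subdir, which is exactly the case the CLI branch mishandles.
$path = '/nextcloud/core/js/sample-asset.js';
printf("buggy CLI : %s\n", absoluteUrlCliBuggy($path));  // subdir doubled
printf("web       : %s\n", absoluteUrlWeb($path));
printf("fixed CLI : %s\n", absoluteUrlCliFixed($path));
```

The doubled /nextcloud/nextcloud/ prefix in the first line is why the two JavaScript setup checks fetch a non-existent URL under occ while the same instance serves pages correctly over nginx.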

@c-prompt

I just upgraded to Nextcloud Hub 9 (30.0.0) and #47950 was not fixed. I'm commenting here as #47950 was closed as duplicate. All the errors are the same.

@susnux
Contributor

susnux commented Sep 15, 2024

> just upgraded to Nextcloud Hub 9 (30.0.0)

You can see in the PR that the 30 and 29 versions have not yet been merged. It is only fixed on master. 30 and 29 will be fixed with the next maintenance release.

@kesselb kesselb pinned this issue Sep 16, 2024
@kesselb kesselb unpinned this issue Sep 16, 2024
@susnux susnux changed the title [Bug]: URLGenerator getAbsoluteURL is not working properly [Bug]: Security & setup warnings when Nextcloud is in subdirectory Oct 11, 2024
@susnux susnux pinned this issue Oct 11, 2024
@r2evans

r2evans commented Oct 12, 2024

> > just upgraded to Nextcloud Hub 9 (30.0.0)
>
> You can see in the PR that the 30 and 29 versions have not yet been merged. It is only fixed on master. 30 and 29 will be fixed with the next maintenance release.

... the dupe issue was merged into 29 and 30, and the problem appears to persist in both.

@susnux
Contributor

susnux commented Oct 12, 2024

> the dupe issue was merged into 29 and 30, and the problem appears to persist in both.

That issue was set as a duplicate and some other PR was linked, but this does not matter, as this issue here was linked to #47883, which fixes the issue and was merged, as you can see in the backports, for 29.0.9 and 30.0.1.

If you still encounter this issue after upgrading to one of those versions, then please open a new issue about that.

@nextcloud nextcloud locked as resolved and limited conversation to collaborators Oct 12, 2024