Bug 505118

Summary: kioworker accessing nextcloud CalDAV without credentials triggers bruteforce detection
Product: [Frameworks and Libraries] frameworks-kio
Reporter: Paul <stack-kde>
Component: WebDAV
Assignee: KIO Bugs <kio-bugs-null>
Status: CONFIRMED ---
Severity: grave
CC: kdedev, kdelibs-bugs-null, nate
Priority: NOR
Version First Reported In: 6.14.0
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Paul 2025-06-02 08:01:19 UTC
SUMMARY
After upgrading my nextcloud instance, which now has bruteforce detection (https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/bruteforce_configuration.html), I noticed that I am constantly hitting the rate limit. After looking at my nginx (reverse proxy) logs, I noticed that kioworker seems to be the culprit. Every request is first attempted without credentials, leading to 401 Unauthorized.

Here is a pseudonymized excerpt from the nginx logs:

```
A.B.C.D - - [02/Jun/2025:09:40:03 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:40:12 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 207 309 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - - [02/Jun/2025:09:40:13 +0200] "PROPFIND /remote.php/dav/principals/users/peter/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:40:17 +0200] "PROPFIND /remote.php/dav/principals/users/peter/ HTTP/1.1" 207 292 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - - [02/Jun/2025:09:40:17 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:40:21 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 207 1028 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - - [02/Jun/2025:09:42:57 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:43:01 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 207 309 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - - [02/Jun/2025:09:43:01 +0200] "PROPFIND /remote.php/dav/principals/users/peter/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:43:05 +0200] "PROPFIND /remote.php/dav/principals/users/peter/ HTTP/1.1" 207 292 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - - [02/Jun/2025:09:43:05 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
A.B.C.D - peter [02/Jun/2025:09:43:09 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 207 1028 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
```

I added my nextcloud account in the "Online Accounts" settings option and am synchronizing my calendars with CalDAV.

I suppose the correct behavior of kioworker should be to use the credentials by default and not as a fallback.


SOFTWARE/OS VERSIONS
Linux/KDE Plasma: KDE Neon based on Ubuntu 24.04
KDE Plasma Version: 6.3.5
KDE Frameworks Version: 6.14.0
Qt Version: 6.9.0
Comment 1 TraceyC 2025-06-02 23:30:13 UTC
I also have a Nextcloud instance set up with nginx and confirmed the problem with git-master.

In Plasma, I don't have the NC account set up via "Online Accounts". The software accessing my Nextcloud instance is Thunderbird, the NC client, and apparently the plasma-browser-integration@kde.org process.

I notice that both in your logs and mine, "Mozilla" is in the lines. This isn't Thunderbird, so on my machine this is from the Nextcloud client.

As a test, I closed Thunderbird, re-started, and initiated a sync.
I saw similar log lines with the 401 error, but with the client identifier
(X11; Linux x86_64; rv:139.0) Gecko/20100101 Thunderbird/139.0"
Sync attempts after the first do not produce a 401 error; they show 207 as expected.

After exiting the NC client and re-starting, that didn't produce any 401s.
I made sure no browser tabs were open to the NC instance; the only processes open referencing Mozilla are
- KeepassXC (which doesn't call out to NC)
- plasma-browser-integration@kde.org

So it seems that no matter which client uses kioworker to communicate with Nextcloud, except the NC client itself, the behavior is the same.

Log lines from my server:

```
/var/log/nginx ❯ rg -A 1 "PROPFIND.*401" | tail -6
nextcloud_https_access.log:A.B.C.D - - [02/Jun/2025:22:32:31 +0000] "PROPFIND /remote.php/dav/principals/users/tclark/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.15 kioworker/6.15.0"
nextcloud_https_access.log-A.B.C.D - tclark [02/Jun/2025:22:32:31 +0000] "PROPFIND /remote.php/dav/principals/users/tclark/ HTTP/1.1" 207 296 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.15 kioworker/6.15.0"
--
nextcloud_https_access.log:A.B.C.D - - [02/Jun/2025:22:32:32 +0000] "PROPFIND /remote.php/dav/addressbooks/users/tclark/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.15 kioworker/6.15.0"
nextcloud_https_access.log:A.B.C.D - - [02/Jun/2025:22:32:32 +0000] "PROPFIND /remote.php/dav/calendars/tclark/ HTTP/1.1" 401 596 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.15 kioworker/6.15.0"
nextcloud_https_access.log-A.B.C.D - tclark [02/Jun/2025:22:32:33 +0000] "PROPFIND /remote.php/dav/addressbooks/users/tclark/ HTTP/1.1" 207 451 "-" "Mozilla/5.0 (X11; Linux x86_64) KIO/6.15 kioworker/6.15.0"
```
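The log excerpts in the description and in comment 1 show the same shape: an anonymous PROPFIND answered 401, then the same path from the same client answered 207 once credentials are sent. The triage script below is an added example, not part of this bug report or of KIO; it pairs each anonymous 401 with the authenticated success that follows it from the same IP, path and user agent, so an admin can tell these challenge round trips (the ones Nextcloud's bruteforce counter treats as failed logins) apart from 401s that never succeed. The IP addresses, the curl and Thunderbird lines and the 10-second pairing window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" access-log format, the layout of the lines quoted in this report
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e

def challenge_roundtrips(lines, window=10):
    """Pair every anonymous 401 with an authenticated 2xx (207 for PROPFIND) from the
    same client IP, path and user agent within `window` seconds.  Each pair is one
    "try without credentials, then retry with them" round trip, whose 401 half the
    server counts as a failed login.  Returns ({agent: pairs}, [unpaired 401 entries])."""
    entries = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    paired, unpaired = defaultdict(int), []
    for i, e in enumerate(entries):
        if e["status"] != 401 or e["user"] != "-":
            continue
        key = (e["ip"], e["path"], e["agent"])
        matched = False
        for later in entries[i + 1:]:
            if (later["ts"] - e["ts"]).total_seconds() > window:
                break
            if ((later["ip"], later["path"], later["agent"]) == key
                    and 200 <= later["status"] < 300 and later["user"] != "-"):
                matched = True
                break
        if matched:
            paired[e["agent"]] += 1
        else:
            unpaired.append(e)
    return dict(paired), unpaired

# Constructed sample in the report's log format (203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges; the curl and Thunderbird lines are invented).
KIO_AGENT = "Mozilla/5.0 (X11; Linux x86_64) KIO/6.14 kioworker/6.14.0"
TB_AGENT = "Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Thunderbird/139.0"
SAMPLE_LOG = [
    f'203.0.113.5 - - [02/Jun/2025:09:40:03 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 596 "-" "{KIO_AGENT}"',
    f'203.0.113.5 - peter [02/Jun/2025:09:40:12 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 207 309 "-" "{KIO_AGENT}"',
    f'203.0.113.5 - - [02/Jun/2025:09:40:13 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 401 596 "-" "{KIO_AGENT}"',
    f'203.0.113.5 - peter [02/Jun/2025:09:40:17 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 207 1028 "-" "{KIO_AGENT}"',
    '198.51.100.7 - - [02/Jun/2025:09:41:00 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 596 "-" "curl/8.5.0"',
    f'203.0.113.5 - peter [02/Jun/2025:09:45:00 +0200] "PROPFIND /remote.php/dav/calendars/peter/ HTTP/1.1" 207 1028 "-" "{TB_AGENT}"',
]

if __name__ == "__main__":
    pairs, stray = challenge_roundtrips(SAMPLE_LOG)
    for agent, n in pairs.items():
        print(f"{n} needless 401 round trip(s) from: {agent}")
    print(f"{len(stray)} unpaired 401(s)")
```

Run it against real lines by feeding the access log to `challenge_roundtrips`; a user agent that only ever appears on the authenticated side, like the Thunderbird line in the sample, is sending credentials up front and never hits the counter.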
Comment 2 Paul 2025-06-04 05:49:19 UTC
I am also using Thunderbird to synchronize calendars. And I am using "Nextcloud Desktop Client Version 3.16.0daily (KDE)" to synchronize a folder. I initially didn't assume this was relevant.