[Bug]:Password protected external shared folder links generates error entries in nextcloud.log

[grandgeorg]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

There is an error in the current verion 31.0.2.1 when downloading the zipped contents of a password protected external shared folder link. It only occurs, when the link is password protected. The download works but I get two new error entries in nextcloud.log (sensitive data anonymized):

{
  "reqId": "***REMOVED SENSITIVE VALUE***",
  "level": 3,
  "time": "2025-03-23T17:14:58+00:00",
  "remoteAddr": "***REMOVED SENSITIVE VALUE***",
  "user": false,
  "app": "PHP",
  "method": "GET",
  "url": "/public.php/dav/files/***ShareString**/?accept=zip",
  "message": "Cannot modify header information - headers already sent by (output started at /var/www/html/3rdparty/deepdiver/zipstreamer/src/ZipStreamer.php:325) at /var/www/html/3rdparty/sabre/http/lib/Sapi.php#68",
  "userAgent": "***REMOVED SENSITIVE VALUE***",
  "version": "31.0.2.1",
  "data": {
    "app": "PHP"
  },
  "id": "***REMOVED SENSITIVE VALUE***"
},
{
  "reqId": "***REMOVED SENSITIVE VALUE***",
  "level": 3,
  "time": "2025-03-23T17:14:58+00:00",
  "remoteAddr": "***REMOVED SENSITIVE VALUE***",
  "user": false,
  "app": "PHP",
  "method": "GET",
  "url": "/public.php/dav/files/***ShareString**/?accept=zip",
  "message": "Cannot modify header information - headers already sent by (output started at /var/www/html/3rdparty/deepdiver/zipstreamer/src/ZipStreamer.php:325) at /var/www/html/3rdparty/sabre/http/lib/Sapi.php#64",
  "userAgent": "***REMOVED SENSITIVE VALUE***",
  "version": "31.0.2.1",
  "data": {
    "app": "PHP"
  },
  "id": "***REMOVED SENSITIVE VALUE***"
}

Steps to reproduce

1. Make a password protected share link
2. Open the link, login and click download.
3. See new entries in nextcloud.log protocol.

Expected behavior

No PHP error entries in protocol.

Nextcloud Server version

31

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.3

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated from a MINOR version (ex. 32.0.1 to 32.0.2)

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.2.1",
        "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***",
        "htaccess.RewriteBase": "\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "loglevel": 3,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "default_phone_region": "DE",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0,
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "debug": false,
        "maintenance_window_start": 1,
        "app_install_overwrite": [
            "spreed"
        ]
    }
}

List of activated Apps

Enabled:
  - activity: 4.0.0
  - app_api: 5.0.2
  - bookmarks: 15.1.0
  - bruteforcesettings: 4.0.0
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - theming_customcss: 1.18.0
  - twofactor_backupcodes: 1.20.0
  - updatenotification: 1.21.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - admin_audit: 1.21.0
  - encryption: 2.19.0
  - files_external: 1.23.0
  - spreed: 21.0.1 (installed 21.0.1)
  - suspicious_login: 9.0.1
  - twofactor_nextcloud_notification: 5.0.0
  - twofactor_totp: 13.0.0-dev.0
  - user_ldap: 1.22.0
  - whiteboard: 1.0.2 (installed 1.0.2)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{
  "reqId": "***REMOVED SENSITIVE VALUE***",
  "level": 3,
  "time": "2025-03-23T17:14:58+00:00",
  "remoteAddr": "***REMOVED SENSITIVE VALUE***",
  "user": false,
  "app": "PHP",
  "method": "GET",
  "url": "/public.php/dav/files/***ShareString**/?accept=zip",
  "message": "Cannot modify header information - headers already sent by (output started at /var/www/html/3rdparty/deepdiver/zipstreamer/src/ZipStreamer.php:325) at /var/www/html/3rdparty/sabre/http/lib/Sapi.php#68",
  "userAgent": "***REMOVED SENSITIVE VALUE***",
  "version": "31.0.2.1",
  "data": {
    "app": "PHP"
  },
  "id": "***REMOVED SENSITIVE VALUE***"
},
{
  "reqId": "***REMOVED SENSITIVE VALUE***",
  "level": 3,
  "time": "2025-03-23T17:14:58+00:00",
  "remoteAddr": "***REMOVED SENSITIVE VALUE***",
  "user": false,
  "app": "PHP",
  "method": "GET",
  "url": "/public.php/dav/files/***ShareString**/?accept=zip",
  "message": "Cannot modify header information - headers already sent by (output started at /var/www/html/3rdparty/deepdiver/zipstreamer/src/ZipStreamer.php:325) at /var/www/html/3rdparty/sabre/http/lib/Sapi.php#64",
  "userAgent": "***REMOVED SENSITIVE VALUE***",
  "version": "31.0.2.1",
  "data": {
    "app": "PHP"
  },
  "id": "***REMOVED SENSITIVE VALUE***"
}

Additional info

No response

[LM-vb]

NC 31.0.2
PHP 8.4

I get these error messages always when downloading several files compressed into a zip. The folder does not need to be password protected. The downloaded zip file is fine, can be opened and the contents can be extracted.