-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
autocompletion leaks data in different components even if autocompletion is deactivated #11087
Comments
GitMate.io thinks possibly related issues are #3991 (memory leak), #5333 (Search contacts feature is leaking data), #6609 (Contacts with a different display name than the user name are not found when autocompletion is disabled), #7428 (NC12.0.4 - Sharing dialog leaks data with LDAP backend), and #9005 (c). |
This is more an issue of the individual apps, that probably don't use the sharing endpoint for fetching the list of users. Please open an issue in the apps issue trackers. |
This is a server issue, precisely the DAV app. Even when turning off the setting
returns a response with all users and groups containing the letter We have this reported in nextcloud/tasks#660, #17481. Every app querying the DAV endpoint will have this problem, and of course you can query this endpoint without any app enabled. |
And btw, this is still valid with NC 17.0.0. |
@georgehrke and @skjnldsv here as well 😉 |
Thanks for giving this issue priority and aiming to fix it in Nextcloud 17.0.1! |
sorry, but i still can see some leaks in the following situation : in our instance, we use this main global sharing setting "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered." disabled, so as stated in the checkbox description, the full username or email address is needed. but the suggestion shows up many things, not considering this option example : some users havethe following combinaison of usernames / display names / email addresses like :
as per the global sharing setting above disabling compression, when I search "John" i should not see any suggestion until i write either john.doe or [email protected] but actually (latest 19.0.8) as users did change their display name to a simple "John" all of them show up, even if the option says full username or email address |
@diroots please open a new issue |
Several components and third party apps do no honor the setting in sharing "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered."
While this works for the file sharing dialog it doesn't for several (if not the majority) of other applications. This means that running a public nextcloud with more then the core apps i impossible.
While I could file a bug report for every app where I discover this problem, I think the nexcloud core should be responsible for not leaking data. There are several similar problems reported in the past for different applications and circumstances: #6530, #5107, #8392, #7428
Not reported is this so far for e.g. calendar app or polls (as long as I can see).
Expected behaviour
If autocompletion feature is deactivated users should not see each other in any sharing dialog as long as they don't know the complete username / email-adress, regardless of the authentication backend (database, ldap, ...). This feature should be honored in every app.
Actual behaviour
Some apps (file sharing, contacts) honor the settings, some not.
Server configuration
Nextcloud version: (see Nextcloud admin page)
Nextcloud 13.0.6 and earlier versions
The text was updated successfully, but these errors were encountered: