
autocompletion leaks data in different components even if autocompletion is deactivated #11087

Closed
jankowa opened this issue Sep 6, 2018 · 8 comments · Fixed by #18120

Comments

@jankowa

jankowa commented Sep 6, 2018

Several components and third-party apps do not honor the setting in sharing: "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered."

While this works for the file sharing dialog, it doesn't for several (if not the majority) of other applications. This means that running a public Nextcloud with more than the core apps is impossible.

While I could file a bug report for every app where I discover this problem, I think the Nextcloud core should be responsible for not leaking data. There are several similar problems reported in the past for different applications and circumstances: #6530, #5107, #8392, #7428

Not reported is this so far for e.g. calendar app or polls (as long as I can see).

Expected behaviour

If the autocompletion feature is deactivated, users should not see each other in any sharing dialog as long as they don't know the complete username / email address, regardless of the authentication backend (database, LDAP, ...). This feature should be honored in every app.

Actual behaviour

Some apps (file sharing, contacts) honor the settings, some not.

Server configuration

Nextcloud version: (see Nextcloud admin page)

Nextcloud 13.0.6 and earlier versions

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #3991 (memory leak), #5333 (Search contacts feature is leaking data), #6609 (Contacts with a different display name than the user name are not found when autocompletion is disabled), #7428 (NC12.0.4 - Sharing dialog leaks data with LDAP backend), and #9005 (c).

@juliusknorr
Member

This is more an issue of the individual apps, that probably don't use the sharing endpoint for fetching the list of users. Please open an issue in the apps issue trackers.

@raimund-schluessler
Member

This is a server issue, precisely the DAV app. Even when turning off the setting "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered.", the DAV app still provides a list of all users matching a given query. Doing a REPORT against nextcloud/remote.php/dav/ with

```xml
<x0:principal-property-search xmlns:x0="DAV:">
  <x0:property-search>
    <x0:prop>
      <x0:displayname/>
    </x0:prop>
    <x0:match>a</x0:match>
  </x0:property-search>
  <x0:prop>
    <x0:displayname/>
    <x1:calendar-user-type xmlns:x1="urn:ietf:params:xml:ns:caldav"/>
    <x1:calendar-user-address-set xmlns:x1="urn:ietf:params:xml:ns:caldav"/>
    <x0:principal-URL/>
    <x0:alternate-URI-set/>
    <x2:email-address xmlns:x2="http://sabredav.org/ns"/>
    <x3:resource-type xmlns:x3="http://nextcloud.com/ns"/>
    <x3:resource-vehicle-type xmlns:x3="http://nextcloud.com/ns"/>
    <x3:resource-vehicle-make xmlns:x3="http://nextcloud.com/ns"/>
    <x3:resource-vehicle-model xmlns:x3="http://nextcloud.com/ns"/>
    <x3:resource-vehicle-is-electric xmlns:x3="http://nextcloud.com/ns"/>
    <x3:resource-vehicle-range xmlns:x3="http://nextcloud.com/ns"/>
    <x3:resource-vehicle-seating-capacity xmlns:x3="http://nextcloud.com/ns"/>
    <x3:resource-contact-person xmlns:x3="http://nextcloud.com/ns"/>
    <x3:resource-contact-person-vcard xmlns:x3="http://nextcloud.com/ns"/>
    <x3:room-type xmlns:x3="http://nextcloud.com/ns"/>
    <x3:room-seating-capacity xmlns:x3="http://nextcloud.com/ns"/>
    <x3:room-building-address xmlns:x3="http://nextcloud.com/ns"/>
    <x3:room-building-story xmlns:x3="http://nextcloud.com/ns"/>
    <x3:room-building-room-number xmlns:x3="http://nextcloud.com/ns"/>
    <x3:room-features xmlns:x3="http://nextcloud.com/ns"/>
  </x0:prop>
  <x0:apply-to-principal-collection-set/>
</x0:principal-property-search>
```

returns a response with all users and groups containing the letter a. As you can see here, we simply run a request against the DAV app: https://github.com/nextcloud/tasks/blob/master/src/components/CalendarShare.vue#L117; there is no app-specific endpoint in place.

We have this reported in nextcloud/tasks#660, #17481. Every app querying the DAV endpoint will have this problem, and of course you can query this endpoint without any app enabled.
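An admin self-check for the behaviour described in this comment, as an added example that is not part of the issue and not Nextcloud's own code. It assumes the REPORT body and the remote.php/dav/ endpoint quoted above, a constructed sample multistatus response for offline use, and the expectation stated in the issue: with autocompletion disabled, only an exact match on the user id or the email address may come back, so anything else returned for a partial query is data the setting says must not be shown.

```python
"""Self-check: does the DAV principal search honor the sharing setting?

Added example, not code from the issue or from Nextcloud. Assumes the
principal-property-search REPORT body and remote.php/dav/ endpoint quoted
in the comment above; the sample response below is constructed.
"""
import base64
import urllib.request
from typing import Dict, List
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

DAV = "DAV:"
SABRE = "http://sabredav.org/ns"


def build_principal_search(match: str) -> bytes:
    """Minimal REPORT body: match `match` against displayname, ask for
    displayname and email-address, over the whole principal collection."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<d:principal-property-search xmlns:d="{DAV}" xmlns:s="{SABRE}">'
        "<d:property-search><d:prop><d:displayname/></d:prop>"
        f"<d:match>{escape(match)}</d:match></d:property-search>"
        "<d:prop><d:displayname/><s:email-address/></d:prop>"
        "<d:apply-to-principal-collection-set/>"
        "</d:principal-property-search>"
    ).encode("utf-8")


def parse_principals(multistatus: bytes) -> List[Dict[str, str]]:
    """Extract href, displayname and email from each d:response."""
    root = ET.fromstring(multistatus)
    found = []
    for resp in root.findall(f"{{{DAV}}}response"):
        found.append({
            "href": resp.findtext(f"{{{DAV}}}href", default="").strip(),
            "displayname": resp.findtext(f".//{{{DAV}}}displayname", default="").strip(),
            "email": resp.findtext(f".//{{{SABRE}}}email-address", default="").strip(),
        })
    return found


def unexpected_results(principals: List[Dict[str, str]], query: str) -> List[Dict[str, str]]:
    """With autocompletion disabled the only acceptable hits are an exact
    match on the user id (last href segment) or on the email address."""
    q = query.strip().lower()
    leaked = []
    for p in principals:
        uid = p["href"].rstrip("/").rsplit("/", 1)[-1].lower()
        if q not in (uid, p["email"].lower()):
            leaked.append(p)
    return leaked


def run_check(base_url: str, username: str, password: str, query: str = "a") -> List[Dict[str, str]]:
    """Send the REPORT to your own instance and return entries the setting
    should have suppressed; an empty list means it is honored for `query`."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/remote.php/dav/",
        data=build_principal_search(query),
        method="REPORT",
        headers={
            "Content-Type": 'application/xml; charset="utf-8"',
            "Depth": "0",
            "Authorization": "Basic " + token,
        },
    )
    with urllib.request.urlopen(req) as resp:
        return unexpected_results(parse_principals(resp.read()), query)


# Constructed sample: what a leaking server returns for the partial query
# "John" when two users both use the display name "John".
SAMPLE_LEAKY_RESPONSE = b"""<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <d:response>
    <d:href>/remote.php/dav/principals/users/john.doe/</d:href>
    <d:propstat><d:prop><d:displayname>John</d:displayname>
      <s:email-address>john.doe@example.com</s:email-address></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/remote.php/dav/principals/users/john.a/</d:href>
    <d:propstat><d:prop><d:displayname>John</d:displayname>
      <s:email-address>john.a@example.com</s:email-address></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
</d:multistatus>"""

if __name__ == "__main__":
    hits = parse_principals(SAMPLE_LEAKY_RESPONSE)
    print(f"partial query 'John' exposed {len(unexpected_results(hits, 'John'))} principals")
    # Against your own instance: run_check("https://cloud.example", "user", "app-password", "a")
```

After the fix, `run_check` with a short query such as "a" should return an empty list, while an exact user id or email address still resolves; the offline sample shows what the classifier reports for a server that ignores the setting.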

@raimund-schluessler
Member

And btw, this is still valid with NC 17.0.0.

@raimund-schluessler
Member

@georgehrke and @skjnldsv here as well 😉

@georgehrke georgehrke self-assigned this Oct 9, 2019
@georgehrke georgehrke added this to the Nextcloud 17.0.1 milestone Oct 9, 2019
@doobry-systemli

Thanks for giving this issue priority and aiming to fix it in Nextcloud 17.0.1!

@diroots

diroots commented Feb 10, 2021

sorry, but i still can see some leaks in the following situation :

in our instance, we have the main global sharing setting "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered." disabled, so as stated in the checkbox description, the full username or email address is needed. But the suggestions show many things, not considering this option.

example :

some users have the following combination of usernames / display names / email addresses like:

john.doe / John / [email protected]
john.a / John / [email protected]
john.b / John / [email protected]

as per the global sharing setting above disabling autocompletion, when I search "John" I should not see any suggestion until I write either john.doe or [email protected]

but actually (latest 19.0.8), as users did change their display name to a simple "John", all of them show up, even if the option says full username or email address

@J0WI
Contributor

J0WI commented Feb 11, 2021

@diroots please open a new issue
