NC12.0.4 - Sharing dialog leaks data with LDAP backend #7428

Closed
BornToBeRoot opened this issue Dec 8, 2017 · 21 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap feature: ldap feature: sharing security
Milestone

Comments

@BornToBeRoot

BornToBeRoot commented Dec 8, 2017

Sharing dialog leaks data with LDAP backend.

Steps to reproduce

  1. Create some test users (local and in Active Directory)

[screenshot]

  2. Log on with the "Test321" user

[screenshot]

  3. Open the share dialog and type "test"

[screenshot]

Expected behaviour

test2 (LDAP/AD user) should not be listed, because he is not in the same group...

[screenshot]

Sharing options

[screenshot]

Actual behaviour

See "Steps to reproduce/3."

Server configuration

Operating system: CentOS 7

Web server: Apache

Database: MariaDB

PHP version: 7.0

Nextcloud version: 12.0.4 Build:2017-12-06T01:01:26+00:00 e04dd40

Updated from an older Nextcloud/ownCloud or fresh install: Owncloud --> [..] --> Update NC 11

Where did you install Nextcloud from: Nextcloud website / download

List of activated apps:

App list
  - activity: 2.5.2
  - admin_audit: 1.2.0
  - bruteforcesettings: 1.0.2
  - comments: 1.2.0
  - dav: 1.3.0
  - federatedfilesharing: 1.2.0
  - files: 1.7.2
  - files_antivirus: 1.1.0
  - files_downloadactivity: 1.1.1
  - files_pdfviewer: 1.1.1
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_videoplayer: 1.1.0
  - gallery: 17.0.0
  - groupfolders: 1.1.0
  - impersonate: 1.0.1
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - music: 0.5.4
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - quota_warning: 1.1.1
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - user_ldap: 1.2.1
  - workflowengine: 1.2.0
Disabled:
  - encryption
  - federation
  - files_external
  - files_versions
  - firstrunwizard
  - nextcloud_announcements
  - survey_client
  - systemtags
  - user_external

Are you using external storage, if yes which one: -/-

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

If you need ldap:show-config... just ask, I need to clean it before posting...

@BornToBeRoot
Author

BornToBeRoot commented Dec 8, 2017

Privacy enhancements for contacts menu #5107

@jimbowarrior do you have the same behavior?

@MorrisJobke
Member

cc @nextcloud/ldap @nextcloud/sharing

@MorrisJobke MorrisJobke added feature: ldap feature: sharing 0. Needs triage Pending check for reproducibility or if it fits our roadmap security labels Dec 8, 2017
@jimbowarrior

jimbowarrior commented Dec 8, 2017

I have the same issue: in the search contacts field, privacy is respected. I can see only users in my group.
In the shared section, when I click on "sharing" I can see all users and share with users not in my group.
And yes, I marked "Restrict users to only share with users in their groups".
But! In a Nextcloud 12 fresh install upgraded to 12.0.3 and 12.0.4 I have no issue.
I have this issue in another Nextcloud migrated from ownCloud 10 > Nextcloud 10 > Nextcloud 12.
Regarding the Nextcloud server with these issues, there is another strange thing: some users can see only users in their groups, but some other users can see everybody. These other users belong to only one and the same group.
I re-created new users and new groups, same issue.

@blizzz
Member

blizzz commented Dec 11, 2017

Privacy issues with the contacts menu were fixed in 12.0.4 with #6554

@rullzer
Member

rullzer commented Dec 11, 2017

@blizzz yes, the contacts menu seems to play nice, but the sharee autocompletion does not...

@jimbowarrior

Exactly!!!

@BornToBeRoot
Author

I would say it leaks only LDAP users in the share dialog. But I can check this tomorrow at work...

@blizzz
Member

blizzz commented Dec 12, 2017

@rullzer why? That sounds like something broke in files_sharing's sharee endpoint. Which is surprising, since sharing actually brought in those settings. I refactored it, but only for 13. Best guess without looking deeper: side effect of #5428?

@rullzer
Member

rullzer commented Dec 12, 2017

I don't know why... but maybe... aaah or... it is a side effect of #7456 not being in yet.

I'll try to spin up my ldap instance tomorrow again.

@biva

biva commented Dec 13, 2017

I'm not using LDAP (just standard users created in the Nextcloud UI) and I'm facing the same issue.

@jimbowarrior

Me too

@biva

biva commented Dec 13, 2017

Can some admin mention this current issue in #5107 so that we can find it? Thanks!

@blizzz
Member

blizzz commented Dec 15, 2017

> I don't know why... but maybe... aaah or... it is a side effect of #7456 not being in yet.

I really really really hope not so :D and heavily doubt it.

I can confirm it happens with LDAP users, but not with local ones. On master. Need to continue debugging later.

@LEDfan
Member

LEDfan commented Dec 15, 2017

@blizzz if the LDAP users have an e-mail address and the local ones don't, it may be solved by #7490

@jimbowarrior

I'm facing this bug without LDAP users

@blizzz
Member

blizzz commented Dec 15, 2017

@LEDfan that's a good hint! It might be, because the user fetcher filtered properly.

@blizzz
Member

blizzz commented Dec 15, 2017

@LEDfan somehow I missed your PR previously, but that's fixing it! Thanks! :)

MorrisJobke added a commit that referenced this issue Dec 18, 2017
Respect sharing options when searching using MailPlugin #7428
@MorrisJobke
Member

Fixed in #7490
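An added example, not Nextcloud's code and not the change in #7490, that models the failure mode the thread converged on: a sharee search with two lookup paths (one matching on user id / display name, one matching on e-mail address) where only the first path applies the "Restrict users to only share with users in their groups" setting, next to a version that merges every path first and applies the restriction once. The users, groups, e-mail addresses and the two plugin functions are constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Minimal account record (constructed; not Nextcloud's user model)."""
    uid: str
    display_name: str
    email: str | None
    groups: frozenset[str]


# Constructed directory mirroring the report: the searcher "test321" and
# "test1" share a group, "test2" is a directory (LDAP-style) account that
# carries an e-mail address and has no group in common, "test3" is in both.
DIRECTORY = [
    User("test321", "Test321", None, frozenset({"team-a"})),
    User("test1", "Test1", None, frozenset({"team-a"})),
    User("test2", "Test2", "test2@example.invalid", frozenset({"team-b"})),
    User("test3", "Test3", "test3@example.invalid", frozenset({"team-a", "team-b"})),
]


def shares_a_group(searcher: User, candidate: User) -> bool:
    """The check behind 'restrict users to only share with users in their groups'."""
    return bool(searcher.groups & candidate.groups)


def user_plugin(term: str, users: list[User]) -> list[User]:
    """Lookup path 1 (hypothetical): match on user id or display name."""
    t = term.lower()
    return [u for u in users if t in u.uid.lower() or t in u.display_name.lower()]


def mail_plugin(term: str, users: list[User]) -> list[User]:
    """Lookup path 2 (hypothetical): match on e-mail address."""
    t = term.lower()
    return [u for u in users if u.email and t in u.email.lower()]


def _uids(users) -> list[str]:
    """Deduplicated, sorted user ids for a stable result."""
    return sorted({u.uid for u in users})


def search_sharees_leaky(searcher: User, term: str, users: list[User],
                         restrict_to_groups: bool) -> list[str]:
    """Failure mode from the thread: the group restriction is applied inside
    the user path only, so any account the mail path returns bypasses it."""
    hits = [u for u in user_plugin(term, users)
            if not restrict_to_groups or shares_a_group(searcher, u)]
    hits += mail_plugin(term, users)          # no group check on this path
    return _uids(u for u in hits if u.uid != searcher.uid)


def search_sharees_fixed(searcher: User, term: str, users: list[User],
                         restrict_to_groups: bool) -> list[str]:
    """Hardened form: merge every lookup path first, then apply the
    restriction once over the merged list, so no plugin can bypass it."""
    hits = user_plugin(term, users) + mail_plugin(term, users)
    hits = [u for u in hits if u.uid != searcher.uid]
    if restrict_to_groups:
        hits = [u for u in hits if shares_a_group(searcher, u)]
    return _uids(hits)


if __name__ == "__main__":
    me = DIRECTORY[0]
    # Typing "test" as in the report: the leaky search surfaces test2,
    # the fixed search does not.
    print("leaky:", search_sharees_leaky(me, "test", DIRECTORY, True))
    print("fixed:", search_sharees_fixed(me, "test", DIRECTORY, True))
```

The point of the fixed variant is structural: the restriction lives in one place, after all lookup plugins have contributed, so adding a new plugin later (or an account type that only one plugin can match, such as a directory user with an e-mail address) cannot reopen the leak. A regression test for a deployment would search as a user with the restriction enabled and assert that no account outside that user's groups appears, regardless of which attribute the search term matched.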

@muppeth

muppeth commented Mar 5, 2018

Just updated my instance to Nextcloud 13 and the contacts menu still leaks LDAP users. Very weird, as my other instance does not do that. Both of them have autocompletion off. No matter if shareapi_allow_share_dialog_user_enumeration is set to yes or no. I noticed the same behaviour with nc 12.05 but thought updating to nc13 would solve it.

Could someone point me in the direction to debug it? @MorrisJobke sorry for calling, but wanted to be sure I'm heard. It's quite a crucial issue for me atm.

@MorrisJobke
Member

Please open a new ticket and only refer to this one

@ostasevych

Is it fixed somehow?..
