Nextcloud exposes internal configuration/setup information

[rg-ac]

Steps to reproduce

1. Load the NextCloud main page of your installation, e.g. nextcloud.example.com
2. View the HTML source in your browser
3. Look at the header part at the 'oc_*' variables

Expected behaviour

Don't expose internal configuration to the web - also no version numbers, etc.

Actual behaviour

Some oc_* variables contain internal configuration setup while not enabling any kind of federation and not being logged in.

Server configuration

Operating system: Ubuntu 16.04
Web server: Apache
Database: MySQL
PHP version:?
Nextcloud version: 13.0.7.2
Updated from an older Nextcloud/ownCloud or fresh install: Updated

[nextcloud-bot]

GitMate.io thinks possibly related issues are #11205 ([Nextcloud 14] Internal Server Error), #10941 (Nextcloud customiztion), #104 (NextCloud / OwnCloud), #5405 (Nextcloud / direct_menu), and #3911 (Slow Nextcloud).

[MorrisJobke]

Some oc_* variables contain internal configuration setup while not enabling any kind of federation and not being logged in.

What details are you referring to specifically? Because the version number is something that doesn't really matter. If you want to know the version, then look into the JS code and it's pretty easy to say which Nextcloud version it is. It's basically obfuscation.

Also this version number is used by clients to identify the server.

[tspr]

Similar Issue: #12274

nc leaks internal IP address to public.

[skjnldsv]

I fail to see how that would be an issue, but again, I'm no security expert 🙈

Anyway, see two last comments on #12274