Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: Name collision of shared folders #34015

Closed
6 of 9 tasks
aslfv opened this issue Sep 11, 2022 · 12 comments
Closed
6 of 9 tasks

[Bug]: Name collision of shared folders #34015

aslfv opened this issue Sep 11, 2022 · 12 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 25-feedback bug

Comments

@aslfv
Copy link

aslfv commented Sep 11, 2022

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on Github (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

When two or more (sending) users share a folder with the same (receiving) user, that receiving user will only see the folder of the latest (sending) user under the "shared" folder, without necessarily being aware of it. The other folders will only reappear if the receiving user renames the folder seen.

The issue was originally raised at https://help.nextcloud.com/t/shared-folder-with-same-name-starts-override-each-other-at-recipient-view/142574/3.

IMHO this is a critical bug, which could pose a major digital security risk that could be exploited to inject malicious files in another user's folder.

But irrespective of this, users that share their (default) folders should not have to worry about name collisions.

Steps to reproduce

1.Alice shares her "Document" folder with Charly => Charly sees Alice's "Document" folder
2.Bob shares his "Document" folder with Charly => Charly only sees Bob's "Document" folder.
3.Mallory shares his "Document" folder, which contains malware with Charly => Charly only sees Mallory's "Document" folder and may believe this is still Alice's Document folder.

Expected behavior

Charly should see all three folders: Alice's, Bob's and Mallory's "Document" folders, which may be renamed as "Document (Alice)", "Document (Bob)" and "Document (Mallory)" respectively.

Installation method

Community Docker image

Operating system

Fedora 36

PHP engine version

PHP 8.0

Web server

Apache (supported)

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwritehost": "***REMOVED SENSITIVE VALUE***",
        "overwriteprotocol": "https",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "24.0.4.1",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "loglevel": "2",
        "log_type": "file",
        "logfile": "\/var\/www\/html\/data\/nextcloud.log",
        "log_rotate_size": "10485760",
        "log.condition": {
            "apps": [
                "admin_audit"
            ]
        },
        "preview_max_x": "2048",
        "preview_max_y": "2048",
        "jpeg_quality": "60",
        "enabledPreviewProviders": {
            "1": "OC\\Preview\\Image",
            "2": "OC\\Preview\\MarkDown",
            "3": "OC\\Preview\\MP3",
            "4": "OC\\Preview\\TXT",
            "5": "OC\\Preview\\OpenDocument",
            "6": "OC\\Preview\\Movie"
        },
        "enable_previews": true,
        "upgrade.disable-web": true,
        "mail_smtpmode": "smtp",
        "trashbin_retention_obligation": "auto, 30",
        "versions_retention_obligation": "auto, 30",
        "activity_expire_days": "30",
        "simpleSignUpLink.shown": false,
        "share_folder": "\/Shared",
        "one-click-instance": true,
        "one-click-instance.user-limit": 100,
        "htaccess.RewriteBase": "\/",
        "files_external_allow_create_new_local": false,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***"
    }
}

List of activated Apps

Enabled:
  - accessibility: 1.10.0
  - activity: 2.16.0
  - admin_audit: 1.14.0
  - apporder: 0.15.0
  - bruteforcesettings: 2.4.0
  - calendar: 3.5.0
  - circles: 24.0.1
  - cloud_federation_api: 1.7.0
  - comments: 1.14.0
  - contacts: 4.2.0
  - contactsinteraction: 1.5.0
  - dashboard: 7.4.0
  - dav: 1.22.0
  - deck: 1.7.1
  - encryption: 2.12.0
  - event_update_notification: 1.5.0
  - federatedfilesharing: 1.14.0
  - federation: 1.14.0
  - files: 1.19.0
  - files_external: 1.16.1
  - files_pdfviewer: 2.5.0
  - files_rightclick: 1.3.0
  - files_sharing: 1.16.2
  - files_trashbin: 1.14.0
  - files_versions: 1.17.0
  - files_videoplayer: 1.13.0
  - firstrunwizard: 2.13.0
  - logreader: 2.9.0
  - lookup_server_connector: 1.12.0
  - nextcloud-aio: 0.2.0
  - nextcloud_announcements: 1.13.0
  - notes: 4.5.1
  - notifications: 2.12.0
  - notify_push: 0.4.0
  - oauth2: 1.12.0
  - password_policy: 1.14.0
  - phonetrack: 0.7.0
  - photos: 1.6.0
  - privacy: 1.8.0
  - provisioning_api: 1.14.0
  - recommendations: 1.3.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - socialsharing_email: 2.5.0
  - support: 1.7.0
  - survey_client: 1.12.0
  - systemtags: 1.14.0
  - tasks: 0.14.4
  - text: 3.5.1
  - theming: 1.15.0
  - twofactor_backupcodes: 1.13.0
  - twofactor_totp: 6.4.0
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - workflowengine: 2.6.0
Disabled:
  - cookbook: 0.9.14
  - grauphel
  - socialsharing_diaspora: 2.5.0
  - user_ldap

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

@aslfv aslfv added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Sep 11, 2022
@aslfv aslfv changed the title [Bug]: [Bug]: Name collision of shared folders Sep 11, 2022
@aslfv aslfv changed the title [Bug]: Name collision of shared folders [Bug]: Name collision of shared folders and potential security exploit Sep 11, 2022
@kesselb
Copy link
Contributor

kesselb commented Sep 11, 2022

If you believe, that something is a "major digital security risk", please report it to https://hackerone.com/nextcloud.

@yahesh
Copy link
Member

yahesh commented Sep 20, 2022

Currently running into the same problem. This needs to be fixed.

@kesselb
Copy link
Contributor

kesselb commented Sep 20, 2022

Hi,

thanks @aslfv for reporting the issue to h1 👍

image

On my test instance a suffix is automatically appended when a share with the same name already exist.

@yahesh do you have any idea why it's different on your instance?

@yahesh
Copy link
Member

yahesh commented Sep 20, 2022

@kesselb Could you try what happens when one sending user shares a subfolder with the same name to the same receiving user (e.g foldera/shared/ and folderb/shared/)? That's what's happening in our case.

@kesselb
Copy link
Contributor

kesselb commented Sep 20, 2022

I shared admin/TestA/Contracts and bob/TestB/Contracts to alice and see both folders. bob's with a suffix.

@vitrex
Copy link

vitrex commented Oct 29, 2022

I can confirm the issue:

An external folder named Photos, which is accessible by Alice and Bob. The structure is:

Photos
├── Holiday_1
│   └── Best
└── Holiday_2
    └── Best
  1. Alice shares Holiday_1/Best with Charly.
  2. Charly can see Best
  3. Bob shares Holiday_2/Best with Charly.
  4. Charly can no longer see (Holiday_1/)Best, it gets overwritten with (Holiday_2/)Best

My workaround was, that Charly renames the first shared folder to Best-Holiday_1. Afterwards he can get the next share.

I would also call it a possible security issue. Maybe it only happens on external shares?

@kesselb
Copy link
Contributor

kesselb commented Oct 29, 2022

Hi,

Current status is that we don't know how to reproduce. If you observed something helpful, please let us know.

@stefanvi
Copy link

I can reproduce this as well. My installation is running the Nextcloud AIO (24.0.7) image with standard configurations, with the only exception being that the 'Shared' folder has a different default name. When one account shares a folder with a certain group, and another account shares a folder with the same name to the same group, the entire group will only see the new folder. That is to say, there are no suffixes added to either folder, it simply shows the most recent share.

@stefanvi
Copy link

stefanvi commented Nov 28, 2022

I ran some tests to see when exactly a collision occurs that replaces an existing share. In the table below, the left column indicates that there is an existing shared folder with user Alice, by user Bob. This share can be personal, meaning Alice is the only recipient, it can be a share with a group that Alice is in, or both. The middle column indicates that Eve, a malicious user, shares a folder with the same name to Alice personally, or to a group that contains Alice. The right column shows when a collision occurs.

Alice is in a shared folder Eve shares to Collision
personal personal yes
personal group yes
group personal no
group group yes
personal, group personal yes
personal, group group yes

In the case where there is no collision, Alice does get an email notification about a new shared folder. Clicking the "Open >>Folder<<" button, opens Nextcloud, but fails to open the Folder itself.
File could not be found

Edit: I completely reinstalled Nextcloud-aio via docker and the issue still occurs.

Edit 2: It also happens on a fresh install of the latest docker image (v25). I really don't understand what's going on anymore, but at this point I don't think I can trust this software.

@PanieriLorenzo
Copy link

Having the same issue here, on a new Docker deployment of nextcloud-apache 25 sharing SMB mounts.

@kesselb
Copy link
Contributor

kesselb commented Jan 5, 2023

Thanks for your input 👍

I will forward it accordingly.

@nickvergessen nickvergessen changed the title [Bug]: Name collision of shared folders and potential security exploit [Bug]: Name collision of shared folders Mar 1, 2023
@nickvergessen
Copy link
Member

This was solved in 25.0.3 and the matching 24 version

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap 25-feedback bug
Projects
None yet
Development

No branches or pull requests

8 participants