Sharing dialogue and “search contacts” widget leak contact information from other users #7055

Closed
9662 opened this Issue Nov 3, 2017 · 5 comments

9662 commented Nov 3, 2017

Steps to reproduce

  1. As an admin, configure Nextcloud so that users can only share within their groups, and enable username autocompletion when sharing.
  2. Create two groups: Red Group and Blue Group (for example)
  3. Create a user in each of those groups, e.g., Red User and Blue User
  4. Assign Red User to both Red Group and Blue Group, and Blue User only to Blue Group (may not be necessary).
  5. Log in as Red User
  6. Add some contacts to your default address book
  7. Log out
  8. Log in as Blue User
  9. Pick a file or directory and go to Sharing, start typing a name that matches one of Red User's contacts
  10. For kicks, do the same in the “search contacts” box (upper right corner of web page)

Expected behaviour

The typed text should either match Red User or nothing at all, depending on what is entered.

Actual behaviour

The typed text returns matches against contacts in Red User's address book, which is not shared with anyone else.

Server configuration

Operating system: Opensuse Leap 42.2

Web server: Apache 2.4

Database: SQLite3

PHP version: 7.1.6

Nextcloud version: 12.0.3.3

Updated from an older Nextcloud/ownCloud or fresh install: Updated, originally from ownCloud 6 or so.

Where did you install Nextcloud from: Nextcloud.org

Signing status:

No errors have been found.

List of activated apps:

Enabled:
  - activity: 2.5.2
  - admin_audit: 1.2.0
  - bookmarks: 0.10.1
  - bruteforcesettings: 1.0.2
  - calendar: 1.5.6
  - comments: 1.2.0
  - contacts: 2.0.1
  - dav: 1.3.0
  - deck: 0.2.4
  - drawio: 0.8.8
  - federatedfilesharing: 1.2.0
  - federation: 1.2.0
  - files: 1.7.2
  - files_accesscontrol: 1.2.5
  - files_automatedtagging: 1.2.2
  - files_downloadactivity: 1.1.1
  - files_external: 1.3.0
  - files_markdown: 2.0.1
  - files_pdfviewer: 1.1.1
  - files_retention: 1.1.2
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - gpxpod: 2.2.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.1
  - notes: 2.3.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - ocsms: 1.12.1
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - quota_warning: 1.1.1
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - spreed: 2.0.1
  - survey_client: 1.0.0
  - systemtags: 1.2.0
  - tasks: 0.9.5
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - twofactor_totp: 1.3.1
  - updatenotification: 1.2.0
  - user_external: 0.4
  - workflowengine: 1.2.0
Disabled:
  - encryption
  - user_ldap

Nextcloud configuration:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
        ],
        "auth.bruteforce.protection.enabled": false,
        "dbtype": "sqlite3",
        "version": "12.0.3.3",
        "installed": true,
        "loglevel": 1,
        "theme": "",
        "maintenance": false,
        "share_folder": "\/Shared",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": true,
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "forcessl": true,
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trashbin_retention_obligation": "auto",
        "updatechecker": false,
        "appstore.experimental.enabled": false,
        "updater.release.channel": "beta"
    },
    "apps": {
        "activity": {
            "installed_version": "2.5.2",
            "types": "filesystem",
            "enabled": "yes"
        },
        "admin_audit": {
            "installed_version": "1.2.0",
            "types": "logging",
            "enabled": "yes"
        },
        "backgroundjob": {
            "lastjob": "1230"
        },
        "bookmarks": {
            "installed_version": "0.10.1",
            "types": "",
            "enabled": "yes"
        },
        "bruteforcesettings": {
            "installed_version": "1.0.2",
            "enabled": "yes",
            "types": ""
        },
        "calendar": {
            "installed_version": "1.5.6",
            "types": "",
            "enabled": "yes",
            "signed": "true"
        },
        "comments": {
            "installed_version": "1.2.0",
            "types": "logging",
            "enabled": "yes"
        },
        "contacts": {
            "installed_version": "2.0.1",
            "types": "",
            "enabled": "yes",
            "ocsid": "168708"
        },
        "core": {
            "installedat": "1397392290.6372",
            "lastupdatedat": "1509720303",
            "remote_core.css": "\/core\/minimizer.php",
            "remote_core.js": "\/core\/minimizer.php",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "remote_calendar": "dav\/appinfo\/v1\/caldav.php",
            "remote_caldav": "dav\/appinfo\/v1\/caldav.php",
            "public_calendar": "calendar\/share.php",
            "public_caldav": "calendar\/share.php",
            "remote_contacts": "dav\/appinfo\/v1\/carddav.php",
            "remote_carddav": "dav\/appinfo\/v1\/carddav.php",
            "public_gallery": "gallery\/public.php",
            "remote_files": "dav\/appinfo\/v1\/webdav.php",
            "remote_webdav": "dav\/appinfo\/v1\/webdav.php",
            "remote_filesync": "files\/appinfo\/filesync.php",
            "public_documents": "documents\/public.php",
            "global_cache_gc_lastrun": "1442016702",
            "lastupdateResult": "[]",
            "remote_mozilla_sync": "mozilla_sync\/appinfo\/remote.php",
            "lastcron": "1509722104",
            "shareapi_default_expire_date": "yes",
            "shareapi_enforce_expire_date": "no",
            "shareapi_allow_mail_notification": "yes",
            "shareapi_only_share_with_group_members": "yes",
            "repairlegacystoragesdone": "yes",
            "shareapi_allow_public_notification": "yes",
            "backgroundjobs_mode": "cron",
            "shareapi_expire_after_n_days": "14",
            "remote_dav": "dav\/appinfo\/v2\/remote.php",
            "shareapi_exclude_groups": "no",
            "shareapi_exclude_groups_list": "[\"\"]",
            "vendor": "nextcloud",
            "updater.secret.created": "1508886371",
            "OC_Channel": "production",
            "moveavatarsdone": "yes",
            "previewsCleanedUp": "1",
            "umgmt_show_last_login": "false",
            "umgmt_show_backend": "false",
            "umgmt_show_email": "false",
            "umgmt_show_storage_location": "false",
            "installed.bundles": "[\"CoreBundle\"]",
            "scss.variables": "e0e261f4f528e2a34df7e31bc842b708",
            "umgmt_send_email": "true",
            "oc.integritycheck.checker": "[]"
        },
        "dav": {
            "installed_version": "1.3.0",
            "types": "filesystem",
            "enabled": "yes",
            "OCA\\DAV\\Migration\\ValueFixInsert_ran": "true",
            "buildCalendarSearchIndex": "yes"
        },
        "deck": {
            "installed_version": "0.2.4",
            "enabled": "yes",
            "types": ""
        },
        "direct_menu": {
            "enabled": "no",
            "installed_version": "0.10.2",
            "types": "",
            "ocsid": "169148"
        },
        "documents": {
            "installed_version": "0.8.2",
            "types": "",
            "enabled": "no",
            "ocsid": "168711"
        },
        "drawio": {
            "installed_version": "0.8.8",
            "enabled": "yes",
            "types": "filesystem"
        },
        "external": {
            "installed_version": "1.2",
            "ocsid": "166046",
            "types": "",
            "enabled": "no"
        },
        "federatedfilesharing": {
            "installed_version": "1.2.0",
            "types": "",
            "enabled": "yes"
        },
        "federation": {
            "installed_version": "1.2.0",
            "types": "authentication",
            "enabled": "yes"
        },
        "files": {
            "installed_version": "1.7.2",
            "types": "filesystem",
            "enabled": "yes",
            "backgroundwatcher_previous_file": "734",
            "backgroundwatcher_previous_folder": "4701",
            "cronjob_scan_files": "500"
        },
        "files_accesscontrol": {
            "installed_version": "1.2.5",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_automatedtagging": {
            "installed_version": "1.2.2",
            "enabled": "yes",
            "types": "filesystem"
        },
        "files_downloadactivity": {
            "installed_version": "1.1.1",
            "enabled": "yes",
            "types": "filesystem"
        },
        "files_external": {
            "installed_version": "1.3.0",
            "ocsid": "166048",
            "types": "filesystem",
            "enabled": "yes",
            "user_mounting_backends": "dav,owncloud,sftp,amazons3,dropbox,googledrive,swift,smb,\\OC\\Files\\Storage\\SFTP_Key,\\OC\\Files\\Storage\\SMB_OC"
        },
        "files_locking": {
            "installed_version": "",
            "types": "filesystem",
            "enabled": "no"
        },
        "files_markdown": {
            "enabled": "yes",
            "installed_version": "2.0.1",
            "types": ""
        },
        "files_pdfviewer": {
            "installed_version": "1.1.1",
            "types": "",
            "enabled": "yes",
            "ocsid": "166049"
        },
        "files_retention": {
            "installed_version": "1.1.2",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_sharing": {
            "installed_version": "1.4.0",
            "types": "filesystem",
            "enabled": "yes",
            "lookupServerUploadEnabled": "no"
        },
        "files_texteditor": {
            "installed_version": "2.4.1",
            "types": "",
            "enabled": "yes",
            "ocsid": "166051"
        },
        "files_trashbin": {
            "installed_version": "1.2.0",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_versions": {
            "installed_version": "1.5.0",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_videoplayer": {
            "installed_version": "1.1.0",
            "types": "",
            "enabled": "yes"
        },
        "files_videoviewer": {
            "installed_version": "0.1.3",
            "types": "",
            "enabled": "no",
            "ocsid": "166054"
        },
        "firstrunwizard": {
            "installed_version": "2.1",
            "types": "logging",
            "enabled": "yes"
        },
        "gallery": {
            "installed_version": "17.0.0",
            "types": "",
            "enabled": "yes"
        },
        "gpxpod": {
            "enabled": "yes",
            "installed_version": "2.2.0",
            "types": "",
            "ocsid": "174733"
        },
        "logreader": {
            "installed_version": "2.0.0",
            "ocsid": "170871",
            "types": "",
            "enabled": "yes"
        },
        "lookup_server_connector": {
            "installed_version": "1.0.0",
            "types": "authentication",
            "enabled": "yes"
        },
        "mail": {
            "enabled": "no",
            "installed_version": "0.6.2",
            "types": ""
        },
        "mozilla_sync": {
            "installed_version": "1.4",
            "enabled": "no",
            "types": ""
        },
        "nextcloud_announcements": {
            "installed_version": "1.1",
            "types": "logging",
            "enabled": "yes",
            "pub_date": "Sat, 10 Dec 2016 00:00:00 +0100"
        },
        "notes": {
            "installed_version": "2.3.1",
            "types": "",
            "enabled": "yes",
            "ocsid": "174554"
        },
        "notifications": {
            "installed_version": "2.0.0",
            "types": "logging",
            "enabled": "yes"
        },
        "oauth2": {
            "installed_version": "1.0.5",
            "types": "authentication",
            "enabled": "yes"
        },
        "ocsms": {
            "enabled": "yes",
            "installed_version": "1.12.1",
            "types": "",
            "ocsid": "167289"
        },
        "ojsxc": {
            "enabled": "no",
            "installed_version": "3.1.1",
            "types": "prelogin",
            "serverType": "internal",
            "xmppDomain": "navlost.eu",
            "xmppResource": "nextcloud",
            "xmppOverwrite": "true",
            "xmppStartMinimized": "false",
            "xmppPreferMail": "false",
            "iceUrl": "",
            "iceUsername": "",
            "iceCredential": "",
            "iceSecret": "",
            "iceTtl": "",
            "firefoxExtension": "",
            "chromeExtension": "",
            "externalServices": ""
        },
        "ownnote": {
            "installed_version": "1.07",
            "enabled": "no",
            "types": ""
        },
        "password_policy": {
            "installed_version": "1.2.2",
            "types": "",
            "enabled": "yes",
            "enforceNonCommonPassword": "0",
            "minLength": "3"
        },
        "provisioning_api": {
            "installed_version": "1.2.0",
            "types": "prevent_group_restriction",
            "enabled": "yes"
        },
        "qownnotesapi": {
            "enabled": "no",
            "installed_version": "17.5.0",
            "types": "",
            "ocsid": "173817"
        },
        "quota_warning": {
            "installed_version": "1.1.1",
            "enabled": "yes",
            "types": "filesystem"
        },
        "search_lucene": {
            "installed_version": "0.5.3",
            "types": "filesystem",
            "enabled": "no",
            "ocsid": "168709"
        },
        "serverinfo": {
            "installed_version": "1.2.0",
            "types": "",
            "enabled": "yes"
        },
        "sharebymail": {
            "installed_version": "1.2.0",
            "types": "filesystem",
            "enabled": "yes",
            "sendpasswordmail": "no"
        },
        "spreed": {
            "enabled": "yes",
            "installed_version": "2.0.1",
            "types": "prevent_group_restriction"
        },
        "survey_client": {
            "installed_version": "1.0.0",
            "types": "",
            "enabled": "yes",
            "last_sent": "1508855045",
            "last_report": "{\"id\":\"oc33999c4043\",\"items\":[[\"server\",\"version\",\"12.0.2.0\"],[\"server\",\"code\",\"other\"],[\"server\",\"enable_avatars\",\"yes\"],[\"server\",\"enable_previews\",\"yes\"],[\"server\",\"memcache.local\",\"none\"],[\"server\",\"memcache.distributed\",\"none\"],[\"server\",\"asset-pipeline.enabled\",\"no\"],[\"server\",\"filelocking.enabled\",\"yes\"],[\"server\",\"memcache.locking\",\"none\"],[\"server\",\"debug\",\"no\"],[\"server\",\"cron\",\"cron\"],[\"php\",\"version\",\"7.1.6\"],[\"php\",\"memory_limit\",536870912],[\"php\",\"max_execution_time\",3600],[\"php\",\"upload_max_filesize\",535822336],[\"database\",\"type\",\"sqlite3\"],[\"database\",\"version\",\"3.8.10\"],[\"database\",\"size\",131177472],[\"apps\",\"files_videoviewer\",\"disabled\"],[\"apps\",\"updater\",\"disabled\"],[\"apps\",\"search_lucene\",\"disabled\"],[\"apps\",\"documents\",\"disabled\"],[\"apps\",\"mozilla_sync\",\"disabled\"],[\"apps\",\"external\",\"disabled\"],[\"apps\",\"files_locking\",\"disabled\"],[\"apps\",\"ownnote\",\"disabled\"],[\"apps\",\"templateeditor\",\"disabled\"],[\"apps\",\"qownnotesapi\",\"disabled\"],[\"apps\",\"direct_menu\",\"disabled\"],[\"apps\",\"ojsxc\",\"disabled\"],[\"apps\",\"mail\",\"disabled\"],[\"apps\",\"files_sharing\",\"1.4.0\"],[\"apps\",\"files_pdfviewer\",\"1.1.1\"],[\"apps\",\"calendar\",\"1.5.6\"],[\"apps\",\"files_versions\",\"1.5.0\"],[\"apps\",\"contacts\",\"2.0.1\"],[\"apps\",\"activity\",\"2.5.2\"],[\"apps\",\"firstrunwizard\",\"2.1\"],[\"apps\",\"gallery\",\"17.0.0\"],[\"apps\",\"files\",\"1.7.2\"],[\"apps\",\"files_texteditor\",\"2.4.1\"],[\"apps\",\"files_trashbin\",\"1.2.0\"],[\"apps\",\"files_external\",\"1.3.0\"],[\"apps\",\"provisioning_api\",\"1.2.0\"],[\"apps\",\"tasks\",\"0.9.5\"],[\"apps\",\"notes\",\"2.3.1\"],[\"apps\",\"notifications\",\"2.0.0\"],[\"apps\",\"user_external\",\"0.4\"],[\"apps\",\"federation\",\"1.2.0\"],[\"apps\",\"dav\",\"1.3.0\"],[\"apps\",\"systemtags\",\"1.2.0\"],[\"ap
ps\",\"federatedfilesharing\",\"1.2.0\"],[\"apps\",\"comments\",\"1.2.0\"],[\"apps\",\"updatenotification\",\"1.2.0\"],[\"apps\",\"files_videoplayer\",\"1.1.0\"],[\"apps\",\"bookmarks\",\"0.10.1\"],[\"apps\",\"password_policy\",\"1.2.2\"],[\"apps\",\"serverinfo\",\"1.2.0\"],[\"apps\",\"survey_client\",\"1.0.0\"],[\"apps\",\"theming\",\"1.3.0\"],[\"apps\",\"workflowengine\",\"1.2.0\"],[\"apps\",\"admin_audit\",\"1.2.0\"],[\"apps\",\"files_accesscontrol\",\"1.2.5\"],[\"apps\",\"files_retention\",\"1.1.2\"],[\"apps\",\"nextcloud_announcements\",\"1.1\"],[\"apps\",\"logreader\",\"2.0.0\"],[\"apps\",\"lookup_server_connector\",\"1.0.0\"],[\"apps\",\"sharebymail\",\"1.2.0\"],[\"apps\",\"twofactor_backupcodes\",\"1.1.1\"],[\"apps\",\"spreed\",\"2.0.1\"],[\"apps\",\"gpxpod\",\"2.2.0\"],[\"apps\",\"ocsms\",\"1.12.1\"],[\"apps\",\"files_markdown\",\"2.0.1\"],[\"apps\",\"twofactor_totp\",\"1.3.1\"],[\"apps\",\"oauth2\",\"1.0.5\"],[\"apps\",\"bruteforcesettings\",\"1.0.2\"],[\"apps\",\"files_automatedtagging\",\"1.2.2\"],[\"apps\",\"files_downloadactivity\",\"1.1.1\"],[\"apps\",\"quota_warning\",\"1.1.1\"],[\"apps\",\"deck\",\"0.2.4\"],[\"apps\",\"drawio\",\"0.8.8\"],[\"stats\",\"num_files\",281232],[\"stats\",\"num_users\",4],[\"stats\",\"num_storages\",63],[\"stats\",\"num_storages_local\",1],[\"stats\",\"num_storages_home\",4],[\"stats\",\"num_storages_other\",58],[\"stats\",\"num_comments\",0],[\"stats\",\"num_comment_markers\",0],[\"stats\",\"num_systemtags\",3],[\"stats\",\"num_systemtags_mappings\",0],[\"files_sharing\",\"num_shares\",53],[\"files_sharing\",\"num_shares_user\",47],[\"files_sharing\",\"num_shares_groups\",3],[\"files_sharing\",\"num_shares_link\",3],[\"files_sharing\",\"num_shares_link_no_password\",3],[\"files_sharing\",\"num_fed_shares_sent\",0],[\"files_sharing\",\"num_fed_shares_received\",1],[\"files_sharing\",\"permissions_0_1\",\"4\"],[\"files_sharing\",\"permissions_3_1\",\"2\"],[\"files_sharing\",\"permissions_0_9\",\"1\"],[\"files_sharing\",\"pe
rmissions_0_15\",\"2\"],[\"files_sharing\",\"permissions_3_15\",\"1\"],[\"files_sharing\",\"permissions_0_17\",\"3\"],[\"files_sharing\",\"permissions_1_17\",\"1\"],[\"files_sharing\",\"permissions_0_19\",\"14\"],[\"files_sharing\",\"permissions_1_19\",\"1\"],[\"files_sharing\",\"permissions_0_31\",\"23\"],[\"files_sharing\",\"permissions_1_31\",\"1\"],[\"encryption\",\"enabled\",\"no\"],[\"encryption\",\"default_module\",\"no\"]]}"
        },
        "systemtags": {
            "installed_version": "1.2.0",
            "types": "logging",
            "enabled": "yes"
        },
        "tasks": {
            "installed_version": "0.9.5",
            "types": "",
            "enabled": "yes",
            "ocsid": "164356",
            "signed": "true"
        },
        "templateeditor": {
            "installed_version": "0.2",
            "types": "",
            "enabled": "no"
        },
        "theming": {
            "installed_version": "1.3.0",
            "types": "logging",
            "enabled": "yes"
        },
        "twofactor_backupcodes": {
            "installed_version": "1.1.1",
            "types": "",
            "enabled": "yes"
        },
        "twofactor_totp": {
            "enabled": "yes",
            "installed_version": "1.3.1",
            "types": ""
        },
        "updatenotification": {
            "installed_version": "1.2.0",
            "types": "",
            "enabled": "yes",
            "contacts": "2.0.1",
            "core": "12.0.3.3",
            "tasks": "0.9.5",
            "calendar": "1.5.6",
            "qownnotesapi": "17.5.0",
            "gpxpod": "2.2.0",
            "direct_menu": "0.10.2",
            "ocsms": "1.12.1",
            "bookmarks": "0.10.1",
            "notes": "2.3.1",
            "update_check_errors": "0",
            "twofactor_totp": "1.3.1",
            "quota_warning": "1.1.1",
            "files_markdown": "2.0.1",
            "files_accesscontrol": "1.2.5"
        },
        "updater": {
            "installed_version": "0.4",
            "types": "",
            "enabled": "no",
            "ocsid": "166059"
        },
        "user_external": {
            "installed_version": "0.4",
            "ocsid": "166060",
            "types": "authentication,prelogin",
            "enabled": "yes"
        },
        "workflowengine": {
            "installed_version": "1.2.0",
            "types": "filesystem",
            "enabled": "yes"
        }
    }
}

Are you using external storage, if yes which one: All bar FTP

Are you using encryption: no

Are you using an external user-backend, if yes which one: Nil

Client configuration

Browser: Firefox

Operating system: Opensuse Tumbleweed

Logs

N/A
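To make the reported behaviour concrete, here is an added example (not Nextcloud's own code) that models the sharee lookup: a leaky search that matches against every address book on the server, beside a scoped search that only consults the requester's own address books and, while the "only share with group members" setting is on, only suggests users from the requester's groups. The Directory and Contact classes and the red/blue/green sample users are assumptions constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Contact:
    owner: str   # user id whose personal address book holds this entry
    name: str
    email: str


@dataclass
class Directory:
    # group name -> member user ids
    groups: dict[str, set[str]]
    contacts: list[Contact]
    # admin setting from the issue: "users can only share within their groups"
    only_share_with_group_members: bool = True

    def groups_of(self, uid: str) -> set[str]:
        return {g for g, members in self.groups.items() if uid in members}

    def all_users(self) -> set[str]:
        return {u for members in self.groups.values() for u in members}

    @staticmethod
    def _matches(contact: Contact, q: str) -> bool:
        return q in contact.name.lower() or q in contact.email.lower()

    def leaky_search(self, requester: str, query: str) -> list[str]:
        """Behaviour reported in the issue: every address book on the server is
        searched, so Blue User sees entries from Red User's private book."""
        q = query.lower()
        hits = {c.name for c in self.contacts if self._matches(c, q)}
        hits |= {u for u in self.all_users() if u != requester and q in u.lower()}
        return sorted(hits)

    def scoped_search(self, requester: str, query: str) -> list[str]:
        """Hardened lookup: contacts come only from the requester's own address
        books, and user suggestions are limited to members of the requester's
        groups while the admin restriction is enabled."""
        q = query.lower()
        hits = {c.name for c in self.contacts
                if c.owner == requester and self._matches(c, q)}
        if self.only_share_with_group_members:
            candidates: set[str] = set()
            for g in self.groups_of(requester):
                candidates |= self.groups[g]
        else:
            candidates = self.all_users()
        hits |= {u for u in candidates if u != requester and q in u.lower()}
        return sorted(hits)


def build_sample_directory() -> Directory:
    """Constructed sample data mirroring the issue's repro steps."""
    return Directory(
        groups={
            "Red Group": {"red_user"},
            "Blue Group": {"red_user", "blue_user"},
            "Green Group": {"green_user"},  # shares no group with blue_user
        },
        contacts=[
            Contact("red_user", "Alice Example", "alice@example.test"),
            Contact("blue_user", "Bob Example", "bob@example.test"),
        ],
    )
```

Running `build_sample_directory().leaky_search("blue_user", "ali")` reproduces the leak (Red User's contact is returned), while `scoped_search` with the same arguments returns nothing.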

9662 commented Nov 3, 2017

Possibly related or same issue: #5107, #5585, #6912.

BornToBeRoot commented Nov 10, 2017

Yeah... this needs to be fixed.

Or it is still not usable in a productive environment...

12.0.3 daily (2017-11-10)

BornToBeRoot commented Nov 21, 2017

@MorrisJobke

This comment has been minimized.

Copy link
Member

MorrisJobke commented Nov 24, 2017

The fix is merged and will be released with 12.0.4 #6554

@MorrisJobke MorrisJobke added this to the Nextcloud 13 milestone Nov 24, 2017

MorrisJobke commented Nov 24, 2017

For master see #5107
