If not logged in -> 401 and bye-bye #27640
Conversation
|
Nope: this is the wrong case. This will break public pages which need the config values. The correct fix as discussed a bit later on was to hide the OC version from the config values if "version.hide" is set. Basically return all config values as before except the version. Or return the version only if logged in. |
I did test public link sharing page - works. |
|
Did you logout before testing the public page ? (incognito mode thing...)
|
|
JS code of the UI need access to config values. Some config values are related to theme, product name, etc. We can't remove them completely, that's why I suggest to only remove the version ones (if version.hide is true), which I think we can afford. In the event that we are unlucky that some third party apps is checking the version string, then bad luck. |
okay - i did not test sharing a folder publicly .... |
| @@ -202,6 +193,17 @@ | |||
| ) | |||
| ]; | |||
|
|
|||
| if (\OC::$server->getUserSession() !== null && \OC::$server->getUserSession()->isLoggedIn()) { | |||
There was a problem hiding this comment.
No "version.hide" config check here ?
If the version is not hidden in status.php then it's also pointless to hide it here.
There was a problem hiding this comment.
well - status.php is configurable in order not to break the clients.
here it simply hide if anonymous
|
👍 |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Description
In case of an unauthorized request no config values are exposed.
Related Issue
#27473
Motivation and Context
Disallow information disclosure
How Has This Been Tested?
Types of changes
Checklist: