If not logged in -> 401 and bye-bye #27640
Conversation
Nope: this is the wrong case. This will break public pages which need the config values. The correct fix as discussed a bit later on was to hide the OC version from the config values if "version.hide" is set. Basically return all config values as before except the version. Or return the version only if logged in.
I did test public link sharing page - works.
JS code of the UI needs access to config values. Some config values are related to theme, product name, etc. We can't remove them completely, that's why I suggest to only remove the version ones (if version.hide is true), which I think we can afford. In the event that we are unlucky and some third-party apps are checking the version string, then bad luck.
Okay - I did not test sharing a folder publicly...
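The alternative discussed in the comments above (keep the config values public pages depend on, strip only the version entries for anonymous requests when "version.hide" is set) sketched as an added PHP example. This is not code from the pull request or from ownCloud; the function name, the parameter names and the version key names are assumptions chosen for illustration.

```php
<?php
// Added illustration of the approach discussed in this thread, not ownCloud's
// own code. Names (filterConfigValues, $versionHide, $isLoggedIn) and the
// version key names are assumptions for this example.

/**
 * Return the config values to expose to the JS UI.
 *
 * @param array $values      full config array as built by the existing code
 * @param bool  $versionHide value of the "version.hide" system config
 * @param bool  $isLoggedIn  whether the request carries an authenticated session
 * @return array
 */
function filterConfigValues(array $values, bool $versionHide, bool $isLoggedIn): array {
    // Keys assumed to carry the server version; adjust to the real key names.
    $versionKeys = ['version', 'versionstring'];

    // Authenticated users always get everything; anonymous users get
    // everything too unless the admin asked to hide the version.
    if ($isLoggedIn || !$versionHide) {
        return $values;
    }

    // Drop only the version-related entries; theme, product name etc. stay
    // so public share pages keep working.
    return array_diff_key($values, array_flip($versionKeys));
}

// Constructed sample input for the example (not a real ownCloud config).
$sample = [
    'version'       => '10.0.0.0',
    'versionstring' => '10.0.0',
    'productname'   => 'ownCloud',
    'theme'         => 'default',
];

var_dump(filterConfigValues($sample, true, false));  // anonymous + hide: version keys removed
var_dump(filterConfigValues($sample, true, true));   // logged in: all keys kept
var_dump(filterConfigValues($sample, false, false)); // hide not set: all keys kept
```

The point of the filter is that it fails open for everything except the one value the admin explicitly asked to hide, which is the behaviour the thread settles on instead of returning 401 for every anonymous request.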
@@ -202,6 +193,17 @@ | |||
) | |||
]; | |||
|
|||
if (\OC::$server->getUserSession() !== null && \OC::$server->getUserSession()->isLoggedIn()) { |
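Review bot: the condition gates every config value on an authenticated session, and the discussion above already notes this breaks public pages (link shares) that need theme and product-name values; consider keeping the non-sensitive values and omitting only the version entries when "version.hide" is set, as suggested in the thread. Minor: `\OC::$server->getUserSession()` is evaluated twice in the same condition; assigning it to a local once would read cleaner, e.g. `$session = \OC::$server->getUserSession();` followed by `if ($session !== null && $session->isLoggedIn()) {`.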
No "version.hide" config check here?
If the version is not hidden in status.php then it's also pointless to hide it here.
Well - status.php is configurable in order not to break the clients.
Here it simply hides if anonymous.
👍
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Description
In case of an unauthorized request, no config values are exposed.
Related Issue
#27473
Motivation and Context
Disallow information disclosure