Sharing dialog leaks data with LDAP backend.



test2 (LDAP/AD User) should not be listed, because he is not in the same group...


See "Steps to reproduce/3."
Operating system: CentOS 7
Web server: Apache
Database: MariaDB
PHP version: 7.0
Nextcloud version: 12.0.4 Build:2017-12-06T01:01:26+00:00 e04dd405161271cccebe922ac53522d1c19914e6
Updated from an older Nextcloud/ownCloud or fresh install: Owncloud --> [..] --> Update NC 11
Where did you install Nextcloud from: Nextcloud website / download
List of activated apps:
App list
- activity: 2.5.2
- admin_audit: 1.2.0
- bruteforcesettings: 1.0.2
- comments: 1.2.0
- dav: 1.3.0
- federatedfilesharing: 1.2.0
- files: 1.7.2
- files_antivirus: 1.1.0
- files_downloadactivity: 1.1.1
- files_pdfviewer: 1.1.1
- files_sharing: 1.4.0
- files_texteditor: 2.4.1
- files_trashbin: 1.2.0
- files_videoplayer: 1.1.0
- gallery: 17.0.0
- groupfolders: 1.1.0
- impersonate: 1.0.1
- logreader: 2.0.0
- lookup_server_connector: 1.0.0
- music: 0.5.4
- notifications: 2.0.0
- oauth2: 1.0.5
- password_policy: 1.2.2
- provisioning_api: 1.2.0
- quota_warning: 1.1.1
- serverinfo: 1.2.0
- sharebymail: 1.2.0
- theming: 1.3.0
- twofactor_backupcodes: 1.1.1
- updatenotification: 1.2.0
- user_ldap: 1.2.1
- workflowengine: 1.2.0
Disabled:
- encryption
- federation
- files_external
- files_versions
- firstrunwizard
- nextcloud_announcements
- survey_client
- systemtags
- user_external
Are you using external storage, if yes which one: -/-
Are you using encryption: no
Are you using an external user-backend, if yes which one: LDAP
If you need ldap:show-config... just ask, I need to clean it before posting...
Privacy enhancements for contacts menu #5107
@jimbowarrior you have the same behavior?
cc @nextcloud/ldap @nextcloud/sharing
I have the same issue; in the search contacts field, privacy is respected. I can see only users in my group.
In the shared section, when I click on "sharing" I can see all users and share with users not in my group.
And yes, I marked "Restrict users to only share with users in their groups"
But ! in a nextcloud 12 fresh install upgraded to 12.0.3 and 12.0.4 I have no issue.
I have this issue in another nextcloud migrated from owncloud 10 > nextcloud 10 > nextcloud 12
Regarding the nextcloud server with this issue, there is another strange thing: some users can see only users in their groups, but some other users can see everybody. These other users belong to only one and the same group.
I re-created new users and new groups, same issue
Privacy issues with the contactsmenu were fixed in 12.0.4 with https://github.com/nextcloud/server/pull/6554
@blizzz yes the contacts menu seems to play nice but the sharee auto completion not...
exactly !!!
I would say it leaks only ldap users in share dialog. But i can check this tomorrow at work...
@rullzer why, that sounds like something broke in file_sharing's sharee endpoint. Which is surprising, since sharing actually brought in those settings. I refactored it, but only for 13. Best guess without looking deeper: side effect of #5428?
I don't know why... but maybe... aaah or... it is a side effect of https://github.com/nextcloud/server/pull/7456 not being in yet.
I'll try to spin up my ldap instance tomorrow again.
I'm not using LDAP (just standard users created in the Nextcloud UI) and I'm facing the same issue.
me too
Can some admin mention this current issue in https://github.com/nextcloud/server/issues/5107 so that we can find it? Thanks!
I don't know why... but maybe... aaah or... it is a side effect of #7456 not being in yet.
I really really really hope not so :D and heavily doubt it.
I can confirm it happens with LDAP users, but not with local ones. On master. Need to continue debugging later.
@blizzz if the LDAP users have an e-mail address and the locals do not, it may be solved by #7490
I'm facing this bug with out LDAP users
@LEDfan that's a good hint! It might be, because the user fetcher filtered properly.
@LEDfan somehow I missed your PR previously, but that's fixing it! Thanks! :)
Fixed in #7490
Just updated my instance to nextcloud 13 and the Contact menu still leaks LDAP users. Very weird as my other instance does not do that. Both of them have autocompletion off. No matter if shareapi_allow_share_dialog_user_enumeration is set to yes or no. I noticed the same behaviour with nc 12.05 but thought updating to nc13 will solve it.
Could someone point me in the direction to debug it? @MorrisJobke sorry for calling, but wanted to be sure I'm heard. It's quite a crucial issue for me atm.
Please open a new ticket and only refer to this one
Is it fixed somehow?..