autocompletion leaks data in different components even if autocompletion is deactivated

[jankowa]

Several components and third party apps do no honor the setting in sharing "Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered."

While this works for the file sharing dialog it doesn't for several (if not the majority) of other applications. This means that running a public nextcloud with more then the core apps i impossible.

While I could file a bug report for every app where I discover this problem, I think the nexcloud core should be responsible for not leaking data. There are several similar problems reported in the past for different applications and circumstances: #6530, #5107, #8392, #7428

Not reported is this so far for e.g. calendar app or polls (as long as I can see).

Expected behaviour

If autocompletion feature is deactivated users should not see each other in any sharing dialog as long as they don't know the complete username / email-adress, regardless of the authentication backend (database, ldap, ...). This feature should be honored in every app.

Actual behaviour

Some apps (file sharing, contacts) honor the settings, some not.

Server configuration

Nextcloud version: (see Nextcloud admin page)

Nextcloud 13.0.6 and earlier versions

[nextcloud-bot]

GitMate.io thinks possibly related issues are #3991 (memory leak), #5333 (Search contacts feature is leaking data), #6609 (Contacts with a different display name than the user name are not found when autocompletion is disabled), #7428 (NC12.0.4 - Sharing dialog leaks data with LDAP backend), and #9005 (c).

[juliusknorr]

This is more an issue of the individual apps, that probably don't use the sharing endpoint for fetching the list of users. Please open an issue in the apps issue trackers.

[raimund-schluessler]

This is a server issue, precisely the DAV app. Even when turning off the setting Allow username autocompletion in share dialog. If this is disabled the full username or email address needs to be entered. the DAV app still provides a list of all users matchin a given query. Doing a REPORT against nextcloud/remote.php/dav/ with

<x0:principal-property-search xmlns:x0="DAV:"><x0:property-search><x0:prop><x0:displayname/></x0:prop><x0:match>a</x0:match></x0:property-search><x0:prop><x0:displayname/><x1:calendar-user-type xmlns:x1="urn:ietf:params:xml:ns:caldav"/><x1:calendar-user-address-set xmlns:x1="urn:ietf:params:xml:ns:caldav"/><x0:principal-URL/><x0:alternate-URI-set/><x2:email-address xmlns:x2="http://sabredav.org/ns"/><x3:resource-type xmlns:x3="http://nextcloud.com/ns"/><x3:resource-vehicle-type xmlns:x3="http://nextcloud.com/ns"/><x3:resource-vehicle-make xmlns:x3="http://nextcloud.com/ns"/><x3:resource-vehicle-model xmlns:x3="http://nextcloud.com/ns"/><x3:resource-vehicle-is-electric xmlns:x3="http://nextcloud.com/ns"/><x3:resource-vehicle-range xmlns:x3="http://nextcloud.com/ns"/><x3:resource-vehicle-seating-capacity xmlns:x3="http://nextcloud.com/ns"/><x3:resource-contact-person xmlns:x3="http://nextcloud.com/ns"/><x3:resource-contact-person-vcard xmlns:x3="http://nextcloud.com/ns"/><x3:room-type xmlns:x3="http://nextcloud.com/ns"/><x3:room-seating-capacity xmlns:x3="http://nextcloud.com/ns"/><x3:room-building-address xmlns:x3="http://nextcloud.com/ns"/><x3:room-building-story xmlns:x3="http://nextcloud.com/ns"/><x3:room-building-room-number xmlns:x3="http://nextcloud.com/ns"/><x3:room-features xmlns:x3="http://nextcloud.com/ns"/></x0:prop><x0:apply-to-principal-collection-set/></x0:principal-property-search>

returns a response with all users and groups containing the letter a. As you can see here we simply run a request against the DAV app: https://github.com/nextcloud/tasks/blob/master/src/components/CalendarShare.vue#L117, there is not app-specific endpoint in place.

We have this reported in nextcloud/tasks#660, #17481. Every app querying the DAV endpoint will have this problem, and of course you can query this endpoint without any app enabled.

[raimund-schluessler]

And btw, this is still valid with NC 17.0.0.

[raimund-schluessler]

@georgehrke and @skjnldsv here as well 😉