[Bug]: the complete server installation path is visible in cloud/user endpoint #33883
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- Nextcloud Server is running on 64bit capable CPU, PHP and OS.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
When doing a GET request on /ocs/v1.php/cloud/user?format=json the server returns user data, including one containing the full local server path:
"storageLocation": "/home/bohwaz/www/tmp/nextcloud/data/bohwaz",
This is not a big security issue (as you need to be logged-in to get that response), but this is data that an attacker shouldn't be able to know easily.
This happens on a brand new install after using the web installer.
Steps to reproduce
- Do a GET request on
/ocs/v1.php/cloud/user?format=json
Expected behavior
No sensitive information being sent to the client.
Installation method
Community Web installer on a VPS or web space
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.1
Web server
Other
Database engine version
SQlite
Is this bug present after an update or on a fresh install?
No response
Are you using the Nextcloud Server Encryption module?
No response
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
No response
List of activated Apps
not importantNextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response