Security problem / sharing options #8028
Description
I'm not a developer and absolutely new here. I'm admin and user, never worked with github. Sorry if I do anything wrong or at the wrong place.
In my opinion, the following seems to be a security problem:
Combining the options
"Restrict users to share only with users in their group"
and
"Allow username autocompletion in share dialog." If this is disabled
the full username or email address needs to be entered "
If I enter the username with autocomplete when sharing, all hits for all users over all groups are displayed. Also the users of groups with whom I may not allowed to share. With it I can find out all users (with email) about all groups.
I would expect autocomplete to show me only the users I'm allowed to share.
Is this a security bug or how can I prevent it?
Steps to reproduce
- enable "Restrict users to share only with users in their group"
- enable "Allow username autocompletion in share dialog..."
- share
Expected behaviour
I would expect autocomplete to show me only the users I'm allowed to share.
Actual behaviour
all hits for all users over all groups are displayed. Also the users of groups with whom I may not allowed to share.
Server configuration
Operating system: ? web-hosting
Web server: ?? web-hosting
Database: MYSQL 5.7.20
PHP version: 7.2.1
Nextcloud version: 12.0.4
Updated from an older Nextcloud/ownCloud or fresh install: Updeted from Nextcloud
Where did you install Nextcloud from: web-hosting
Signing status:
Signing status
Login as admin user into your Nextcloud and access
http://example.com/index.php/settings/integrity/failed
paste the results here.
List of activated apps:
App list
If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder
Nextcloud configuration:
Config report
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder
or
Insert your config.php content here.
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)
Are you using external storage, if yes which one: local/smb/sftp/...
Are you using encryption: yes/no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
LDAP configuration (delete this part if not used)
LDAP config
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder
Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';
Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.
Client configuration
Browser:
Operating system:
Logs
Web server error log
Web server error log
Insert your webserver log here
Nextcloud log (data/nextcloud.log)
Nextcloud log
Insert your Nextcloud log here
Browser log
Browser log
Insert your browser log here, this could for example include:
a) The javascript console log
b) The network log
c) ...