
Sharing dialogue and “search contacts” widget leak contact information from other users #7055


Description


Steps to reproduce

  1. As an admin, restrict sharing so that users can only share with members of their own groups (`shareapi_only_share_with_group_members = yes` in the config report below), and enable username autocompletion in the share dialog.
  2. Create two groups: Red Group and Blue Group (for example)
  3. Create a user in each of those groups, e.g., Red User and Blue User
  4. Assign Red User to both Red Group and Blue Group, and Blue User only to Blue Group. This step may not be strictly necessary; it makes Red User a legitimate sharee for Blue User, so the one expected match (Red User) can be told apart from the leaked ones (Red User's contacts).
  5. Log in as Red User
  6. Add some contacts to your default address book
  7. Log out
  8. Log in as Blue User
  9. Pick a file or directory, open its Sharing tab, and start typing a name that matches one of Red User's contacts (choose a contact whose name does not coincide with any Nextcloud account, so the result is unambiguous).
  10. Repeat the same search in the “search contacts” box (upper right corner of the web page); it exhibits the same behaviour.

Expected behaviour

Blue User should only be offered sharees they are actually allowed to share with: the typed text should match Red User (a fellow Blue Group member) or nothing at all, depending on what is entered. Entries from Red User's personal address book must never be suggested, since that address book has not been shared with Blue User.

Actual behaviour

The autocompletion returns matches from Red User's personal address book, which is not shared with Blue User or anyone else. In effect any logged-in user can enumerate other users' private contacts by typing partial strings into the share dialog or the “search contacts” box, and the “only share with group members” restriction does not prevent it. This is an information disclosure / missing access-control check on the sharee and contact search endpoints, not merely a cosmetic autocompletion glitch.

Server configuration

Operating system: Opensuse Leap 42.2

Web server: Apache 2.4

Database: SQLite3

PHP version: 7.1.6

Nextcloud version: 12.0.3.3
Updated from an older Nextcloud/ownCloud or fresh install: Updated, originally from ownCloud 6 or so.

Where did you install Nextcloud from: Nextcloud.org

Signing status:

Signing status
No errors have been found.

List of activated apps:

App list
Enabled:
  - activity: 2.5.2
  - admin_audit: 1.2.0
  - bookmarks: 0.10.1
  - bruteforcesettings: 1.0.2
  - calendar: 1.5.6
  - comments: 1.2.0
  - contacts: 2.0.1
  - dav: 1.3.0
  - deck: 0.2.4
  - drawio: 0.8.8
  - federatedfilesharing: 1.2.0
  - federation: 1.2.0
  - files: 1.7.2
  - files_accesscontrol: 1.2.5
  - files_automatedtagging: 1.2.2
  - files_downloadactivity: 1.1.1
  - files_external: 1.3.0
  - files_markdown: 2.0.1
  - files_pdfviewer: 1.1.1
  - files_retention: 1.1.2
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - gpxpod: 2.2.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.1
  - notes: 2.3.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - ocsms: 1.12.1
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - quota_warning: 1.1.1
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - spreed: 2.0.1
  - survey_client: 1.0.0
  - systemtags: 1.2.0
  - tasks: 0.9.5
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - twofactor_totp: 1.3.1
  - updatenotification: 1.2.0
  - user_external: 0.4
  - workflowengine: 1.2.0
Disabled:
  - encryption
  - user_ldap

Nextcloud configuration:

Config report
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
        ],
        "auth.bruteforce.protection.enabled": false,
        "dbtype": "sqlite3",
        "version": "12.0.3.3",
        "installed": true,
        "loglevel": 1,
        "theme": "",
        "maintenance": false,
        "share_folder": "\/Shared",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": true,
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "forcessl": true,
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trashbin_retention_obligation": "auto",
        "updatechecker": false,
        "appstore.experimental.enabled": false,
        "updater.release.channel": "beta"
    },
    "apps": {
        "activity": {
            "installed_version": "2.5.2",
            "types": "filesystem",
            "enabled": "yes"
        },
        "admin_audit": {
            "installed_version": "1.2.0",
            "types": "logging",
            "enabled": "yes"
        },
        "backgroundjob": {
            "lastjob": "1230"
        },
        "bookmarks": {
            "installed_version": "0.10.1",
            "types": "",
            "enabled": "yes"
        },
        "bruteforcesettings": {
            "installed_version": "1.0.2",
            "enabled": "yes",
            "types": ""
        },
        "calendar": {
            "installed_version": "1.5.6",
            "types": "",
            "enabled": "yes",
            "signed": "true"
        },
        "comments": {
            "installed_version": "1.2.0",
            "types": "logging",
            "enabled": "yes"
        },
        "contacts": {
            "installed_version": "2.0.1",
            "types": "",
            "enabled": "yes",
            "ocsid": "168708"
        },
        "core": {
            "installedat": "1397392290.6372",
            "lastupdatedat": "1509720303",
            "remote_core.css": "\/core\/minimizer.php",
            "remote_core.js": "\/core\/minimizer.php",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "remote_calendar": "dav\/appinfo\/v1\/caldav.php",
            "remote_caldav": "dav\/appinfo\/v1\/caldav.php",
            "public_calendar": "calendar\/share.php",
            "public_caldav": "calendar\/share.php",
            "remote_contacts": "dav\/appinfo\/v1\/carddav.php",
            "remote_carddav": "dav\/appinfo\/v1\/carddav.php",
            "public_gallery": "gallery\/public.php",
            "remote_files": "dav\/appinfo\/v1\/webdav.php",
            "remote_webdav": "dav\/appinfo\/v1\/webdav.php",
            "remote_filesync": "files\/appinfo\/filesync.php",
            "public_documents": "documents\/public.php",
            "global_cache_gc_lastrun": "1442016702",
            "lastupdateResult": "[]",
            "remote_mozilla_sync": "mozilla_sync\/appinfo\/remote.php",
            "lastcron": "1509722104",
            "shareapi_default_expire_date": "yes",
            "shareapi_enforce_expire_date": "no",
            "shareapi_allow_mail_notification": "yes",
            "shareapi_only_share_with_group_members": "yes",
            "repairlegacystoragesdone": "yes",
            "shareapi_allow_public_notification": "yes",
            "backgroundjobs_mode": "cron",
            "shareapi_expire_after_n_days": "14",
            "remote_dav": "dav\/appinfo\/v2\/remote.php",
            "shareapi_exclude_groups": "no",
            "shareapi_exclude_groups_list": "[\"\"]",
            "vendor": "nextcloud",
            "updater.secret.created": "1508886371",
            "OC_Channel": "production",
            "moveavatarsdone": "yes",
            "previewsCleanedUp": "1",
            "umgmt_show_last_login": "false",
            "umgmt_show_backend": "false",
            "umgmt_show_email": "false",
            "umgmt_show_storage_location": "false",
            "installed.bundles": "[\"CoreBundle\"]",
            "scss.variables": "e0e261f4f528e2a34df7e31bc842b708",
            "umgmt_send_email": "true",
            "oc.integritycheck.checker": "[]"
        },
        "dav": {
            "installed_version": "1.3.0",
            "types": "filesystem",
            "enabled": "yes",
            "OCA\\DAV\\Migration\\ValueFixInsert_ran": "true",
            "buildCalendarSearchIndex": "yes"
        },
        "deck": {
            "installed_version": "0.2.4",
            "enabled": "yes",
            "types": ""
        },
        "direct_menu": {
            "enabled": "no",
            "installed_version": "0.10.2",
            "types": "",
            "ocsid": "169148"
        },
        "documents": {
            "installed_version": "0.8.2",
            "types": "",
            "enabled": "no",
            "ocsid": "168711"
        },
        "drawio": {
            "installed_version": "0.8.8",
            "enabled": "yes",
            "types": "filesystem"
        },
        "external": {
            "installed_version": "1.2",
            "ocsid": "166046",
            "types": "",
            "enabled": "no"
        },
        "federatedfilesharing": {
            "installed_version": "1.2.0",
            "types": "",
            "enabled": "yes"
        },
        "federation": {
            "installed_version": "1.2.0",
            "types": "authentication",
            "enabled": "yes"
        },
        "files": {
            "installed_version": "1.7.2",
            "types": "filesystem",
            "enabled": "yes",
            "backgroundwatcher_previous_file": "734",
            "backgroundwatcher_previous_folder": "4701",
            "cronjob_scan_files": "500"
        },
        "files_accesscontrol": {
            "installed_version": "1.2.5",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_automatedtagging": {
            "installed_version": "1.2.2",
            "enabled": "yes",
            "types": "filesystem"
        },
        "files_downloadactivity": {
            "installed_version": "1.1.1",
            "enabled": "yes",
            "types": "filesystem"
        },
        "files_external": {
            "installed_version": "1.3.0",
            "ocsid": "166048",
            "types": "filesystem",
            "enabled": "yes",
            "user_mounting_backends": "dav,owncloud,sftp,amazons3,dropbox,googledrive,swift,smb,\\OC\\Files\\Storage\\SFTP_Key,\\OC\\Files\\Storage\\SMB_OC"
        },
        "files_locking": {
            "installed_version": "",
            "types": "filesystem",
            "enabled": "no"
        },
        "files_markdown": {
            "enabled": "yes",
            "installed_version": "2.0.1",
            "types": ""
        },
        "files_pdfviewer": {
            "installed_version": "1.1.1",
            "types": "",
            "enabled": "yes",
            "ocsid": "166049"
        },
        "files_retention": {
            "installed_version": "1.1.2",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_sharing": {
            "installed_version": "1.4.0",
            "types": "filesystem",
            "enabled": "yes",
            "lookupServerUploadEnabled": "no"
        },
        "files_texteditor": {
            "installed_version": "2.4.1",
            "types": "",
            "enabled": "yes",
            "ocsid": "166051"
        },
        "files_trashbin": {
            "installed_version": "1.2.0",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_versions": {
            "installed_version": "1.5.0",
            "types": "filesystem",
            "enabled": "yes"
        },
        "files_videoplayer": {
            "installed_version": "1.1.0",
            "types": "",
            "enabled": "yes"
        },
        "files_videoviewer": {
            "installed_version": "0.1.3",
            "types": "",
            "enabled": "no",
            "ocsid": "166054"
        },
        "firstrunwizard": {
            "installed_version": "2.1",
            "types": "logging",
            "enabled": "yes"
        },
        "gallery": {
            "installed_version": "17.0.0",
            "types": "",
            "enabled": "yes"
        },
        "gpxpod": {
            "enabled": "yes",
            "installed_version": "2.2.0",
            "types": "",
            "ocsid": "174733"
        },
        "logreader": {
            "installed_version": "2.0.0",
            "ocsid": "170871",
            "types": "",
            "enabled": "yes"
        },
        "lookup_server_connector": {
            "installed_version": "1.0.0",
            "types": "authentication",
            "enabled": "yes"
        },
        "mail": {
            "enabled": "no",
            "installed_version": "0.6.2",
            "types": ""
        },
        "mozilla_sync": {
            "installed_version": "1.4",
            "enabled": "no",
            "types": ""
        },
        "nextcloud_announcements": {
            "installed_version": "1.1",
            "types": "logging",
            "enabled": "yes",
            "pub_date": "Sat, 10 Dec 2016 00:00:00 +0100"
        },
        "notes": {
            "installed_version": "2.3.1",
            "types": "",
            "enabled": "yes",
            "ocsid": "174554"
        },
        "notifications": {
            "installed_version": "2.0.0",
            "types": "logging",
            "enabled": "yes"
        },
        "oauth2": {
            "installed_version": "1.0.5",
            "types": "authentication",
            "enabled": "yes"
        },
        "ocsms": {
            "enabled": "yes",
            "installed_version": "1.12.1",
            "types": "",
            "ocsid": "167289"
        },
        "ojsxc": {
            "enabled": "no",
            "installed_version": "3.1.1",
            "types": "prelogin",
            "serverType": "internal",
            "xmppDomain": "navlost.eu",
            "xmppResource": "nextcloud",
            "xmppOverwrite": "true",
            "xmppStartMinimized": "false",
            "xmppPreferMail": "false",
            "iceUrl": "",
            "iceUsername": "",
            "iceCredential": "",
            "iceSecret": "",
            "iceTtl": "",
            "firefoxExtension": "",
            "chromeExtension": "",
            "externalServices": ""
        },
        "ownnote": {
            "installed_version": "1.07",
            "enabled": "no",
            "types": ""
        },
        "password_policy": {
            "installed_version": "1.2.2",
            "types": "",
            "enabled": "yes",
            "enforceNonCommonPassword": "0",
            "minLength": "3"
        },
        "provisioning_api": {
            "installed_version": "1.2.0",
            "types": "prevent_group_restriction",
            "enabled": "yes"
        },
        "qownnotesapi": {
            "enabled": "no",
            "installed_version": "17.5.0",
            "types": "",
            "ocsid": "173817"
        },
        "quota_warning": {
            "installed_version": "1.1.1",
            "enabled": "yes",
            "types": "filesystem"
        },
        "search_lucene": {
            "installed_version": "0.5.3",
            "types": "filesystem",
            "enabled": "no",
            "ocsid": "168709"
        },
        "serverinfo": {
            "installed_version": "1.2.0",
            "types": "",
            "enabled": "yes"
        },
        "sharebymail": {
            "installed_version": "1.2.0",
            "types": "filesystem",
            "enabled": "yes",
            "sendpasswordmail": "no"
        },
        "spreed": {
            "enabled": "yes",
            "installed_version": "2.0.1",
            "types": "prevent_group_restriction"
        },
        "survey_client": {
            "installed_version": "1.0.0",
            "types": "",
            "enabled": "yes",
            "last_sent": "1508855045",
            "last_report": "{\"id\":\"oc33999c4043\",\"items\":[[\"server\",\"version\",\"12.0.2.0\"],[\"server\",\"code\",\"other\"],[\"server\",\"enable_avatars\",\"yes\"],[\"server\",\"enable_previews\",\"yes\"],[\"server\",\"memcache.local\",\"none\"],[\"server\",\"memcache.distributed\",\"none\"],[\"server\",\"asset-pipeline.enabled\",\"no\"],[\"server\",\"filelocking.enabled\",\"yes\"],[\"server\",\"memcache.locking\",\"none\"],[\"server\",\"debug\",\"no\"],[\"server\",\"cron\",\"cron\"],[\"php\",\"version\",\"7.1.6\"],[\"php\",\"memory_limit\",536870912],[\"php\",\"max_execution_time\",3600],[\"php\",\"upload_max_filesize\",535822336],[\"database\",\"type\",\"sqlite3\"],[\"database\",\"version\",\"3.8.10\"],[\"database\",\"size\",131177472],[\"apps\",\"files_videoviewer\",\"disabled\"],[\"apps\",\"updater\",\"disabled\"],[\"apps\",\"search_lucene\",\"disabled\"],[\"apps\",\"documents\",\"disabled\"],[\"apps\",\"mozilla_sync\",\"disabled\"],[\"apps\",\"external\",\"disabled\"],[\"apps\",\"files_locking\",\"disabled\"],[\"apps\",\"ownnote\",\"disabled\"],[\"apps\",\"templateeditor\",\"disabled\"],[\"apps\",\"qownnotesapi\",\"disabled\"],[\"apps\",\"direct_menu\",\"disabled\"],[\"apps\",\"ojsxc\",\"disabled\"],[\"apps\",\"mail\",\"disabled\"],[\"apps\",\"files_sharing\",\"1.4.0\"],[\"apps\",\"files_pdfviewer\",\"1.1.1\"],[\"apps\",\"calendar\",\"1.5.6\"],[\"apps\",\"files_versions\",\"1.5.0\"],[\"apps\",\"contacts\",\"2.0.1\"],[\"apps\",\"activity\",\"2.5.2\"],[\"apps\",\"firstrunwizard\",\"2.1\"],[\"apps\",\"gallery\",\"17.0.0\"],[\"apps\",\"files\",\"1.7.2\"],[\"apps\",\"files_texteditor\",\"2.4.1\"],[\"apps\",\"files_trashbin\",\"1.2.0\"],[\"apps\",\"files_external\",\"1.3.0\"],[\"apps\",\"provisioning_api\",\"1.2.0\"],[\"apps\",\"tasks\",\"0.9.5\"],[\"apps\",\"notes\",\"2.3.1\"],[\"apps\",\"notifications\",\"2.0.0\"],[\"apps\",\"user_external\",\"0.4\"],[\"apps\",\"federation\",\"1.2.0\"],[\"apps\",\"dav\",\"1.3.0\"],[\"apps\",\"systemtags\",\"1.2.0\"],[\"ap
ps\",\"federatedfilesharing\",\"1.2.0\"],[\"apps\",\"comments\",\"1.2.0\"],[\"apps\",\"updatenotification\",\"1.2.0\"],[\"apps\",\"files_videoplayer\",\"1.1.0\"],[\"apps\",\"bookmarks\",\"0.10.1\"],[\"apps\",\"password_policy\",\"1.2.2\"],[\"apps\",\"serverinfo\",\"1.2.0\"],[\"apps\",\"survey_client\",\"1.0.0\"],[\"apps\",\"theming\",\"1.3.0\"],[\"apps\",\"workflowengine\",\"1.2.0\"],[\"apps\",\"admin_audit\",\"1.2.0\"],[\"apps\",\"files_accesscontrol\",\"1.2.5\"],[\"apps\",\"files_retention\",\"1.1.2\"],[\"apps\",\"nextcloud_announcements\",\"1.1\"],[\"apps\",\"logreader\",\"2.0.0\"],[\"apps\",\"lookup_server_connector\",\"1.0.0\"],[\"apps\",\"sharebymail\",\"1.2.0\"],[\"apps\",\"twofactor_backupcodes\",\"1.1.1\"],[\"apps\",\"spreed\",\"2.0.1\"],[\"apps\",\"gpxpod\",\"2.2.0\"],[\"apps\",\"ocsms\",\"1.12.1\"],[\"apps\",\"files_markdown\",\"2.0.1\"],[\"apps\",\"twofactor_totp\",\"1.3.1\"],[\"apps\",\"oauth2\",\"1.0.5\"],[\"apps\",\"bruteforcesettings\",\"1.0.2\"],[\"apps\",\"files_automatedtagging\",\"1.2.2\"],[\"apps\",\"files_downloadactivity\",\"1.1.1\"],[\"apps\",\"quota_warning\",\"1.1.1\"],[\"apps\",\"deck\",\"0.2.4\"],[\"apps\",\"drawio\",\"0.8.8\"],[\"stats\",\"num_files\",281232],[\"stats\",\"num_users\",4],[\"stats\",\"num_storages\",63],[\"stats\",\"num_storages_local\",1],[\"stats\",\"num_storages_home\",4],[\"stats\",\"num_storages_other\",58],[\"stats\",\"num_comments\",0],[\"stats\",\"num_comment_markers\",0],[\"stats\",\"num_systemtags\",3],[\"stats\",\"num_systemtags_mappings\",0],[\"files_sharing\",\"num_shares\",53],[\"files_sharing\",\"num_shares_user\",47],[\"files_sharing\",\"num_shares_groups\",3],[\"files_sharing\",\"num_shares_link\",3],[\"files_sharing\",\"num_shares_link_no_password\",3],[\"files_sharing\",\"num_fed_shares_sent\",0],[\"files_sharing\",\"num_fed_shares_received\",1],[\"files_sharing\",\"permissions_0_1\",\"4\"],[\"files_sharing\",\"permissions_3_1\",\"2\"],[\"files_sharing\",\"permissions_0_9\",\"1\"],[\"files_sharing\",\"pe
rmissions_0_15\",\"2\"],[\"files_sharing\",\"permissions_3_15\",\"1\"],[\"files_sharing\",\"permissions_0_17\",\"3\"],[\"files_sharing\",\"permissions_1_17\",\"1\"],[\"files_sharing\",\"permissions_0_19\",\"14\"],[\"files_sharing\",\"permissions_1_19\",\"1\"],[\"files_sharing\",\"permissions_0_31\",\"23\"],[\"files_sharing\",\"permissions_1_31\",\"1\"],[\"encryption\",\"enabled\",\"no\"],[\"encryption\",\"default_module\",\"no\"]]}"
        },
        "systemtags": {
            "installed_version": "1.2.0",
            "types": "logging",
            "enabled": "yes"
        },
        "tasks": {
            "installed_version": "0.9.5",
            "types": "",
            "enabled": "yes",
            "ocsid": "164356",
            "signed": "true"
        },
        "templateeditor": {
            "installed_version": "0.2",
            "types": "",
            "enabled": "no"
        },
        "theming": {
            "installed_version": "1.3.0",
            "types": "logging",
            "enabled": "yes"
        },
        "twofactor_backupcodes": {
            "installed_version": "1.1.1",
            "types": "",
            "enabled": "yes"
        },
        "twofactor_totp": {
            "enabled": "yes",
            "installed_version": "1.3.1",
            "types": ""
        },
        "updatenotification": {
            "installed_version": "1.2.0",
            "types": "",
            "enabled": "yes",
            "contacts": "2.0.1",
            "core": "12.0.3.3",
            "tasks": "0.9.5",
            "calendar": "1.5.6",
            "qownnotesapi": "17.5.0",
            "gpxpod": "2.2.0",
            "direct_menu": "0.10.2",
            "ocsms": "1.12.1",
            "bookmarks": "0.10.1",
            "notes": "2.3.1",
            "update_check_errors": "0",
            "twofactor_totp": "1.3.1",
            "quota_warning": "1.1.1",
            "files_markdown": "2.0.1",
            "files_accesscontrol": "1.2.5"
        },
        "updater": {
            "installed_version": "0.4",
            "types": "",
            "enabled": "no",
            "ocsid": "166059"
        },
        "user_external": {
            "installed_version": "0.4",
            "ocsid": "166060",
            "types": "authentication,prelogin",
            "enabled": "yes"
        },
        "workflowengine": {
            "installed_version": "1.2.0",
            "types": "filesystem",
            "enabled": "yes"
        }
    }
}

Are you using external storage, if yes which one: all of the mounting backends listed in the config report above except FTP

Are you using encryption: no

Are you using an external user-backend, if yes which one: none (user_ldap is disabled; user_external is enabled but not in use)

Client configuration

Browser: Firefox

Operating system: Opensuse Tumbleweed

Logs

N/A
