
Commit a278c156 authored by Arnau Vàzquez

Merge branch 'autocomplete-user-leak' into 'master'

Autocomplete user leak

See merge request !10
parents 77945b39 0f0e37ee
+2 −1
@@ -7,13 +7,14 @@ RUN mkdir -p /var/www/skeleton/Documents && mkdir -p /var/www/skeleton/Images
COPY patches/ /tmp/build_patches/
COPY custom_entrypoint.sh /
RUN chmod +x /custom_entrypoint.sh
RUN sed -i 's/19,0,8,1/19,0,8,3/' ${BASE_DIR}/version.php
RUN sed -i 's/19,0,8,1/19,0,8,6/' ${BASE_DIR}/version.php

# Patches
#RUN patch -u ${BASE_DIR}/core/signature.json -i /tmp/build_patches/001-sha512-signature.patch
RUN patch -u ${BASE_DIR}/core/Controller/LoginController.php -i /tmp/build_patches/002-login-without-domain.patch
RUN patch -u ${BASE_DIR}/core/templates/layout.user.php -i /tmp/build_patches/003-contact-search-removal.patch
RUN patch -u ${BASE_DIR}/core/Controller/ContactsMenuController.php -i /tmp/build_patches/004-contact-search-controller-removal.patch
RUN cd ${BASE_DIR} && patch -p0 < /tmp/build_patches/005-autocomplete-user-leak.patch
RUN rm -rf /tmp/build_patches/

# Custom apps
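Review bot: The `sed -i 's/19,0,8,1/19,0,8,6/'` line succeeds even when `${BASE_DIR}/version.php` no longer contains `19,0,8,1`, so a base-image bump would leave the advertised version untouched without failing the build; `RUN grep -q '19,0,8,1' ${BASE_DIR}/version.php && sed -i 's/19,0,8,1/19,0,8,6/' ${BASE_DIR}/version.php` makes a silent no-op into a build error. The added `cd ${BASE_DIR} && patch -p0 <` line also departs from the `patch -u FILE -i PATCH` form used on the three lines above it and relies on `patch` choosing the existing `lib/private/...` path over the `-new.php` name in each `+++` header of 005. A one-line comment such as `# 005 touches three files, so it is applied from ${BASE_DIR} with -p0` would spare the next reader that inference.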
+161 −0
--- lib/private/User/Database.php	2021-01-25 15:56:05.000000000 +0100
+++ lib/private/User/Database-new.php	2021-02-16 14:54:37.161624233 +0100
@@ -284,7 +284,7 @@
 		$result = $query->execute();
 		$displayNames = [];
 		while ($row = $result->fetch()) {
-			$displayNames[(string)$row['uid']] = (string)$row['displayname'];
+			$displayNames[(string)$row['uid']] = (string)$row['uid'];
 		}
 
 		return $displayNames;
--- lib/private/Collaboration/Collaborators/UserPlugin.php	2021-01-25 15:56:05.000000000 +0100
+++ lib/private/Collaboration/Collaborators/UserPlugin-new.php	2021-02-16 14:56:26.778152834 +0100
@@ -92,7 +92,7 @@
 			}
 		} else {
 			// Search in all users
-			$usersTmp = $this->userManager->searchDisplayName($search, $limit, $offset);
+			$usersTmp = $this->userManager->search($search, $limit, $offset);
 			foreach ($usersTmp as $user) {
 				if ($user->isEnabled()) { // Don't keep deactivated users
 					$users[$user->getUID()] = $user;
@@ -114,7 +114,7 @@
 			$uid = (string) $uid;
 			if (
 				$lowerSearch !== '' && (strtolower($uid) === $lowerSearch ||
-				strtolower($userDisplayName) === $lowerSearch ||
+//				strtolower($userDisplayName) === $lowerSearch ||
 				strtolower($userEmail) === $lowerSearch)
 			) {
 				if (strtolower($uid) === $lowerSearch) {
--- lib/private/Collaboration/Collaborators/MailPlugin.php	2021-02-16 14:55:37.281914086 +0100
+++ lib/private/Collaboration/Collaborators/MailPlugin-new.php	2021-02-19 16:22:07.662189199 +0100
@@ -36,6 +36,7 @@
 use OCP\IConfig;
 use OCP\IGroupManager;
 use OCP\IUser;
+use OCP\IUserManager;
 use OCP\IUserSession;
 use OCP\Share;
 
@@ -56,12 +57,13 @@
 	/** @var IUserSession */
 	private $userSession;
 
-	public function __construct(IManager $contactsManager, ICloudIdManager $cloudIdManager, IConfig $config, IGroupManager $groupManager, IUserSession $userSession) {
+	public function __construct(IManager $contactsManager, ICloudIdManager $cloudIdManager, IConfig $config, IGroupManager $groupManager, IUserSession $userSession, IUserManager $userManager) {
 		$this->contactsManager = $contactsManager;
 		$this->cloudIdManager = $cloudIdManager;
 		$this->config = $config;
 		$this->groupManager = $groupManager;
 		$this->userSession = $userSession;
+		$this->userManager = $userManager;
 
 		$this->shareeEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
 		$this->shareWithGroupOnly = $this->config->getAppValue('core', 'shareapi_only_share_with_group_members', 'no') === 'yes';
@@ -185,43 +187,79 @@
 						if ($exactEmailMatch) {
 							$searchResult->markExactIdMatch($emailType);
 						}
-						$result['exact'][] = [
-							'label' => $displayName,
-							'uuid' => $contact['UID'],
-							'name' => $contact['FN'],
-							'type' => $emailAddressType ?? '',
-							'value' => [
-								'shareType' => Share::SHARE_TYPE_EMAIL,
-								'shareWith' => $emailAddress,
-							],
-						];
+						
+						$isUserinInstance = $this->userManager->get($emailAddress);
+						if ($isUserinInstance === null) {
+							// /e/ user is not in ecloud
+
+							$result['exact'][] = [
+								'label' => $displayName,
+								'uuid' => $contact['UID'],
+								'name' => $contact['FN'],
+								'type' => $emailAddressType ?? '',
+								'value' => [
+									'shareType' => Share::SHARE_TYPE_EMAIL,
+									'shareWith' => $emailAddress,
+								],
+							];
+						} else {
+							// /e/ user IS an ecloud user, convert to user share type
+							if (!$isUserinInstance->isEnabled()) {
+							// Ignore disabled users
+							continue;
+							}
+							$result['exact'][] = [
+								'label' => $displayName,
+								'value' => [
+									'shareType' => Share::SHARE_TYPE_USER,
+									'shareWith' => $emailAddress,
+								],
+							];
+						}
 					} else {
-						$result['wide'][] = [
-							'label' => $displayName,
-							'uuid' => $contact['UID'],
-							'name' => $contact['FN'],
-							'type' => $emailAddressType ?? '',
-							'value' => [
-								'shareType' => Share::SHARE_TYPE_EMAIL,
-								'shareWith' => $emailAddress,
-							],
-						];
+						$isUserinInstance = $this->userManager->get($emailAddress);
+						if ($isUserinInstance === null) {
+							// /e/ user is not in ecloud
+							$result['wide'][] = [
+								'label' => $displayName,
+								'uuid' => $contact['UID'],
+								'name' => $contact['FN'],
+								'type' => $emailAddressType ?? '',
+								'value' => [
+									'shareType' => Share::SHARE_TYPE_EMAIL,
+									'shareWith' => $emailAddress,
+								],
+							];
+						} else {
+							// /e/ user IS an ecloud user, convert to user share type
+							if (!$isUserinInstance->isEnabled()) {
+							// Ignore disabled users
+							continue;
+							}	
+							$result['wide'][] = [
+								'label' => $displayName,
+								'value' => [
+									'shareType' => Share::SHARE_TYPE_USER,
+									'shareWith' => $emailAddress,
+								],
+							];
+						}
 					}
 				}
 			}
 		}
 
 		$reachedEnd = true;
-		if (!$this->shareeEnumeration) {
-			$result['wide'] = [];
-			$userResults['wide'] = [];
-		} else {
+//		if (!$this->shareeEnumeration) {
+//			$result['wide'] = [];
+//			$userResults['wide'] = [];
+//		} else {
 			$reachedEnd = (count($result['wide']) < $offset + $limit) &&
 				(count($userResults['wide']) < $offset + $limit);
 
 			$result['wide'] = array_slice($result['wide'], $offset, $limit);
 			$userResults['wide'] = array_slice($userResults['wide'], $offset, $limit);
-		}
+//		}
 
 
 		if (!$searchResult->hasExactIdMatch($emailType) && filter_var($search, FILTER_VALIDATE_EMAIL)) {
 No newline at end of file
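Review bot: Commenting out the `if (!$this->shareeEnumeration)` block at the end of the MailPlugin hunk means `shareapi_allow_share_dialog_user_enumeration = no` no longer clears the wide results, and because the new `userManager->get($emailAddress)` branches emit a `SHARE_TYPE_USER` entry for any address-book contact that resolves to a local account, every wide match now answers "is this address an account on this instance?" regardless of that admin setting. In the wide branch, gate the conversion on the setting, e.g. `if ($isUserinInstance === null || !$this->shareeEnumeration) {` so that disabled enumeration falls back to the original EMAIL share, or add a comment on the commented-out block stating that this build intentionally ignores the setting. The USER entries also carry `'shareWith' => $emailAddress`, the contact's email string, whereas the lookup already resolved the account, so `'shareWith' => $isUserinInstance->getUID()` is the safer value and avoids assuming uid and email are byte-identical, case included. `$this->userManager` is assigned in the constructor without a matching `/** @var IUserManager */ private $userManager;` declaration, leaving it a dynamic property; the enclosing method of the large hunk starts and ends outside the hunk. In the Database.php hunk only the returned value changes from displayname to uid, while the WHERE clause lies outside the hunk, so if it still matches on displayname a search for a display-name fragment still returns the matching uid and the name remains inferable.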