Merge pull request #1870 from nextcloud/do-not-allow-sharee-enumeration-via-email-option

Do not allow sharee enumeration via email option

core/ajax/share.php

@@ -213,6 +213,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 			$result = array();
 			if (isset($_GET['search'])) {
 				$cm = OC::$server->getContactsManager();
+				$allowEnumeration = \OC::$server->getConfig()->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
 				if (!is_null($cm) && $cm->isEnabled()) {
 					$contacts = $cm->search((string)$_GET['search'], array('FN', 'EMAIL'));
 					foreach ($contacts as $contact) {
@@ -226,6 +227,13 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 						}
 
 						foreach($emails as $email) {
+							if (!$allowEnumeration &&
+								$email !== $_GET['search'] &&
+								$contact['FN'] !== $_GET['search']
+							) {
+								continue;
+							}
+
 							$result[] = array(
 								'id' => $contact['id'],
 								'email' => $email,

core/js/sharedialogmailview.js

@@ -139,6 +139,8 @@
 							}, function(result) {
 								if (result.status == 'success' && result.data.length > 0) {
 									response(result.data);
+								} else {
+									response([]);
 								}
 							});
 						},