Do not allow sharee enumeration via email option

Signed-off-by: Joas Schilling <coding@schilljs.com>
Joas Schilling 2016-10-24 10:30:59 +02:00
parent 4db595181d
commit f0f62aa055
No known key found for this signature in database
GPG Key ID: E166FD8976B3BAC8
2 changed files with 10 additions and 0 deletions


@ -213,6 +213,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
$result = array();
if (isset($_GET['search'])) {
$cm = OC::$server->getContactsManager();
$allowEnumeration = \OC::$server->getConfig()->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
if (!is_null($cm) && $cm->isEnabled()) {
$contacts = $cm->search((string)$_GET['search'], array('FN', 'EMAIL'));
foreach ($contacts as $contact) {
@ -226,6 +227,13 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
}
foreach($emails as $email) {
if (!$allowEnumeration &&
$email !== $_GET['search'] &&
$contact['FN'] !== $_GET['search']
) {
continue;
}
$result[] = array(
'id' => $contact['id'],
'email' => $email,
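Review bot: The new guard inside `foreach($emails as $email)` compares against the raw `$_GET['search']`, while the lookup above it passes `(string)$_GET['search']` to `$cm->search()`, so the two can disagree when the parameter is not a plain string; the strict `!==` then never matches and every contact is skipped, which fails closed but is not visibly intended. Reading the term once, `$search = (string)$_GET['search'];`, and using `$search` in both places would make the behaviour explicit. The comparison is also case-sensitive, so with enumeration disabled a fully typed address that differs from the stored one only in case is filtered out, and `$contact['FN']` is read without an `isset` check visible in this hunk. A short comment above the `if`, such as `// enumeration disabled: only return exact matches on email or display name`, would record why partial matches are dropped. The `$result[] = array(` statement and the enclosing loops continue outside the hunk.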


@ -139,6 +139,8 @@
}, function(result) {
if (result.status == 'success' && result.data.length > 0) {
response(result.data);
} else {
response([]);
}
});
},
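Review bot: The added `else` branch answers `response([])` both when the lookup succeeded with no matches and when `result.status` is not `'success'`, so a failed request looks the same as an empty result in the share dialog. If that is intended, a comment on the branch would say so, for example `// always answer the autocomplete, otherwise earlier suggestions stay visible`; that reading of `response` is inferred, since the surrounding callback starts and ends outside the hunk. The status check also uses loose `==`, where `===` would be the safer habit.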