From f0f62aa0558400cc78c7652996f77cbc3e1e9208 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Mon, 24 Oct 2016 10:30:59 +0200
Subject: [PATCH] Do not allow sharee enumeration via email option

Signed-off-by: Joas Schilling
---
 core/ajax/share.php | 8 ++++++++
 core/js/sharedialogmailview.js | 2 ++
 2 files changed, 10 insertions(+)

diff --git a/core/ajax/share.php b/core/ajax/share.php
index adcf31a0df..52eb118abf 100644
--- a/core/ajax/share.php
+++ b/core/ajax/share.php
@@ -213,6 +213,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 $result = array();
 if (isset($_GET['search'])) {
 $cm = OC::$server->getContactsManager();
+ $allowEnumeration = \OC::$server->getConfig()->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
 if (!is_null($cm) && $cm->isEnabled()) {
 $contacts = $cm->search((string)$_GET['search'], array('FN', 'EMAIL'));
 foreach ($contacts as $contact) {
@@ -226,6 +227,13 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
 }
 foreach($emails as $email) {
+ if (!$allowEnumeration &&
+ $email !== $_GET['search'] &&
+ $contact['FN'] !== $_GET['search']
+ ) {
+ continue;
+ }
+
 $result[] = array(
 'id' => $contact['id'],
 'email' => $email,
diff --git a/core/js/sharedialogmailview.js b/core/js/sharedialogmailview.js
index 04baaee217..df919f1feb 100644
--- a/core/js/sharedialogmailview.js
+++ b/core/js/sharedialogmailview.js
@@ -139,6 +139,8 @@
 }, function(result) {
 if (result.status == 'success' && result.data.length > 0) {
 response(result.data);
+ } else {
+ response([]);
 }
 });
 },
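Review bot: In the `foreach($emails as $email)` hunk of core/ajax/share.php, the `$contact['FN'] !== $_GET['search']` clause means that with enumeration disabled an exact display-name match still returns every e-mail address stored for that contact, and an exact e-mail match still confirms that the address is present in the address book. If that residual disclosure is intended, record it in a comment above the condition, e.g. `// Enumeration disabled: only exact matches on the e-mail address or the full name are returned`; otherwise drop the FN clause so only a fully typed address matches. The comparisons also read the raw `$_GET['search']` while the search call in the first hunk casts it with `(string)`; assigning `$search = (string)$_GET['search'];` once next to `$allowEnumeration` and comparing against `$search` keeps both uses consistent and keeps an array-valued parameter from reaching the strict comparison. The enclosing loop starts and ends outside the hunk.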
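Review bot: The added `else { response([]); }` branch in core/js/sharedialogmailview.js only runs when this success callback is invoked; the start of the enclosing request is outside the hunk, but if it fails at the transport level the callback presumably never fires and the autocomplete is again left without a `response()` call. Consider attaching a failure handler to the request that also calls `response([]);`. A short comment such as `// always call response() so the autocomplete leaves its pending state` would record why the empty branch exists.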