Do not allow sharee enumeration via email option
Signed-off-by: Joas Schilling <coding@schilljs.com>
parent
4db595181d
commit
f0f62aa055
|
@ -213,6 +213,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
|
||||||
$result = array();
|
$result = array();
|
||||||
if (isset($_GET['search'])) {
|
if (isset($_GET['search'])) {
|
||||||
$cm = OC::$server->getContactsManager();
|
$cm = OC::$server->getContactsManager();
|
||||||
|
$allowEnumeration = \OC::$server->getConfig()->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
|
||||||
if (!is_null($cm) && $cm->isEnabled()) {
|
if (!is_null($cm) && $cm->isEnabled()) {
|
||||||
$contacts = $cm->search((string)$_GET['search'], array('FN', 'EMAIL'));
|
$contacts = $cm->search((string)$_GET['search'], array('FN', 'EMAIL'));
|
||||||
foreach ($contacts as $contact) {
|
foreach ($contacts as $contact) {
|
||||||
|
@ -226,6 +227,13 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach($emails as $email) {
|
foreach($emails as $email) {
|
||||||
|
if (!$allowEnumeration &&
|
||||||
|
$email !== $_GET['search'] &&
|
||||||
|
$contact['FN'] !== $_GET['search']
|
||||||
|
) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
$result[] = array(
|
$result[] = array(
|
||||||
'id' => $contact['id'],
|
'id' => $contact['id'],
|
||||||
'email' => $email,
|
'email' => $email,
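Review bot: With enumeration disabled, the new guard in the `foreach($emails as $email)` loop still lets a contact through when `$contact['FN']` equals the search term, so a caller who knows only a display name gets that contact's e-mail addresses back in `$result`. If the option is meant to require knowing the address itself, the guard could compare the e-mail only: `if (!$allowEnumeration && $email !== $search) { continue; }`, with `$search = (string)$_GET['search'];` assigned once next to the `$cm->search()` call. That would also stop comparing against the raw `$_GET['search']`, which is cast to string for the search but not for the `!==` checks, and stop reading `$contact['FN']` without an `isset()` check (none is visible in these lines). The enclosing `if (isset($_GET['search']))` block starts and ends outside both hunks, so whether `FN` is validated earlier cannot be confirmed from here.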
|
||||||
|
|
|
@ -139,6 +139,8 @@
|
||||||
}, function(result) {
|
}, function(result) {
|
||||||
if (result.status == 'success' && result.data.length > 0) {
|
if (result.status == 'success' && result.data.length > 0) {
|
||||||
response(result.data);
|
response(result.data);
|
||||||
|
} else {
|
||||||
|
response([]);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
},
|
},
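Review bot: The added `else { response([]); }` branch has no comment saying why an empty list is passed, and the reason is not obvious from the callback alone. It appears to be needed because the server can now return no data for a non-exact search, which without this branch would leave the previous suggestions on screen. I would add a comment above the branch such as `// Always answer the autocomplete, otherwise stale suggestions from an earlier search stay visible`. The same branch also covers a non-success `result.status`, so the comment should say that errors and empty results are deliberately treated alike. The surrounding source function starts outside the hunk.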
|
||||||
|
|