This repository has been archived by the owner on Nov 1, 2020. It is now read-only.

Possible Information Disclosure: Password Protecting Public Share Links Does not Work (at least for me) #512

Open
gohrner opened this issue Apr 13, 2019 · 0 comments
Labels: "1. to develop" (Accepted and waiting to be taken care of), "bug" (Something isn't working)

gohrner commented Apr 13, 2019

Bug report

Steps to reproduce

  1. open a folder in gallery
  2. click the "Share" triangle on the right of the breadcrumb bar
  3. click "Share link"
  4. click "Password protect" (possibly named slightly differently, I translated from the German UI strings)
  5. enter a password and press the tab key

Expected behaviour

  • The password field should somehow indicate that a password had been entered.
  • Invoking the public link in another browser should ask for a password before displaying the images.

Actual behaviour

  • The password text field looks empty again.
  • The gallery folder is accessible without any password from another browser if the share link is entered. (Even though the "Password protect" checkbox is still checked in the "Share" dialog.)

Server configuration

Operating system: Debian 9 Stretch

Web server: Apache 2.4.25-3+deb9u7

Database: MariaDB 10.1.37-0+deb9u1

PHP version: 7.0.33-0+deb9u3

Nextcloud configuration

Nextcloud version: 15.0.7

Updated from an older installation or fresh install: updated from originally 15.0.1

List of activated apps:

App list
Enabled:
  - accessibility: 1.1.0
  - activity: 2.8.2
  - calendar: 1.6.4
  - cloud_federation_api: 0.1.0
  - comments: 1.5.0
  - contacts: 3.1.0
  - dav: 1.8.1
  - federatedfilesharing: 1.5.0
  - federation: 1.5.0
  - files: 1.10.0
  - files_pdfviewer: 1.4.0
  - files_sharing: 1.7.0
  - files_texteditor: 2.7.0
  - files_trashbin: 1.5.0
  - files_versions: 1.8.0
  - files_videoplayer: 1.4.0
  - firstrunwizard: 2.4.0
  - gallery: 18.2.0
  - impersonate: 1.2.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.3.0
  - mail: 0.11.1
  - nextcloud_announcements: 1.4.0
  - notifications: 2.3.0
  - oauth2: 1.3.0
  - password_policy: 1.5.0
  - polls: 0.10.2
  - provisioning_api: 1.5.0
  - richdocuments: 3.2.4
  - serverinfo: 1.5.0
  - sharebymail: 1.5.0
  - support: 1.0.0
  - survey_client: 1.3.0
  - systemtags: 1.5.0
  - theming: 1.6.0
  - twofactor_backupcodes: 1.4.1
  - updatenotification: 1.5.0
  - workflowengine: 1.5.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - user_ldap

Nextcloud configuration:

Are you using external storage, if yes which one: none

Are you using encryption: no

Are you using custom gallery.cnf config files: not that I'd be aware of (didn't create them manually)

@skjnldsv added the "1. to develop" (Accepted and waiting to be taken care of) and "bug" (Something isn't working) labels on Sep 3, 2019