Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Share20OcsController no longer provides info whether public link share is password-protected #35541

Closed
felix-schwarz opened this issue Jun 14, 2019 · 13 comments
Closed

Share20OcsController no longer provides info whether public link share is password-protected #35541

felix-schwarz opened this issue Jun 14, 2019 · 13 comments
Assignees
@IljaN
Labels
3 - To Review p2-high Escalation, on top of current planning, release blocker security
Milestone
development

Comments

@felix-schwarz
Copy link

Steps to reproduce

  1. Retrieve list of shares

Expected behaviour

For public link shares with a password, the record included share_with and share_with_displayname with values, looking like this:

  <element>
   <id>29</id>
   <share_type>3</share_type>
   <uid_owner>admin</uid_owner>
   <displayname_owner>admin</displayname_owner>
   <permissions>1</permissions>
…
   <share_with>some value</share_with>
   <share_with_displayname>some value</share_with_displayname>
…
   <name>Public link</name>
  </element>

For public link shares without password, the share_with and share_with_displayname records were not included:

  <element>
   <id>29</id>
   <share_type>3</share_type>
   <uid_owner>admin</uid_owner>
   <displayname_owner>admin</displayname_owner>
   <permissions>1</permissions>
…
   <name>Public link</name>
  </element>

Actual behaviour

The share_with and share_with_displayname tags are now always included for all public links, regardless of whether they have a password set:

  <element>
   <id>29</id>
   <share_type>3</share_type>
   <uid_owner>admin</uid_owner>
   <displayname_owner>admin</displayname_owner>
   <permissions>1</permissions>
…
   <share_with>***redacted***</share_with>
   <share_with_displayname>***redacted***</share_with_displayname>
…
   <name>Public link</name>
  </element>

Possible solutions

I believe this code segment to be responsible for this:

		} elseif ($share->getShareType() === Share::SHARE_TYPE_LINK) {
			$result['share_with'] = '***redacted***';
			$result['share_with_displayname'] = '***redacted***';
			$result['name'] = $share->getName();

If it only returned the two tags ***redacted*** if the share has a password set, it'd match past behaviour. Speculatively, the code would look something like this then:

		} elseif ($share->getShareType() === Share::SHARE_TYPE_LINK) {
			if ($share->getSharedWith()) {
				$result['share_with'] = '***redacted***';
				$result['share_with_displayname'] = '***redacted***';
			}
			$result['name'] = $share->getName();

Impact

This change in Share20OcsController currently breaks the new ios-sdk's ability to provide accurate information to the app on whether a public link share has its password set. It currently indicates this for all public link shares for server versions returning ***redacted***.

Server configuration

Reproduced using demo.owncloud.org running ownCloud 10.2.0 (stable).
felix-schwarz added a commit to owncloud/ios-sdk that referenced this issue Jun 14, 2019
@felix-schwarz
- Temporarily remove public link share password protection checks due…
fa70e38 
… to owncloud/core#35541
@micbar
Copy link
Contributor

micbar commented Jun 14, 2019
edited
Loading

@felix-schwarz
This comes from https://github.com/owncloud/security-tracker/issues/301
PR was: #34691

@micbar
Copy link
Contributor

micbar commented Jun 14, 2019

Seems to be a security issue.

@micbar
Copy link
Contributor

micbar commented Jun 14, 2019

@felix-schwarz I agree with your proposal. Lets make it conditional.

I will add it to the sprint.
Maybe we could add it to the Hotfix Release.

@pmaier1 @patrickjahns

@micbar micbar added 1 - To develop p2-high Escalation, on top of current planning, release blocker labels Jun 14, 2019
@micbar micbar added this to the development milestone Jun 14, 2019
@IljaN
Copy link
Member

IljaN commented Jun 14, 2019

@felix-schwarz Not sure If I understand the proposed fix (or maybe the problem). To my understanding ShareWith() will always be empty for public links as they have no explicit recipient.

If it only returned the two tags redacted if the share has a password set, it'd match past behaviour.

Before the fix both field share_with and share_with_displayname contained the password.
31b47dc. When password was null the field was filtered out because we remove empty/null fields before sending the response.

So I propose we rather check for $share->getPassword() instead of $share->getSharedWith(). If a password is set we fill respective fields with "redacted".

IljaN added a commit that referenced this issue Jun 14, 2019
@IljaN
Return "password fields" only if public-link password is set. #35541
e82aef1 
The iOS client uses the presence of these fields to determine if a
password is required.

Despite their names they are historically used to store pw-hashes for public-links.
@IljaN IljaN mentioned this issue Jun 14, 2019
Merged
11 tasks
@IljaN
Copy link
Member

IljaN commented Jun 14, 2019

@micbar @felix-schwarz WIP fix here: #35544, please comment/test.

@micbar
Copy link
Contributor

micbar commented Jun 14, 2019

@IljaN Your proposal makes sense.

@michaelstingl @felix-schwarz Is there a blue ticket for this?
I remember seeing a case where the sync client shows that a pw is set, even if it is not set at the server side.

Does the fix work for this problem too?
What are the clients expecting?

@felix-schwarz
Copy link
Author

felix-schwarz commented Jun 14, 2019
edited
Loading

@IljaN Thanks for the explanation! Was just best-guessing above (I'm not familiar with the internals of the OC server sources).

#35544 looks exactly like what's needed then. Thanks! Is there any easy way for me to quickly bring up an instance with these changes, so I can run the OC iOS SDK's unit tests against it?

@micbar micbar mentioned this issue Jun 14, 2019
Closed
@micbar
Copy link
Contributor

micbar commented Jun 14, 2019

@felix-schwarz
basically you need a local LAMP (or in docker)

  • Git clone owncloud/core
  • git checkout stable10_fix_35541
  • Run make
  • Run php occ maintenance:install with the needed parameters

@michaelstingl
Copy link

@michaelstingl @felix-schwarz Is there a blue ticket for this?
I remember seeing a case where the sync client shows that a pw is set, even if it is not set at the server side.

Yeah, I think I've seen something similar, but I can't find it right now.

We'll need QA with all client platforms on Monday. (maybe also adjustments in the smoke tests) /cc @jesmrec @HanaGemela

Is there any easy way for me to quickly bring up an instance with these changes, so I can run the OC iOS SDK's unit tests against it?

@felix-schwarz Just patch the apps/files_sharing/lib/Controller/Share20OcsController.php in the 10.2 Docker?

IljaN added a commit that referenced this issue Jun 14, 2019
@IljaN
Return "password fields" only if public-link password is set. #35541
0c09977 
The iOS client uses the presence of these fields to determine if a
password is required.

Despite their names they are historically used to store pw-hashes for public-links.
IljaN added a commit that referenced this issue Jun 14, 2019
@IljaN
Return "password fields" only if public-link password is set. #35541
060d32a 
The iOS client uses the presence of these fields to determine if a
password is required.

Despite their names they are historically used to store pw-hashes for public-links.
@IljaN IljaN mentioned this issue Jun 14, 2019
Merged
@felix-schwarz
Copy link
Author

@michaelstingl Good idea. Tried to do this, but couldn't proceed past trying to fire up a fresh 10.2 instance.

Using this minimal docker-compose.yml

version: '3'

services:
  owncloud:
    image: owncloud/server:latest
    restart: always
    ports:
      - 36080:8080
      - 36180:80
      - 36443:443

… the server is stuck during startup both using Docker for Mac as well as trying the same with Docker running in an Ubuntu instance. Both do not proceed past starting apache:

Creating owncloud_owncloud_1 ... done
Attaching to owncloud_owncloud_1
owncloud_1  | Creating volume folders...
owncloud_1  | Creating hook folders...
owncloud_1  | Removing custom folder...
owncloud_1  | Linking custom folder...
owncloud_1  | Removing config folder...
owncloud_1  | Linking config folder...
owncloud_1  | Writing config file...
owncloud_1  | Fixing base perms...
owncloud_1  | Fixing data perms...
owncloud_1  | Fixing hook perms...
owncloud_1  | Installing server database...
owncloud_1  | creating sqlite db
owncloud_1  | ownCloud was successfully installed
owncloud_1  | ownCloud is already latest version
owncloud_1  | Writing objectstore config...
owncloud_1  | Writing php config...
owncloud_1  | Updating htaccess config...
owncloud_1  | .htaccess has been updated
owncloud_1  | Writing apache config...
owncloud_1  | Enabling cron background...
owncloud_1  | Set mode for background jobs to 'cron'
owncloud_1  | Touching cron configs...
owncloud_1  | Starting cron daemon...
owncloud_1  | Starting apache daemon...
owncloud_1  | [Sat Jun 15 20:20:29.419408 2019] [mpm_prefork:notice] [pid 179] AH00163: Apache/2.4.29 (Ubuntu) configured -- resuming normal operations
owncloud_1  | [Sat Jun 15 20:20:29.419500 2019] [core:notice] [pid 179] AH00094: Command line: '/usr/sbin/apache2 -f /etc/apache2/apache2.conf -D FOREGROUND'

It's not possible to connect to this server, then.

This docker-compose.yml used to work fine with previous ownCloud releases.

@HanaGemela
Copy link
Contributor

@micbar the issues related to password are
owncloud/client#7189
#35419

@micbar
Copy link
Contributor

micbar commented Jun 17, 2019

@micbar the issues related to password are
owncloud/client#7189
#35419

Thank you!

patrickjahns pushed a commit that referenced this issue Jun 17, 2019
@IljaN @patrickjahns
Return "password fields" only if public-link password is set. #35541
d78e246 
The iOS client uses the presence of these fields to determine if a
password is required.

Despite their names they are historically used to store pw-hashes for public-links.
@patrickjahns patrickjahns mentioned this issue Jun 17, 2019
Merged
10 tasks
patrickjahns pushed a commit that referenced this issue Jun 18, 2019
@IljaN @patrickjahns
Return "password fields" only if public-link password is set. #35541
afd5036 
The iOS client uses the presence of these fields to determine if a
password is required.

Despite their names they are historically used to store pw-hashes for public-links.
patrickjahns added a commit that referenced this issue Jun 18, 2019
@patrickjahns
Merge pull request #35563 from owncloud/release-10.2.1-35541
470f781 
[release-10.2.1] Return "password fields" only if public-link password is set. #35541
felix-schwarz added a commit to owncloud/ios-sdk that referenced this issue Jun 24, 2019
@felix-schwarz
Release/1.0.1 merge
b543087 
Squashed commits:
commit 00b0904
Author: Felix Schwarz <[email protected]>
Date:   Mon Jun 24 09:24:52 2019 +0200

    - Rename NSString+OCParentPath to NSString+OCPath and add additional methods to
            - normalize strings representing directories
            - compose paths following the OCPath schema (whereby all directories need to end with a trailing "/")
    - Adopt the new OCPath methods across the SDK
    - Fix issue where, when creating a folder, a placeholder item with an incorrect path (missing the trailing "/") would be created, leading to issue when creating an OCQuery on that placeholder item

commit 31f6a85
Author: Michael Neuwert <[email protected]>
Date:   Tue Jun 18 21:40:01 2019 +0200

    Added [OCLogFileWriter rotate] public API

commit 5305d4f
Author: Michael Neuwert <[email protected]>
Date:   Tue Jun 18 21:34:07 2019 +0200

    Changed log file name

commit 8a183b9
Author: Matthias Hühne <[email protected]>
Date:   Tue Jun 18 21:26:26 2019 +0200

    - added missing localization strings
    - added format string to localized string to append item name

commit 8054a1f
Author: Matthias Hühne <[email protected]>
Date:   Mon Jun 17 13:36:18 2019 +0200

    removed static ownCloud.log file name with dynamic (branded) app name for log files (QA finding 15)

commit fa70e38
Author: Felix Schwarz <[email protected]>
Date:   Fri Jun 14 17:20:25 2019 +0200

    - Temporarily remove public link share password protection checks due to owncloud/core#35541

commit 64c68af
Author: Felix Schwarz <[email protected]>
Date:   Fri Jun 14 17:00:46 2019 +0200

    - Fix broken/fragile tests

commit 9525b4d
Author: Felix Schwarz <[email protected]>
Date:   Fri Jun 14 15:56:55 2019 +0200

    - Add support for "oc:checksum" XML decoding
    - Uploads that result in a "PRECONDITION FAILED" (in this case, WebDAV code for "a file already exists here") don't immediately return an error, but instead request the checksum of the remote file. If the checksum of the file to upload matches the checksum of the file on the server, no error is returned

commit b9c1d57
Author: Felix Schwarz <[email protected]>
Date:   Thu Jun 13 23:40:29 2019 +0200

    - Add option to indicate whether a thumbnail request while offline should wait for connectivity to resume - or return with an error when offline

commit 48fc614
Author: Felix Schwarz <[email protected]>
Date:   Thu Jun 13 22:54:05 2019 +0200

    - OCCore+ConnectionStatus: reschedule dropped requests that require the online signal

commit ab17381
Author: Felix Schwarz <[email protected]>
Date:   Wed Jun 12 12:12:53 2019 +0200

    - Improved logging for OCHTTPPipeline recovery and OCHTTPPipelineTask description
    - OCCore+ConnectionStatus now recognizes more "connection unavailable" / "offline" errors and handles them accordingly
felix-schwarz added a commit to owncloud/ios-sdk that referenced this issue Jun 24, 2019
@felix-schwarz
SDK release/1.0.1
d1fcc9f 
squashed commit of the following commits:

commit 00b0904
Author: Felix Schwarz <[email protected]>
Date:   Mon Jun 24 09:24:52 2019 +0200

    - Rename NSString+OCParentPath to NSString+OCPath and add additional methods to
            - normalize strings representing directories
            - compose paths following the OCPath schema (whereby all directories need to end with a trailing "/")
    - Adopt the new OCPath methods across the SDK
    - Fix issue where, when creating a folder, a placeholder item with an incorrect path (missing the trailing "/") would be created, leading to issue when creating an OCQuery on that placeholder item

commit 31f6a85
Author: Michael Neuwert <[email protected]>
Date:   Tue Jun 18 21:40:01 2019 +0200

    Added [OCLogFileWriter rotate] public API

commit 5305d4f
Author: Michael Neuwert <[email protected]>
Date:   Tue Jun 18 21:34:07 2019 +0200

    Changed log file name

commit 8a183b9
Author: Matthias Hühne <[email protected]>
Date:   Tue Jun 18 21:26:26 2019 +0200

    - added missing localization strings
    - added format string to localized string to append item name

commit 8054a1f
Author: Matthias Hühne <[email protected]>
Date:   Mon Jun 17 13:36:18 2019 +0200

    removed static ownCloud.log file name with dynamic (branded) app name for log files (QA finding 15)

commit fa70e38
Author: Felix Schwarz <[email protected]>
Date:   Fri Jun 14 17:20:25 2019 +0200

    - Temporarily remove public link share password protection checks due to owncloud/core#35541

commit 64c68af
Author: Felix Schwarz <[email protected]>
Date:   Fri Jun 14 17:00:46 2019 +0200

    - Fix broken/fragile tests

commit 9525b4d
Author: Felix Schwarz <[email protected]>
Date:   Fri Jun 14 15:56:55 2019 +0200

    - Add support for "oc:checksum" XML decoding
    - Uploads that result in a "PRECONDITION FAILED" (in this case, WebDAV code for "a file already exists here") don't immediately return an error, but instead request the checksum of the remote file. If the checksum of the file to upload matches the checksum of the file on the server, no error is returned

commit b9c1d57
Author: Felix Schwarz <[email protected]>
Date:   Thu Jun 13 23:40:29 2019 +0200

    - Add option to indicate whether a thumbnail request while offline should wait for connectivity to resume - or return with an error when offline

commit 48fc614
Author: Felix Schwarz <[email protected]>
Date:   Thu Jun 13 22:54:05 2019 +0200

    - OCCore+ConnectionStatus: reschedule dropped requests that require the online signal

commit ab17381
Author: Felix Schwarz <[email protected]>
Date:   Wed Jun 12 12:12:53 2019 +0200

    - Improved logging for OCHTTPPipeline recovery and OCHTTPPipelineTask description
    - OCCore+ConnectionStatus now recognizes more "connection unavailable" / "offline" errors and handles them accordingly
@micbar micbar closed this as completed Jun 25, 2019
@davitol davitol mentioned this issue Jun 25, 2019
Closed
11 tasks
@HanaGemela
Copy link
Contributor

Tested with desktop client 2.5.4 and server 10.2.1.RC1
When user creates a public link in the desktop client or WebUI without a password, the password checkbox is not checked in the desktop client

@jesmrec jesmrec mentioned this issue Jun 27, 2019
Closed
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@IljaN IljaN

Labels
3 - To Review p2-high Escalation, on top of current planning, release blocker security
Projects
None yet
Milestone
development
Development

No branches or pull requests
5 participants
@michaelstingl @IljaN @felix-schwarz @micbar @HanaGemela