Do not allow sharee enumeration via email option 1870/head
authorJoas Schilling <coding@schilljs.com>
Mon, 24 Oct 2016 08:30:59 +0000 (10:30 +0200)
committerJoas Schilling <coding@schilljs.com>
Mon, 24 Oct 2016 08:30:59 +0000 (10:30 +0200)
Signed-off-by: Joas Schilling <coding@schilljs.com>
core/ajax/share.php
core/js/sharedialogmailview.js

index adcf31a0dfa68a8b6daf4b7a3dc1c56386e3e86b..52eb118abf3e354867f6c9ad09f0cc9d6c3d2556 100644 (file)
@@ -213,6 +213,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
                        $result = array();
                        if (isset($_GET['search'])) {
                                $cm = OC::$server->getContactsManager();
+                               $allowEnumeration = \OC::$server->getConfig()->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
                                if (!is_null($cm) && $cm->isEnabled()) {
                                        $contacts = $cm->search((string)$_GET['search'], array('FN', 'EMAIL'));
                                        foreach ($contacts as $contact) {
@@ -226,6 +227,13 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo
                                                }
 
                                                foreach($emails as $email) {
+                                                       if (!$allowEnumeration &&
+                                                               $email !== $_GET['search'] &&
+                                                               $contact['FN'] !== $_GET['search']
+                                                       ) {
+                                                               continue;
+                                                       }
+
                                                        $result[] = array(
                                                                'id' => $contact['id'],
                                                                'email' => $email,
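Review bot: The enumeration guard in the second hunk matches the search term with strict, case-sensitive `!==` against both `$email` and `$contact['FN']`, so a user who types the full address in different casing (`Alice@Example.com` against a stored `alice@example.com`) gets no result even though they already know it; the restriction still holds if the email leg is compared case-insensitively, e.g. `strcasecmp($email, (string)$_GET['search']) !== 0`. The guard also compares against the raw `$_GET['search']`, whereas the contact lookup a few lines above passes it through `(string)`; comparing against the same cast value keeps the two checks consistent when the parameter is not a plain string. A short comment above the `if` would make the intent explicit: `// Enumeration disabled: only return a contact when the search term is exactly its email address or full name`. The `'yes'` default for `shareapi_allow_share_dialog_user_enumeration` in the first hunk presumably mirrors the default used by the sharee API endpoint, which is worth confirming so both code paths behave alike. The enclosing `foreach($emails as $email)` and the surrounding request handler both continue outside the hunks.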
index 04baaee217353bc2576ea1cd1a55260a7ead37bb..df919f1feb961144b117c96dfa0ff7bc97de1e9f 100644 (file)
                                                        }, function(result) {
                                                                if (result.status == 'success' && result.data.length > 0) {
                                                                        response(result.data);
+                                                               } else {
+                                                                       response([]);
                                                                }
                                                        });
                                                },