From: Joas Schilling Date: Mon, 24 Oct 2016 08:30:59 +0000 (+0200) Subject: Do not allow sharee enumeration via email option X-Git-Tag: v10.0.2~86^2 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=f0f62aa0558400cc78c7652996f77cbc3e1e9208;p=nextcloud-server.git Do not allow sharee enumeration via email option Signed-off-by: Joas Schilling --- diff --git a/core/ajax/share.php b/core/ajax/share.php index adcf31a0dfa..52eb118abf3 100644 --- a/core/ajax/share.php +++ b/core/ajax/share.php @@ -213,6 +213,7 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo $result = array(); if (isset($_GET['search'])) { $cm = OC::$server->getContactsManager(); + $allowEnumeration = \OC::$server->getConfig()->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes'; if (!is_null($cm) && $cm->isEnabled()) { $contacts = $cm->search((string)$_GET['search'], array('FN', 'EMAIL')); foreach ($contacts as $contact) { @@ -226,6 +227,13 @@ if (isset($_POST['action']) && isset($_POST['itemType']) && isset($_POST['itemSo } foreach($emails as $email) { + if (!$allowEnumeration && + $email !== $_GET['search'] && + $contact['FN'] !== $_GET['search'] + ) { + continue; + } + $result[] = array( 'id' => $contact['id'], 'email' => $email, diff --git a/core/js/sharedialogmailview.js b/core/js/sharedialogmailview.js index 04baaee2173..df919f1feb9 100644 --- a/core/js/sharedialogmailview.js +++ b/core/js/sharedialogmailview.js @@ -139,6 +139,8 @@ }, function(result) { if (result.status == 'success' && result.data.length > 0) { response(result.data); + } else { + response([]); } }); },
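Review bot: The new `$allowEnumeration` assignment sits next to the only place `$_GET['search']` is normalised (the `(string)$_GET['search']` cast on the `$cm->search(...)` line), yet the filter added further down compares the raw `$_GET['search']`; hoist the cast once, e.g. `$search = (string)$_GET['search'];` right after the new line, and compare against `$search` everywhere so a non-string `search` parameter (PHP accepts `?search[]=x`) is treated the same way in the lookup and in the filter. The `getAppValue(..., 'yes') === 'yes'` default keeps enumeration enabled unless an admin opts out, which reads as intentional but deserves a why-comment on that line, e.g. `// when admins disabled user enumeration, only exact name/e-mail matches may be returned`. The enclosing `if (isset($_POST['action']) ...)` block and the `if (isset($_GET['search']))` branch both continue past this hunk.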
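Review bot: The new guard inside the `foreach($emails as $email)` loop reads `$contact['FN']` without checking that the key exists; the search above asks for both `FN` and `EMAIL`, so if a contact can match on e-mail alone and carry no `FN`, that line raises an undefined-index notice for every such contact while enumeration is disabled. Guard it: `(!isset($contact['FN']) || $contact['FN'] !== $_GET['search'])`. The exact, case-sensitive `!==` comparison also means a user typing `Alice@Example.org` for a contact stored as `alice@example.org` gets no suggestion; if the contact search itself matches case-insensitively (not visible here), `strcasecmp($email, $_GET['search']) !== 0` would keep the filter consistent with it without widening what is disclosed. The `foreach ($contacts as $contact)` loop and the enclosing `if` start outside this hunk.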
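Review bot: The added `else` branch now hands `response([])` to the autocomplete widget for an empty or non-success payload, but the condition above it still uses loose equality, `result.status == 'success'`; strict equality avoids type coercion and matches the intent: `if (result.status === 'success' && result.data.length > 0) {`. If the request fails outright (non-2xx), this success callback is presumably never invoked and the widget is still left waiting for `response()`; an error handler that also calls `response([])` would belong beside it, but that code is outside this hunk. The caller that passes this `function(result) {` callback starts outside this hunk.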