Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: the complete server installation path is visible in cloud/user endpoint #33883

Closed
5 of 9 tasks
bohwaz opened this issue Sep 2, 2022 · 3 comments
Closed
5 of 9 tasks

[Bug]: the complete server installation path is visible in cloud/user endpoint #33883

bohwaz opened this issue Sep 2, 2022 · 3 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug

Comments

@bohwaz
Copy link

bohwaz commented Sep 2, 2022

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on Github (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

When doing a GET request on /ocs/v1.php/cloud/user?format=json the server returns user data, including one containing the full local server path:

            "storageLocation": "/home/bohwaz/www/tmp/nextcloud/data/bohwaz",

This is not a big security issue (as you need to be logged-in to get that response), but this is data that an attacker shouldn't be able to know easily.

This happens on a brand new install after using the web installer.

Steps to reproduce

  1. Do a GET request on /ocs/v1.php/cloud/user?format=json

Expected behavior

No sensitive information being sent to the client.

Installation method

Community Web installer on a VPS or web space

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.1

Web server

Other

Database engine version

SQlite

Is this bug present after an update or on a fresh install?

No response

Are you using the Nextcloud Server Encryption module?

No response

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

No response

List of activated Apps

not important

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response
@bohwaz bohwaz added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Sep 2, 2022
@kesselb

This comment was marked as resolved.

Sign in to view
@szaimen
Copy link
Contributor

szaimen commented Jan 23, 2023

Hi, please update to 24.0.9 or better 25.0.3 and report back if it fixes the issue. Thank you!

My goal is to add a label like e.g. 25-feedback to this ticket of an up-to-date major Nextcloud version where the bug could be reproduced. However this is not going to work without your help. So thanks for all your effort!

If you don't manage to reproduce the issue in time and the issue gets closed but you can reproduce the issue afterwards, feel free to create a new bug report with up-to-date information by following this link: https://github.com/nextcloud/server/issues/new?assignees=&labels=bug%2C0.+Needs+triage&template=BUG_REPORT.yml&title=%5BBug%5D%3A+

@nickvergessen
Copy link
Member

Fixed with #36094

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@nickvergessen @bohwaz @kesselb @szaimen