Validate reshare permissions against actual path that the user tries to share by juliusknorr · Pull Request #27820 · nextcloud/server

juliusknorr · 2021-07-06T07:11:32Z

Otherwise this could lead to taking the wrong user mount in case there
are multiple ones with different permissions that the user could use to
reshare

Possible reproduction:

A creates a folder and shares it with group without reshare permissions
A creates a subfolder inside of the share and shares it to B with reshare permisions
B is member of group
B Tries to create a share link of the subfolder

Before:
💥 Cannot increase permissions

After:
The proper source user mount is taken for permission comparison where the user has reshare permissions and the share link creation passes.

juliusknorr · 2021-07-06T07:12:42Z

Other bug found, to be filed separately:

B is offered resharing in the UI for the subfolder (but not children) when accessing it through the original share path, but the backend doesn't allow resharing there

juliusknorr · 2021-09-14T17:03:04Z

Unit tests should be fine now and were actually using the wrong source node in case of a reshare as then the share would always be created from the resharing users filesystem instead of using the owners user folder as a base.

lib/private/Share20/Manager.php

nickvergessen · 2021-09-28T11:44:44Z

We really need integrations tests for this.

juliusknorr · 2021-10-20T15:50:38Z

Will look into some tests for that and will double check the suggestion from @PVince81

…to share Otherwise this could lead to taking the wrong user mount in case there are multiple ones with different permissions that the user could use to reshare Signed-off-by: Julius Härtl <jus@bitgrid.net>

Signed-off-by: Julius Härtl <jus@bitgrid.net>

juliusknorr · 2021-10-28T09:55:42Z

Pushed another attempt as the share node might be the one located in the owners filesystem

server/lib/private/Share20/Share.php

Lines 182 to 186 in 215aef3

    
           if ($this->userManager->userExists($this->shareOwner)) { 
        
           	$userFolder = $this->rootFolder->getUserFolder($this->shareOwner); 
        
           } else { 
        
           	$userFolder = $this->rootFolder->getUserFolder($this->sharedBy); 
        
           }

compared to the previously assumed shared by users filesystem https://github.com/nextcloud/server/blob/master/lib/private/Share20/Manager.php#L271-L275

Signed-off-by: Julius Härtl <jus@bitgrid.net>

juliusknorr · 2023-11-06T11:48:03Z

Closing as I don't have time to properly finish this

juliusknorr added 2. developing Work in progress bug labels Jul 6, 2021

juliusknorr added 3. to review Waiting for reviews feature: sharing and removed 2. developing Work in progress labels Sep 14, 2021

juliusknorr marked this pull request as ready for review September 14, 2021 17:10

juliusknorr requested review from CarlSchwan, PVince81, icewind1991 and skjnldsv September 14, 2021 17:10

juliusknorr added this to the Nextcloud 23 milestone Sep 14, 2021

PVince81 reviewed Sep 16, 2021

View reviewed changes

lib/private/Share20/Manager.php Outdated Show resolved Hide resolved

skjnldsv mentioned this pull request Oct 13, 2021

23.0.0 beta 1 #29202

Merged

skjnldsv modified the milestones: Nextcloud 23, Nextcloud 24 Oct 15, 2021

juliusknorr force-pushed the bugfix/noid/check-reshare-permission-mountpoint branch from 627640e to 09a6305 Compare October 20, 2021 14:13

skjnldsv approved these changes Oct 20, 2021

View reviewed changes

juliusknorr added 2. developing Work in progress and removed 3. to review Waiting for reviews labels Oct 20, 2021

juliusknorr added 3 commits October 28, 2021 11:54

Validate reshare permissions against actual path that the user tries …

b5bf60f

…to share Otherwise this could lead to taking the wrong user mount in case there are multiple ones with different permissions that the user could use to reshare Signed-off-by: Julius Härtl <jus@bitgrid.net>

Fix tests to use the proper node of the user creating the share

70845cf

Signed-off-by: Julius Härtl <jus@bitgrid.net>

Add test case

62f507e

Signed-off-by: Julius Härtl <jus@bitgrid.net>

juliusknorr force-pushed the bugfix/noid/check-reshare-permission-mountpoint branch from 8d8664e to 20fc6a7 Compare October 28, 2021 09:55

Match against share target and node path

a6c557c

Signed-off-by: Julius Härtl <jus@bitgrid.net>

juliusknorr force-pushed the bugfix/noid/check-reshare-permission-mountpoint branch from 20fc6a7 to a6c557c Compare October 28, 2021 10:50

blizzz mentioned this pull request Apr 13, 2022

24.0.0 RC1 #31962

Merged

blizzz modified the milestones: Nextcloud 24, Nextcloud 25 Apr 21, 2022

This was referenced Aug 12, 2022

25.0.0 beta 1 #33505

Merged

25.0.0 beta 2 #33592

Merged

This was referenced Aug 24, 2022

25.0.0 beta 3 #33674

Merged

25.0.0 beta 4 #33762

Merged

This was referenced Sep 6, 2022

25.0.0 beta 5 #33913

Merged

25.0.0 beta 6 #34002

Merged

skjnldsv mentioned this pull request Sep 15, 2022

25.0.0 beta 7 #34095

Merged

This was referenced Sep 20, 2022

25.0.0 beta 8 #34164

Closed

25.0.0 RC 1 #34185

Merged

blizzz modified the milestones: Nextcloud 25, Nextcloud 26 Sep 22, 2022

This comment was marked as abuse.

Sign in to view

blizzz mentioned this pull request Feb 1, 2023

26.0.0 beta 2 #36484

Merged

skjnldsv mentioned this pull request Feb 23, 2023

26.0.0 beta 5 #36834

Merged

blizzz mentioned this pull request Mar 7, 2023

26.0.0 RC2 #37078

Merged

blizzz modified the milestones: Nextcloud 26, Nextcloud 27 Mar 9, 2023

This was referenced May 3, 2023

27.0.0 beta 1 #38038

Merged

27.0.0 beta 2 #38137

Closed

27.0.0 beta 2 #38139

Merged

blizzz mentioned this pull request May 17, 2023

27.0.0 RC1 #38341

Merged

blizzz modified the milestones: Nextcloud 27, Nextcloud 28 May 23, 2023

skjnldsv mentioned this pull request Nov 1, 2023

chore: 28.0.0 beta 1 #41228

Merged

juliusknorr closed this Nov 6, 2023

nickvergessen deleted the bugfix/noid/check-reshare-permission-mountpoint branch November 6, 2023 13:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Validate reshare permissions against actual path that the user tries to share#27820

Validate reshare permissions against actual path that the user tries to share#27820
juliusknorr wants to merge 4 commits intomasterfrom
bugfix/noid/check-reshare-permission-mountpoint

juliusknorr commented Jul 6, 2021

Uh oh!

juliusknorr commented Jul 6, 2021 •

edited

Loading

Uh oh!

juliusknorr commented Sep 14, 2021

Uh oh!

Uh oh!

nickvergessen commented Sep 28, 2021

Uh oh!

juliusknorr commented Oct 20, 2021

Uh oh!

juliusknorr commented Oct 28, 2021

Uh oh!

This comment was marked as abuse.

juliusknorr commented Nov 6, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Uh oh!

Conversation

juliusknorr commented Jul 6, 2021

Uh oh!

juliusknorr commented Jul 6, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

juliusknorr commented Sep 14, 2021

Uh oh!

Uh oh!

nickvergessen commented Sep 28, 2021

Uh oh!

juliusknorr commented Oct 20, 2021

Uh oh!

juliusknorr commented Oct 28, 2021

Uh oh!

This comment was marked as abuse.

juliusknorr commented Nov 6, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

juliusknorr commented Jul 6, 2021 •

edited

Loading