nextcloud / richdocuments

📑 Collabora Online for Nextcloud
https://nextcloud.com/collaboraonline

"Save As" from CODE in link-shared folder can save in the folder of the user who created the share. #3830

Open A-Aurel opened 3 months ago

A-Aurel commented 3 months ago

Describe the bug
When a guest "Saves as", the guest can save in the folder of the user who created the share.

To Reproduce
Steps to reproduce the behavior:

1. USER creates a folder and shares a link with write access.
2. GUEST enters the folder, creates an OpenDocument sheet, and opens it via the Nextcloud Richdocuments app, with CODE.
3. GUEST "Saves as" (or "Exports") to /File.ods.

Expected behavior
The "/" is related to the files of USER, not to the share. GUEST should be restricted to writing in the shared folder only.

Screenshots
N/A

Client details:

Server details

Operating system: Fedora

Web server: Apache

Database: Mariadb

PHP version: 8.3.8

Nextcloud version: 29.0.3

Version of the richdocuments app 8.4.3

Version of Collabora Online COOLWSD version: 24.04.4.2 git hash: fbf97e9 (E)

Configuration of the richdocuments app

{
    "apps": {
        "richdocuments": {
            "canonical_webroot": "",
            "disable_certificate_verification": "",
            "enabled": "yes",
            "external_apps": "",
            "installed_version": "8.4.3",
            "public_wopi_url": "https:\/\/office.xxx.xxx:443",
            "types": "prevent_group_restriction",
            "wopi_allowlist": "10.88.0.0\/16",
            "wopi_url": "https:\/\/office.xxx.xxx:443"
        }
    }
}

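As an added illustration, not code from the richdocuments project (the paths are constructed and the layout is hypothetical), the difference between resolving a link guest's Save As target against the sharer's root, as the report describes, and confining it to the share root, as the expected behaviour requires:

```python
import posixpath

# Constructed sample values; real Nextcloud storage paths differ.
SHARER_ROOT = "/files/user"          # USER's own files (hypothetical layout)
SHARE_ROOT = "/files/user/shared"    # the link-shared folder inside it


class SaveOutsideShareError(ValueError):
    """Raised when a Save As / Export target would land outside the share."""


def resolve_buggy(target: str) -> str:
    """Behaviour described in the report: the guest's leading '/' is taken to
    mean the sharer's root, so '/File.ods' lands next to USER's private files."""
    return posixpath.normpath(posixpath.join(SHARER_ROOT, target.lstrip("/")))


def resolve_confined(target: str, share_root: str = SHARE_ROOT) -> str:
    """Expected behaviour: the guest's '/' means the share root, and any
    target that would escape it ('..' segments, the root itself, an empty
    name) is rejected before anything is written."""
    relative = target.lstrip("/")
    if not relative:
        raise SaveOutsideShareError("empty target name")
    # Collapse '.' and '..' segments first, then check containment on the
    # normalized result rather than on the raw string.
    resolved = posixpath.normpath(posixpath.join(share_root, relative))
    root = share_root.rstrip("/")
    if not resolved.startswith(root + "/"):
        raise SaveOutsideShareError(f"{target!r} escapes {share_root!r}")
    return resolved


def is_inside_share(path: str, share_root: str = SHARE_ROOT) -> bool:
    """True when an already-resolved path sits inside the share root."""
    root = share_root.rstrip("/")
    return path == root or path.startswith(root + "/")


def is_rejected(target: str) -> bool:
    """Does the confined resolver refuse this target?"""
    try:
        resolve_confined(target)
    except SaveOutsideShareError:
        return True
    return False
```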
joshtrichards commented 3 months ago

https://github.com/nextcloud/richdocuments?tab=security-ov-file#readme

A-Aurel commented 3 months ago

Hello,

Thanks for reading and trying to reproduce.

I did retry, with the same behavior. Perhaps I was not clear enough: I share the folder as a link to a person who does not have an account. So per se, there is no GUEST root folder, just access through the web interface to the USER's /shared folder. Is it what you did, or did GUEST have an account?

Since one could not override existing files, I did not report it as security, but I guess one GUEST can mess up the folders of the sharing user and that can be some deal.

Do you recommend I report it as a security thing?

Thanks, Regards

On Sun, 21 Jul 2024 at 17:35, Josh @.***> wrote:

For what it's worth, I cannot reproduce this behavior so far. As the share receiver, I use Save as (or Export) and save to /blah.odt. This file ends up in the root of the share receiver (guest in your example). The file does not appear in the share sender (user in your example) account.


joshtrichards commented 3 months ago

Yes, please report it there. Thanks! :+1: