mail-enumeration-leak.patch 2.13 KiB
diff --git a/lib/Service/ContactsIntegration.php b/lib/Service/ContactsIntegration.php
index 1ad9db44d..a8f8b0aea 100644
--- a/lib/Service/ContactsIntegration.php
+++ b/lib/Service/ContactsIntegration.php
@@ -26,17 +26,30 @@ namespace OCA\Mail\Service;
 
 use OCP\Contacts\IManager;
 use OCP\IConfig;
+use OCP\IGroupManager;
+use OCP\IUserSession;
 
 class ContactsIntegration {
 
 	/** @var IManager */
 	private $contactsManager;
 
+	/** @var IGroupManager */
+	private $groupManager;
+
 	/** @var IConfig */
 	private $config;
 
-	public function __construct(IManager $contactsManager, IConfig $config) {
+	/** @var IUserSession */
+	private $userSession;
+
+	public function __construct(IManager $contactsManager, 
+								IGroupManager $groupManager,
+								IUserSession $userSession,
+								IConfig $config) {
 		$this->contactsManager = $contactsManager;
+		$this->groupManager = $groupManager;
+		$this->userSession = $userSession;
 		$this->config = $config;
 	}
 
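Review bot: The two new required constructor parameters are inserted between `$contactsManager` and `$config`, so any code that constructs `ContactsIntegration` positionally (unit tests are the usual case) would now pass an `IConfig` where an `IGroupManager` is expected. The patch as shown touches only this file, so if such call sites exist they need the same update. There is also trailing whitespace after `IManager $contactsManager,` on the first line of the new signature.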
@@ -54,12 +67,28 @@ class ContactsIntegration {
 		// If 'Allow username autocompletion in share dialog' is disabled in the admin sharing settings, then we must not
 		// auto-complete system users
 		$allowSystemUsers = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'no') === 'yes';
+		$allowSystemUsersInGroupOnly = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_group', 'no') === 'yes';
 
 		$result = $this->contactsManager->search($term, ['FN', 'EMAIL']);
 		$receivers = [];
 		foreach ($result as $r) {
-			if (!$allowSystemUsers && isset($r['isLocalSystemBook']) && $r['isLocalSystemBook']) {
-				continue;
+			if (isset($r['isLocalSystemBook']) && $r['isLocalSystemBook']) {
+				if (!$allowSystemUsers) {
+					continue;
+				}
+				if ($allowSystemUsersInGroupOnly) {
+					$userGroups = $this->groupManager->getUserGroupIds($this->userSession->getUser());
+					$found = false;
+					foreach ($userGroups as $userGroup) {
+						if ($this->groupManager->isInGroup($r['UID'], $userGroup)) {
+							$found = true;
+							break;
+						}
+					}
+					if (!$found) {
+						continue;
+					}
+				}
 			}
 
 			$id = $r['UID'];
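Review bot: The group-restricted branch passes `$this->userSession->getUser()` straight into `getUserGroupIds()`, but `getUser()` can return null when there is no user session, and the lookup is repeated for every system-book result although it does not depend on `$r`. Resolving the current user's groups once before the `foreach`, and treating a missing user as an empty group list, keeps the filter failing closed (no system users are suggested) rather than erroring mid-request. `$r['UID']` is also read without an `isset` check, and the code assumes the system address book UID is the user id that `isInGroup()` expects; that looks plausible for the local system book but should be confirmed. The enclosing method starts and ends outside the hunk.

```php
$allowSystemUsersInGroupOnly = $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_to_group', 'no') === 'yes';

// Resolve the caller's groups once; no session user means no shared groups,
// so every system-book entry is filtered out below.
$currentUser = $this->userSession->getUser();
$userGroups = ($allowSystemUsersInGroupOnly && $currentUser !== null)
	? $this->groupManager->getUserGroupIds($currentUser)
	: [];

// … unchanged: search() call, $receivers, and the foreach body, minus the in-loop $userGroups assignment …
```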