Security Issue on the External Storage Configuration Path #10100

Closed
ASmith- opened this issue Jul 3, 2018 · 5 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap feature: external storage feature: sharing

Comments

@ASmith- commented Jul 3, 2018

Security Issue on the External Storage Configuration Path

It was suggested by others (mods and users) in the snap-nextcloud issues to re-post this Nextcloud security issue here from the snap-nextcloud GitHub issues site, which I just closed moments ago and which is found here: nextcloud-snap/nextcloud-snap#626

To recap, the current External Storage configuration path for a locally mounted hard drive must be stated explicitly, unless the Nextcloud administrator wants to share all the files on that locally mounted hard drive inside the virtually named external storage folder.

If the Nextcloud administrator uses the routine implied path, falsely thinking the virtual folder name is identical to the folder they want to share on that locally mounted hard drive, all folders and all files on that entire local hard drive are tucked into the virtually named external storage folder and marked as sharable, regardless of whether those folders and files were given adequate permissions to be shared and regardless of the administrator's lack of any intention to do so.

Complicating this issue, the External Storage green A-OK icon is shown, masking that a dangerous problem has occurred, and many Nextcloud administrators could easily be lulled into a false sense that everything looks alright. Further digging through the new shared folder would soon reveal it is far from A-OK.

Rather than repost the screenshots and further examples, findings, tests and proofs on this security issue, readers, developers and those who can include my two suggested solutions can review them at the above snap-nextcloud issues address: nextcloud-snap/nextcloud-snap#626

Suggestions to the upstream Nextcloud developers

  1. Add a bubble text if an administrator leaves out the folder name in the configuration field, asking them if they really want to share all the folders and files on that selected hard drive inside a single folder (Yes/No).

  2. If any External Storage shared parent folder or sub-folder does not have the exact required permissions set, do not display a green icon telling Nextcloud administrators they are correctly set. Add code to test that all of the permissions on all the designated External Storage shared folders and files are in fact correct prior to displaying the green icon telling Nextcloud administrators that the shared External Storage folder has the correct permissions properly set.

Thanks for your attention and consideration on this issue.
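The two checks proposed above, as an added example that is neither part of this issue nor Nextcloud's own code: an audit script that flags a local external-storage datadir that is a filesystem root or mount point (the whole-disk exposure described in the report) and walks the configured directory to list entries the server account cannot read, rather than trusting the green icon. The mount record fields (`mount_point`, `storage`, `configuration.datadir`) are an assumption loosely modelled on the JSON output of `occ files_external:list`; adapt them to your own export. The sample directory tree and mount list are constructed inside the script.

```python
"""Audit Nextcloud 'local' external-storage mounts before trusting the green icon.

Check 1: a datadir that is '/' or a mount point exposes an entire volume under
         the virtual folder name, so flag it and let the admin confirm intent.
Check 2: walk the datadir and report every entry the current user cannot read,
         instead of assuming the mount is fine because it opened.
The mount record shape below is an assumption (not Nextcloud's schema).
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    mount_point: str   # virtual folder name shown in Nextcloud
    code: str          # "whole-volume", "missing" or "unreadable"
    detail: str


def exposes_whole_volume(datadir: str) -> bool:
    """True if the configured path is '/' or a mount point, i.e. a whole disk."""
    real = os.path.realpath(datadir)
    return real == os.sep or os.path.ismount(real)


def unreadable_entries(datadir: str) -> list:
    """Every file or directory under datadir that the current user cannot read."""
    bad = []

    def on_error(err):  # os.walk skips unreadable directories silently otherwise
        bad.append(err.filename)

    for root, dirs, files in os.walk(datadir, onerror=on_error):
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.access(path, os.R_OK):
                bad.append(path)
    return bad


def audit_local_mounts(mounts: list) -> list:
    """Return a list of Finding objects for the 'local' mounts in `mounts`."""
    findings = []
    for m in mounts:
        if m.get("storage") != "local":
            continue
        mp = m["mount_point"]
        datadir = m["configuration"]["datadir"]
        if exposes_whole_volume(datadir):
            findings.append(Finding(mp, "whole-volume",
                            f"{datadir} is an entire volume; every folder on it appears under {mp}"))
            continue  # never walk a whole disk; the admin must confirm intent first
        if not os.path.isdir(datadir):
            findings.append(Finding(mp, "missing", f"{datadir} does not exist"))
            continue
        for path in unreadable_entries(datadir):
            findings.append(Finding(mp, "unreadable", path))
    return findings


def is_superuser() -> bool:
    """root bypasses mode bits, so the unreadable check is only meaningful otherwise."""
    return os.geteuid() == 0


def build_sample_tree() -> str:
    """Constructed fixture: a readable docs folder containing one mode-000 file."""
    base = tempfile.mkdtemp(prefix="ext-storage-demo-")
    docs = os.path.join(base, "docs")
    os.mkdir(docs)
    with open(os.path.join(docs, "readme.txt"), "w") as fh:
        fh.write("public\n")
    secret = os.path.join(docs, "private.key")
    with open(secret, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(secret, 0)
    return base


def sample_mounts(base: str) -> list:
    """Constructed mount list: a whole-disk mistake, a sane mount and a typo'd path."""
    return [
        {"mount_point": "/WholeDisk", "storage": "local", "configuration": {"datadir": "/"}},
        {"mount_point": "/Docs", "storage": "local",
         "configuration": {"datadir": os.path.join(base, "docs")}},
        {"mount_point": "/Missing", "storage": "local",
         "configuration": {"datadir": os.path.join(base, "nope")}},
    ]


def run_demo() -> list:
    return audit_local_mounts(sample_mounts(build_sample_tree()))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.mount_point:12} {f.code:13} {f.detail}")
```

Run it as the same system account the web server uses (for example `sudo -u www-data python3 audit.py`), otherwise the readability results reflect your own permissions rather than Nextcloud's. The whole-volume case is reported without walking it on purpose: a walk of `/` would take a long time and the point is to make the administrator confirm that sharing the entire disk is intended.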

@nextcloud-bot (Member) commented

GitMate.io thinks possibly related issues are #4730 (Storage), #3789 (External storage), #6529 (External storage issue), #6227 (Wrong link? or No configuration for External storage), and #3720 (Issues with External Nextcloud Storage).

@rullzer (Member) commented Jul 4, 2018

@icewind1991 please have a look

@nickvergessen (Member) commented

@ASmith- in the future please use our Hacker1 Project to report security issues in a responsible way.

@icewind1991 (Member) commented

This is not a security issue; this is at most a case of the UI not being fully clear.

The configured path for local storages being the exact path that is mounted in Nextcloud seems the expected behaviour to me.
The mount showing green when not all permissions are valid is correct behaviour, since there are use cases where Nextcloud not having write/read permissions to (some of) the folders is desired.

@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Aug 20, 2020
@szaimen (Contributor) commented Jun 9, 2021

Based on icewind1991's comment I am closing this since it is working as expected.

@szaimen szaimen closed this as completed Jun 9, 2021