Note: We should hide it as an exception to the RFC, which says:
14.17. owner XML Element
Name: owner
Purpose: Holds client-supplied information about the creator of a lock.
Description: Allows a client to provide information sufficient for either directly contacting a principal (such as a telephone number or Email URI), or for discovering the principal (such as the URL of a homepage) who created a lock. The value provided MUST be treated as a dead property in terms of XML Information Item preservation. The server MUST NOT alter the value unless the owner value provided by the client is empty.
GitMate.io thinks possibly related issues are #21598 (Public share fails when master key is enabled), #11951 (Emit activity when sending a share email), #2846 (Slow PROPFIND on Shared folders), #5719 (sending share email link fails), and #18450 (PROPFIND on federated share takes long).
Note: this will also leak display name (if set to something interesting) and/or username (which often reflects the real name of the user).
Probably just do not supply this owner field when the propfind is from "the public"
Steps to reproduce
curl -u CZDxBNptzQTw9jV: -X PROPFIND http://10.40.40.222:9681/public.php/webdav/ -d "<?xml version='1.0' encoding='UTF-8'?> <d:propfind xmlns:d='DAV:'> <d:prop><d:lockdiscovery/></d:prop> </d:propfind>" | xmllint --format -
Expected behaviour
The owner's email should not be shown in the response
Actual behaviour
The email is leaked
Logs
ownCloud log (data/owncloud.log)
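The mitigation proposed above (withhold the lock owner when the PROPFIND arrives through a public share link), written out as an added Python example; this is not ownCloud's code, and the lockdiscovery multistatus response it works on is constructed for the example.

```python
import xml.etree.ElementTree as ET

DAV_NS = "DAV:"
ET.register_namespace("d", DAV_NS)

# Constructed sample: a lockdiscovery response of the kind the PROPFIND above
# returns; the owner value embeds the lock creator's mail URI.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>/public.php/webdav/</d:href>
    <d:propstat>
      <d:prop>
        <d:lockdiscovery>
          <d:activelock>
            <d:depth>infinity</d:depth>
            <d:owner><d:href>mailto:alice@example.org</d:href></d:owner>
            <d:timeout>Second-3600</d:timeout>
            <d:locktoken><d:href>opaquelocktoken:constructed-token-1</d:href></d:locktoken>
          </d:activelock>
        </d:lockdiscovery>
      </d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>"""


def lock_owner_values(multistatus_xml: bytes) -> list:
    """Collect the text of every d:owner (element text plus nested hrefs)."""
    root = ET.fromstring(multistatus_xml)
    values = []
    for owner in root.iter(f"{{{DAV_NS}}}owner"):
        values.append("".join(owner.itertext()).strip())
    return values


def redact_lock_owners(multistatus_xml: bytes, public_request: bool) -> bytes:
    """Server-side filter: when the request came in over a public share link
    (no authenticated principal), empty every d:owner before the body leaves.
    Authenticated requests keep the client-supplied value, as the RFC requires."""
    if not public_request:
        return multistatus_xml
    root = ET.fromstring(multistatus_xml)
    for owner in root.iter(f"{{{DAV_NS}}}owner"):
        owner.text = None
        for child in list(owner):
            owner.remove(child)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)
```

The lock token and timeout survive the filter, so a public client can still see that the resource is locked without learning who locked it.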