Comments (5)
Dictionary attacks would become a concern, yes. Token enumeration is already possible if highly unlikely, although I assume the endpoint is brute force protected, so it's expensive and time consuming.
Could also lead to token leaks as two identical tokens aren't possible, so a (guest) user might try creating shares at random to guess at other tokens. If we add the userId to the token, that could work as a preventative measure so each token only needs to be unique to each user space. The token controller will need to first check the userId against the logged-in user so somebody can't fake the userId in a request and try collision-based guessing that way, but then the benefit of having a custom token is minimized.
If we do this, I'd recommend enforcing a password.
I'd also suggest a minimum length for the token. Not great if the user chooses something really short.
In short, there are definitely some risks to this, and I can't really see the benefits. Maybe a link shortener integration could be a viable alternative?
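The collision-based guessing described in this comment, and the proposed countermeasure of scoping tokens to the owner's user space with the userId taken from the session rather than the request, as an added example that is not code from Nextcloud or from the commenter. It assumes the share path layouts /s/<token> and /s/<uid>/<token>, a minimum token length of 8 and a 15-character random token; all three are illustrative choices, not project defaults.

```python
"""Added example, not Nextcloud code: a globally unique custom share token lets
anyone with share-creation rights probe for other people's links, while a token
scoped to the owner's user space (owner taken from the session) does not.
Paths, the minimum length and the random-token length are assumptions."""
import secrets
import string

MIN_TOKEN_LENGTH = 8                                   # assumed minimum, not a Nextcloud value
TOKEN_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


class TokenCollision(ValueError):
    """Raised when the requested token is already in use in the relevant namespace."""


def random_token(length=15):
    """Baseline: an unguessable random token (length 15 is an assumption)."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


def expected_guesses(alphabet_size, length):
    """Average blind guesses to hit one specific token: a dictionary name drawn
    from a few thousand candidates falls after a few thousand tries, a random
    15-character token only after roughly 62**15 / 2."""
    return alphabet_size ** length // 2


def _check_length(token):
    if len(token) < MIN_TOKEN_LENGTH:
        raise ValueError(f"token shorter than {MIN_TOKEN_LENGTH} characters")


class GlobalTokenStore:
    """Tokens unique across the whole instance: a rejected create tells the
    caller that someone else's link with that name exists (an existence oracle)."""

    def __init__(self):
        self.shares = {}  # token -> owner uid

    def create(self, session_uid, token):
        _check_length(token)
        if token in self.shares:
            raise TokenCollision("token already taken by another share")
        self.shares[token] = session_uid
        return f"/s/{token}"

    def resolve(self, path):
        return self.shares.get(path.removeprefix("/s/"))


class UserScopedTokenStore:
    """Tokens unique only within the owner's space. The owner is always the
    logged-in user; a userId supplied in the request is accepted only if it
    matches, so a caller cannot aim a collision at someone else's space."""

    def __init__(self):
        self.shares = {}  # (owner uid, token) -> owner uid

    def create(self, session_uid, token, requested_uid=None):
        if requested_uid is not None and requested_uid != session_uid:
            raise PermissionError("userId in request does not match logged-in user")
        _check_length(token)
        key = (session_uid, token)
        if key in self.shares:
            raise TokenCollision("token already used in your own share space")
        self.shares[key] = session_uid
        return f"/s/{session_uid}/{token}"

    def resolve(self, path):
        owner, _, token = path.removeprefix("/s/").partition("/")
        if not token:
            return None
        return self.shares.get((owner, token))


def probe_for_existence(store, attacker_uid, guess):
    """Attacker's view: does trying to create `guess` reveal that the link exists?"""
    try:
        store.create(attacker_uid, guess)
    except TokenCollision:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: alice names a link, mallory (a guest) guesses the name.
    g = GlobalTokenStore()
    g.create("alice", "quarterly-report")
    print("global store leaks:", probe_for_existence(g, "mallory", "quarterly-report"))
    s = UserScopedTokenStore()
    s.create("alice", "quarterly-report")
    print("scoped store leaks:", probe_for_existence(s, "mallory", "quarterly-report"))
```

The scoped store removes the oracle only because the namespace is fixed by the session: if the controller trusted a userId from the request body, an attacker could pick alice's namespace and run the same probe there, which is the check the comment says the token controller must do first. The guess-count helper is there to make the comparison concrete: a short memorable name is a dictionary lookup, the random token is not.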
So should this be a separate app so that it can be removed during building the enterprise archive?
@szaimen yes.
Ideally we adapt and include https://apps.nextcloud.com/apps/cfg_share_links or https://apps.nextcloud.com/apps/sharerenamer in the community edition.
@miaulalala could you give a security opinion on that feature?
> could be a security issue. Mitigations:
>
> add a warning?

A warning is fine, yes. When you want to give a name, you want it to be more easily visible.

> optionally enforce password protection?

Optional if at all, but again, the point of giving a simple share name is the ability to remember. If you then have to remember a separate password it defeats the purpose and you might as well have pasted the complicated link.

> enforce a minimum set of dictionary words? (minimal 2, optionally configurable?)

Straight no on that one. Again, if you change the name you want it to be simple. :)