Merge pull request #30245 from nextcloud/backport/30156/stable23

MichaIng · web-flow · commit 66e464a407bb · 2021-12-13T15:19:36.000+01:00
[stable23] Only wildcard search if enumeration is allowed
diff --git a/apps/dav/lib/CardDAV/AddressBookImpl.php b/apps/dav/lib/CardDAV/AddressBookImpl.php
@@ -107,6 +107,8 @@ public function getDisplayName() {
 	 * 	- 'escape_like_param' - If set to false wildcards _ and % are not escaped
 	 * 	- 'limit' - Set a numeric limit for the search results
 	 * 	- 'offset' - Set the offset for the limited search results
+	 * 	- 'wildcard' - Whether the search should use wildcards
+	 * @psalm-param array{types?: bool, escape_like_param?: bool, limit?: int, offset?: int, wildcard?: bool} $options
 	 * @return array an array of contacts which are arrays of key-value-pairs
 	 *  example result:
 	 *  [
diff --git a/apps/dav/lib/CardDAV/CardDavBackend.php b/apps/dav/lib/CardDAV/CardDavBackend.php
@@ -1024,6 +1024,8 @@ public function updateShares(IShareable $shareable, $add, $remove) {
 	 *    - 'escape_like_param' - If set to false wildcards _ and % are not escaped, otherwise they are
 	 *    - 'limit' - Set a numeric limit for the search results
 	 *    - 'offset' - Set the offset for the limited search results
+	 *    - 'wildcard' - Whether the search should use wildcards
+	 * @psalm-param array{escape_like_param?: bool, limit?: int, offset?: int, wildcard?: bool} $options
 	 * @return array an array of contacts which are arrays of key-value-pairs
 	 */
 	public function search($addressBookId, $pattern, $searchProperties, $options = []): array {
@@ -1055,13 +1057,15 @@ public function searchPrincipalUri(string $principalUri,
 	 * @param string $pattern
 	 * @param array $searchProperties
 	 * @param array $options
+	 * @psalm-param array{types?: bool, escape_like_param?: bool, limit?: int, offset?: int, wildcard?: bool} $options
 	 * @return array
 	 */
 	private function searchByAddressBookIds(array $addressBookIds,
 											string $pattern,
 											array $searchProperties,
 											array $options = []): array {
 		$escapePattern = !\array_key_exists('escape_like_param', $options) || $options['escape_like_param'] !== false;
+		$useWildcards = !\array_key_exists('wildcard', $options) || $options['wildcard'] !== false;
 
 		$query2 = $this->db->getQueryBuilder();
 
@@ -1103,7 +1107,9 @@ private function searchByAddressBookIds(array $addressBookIds,
 
 		// No need for like when the pattern is empty
 		if ('' !== $pattern) {
-			if (!$escapePattern) {
+			if (!$useWildcards) {
+				$query2->andWhere($query2->expr()->eq('cp.value', $query2->createNamedParameter($pattern)));
+			} elseif (!$escapePattern) {
 				$query2->andWhere($query2->expr()->ilike('cp.value', $query2->createNamedParameter($pattern)));
 			} else {
 				$query2->andWhere($query2->expr()->ilike('cp.value', $query2->createNamedParameter('%' . $this->db->escapeLikeParameter($pattern) . '%')));
diff --git a/apps/federatedfilesharing/lib/Notifier.php b/apps/federatedfilesharing/lib/Notifier.php
@@ -255,7 +255,12 @@ protected function getDisplayNameFromContact($federatedCloudId) {
 			}
 		}
 
-		$addressBookEntries = $this->contactsManager->search($federatedCloudId, ['CLOUD']);
+		$addressBookEntries = $this->contactsManager->search($federatedCloudId, ['CLOUD'], [
+			'limit' => 1,
+			'enumeration' => false,
+			'fullmatch' => false,
+			'strict_search' => true,
+		]);
 		foreach ($addressBookEntries as $entry) {
 			if (isset($entry['CLOUD'])) {
 				foreach ($entry['CLOUD'] as $cloudID) {
diff --git a/apps/files/lib/Activity/Provider.php b/apps/files/lib/Activity/Provider.php
@@ -560,7 +560,12 @@ protected function getDisplayNameFromAddressBook(string $search): string {
 			return $this->displayNames[$search];
 		}
 
-		$addressBookContacts = $this->contactsManager->search($search, ['CLOUD']);
+		$addressBookContacts = $this->contactsManager->search($search, ['CLOUD'], [
+			'limit' => 1,
+			'enumeration' => false,
+			'fullmatch' => false,
+			'strict_search' => true,
+		]);
 		foreach ($addressBookContacts as $contact) {
 			if (isset($contact['isLocalSystemBook'])) {
 				continue;
diff --git a/apps/files_sharing/lib/Activity/Providers/Base.php b/apps/files_sharing/lib/Activity/Providers/Base.php
@@ -203,7 +203,12 @@ protected function getDisplayNameFromAddressBook(string $search): string {
 			return $this->displayNames[$search];
 		}
 
-		$addressBookContacts = $this->contactsManager->search($search, ['CLOUD']);
+		$addressBookContacts = $this->contactsManager->search($search, ['CLOUD'], [
+			'limit' => 1,
+			'enumeration' => false,
+			'fullmatch' => false,
+			'strict_search' => true,
+		]);
 		foreach ($addressBookContacts as $contact) {
 			if (isset($contact['isLocalSystemBook'])) {
 				continue;
diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -334,8 +334,12 @@ protected function formatShare(IShare $share, Node $recipientNode = null): array
 	 * @return string
 	 */
 	private function getDisplayNameFromAddressBook(string $query, string $property): string {
-		// FIXME: If we inject the contacts manager it gets initialized bofore any address books are registered
-		$result = \OC::$server->getContactsManager()->search($query, [$property]);
+		// FIXME: If we inject the contacts manager it gets initialized before any address books are registered
+		$result = \OC::$server->getContactsManager()->search($query, [$property], [
+			'limit' => 1,
+			'enumeration' => false,
+			'strict_search' => true,
+		]);
 		foreach ($result as $r) {
 			foreach ($r[$property] as $value) {
 				if ($value === $query && $r['FN']) {
diff --git a/apps/files_sharing/tests/Controller/ShareAPIControllerTest.php b/apps/files_sharing/tests/Controller/ShareAPIControllerTest.php
@@ -4417,7 +4417,11 @@ public function testFormatShare(array $expects, \OCP\Share\IShare $share, array
 
 		$cm->method('search')
 			->willReturnMap([
-				['user@server.com', ['CLOUD'], [],
+				['user@server.com', ['CLOUD'], [
+					'limit' => 1,
+					'enumeration' => false,
+					'strict_search' => true,
+				],
 					[
 						[
 							'CLOUD' => [
@@ -4427,7 +4431,11 @@ public function testFormatShare(array $expects, \OCP\Share\IShare $share, array
 						],
 					],
 				],
-				['user@server.com', ['EMAIL'], [],
+				['user@server.com', ['EMAIL'], [
+					'limit' => 1,
+					'enumeration' => false,
+					'strict_search' => true,
+				],
 					[
 						[
 							'EMAIL' => [
diff --git a/apps/sharebymail/lib/Activity.php b/apps/sharebymail/lib/Activity.php
@@ -362,7 +362,12 @@ protected function generateUserParameter($uid) {
 	 * @return string
 	 */
 	protected function getContactName($email) {
-		$addressBookContacts = $this->contactsManager->search($email, ['EMAIL']);
+		$addressBookContacts = $this->contactsManager->search($email, ['EMAIL'], [
+			'limit' => 1,
+			'enumeration' => false,
+			'fullmatch' => false,
+			'strict_search' => true,
+		]);
 
 		foreach ($addressBookContacts as $contact) {
 			if (isset($contact['isLocalSystemBook'])) {
diff --git a/lib/private/Collaboration/Collaborators/MailPlugin.php b/lib/private/Collaboration/Collaborators/MailPlugin.php
@@ -86,12 +86,7 @@ public function __construct(IManager $contactsManager,
 	}
 
 	/**
-	 * @param $search
-	 * @param $limit
-	 * @param $offset
-	 * @param ISearchResult $searchResult
-	 * @return bool
-	 * @since 13.0.0
+	 * {@inheritdoc}
 	 */
 	public function search($search, $limit, $offset, ISearchResult $searchResult) {
 		$currentUserId = $this->userSession->getUser()->getUID();
@@ -101,7 +96,16 @@ public function search($search, $limit, $offset, ISearchResult $searchResult) {
 		$emailType = new SearchResultType('emails');
 
 		// Search in contacts
-		$addressBookContacts = $this->contactsManager->search($search, ['EMAIL', 'FN'], ['limit' => $limit, 'offset' => $offset]);
+		$addressBookContacts = $this->contactsManager->search(
+			$search,
+			['EMAIL', 'FN'],
+			[
+				'limit' => $limit,
+				'offset' => $offset,
+				'enumeration' => (bool) $this->shareeEnumeration,
+				'fullmatch' => (bool) $this->shareeEnumerationFullMatch,
+			]
+		);
 		$lowerSearch = strtolower($search);
 		foreach ($addressBookContacts as $contact) {
 			if (isset($contact['EMAIL'])) {
diff --git a/lib/private/Collaboration/Collaborators/RemotePlugin.php b/lib/private/Collaboration/Collaborators/RemotePlugin.php
@@ -67,7 +67,12 @@ public function search($search, $limit, $offset, ISearchResult $searchResult) {
 		$resultType = new SearchResultType('remotes');
 
 		// Search in contacts
-		$addressBookContacts = $this->contactsManager->search($search, ['CLOUD', 'FN'], ['limit' => $limit, 'offset' => $offset]);
+		$addressBookContacts = $this->contactsManager->search($search, ['CLOUD', 'FN'], [
+			'limit' => $limit,
+			'offset' => $offset,
+			'enumeration' => false,
+			'fullmatch' => false,
+		]);
 		foreach ($addressBookContacts as $contact) {
 			if (isset($contact['isLocalSystemBook'])) {
 				continue;
diff --git a/lib/private/Contacts/ContactsMenu/ContactsStore.php b/lib/private/Contacts/ContactsMenu/ContactsStore.php
@@ -96,7 +96,10 @@ public function __construct(
 	 * @return IEntry[]
 	 */
 	public function getContacts(IUser $user, $filter, ?int $limit = null, ?int $offset = null) {
-		$options = [];
+		$options = [
+			'enumeration' => $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes',
+			'fullmatch' => $this->config->getAppValue('core', 'shareapi_restrict_user_enumeration_full_match', 'yes') === 'yes',
+		];
 		if ($limit !== null) {
 			$options['limit'] = $limit;
 		}
@@ -270,7 +273,9 @@ public function findOne(IUser $user, $shareType, $shareWith) {
 				return null;
 		}
 
-		$contacts = $this->contactsManager->search($shareWith, $filter);
+		$contacts = $this->contactsManager->search($shareWith, $filter, [
+			'strict_search' => true,
+		]);
 		$match = null;
 
 		foreach ($contacts as $contact) {
diff --git a/lib/private/ContactsManager.php b/lib/private/ContactsManager.php
@@ -42,13 +42,35 @@ class ContactsManager implements IManager {
 	 * 	- 'escape_like_param' - If set to false wildcards _ and % are not escaped
 	 * 	- 'limit' - Set a numeric limit for the search results
 	 * 	- 'offset' - Set the offset for the limited search results
+	 * 	- 'enumeration' - (since 23.0.0) Whether user enumeration on system address book is allowed
+	 * 	- 'fullmatch' - (since 23.0.0) Whether matching on full detail in system address book is allowed
+	 * 	- 'strict_search' - (since 23.0.0) Whether the search pattern is full string or partial search
+	 * @psalm-param array{escape_like_param?: bool, limit?: int, offset?: int, enumeration?: bool, fullmatch?: bool, strict_search?: bool} $options
 	 * @return array an array of contacts which are arrays of key-value-pairs
 	 */
 	public function search($pattern, $searchProperties = [], $options = []) {
 		$this->loadAddressBooks();
 		$result = [];
 		foreach ($this->addressBooks as $addressBook) {
-			$r = $addressBook->search($pattern, $searchProperties, $options);
+			$searchOptions = $options;
+			$strictSearch = array_key_exists('strict_search', $options) && $options['strict_search'] === true;
+
+			if ($addressBook->isSystemAddressBook()) {
+				$fullMatch = !\array_key_exists('fullmatch', $options) || $options['fullmatch'] !== false;
+				if (!$fullMatch) {
+					// Neither full match is allowed, so skip the system address book
+					continue;
+				}
+				if ($strictSearch) {
+					$searchOptions['wildcard'] = false;
+				} else {
+					$searchOptions['wildcard'] = !\array_key_exists('enumeration', $options) || $options['enumeration'] !== false;
+				}
+			} else {
+				$searchOptions['wildcard'] = !$strictSearch;
+			}
+
+			$r = $addressBook->search($pattern, $searchProperties, $searchOptions);
 			$contacts = [];
 			foreach ($r as $c) {
 				$c['addressbook-key'] = $addressBook->getKey();
diff --git a/lib/private/Federation/CloudIdManager.php b/lib/private/Federation/CloudIdManager.php
@@ -90,7 +90,12 @@ public function resolveCloudId(string $cloudId): ICloudId {
 	}
 
 	protected function getDisplayNameFromContact(string $cloudId): ?string {
-		$addressBookEntries = $this->contactsManager->search($cloudId, ['CLOUD']);
+		$addressBookEntries = $this->contactsManager->search($cloudId, ['CLOUD'], [
+			'limit' => 1,
+			'enumeration' => false,
+			'fullmatch' => false,
+			'strict_search' => true,
+		]);
 		foreach ($addressBookEntries as $entry) {
 			if (isset($entry['CLOUD'])) {
 				foreach ($entry['CLOUD'] as $cloudID) {
diff --git a/lib/private/Share/Share.php b/lib/private/Share/Share.php
@@ -593,7 +593,12 @@ public static function getItems($itemType, $item = null, $shareType = null, $sha
 				$row['share_with_displayname'] = $shareWithUser === null ? $row['share_with'] : $shareWithUser->getDisplayName();
 			} elseif (isset($row['share_with']) && $row['share_with'] != '' &&
 				$row['share_type'] === IShare::TYPE_REMOTE) {
-				$addressBookEntries = \OC::$server->getContactsManager()->search($row['share_with'], ['CLOUD']);
+				$addressBookEntries = \OC::$server->getContactsManager()->search($row['share_with'], ['CLOUD'], [
+					'limit' => 1,
+					'enumeration' => false,
+					'fullmatch' => false,
+					'strict_search' => true,
+				]);
 				foreach ($addressBookEntries as $entry) {
 					foreach ($entry['CLOUD'] as $cloudID) {
 						if ($cloudID === $row['share_with']) {
diff --git a/lib/public/Contacts/IManager.php b/lib/public/Contacts/IManager.php
@@ -93,6 +93,10 @@ interface IManager {
 	 * 	- 'escape_like_param' - If set to false wildcards _ and % are not escaped
 	 * 	- 'limit' - Set a numeric limit for the search results
 	 * 	- 'offset' - Set the offset for the limited search results
+	 * 	- 'enumeration' - (since 23.0.0) Whether user enumeration on system address book is allowed
+	 * 	- 'fullmatch' - (since 23.0.0) Whether matching on full detail in system addresss book is allowed
+	 * 	- 'strict_search' - (since 23.0.0) Whether the search pattern is full string or partial search
+	 * @psalm-param array{escape_like_param?: bool, limit?: int, offset?: int, enumeration?: bool, fullmatch?: bool, strict_search?: bool} $options
 	 * @return array an array of contacts which are arrays of key-value-pairs
 	 * @since 6.0.0
 	 */
diff --git a/lib/public/IAddressBook.php b/lib/public/IAddressBook.php
@@ -67,6 +67,8 @@ public function getDisplayName();
 		 * 	- 'escape_like_param' - If set to false wildcards _ and % are not escaped
 		 * 	- 'limit' - Set a numeric limit for the search results
 		 * 	- 'offset' - Set the offset for the limited search results
+		 * 	- 'wildcard' - (since 23.0.0) Whether the search should use wildcards
+		 * @psalm-param array{types?: bool, escape_like_param?: bool, limit?: int, offset?: int, wildcard?: bool} $options
 		 * @return array an array of contacts which are arrays of key-value-pairs
 		 *  example result:
 		 *  [

Original file line number	Diff line number	Diff line change
`@@ -255,7 +255,12 @@ protected function getDisplayNameFromContact($federatedCloudId) {`
`255`	`255`	`}`
`256`	`256`	`}`
`257`	`257`
`258`		`- $addressBookEntries = $this->contactsManager->search($federatedCloudId, ['CLOUD']);`
	`258`	`+ $addressBookEntries = $this->contactsManager->search($federatedCloudId, ['CLOUD'], [`
	`259`	`+ 'limit' => 1,`
	`260`	`+ 'enumeration' => false,`
	`261`	`+ 'fullmatch' => false,`
	`262`	`+ 'strict_search' => true,`
	`263`	`+ ]);`
`259`	`264`	`foreach ($addressBookEntries as $entry) {`
`260`	`265`	`if (isset($entry['CLOUD'])) {`
`261`	`266`	`foreach ($entry['CLOUD'] as $cloudID) {`
Original file line number	Diff line number	Diff line change
`@@ -4417,7 +4417,11 @@ public function testFormatShare(array $expects, \OCP\Share\IShare $share, array`
`4417`	`4417`
`4418`	`4418`	`$cm->method('search')`
`4419`	`4419`	`->willReturnMap([`
`4420`		`- ['user@server.com', ['CLOUD'], [],`
	`4420`	`+ ['user@server.com', ['CLOUD'], [`
	`4421`	`+ 'limit' => 1,`
	`4422`	`+ 'enumeration' => false,`
	`4423`	`+ 'strict_search' => true,`
	`4424`	`+ ],`
`4421`	`4425`	`[`
`4422`	`4426`	`[`
`4423`	`4427`	`'CLOUD' => [`
`@@ -4427,7 +4431,11 @@ public function testFormatShare(array $expects, \OCP\Share\IShare $share, array`
`4427`	`4431`	`],`
`4428`	`4432`	`],`
`4429`	`4433`	`],`
`4430`		`- ['user@server.com', ['EMAIL'], [],`
	`4434`	`+ ['user@server.com', ['EMAIL'], [`
	`4435`	`+ 'limit' => 1,`
	`4436`	`+ 'enumeration' => false,`
	`4437`	`+ 'strict_search' => true,`
	`4438`	`+ ],`
`4431`	`4439`	`[`
`4432`	`4440`	`[`
`4433`	`4441`	`'EMAIL' => [`