-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow to specify the token of a public share / share renaming #45440
Comments
So should this be a separate app so that it can be removed during building the enterprise archive? |
@szaimen yes. |
@miaulalala could you give an security opinion on that feature? |
A warning is fine, yes. When you want to give a name, you want it to be easier visible.
Optional if at all, but again, the point of giving a simple share name is the ability to remember. If you then have to remember a separate password it defeats the purpose and you might as well have pasted the complicated link.
Straight no on that one. Again if you change the name you want it to be simple. :) |
Dictionary attacks would become a concern, yes. Token enumeration is already possible if highly unlikely, although I assume the endpoint is brute force protected, so it's expensive and time consuming. Could also lead to token leaks as two identical tokens aren't possible, so a (guest) user might try creating shares at random to guess at other tokens. If we add the If we do this, I'd recommend enforcing a password. I'd also suggest a minimum length for the token. Not great if the user chooses something really short. In short, there are definitely some risks to this, and I can't really see the benefits. Maybe a link shortener integration could be a viable alternative? |
this is basically an accepted risk - it is meant for small home user instances where I might want to share vacation photos with family using an easy to remember link. That that makes the link easy to find is something we will warn about in the UI, but it's inherent to the solution. Adding a (mandatory) password would defeat the purpose of this ;-) On large instances it's a rather dumb idea to do it, but then we don't intend to promote it for that. It's pure for home users. FWIW, I use the app that implements this myself. |
The simplest way to address the enterprise migration part I think is to have a separate custom share token alongside the generated token that is available on community instances and disabled on enterprise automatically with a check. This removes the complexity of having to "migrate" anything such as overwriting a custom token that may have been set in-place of the generated token, as would be needed based on the implementations in the apps mentioned previously. To detect this we can use: Unfortunately the code is quite tightly coupled at the moment which makes it infeasible to simply add a hook/plugin in a separate app to handle custom tokens. But allowing custom tokens in the existing code is not complicated. |
I think this brings confusion if one version of Nextcloud (community vs enterprise) hard disables features for the other. I think we should instead make this available to all versions, but add two admin settings:
Both should be simple to add to the sharing controller. I know also some bigger instances that would like to have this feature, one use case is to provide short sharing URLs for their customers. As the only use case for this feature is sharing "by paper" (otherwise clicking or copy past is available which does not care about the length) and this is mainly something you do with e.g. "upload pictures" on a private event like a wedding / birthday, but also for customers on e.g. a flyer. |
My thinking was that the switch to an enterprise image would be secure by default rather than requiring an admin manually opting in to security. Would be fine with going with whatever @nextcloud/security thinks is reasonable |
cc @nickvergessen do you think the approach recently discussed would be ok? |
How about to enable by default for new installations, so if you set up Nextcloud you need to configure a lot of stuff anyways can disable this if you like. |
That's also a no from my side.
I think that's a good way to go instead of doing magic and potentially upsetting things like #48248 (it opens the door to hell). It should have a visible admin setting in An idea regarding the update scenario that I could see: Default the config to "allow specifying short links" for new installation. And on updates we set it to "disallow" if:
This way most "enterprisy" or "we care about security" instance would be on the save side while updating and all the "usability focused" instances have the fancy feature at hand. As for further comments, there should be a warning text at the setting as well as on the share option itself stating that this can lead to "easy access", similarly as Jan stated in #45440 (comment) As for requirements for the token:
Unsure:
With all that in mind, we can then simply set the token in the code place of #47265 to whatever was entered in the interface (if config allows) and check for uniqueness. Then we don't even need a database migration as we can simply utilize the existing table column. |
Hello @Pytal, small "new" req for this feature, which is to have it disabled by default! Depending on the approach you're taking this could mean: If it's an app, ship it but disable it by default. If it's not an app, add a setting to turn this on/off (off by default). |
Thanks for your insights @nickvergessen!
My question with this approach, as opposed to the separate custom share token column I proposed, is if the feature is disabled then what happens to the shares with custom tokens and how do we detect whether a token is custom or not as they can use the same characters? |
I would say: Nothing. Keep them like if they were native tokens. Otherwise every share would be invalidated.
Is this needed? |
They would still be accessible then which is a security issue no?
With this approach then we have to have a way to invalidate custom shares |
I also don't think cleaning up automatically will be needed. Just because you disable generating such links in the future, doesn't mean you want to break all existing ones as well. We can simply explain this in a description next to the setting. |
Sounds reasonable :) I'll go with the replace existing token way and add a button to create a generated token as well so it's easy to make the share link non-guessable. |
random token should still be the default and setting a simple token should be the part that requires a button being pressed 🙊 |
Is the intent to make an own version of this feature or to contribute to one of Configurable Share Links or ShareRenamer (and in that case which)? |
I probably will be part of Nextcloud core, so directly implemented in the |
The text was updated successfully, but these errors were encountered: