Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Server tadd trusted domain link leaks internal ip address for nc instance #12274

Closed
tspr opened this issue Nov 5, 2018 · 5 comments
Closed

Server tadd trusted domain link leaks internal ip address for nc instance #12274

tspr opened this issue Nov 5, 2018 · 5 comments
Labels
security

Comments

@tspr
Copy link

tspr commented Nov 5, 2018
edited
Loading

Hi,
just tried to debug my nc setup. I requested the login page vie ip (not fqdn) with curl from externally, i got the following:

curl -kv https://xxx.yyy.7.41/nextcloud/
....

<p style="text-align:center;">
	<a href="https://192.168.1.zzz/nextcloud/index.php/settings/admin?trustDomain=xxx.yyy.7.41" class="button">
		Add &quot;xxx.yyy.7.41&quot; as trusted domain		</a>
</p>

Shouldn't the admin link be set to include either the baseurl (fqdn) or as a relative link (as all the other links are)?

Thomas
@nextcloud-bot
Copy link
Member

GitMate.io thinks possibly related issues are #10140 (Internal server error), #6994 (Internal Server Error), #2345 (Calendar invites: Sender is server instance, not user email address), #8547 (Server replied: Internal Server error), and #4941 (nc beta 4 internal server error due to totp backup codes).

@tspr tspr mentioned this issue Nov 5, 2018
Closed
@violoncelloCH
Copy link
Member

violoncelloCH commented Nov 5, 2018
edited
Loading

This is neccessary to give the admin the option to easily add the new domain to the trusted domain array...
If I'm right: To not expose the internal IP you can just set an other domain as default / first trusted domain...
What do you think @nextcloud/security ?

@tspr
Copy link
Author

tspr commented Nov 5, 2018

Well,
if the admin should operate from outside, the link won't work.

By the way, i'm running

NC V 13.0.5
php Version: 7.0.26
on freebsd/jail (versions somewhat mangled, unfornately)
nc

will update to 13.0.7 now to figure out, f problem persists.

@violoncelloCH violoncelloCH removed the bug label Nov 5, 2018
@rullzer
Copy link
Member

rullzer commented Nov 5, 2018

We actually killed this in Nextcloud 14. Because it never fully worked.

@MorrisJobke
Copy link
Member

Also have a look at the overwrite* options in sample config.php to enforce some domains (Nextcloud then stops guessing the domain;))

And as we removed this feature as well it will not occur once the overwrite* options are set.

Closing for now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rullzer @MorrisJobke @tspr @nextcloud-bot @violoncelloCH