"Save As" from CODE in link-shared folder can save in the folder of the user who created the share.

[A-Aurel]

Describe the bug
When a guest "Saves as", guest can save in the folder of the user who created the share.

To Reproduce
Steps to reproduce the behavior:

USER creates a folder and shares a link with write access.
GUEST enters the folder, creates an Opendocument sheet, and opens it via Nextcloud Richdocuments app, with CODE.
GUEST "Saves as" or ("Export") to /File.ods

Expected behavior
The "/" is related to the files of USER, not to the share.
GUEST should be restricted to writing in the shared folder only.

Screenshots
N/A

Client details:

• OS: Linux
• Browser Chromium
• Version 126.0.6478.126
• Device: desktop

Server details

Operating system:
Fedora

Web server:
Apache

Database:
Mariadb

PHP version:
8.3.8

Nextcloud version:
29.0.3

Version of the richdocuments app
8.4.3

Version of Collabora Online
COOLWSD version:
24.04.4.2 git hash: fbf97e9 (E)

Configuration of the richdocuments app

    "apps": {
        "richdocuments": {
            "canonical_webroot": "",
            "disable_certificate_verification": "",
            "enabled": "yes",
            "external_apps": "",
            "installed_version": "8.4.3",
            "public_wopi_url": "https:\/\/office.xxx.xxx:443",
            "types": "prevent_group_restriction",
            "wopi_allowlist": "10.88.0.0\/16",
            "wopi_url": "https:\/\/office.xxx.xxx:443"
        }
    }
}

[joshtrichards]

https://github.com/nextcloud/richdocuments?tab=security-ov-file#readme

[A-Aurel]

Hello, Thanks for reading and trying to reproduce. I did retry, with same behavior. Perhaps I was not clear enough: I share the folder as a link to a person who does not have an account. So per se, there is no GUEST root folder, just access through web interface to the USER's /shared folder. Is it what you did, or did GUEST have an account ? Since one could not override existing files, I did not report it as security, but I guess one GUEST can mess up the folders of the sharing user and that can be some deal. Do you recommend I report it as a security thing ? Thanks Regards Le dim. 21 juil. 2024 à 17:35, Josh ***@***.***> a écrit :

…

For what it's worth, I cannot reproduce this behavior so far. As the share receiver, I use *Save as* (or *Export*) and save to /blah.odt. This file ends up in the root of the share receiver (guest in your example). The file does not appear in the share sender (user in your example) account. — Reply to this email directly, view it on GitHub <#3830 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BFW35F657PBJG7UJ5A75B4TZNPBLJAVCNFSM6AAAAABLGVTGK6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENBRGYZTEMRQGY> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[joshtrichards]

Yes, please report it there. Thanks! 👍