
SHARE API: shareType 4 (by email) creation allows non compliant password-policy passwords #25006

Closed
marcos-guerrero opened this issue Jan 7, 2021 · 2 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug

Comments

@marcos-guerrero

Steps to reproduce

  1. Establish a password policy (Settings / admin / security), for example: minimum length 8, enforce upper and lower case, enforce numeric characters, enforce special characters
  2. Create (through the API) a shareType 4 share using a non-compliant password (for example a 4-character password with only lower-case characters)

POST http://maqueta-refs-backend.isastur.local/ocs/v2.php/apps/files_sharing/api/v1/shares HTTP/1.1
Host: maqueta-refs-backend.isastur.local
Authorization: Basic **************
Connection: Keep-Alive
OCS-APIRequest: true
Accept: application/json, text/plain, */*
Content-Length: 113
Content-Type: application/x-www-form-urlencoded

path=%2FRefs%2F13%2Fd3%2Ff9%2FR_DIR_15F008&shareType=4&shareWith=TEST%40isastur.com&password=abcd

Expected behaviour

The server should not allow this share link, as its password is not compliant with the password policy
(as the server does when generating a share type 3 with a non-compliant password).

Actual behaviour

The server generates the link.

Server configuration

Operating system: Ubuntu 20.04 LTS

Web server: Apache 2.4.36

Database: MariaDB 10.3.13

PHP version: 7.4.13

Nextcloud version: 20.0.4

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: manual installation

Signing status: No errors have been found.

List of activated apps:

Enabled:

  • bruteforcesettings: 2.0.1
  • cloud_federation_api: 1.3.0
  • dav: 1.16.2
  • federatedfilesharing: 1.10.2
  • files: 1.15.0
  • files_external: 1.11.1
  • files_rightclick: 0.17.0
  • files_sharing: 1.12.1
  • files_videoplayer: 1.9.0
  • logreader: 2.5.0
  • lookup_server_connector: 1.8.0
  • oauth2: 1.8.0
  • password_policy: 1.10.1
  • photos: 1.2.1
  • provisioning_api: 1.10.0
  • serverinfo: 1.10.0
  • settings: 1.2.0
  • sharebymail: 1.10.0
  • theming: 1.11.0
  • twofactor_backupcodes: 1.9.0
  • twofactor_totp: 5.0.0
  • viewer: 1.4.0
  • workflowengine: 2.2.0

Disabled:

  • accessibility
  • activity
  • admin_audit
  • comments
  • contactsinteraction
  • dashboard
  • encryption
  • federation
  • files_pdfviewer
  • files_trashbin
  • files_versions
  • firstrunwizard
  • nextcloud_announcements
  • notifications
  • privacy
  • recommendations
  • support
  • survey_client
  • systemtags
  • text
  • updatenotification
  • user_ldap
  • user_status
  • weather_status

Nextcloud configuration:

{
  "system": {
    "version": "20.0.4.0",
    "instanceid": "REMOVED SENSITIVE VALUE",
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusted_domains": [
      "maqueta-refs-backend.isastur.local",
      "localhost"
    ],
    "trusted_proxies": "REMOVED SENSITIVE VALUE",
    "overwritecondaddr": "^192\.168\.109\.(3[2-9]|4[0-9]|5[0-9]|6[0-3])$",
    "overwriteprotocol": "https",
    "overwrite.cli.url": "http://localhost",
    "datadirectory": "REMOVED SENSITIVE VALUE",
    "dbtype": "mysql",
    "dbname": "REMOVED SENSITIVE VALUE",
    "dbhost": "REMOVED SENSITIVE VALUE",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "installed": true,
    "memcache.local": "\OC\Memcache\APCu",
    "memcache.distributed": "\OC\Memcache\APCu",
    "filelocking.enabled": true,
    "memcache.locking": "\OC\Memcache\Redis",
    "redis": {
      "host": "REMOVED SENSITIVE VALUE",
      "port": 6379,
      "dbindex": 14,
      "timeout": 5
    },
    "enable_previews": false,
    "has_internet_connection": true,
    "logfile": "/disco_datos_nextcloud/logs/nextcloud.log",
    "loglevel": 2,
    "htaccess.RewriteBase": "/",
    "mail_from_address": "REMOVED SENSITIVE VALUE",
    "mail_smtpmode": "smtp",
    "mail_sendmailmode": "smtp",
    "mail_smtphost": "REMOVED SENSITIVE VALUE",
    "mail_smtpport": "4000",
    "mail_domain": "REMOVED SENSITIVE VALUE",
    "maintenance": false
  }
}

Are you using external storage, if yes which one: local

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

@marcos-guerrero marcos-guerrero added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Jan 7, 2021
@marcos-guerrero marcos-guerrero changed the title SHARE API: shareType 4 (by email) create allows non compliant password-policy passwords SHARE API: shareType 4 (by email) creation allows non compliant password-policy passwords Jan 7, 2021
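A regression check for the behaviour reported above, added here as an example and not part of the issue or of Nextcloud's own code: it posts a shareType=4 creation with a deliberately non-compliant password to an instance you administer and reports whether the server wrongly accepted it, deleting the share again if it did. The base URL, credentials, share path and recipient are placeholders you supply; the HTTP transport is injectable so the logic also runs offline against constructed OCS replies.

```python
import base64
import json
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Policy from step 1 of the report: min length 8, upper+lower case, digit, special char.
POLICY_RULES = {
    "min_length_8": lambda p: len(p) >= 8,
    "upper_and_lower": lambda p: re.search(r"[a-z]", p) and re.search(r"[A-Z]", p),
    "numeric": lambda p: re.search(r"\d", p),
    "special": lambda p: re.search(r"[^A-Za-z0-9]", p),
}

def policy_violations(password):
    """Names of the policy rules the password fails; an empty list means compliant."""
    return [name for name, ok in POLICY_RULES.items() if not ok(password)]

def ocs_status(body):
    """ocs.meta.statuscode from an OCS JSON reply, or None if the body is malformed."""
    try:
        return int(json.loads(body)["ocs"]["meta"]["statuscode"])
    except (ValueError, KeyError, TypeError):
        return None

def http_transport(url, method, headers, data):
    """Real transport (stdlib urllib); offline tests substitute a stub with canned replies."""
    with urlopen(Request(url, data=data, headers=headers, method=method)) as resp:
        return resp.read().decode()

def check_mail_share_policy(base_url, user, login_password, path, share_with,
                            weak_password="abcd", transport=http_transport):
    """Create a shareType=4 (by email) share with a non-compliant password and return
    'rejected' (expected) or 'accepted' (the reported bug); an accepted share is
    deleted again so the check leaves no weak share behind."""
    assert policy_violations(weak_password), "the probe password must violate the policy"
    auth = base64.b64encode(f"{user}:{login_password}".encode()).decode()
    headers = {"OCS-APIRequest": "true", "Accept": "application/json",
               "Authorization": "Basic " + auth,
               "Content-Type": "application/x-www-form-urlencoded"}
    api = base_url.rstrip("/") + "/ocs/v2.php/apps/files_sharing/api/v1/shares"
    form = urlencode({"path": path, "shareType": 4,
                      "shareWith": share_with, "password": weak_password})
    body = transport(api, "POST", headers, form.encode())
    if ocs_status(body) != 200:
        return "rejected"
    share_id = json.loads(body)["ocs"]["data"]["id"]
    transport(f"{api}/{share_id}", "DELETE", headers, None)
    return "accepted"
```

Run it against a test instance after upgrading; "accepted" means the fix is not in place on that server.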
@skjnldsv
Member

Fixed in nc 22

@skjnldsv
Member

see #24364
