
Debug dump: No obfuscation at all, users who submit a report here are required to divulge private information #4018

Closed
Moini opened this issue Nov 30, 2021 · 2 comments
Labels: enhancement (enhancement of an already implemented feature/code), high, security, technical debt


Moini commented Nov 30, 2021

Expected behaviour

  • The Nextcloud desktop client should clean out all potentially sensitive data from the debug zip file contents
  • The Nextcloud desktop client should warn about which data is contained in the dump
  • (Additionally: the file extension should be .zip automatically, but there isn't one)

Actual behaviour

  • The debug log / databases contain sensitive data such as email addresses, Nextcloud user names, private server addresses, local disk paths (which include local user names), something called oc_sessionPassphrase, file and folder names in the Nextcloud, file checksums, a user's online times, file modification times, ... basically everything except the files themselves.
  • No visible effort has been made to obscure any of the sensitive data
  • Nextcloud team requires that such a dump is included in any reports about desktop client misbehavior in their issue template:

    desktop client logs are a hard requirement for bug reports because we don't know how to do magic here :)

To be honest, I'm shocked. Nextcloud boasts of respecting and improving its users' privacy, and then this?
As a temporary fix, the requirement should be removed from the issue template ASAP.
As a near-term fix, the user data should be cleaned before saving as a debug dump that is supposed to be posted into a public place.

Steps to reproduce

  1. Right-click on desktop client icon
  2. Select 'Settings'
  3. Select 'General' in top right corner
  4. Click on 'Create Debug Archive ...'
  5. Inspect resulting file

Client configuration

Any

Server configuration

Any
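The kind of cleaning the report asks for, as an added illustration that is not part of the issue or of the Nextcloud client: a small scrubber run over constructed sample lines covering the data categories listed above (account email, server address, local path with OS user name, oc_sessionPassphrase, synced file names, checksums), plus a check that nothing known-sensitive survived. The log format and the regular expressions are assumptions for the example; real client logs would need their own rule set.

```python
import re

# Constructed sample modelled on the categories the issue lists (account
# email, server address, local path containing the OS user name, the
# oc_sessionPassphrase value, synced file names, checksums). These are
# NOT real Nextcloud desktop client log lines.
SAMPLE_LOG = """\
2021-11-30 10:00:01 account: alice@example.com on https://cloud.internal.example.org/
2021-11-30 10:00:02 sync "C:/Users/alice/Nextcloud/Taxes 2021/return.pdf" checksum SHA1:0123abcd
2021-11-30 10:00:03 oc_sessionPassphrase=s3cr3t-passphrase-value
2021-11-30 10:00:04 user alice logged in
"""

# Home-directory prefixes on Windows, Linux and macOS; group 1 is the OS user name.
USER_DIR = re.compile(r"(?:[A-Za-z]:[/\\]Users[/\\]|/home/|/Users/)([^/\\\"\s]+)")
EMAIL = re.compile(r"([\w.+-]+)@[\w-]+(?:\.[\w-]+)+")

# Pattern-based rules, applied in this order (the secret first, so a secret
# that happens to contain an e-mail or host is still blanked as a whole).
RULES = [
    (re.compile(r"oc_sessionPassphrase=\S+"), "oc_sessionPassphrase=<REDACTED>"),
    (EMAIL, "<EMAIL>"),
    (re.compile(r"https?://[^\s/'\"]+"), "<SERVER>"),
    (re.compile(r'"(?:[A-Za-z]:|/)[^"]*"'), '"<PATH>"'),  # quoted local path incl. file name
    (re.compile(r"checksum\s+\w+:[0-9a-fA-F]+"), "checksum <HASH>"),
]

def scrub(text: str) -> str:
    """Return text with the sensitive categories above replaced by placeholders."""
    # Pass 1: learn user names from home-directory paths and e-mail local parts,
    # so bare mentions such as "user alice logged in" are caught in pass 3.
    names = {m.group(1) for m in USER_DIR.finditer(text)}
    names |= {m.group(1) for m in EMAIL.finditer(text)}
    # Pass 2: pattern-based redaction.
    for pattern, replacement in RULES:
        text = pattern.sub(replacement, text)
    # Pass 3: whole-word redaction of every learned name (very short names are
    # skipped because they would shred unrelated words).
    for name in sorted(names, key=len, reverse=True):
        if len(name) >= 3:
            text = re.sub(r"\b%s\b" % re.escape(name), "<USER>", text)
    return text

def residual_secrets(scrubbed: str, known: list[str]) -> list[str]:
    """Verification step: which known-sensitive strings survived scrubbing?"""
    return [s for s in known if s in scrubbed]

if __name__ == "__main__":
    out = scrub(SAMPLE_LOG)
    print(out)
    print("leaked:", residual_secrets(out, ["alice", "s3cr3t-passphrase-value", "return.pdf"]))
```

Timestamps (the "online times" the report mentions) are deliberately left untouched here, since they carry the ordering a maintainer needs; coarsening them would be a separate rule.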

@Moini Moini added the bug label Nov 30, 2021
@allexzander allexzander added enhancement (enhancement of an already implemented feature/code) and removed bug labels Dec 9, 2021
joshtrichards (Member) commented

Duplicate of #3189 + #3190

Let's consolidate there.

Moini (Author) commented Nov 22, 2023

2 years old, and this was the first verbal reaction. Let's hope it doesn't take another two.
