Vote notifications of polls with hidden results leaks names of voters to all subscribers #980

Closed
kainhofer opened this issue Jun 17, 2020 · 0 comments · Fixed by #990
@kainhofer

Steps to reproduce

If you set up a poll with hidden results ("Never show results" is selected), your users will not see who voted in the poll and how they voted. Even the header line does not show the count of votes received.

However, if any user checks "Receive notification email on activity", a notification is sent for each vote cast, including the name of the voter.

Expected behaviour

"Receive notification email on activity" for polls with "Never show results" should not inform normal users about other users' votes.
The "activity" that causes notifications should be limited to those changes that are visible to the user, like new comments.

Actual behaviour

A notification is sent for each vote cast, including the name of the voter, thus leaking information about who voted and when.

Server configuration detail

Operating system: Linux 4.15.0 #1 SMP Mon Dec 9 19:36:21 MSK 2019 x86_64

Webserver: Apache (fpm-fcgi)

Database: mysql 10.1.44

PHP version:

7.2.31
Modules loaded: Core, date, libxml, openssl, pcre, zlib, bz2, calendar, ctype, hash, filter, ftp, gettext, gmp, SPL, iconv, Reflection, session, standard, SimpleXML, sockets, mbstring, tokenizer, xml, cgi-fcgi, mysqlnd, apcu, bcmath, curl, dba, dom, enchant, fileinfo, gd, imagick, imap, intl, json, ldap, exif, mcrypt, mysqli, odbc, PDO, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, pspell, redis, soap, sodium, sqlite3, sysvmsg, sysvsem, sysvshm, tidy, xmlreader, xmlrpc, xmlwriter, xsl, zip, ionCube Loader, Zend OPcache

Nextcloud version: 18.0.6 - 18.0.6.0

Updated from an older Nextcloud/ownCloud or fresh install: installed 1.5 years ago

Where did you install Nextcloud from: unknown

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.4.0
 - activity: 2.11.0
 - admin_audit: 1.8.0
 - apporder: 0.10.0
 - bruteforcesettings: 1.6.0
 - calendar: 2.0.3
 - cloud_federation_api: 1.1.0
 - comments: 1.8.0
 - contacts: 3.3.0
 - dav: 1.14.0
 - documentserver_community: 0.1.7
 - drawio: 0.9.6
 - event_update_notification: 1.0.2
 - external: 3.5.0
 - federatedfilesharing: 1.8.0
 - federation: 1.8.0
 - files: 1.13.1
 - files_accesscontrol: 1.8.1
 - files_antivirus: 2.4.1
 - files_automatedtagging: 1.8.3
 - files_external: 1.9.0
 - files_markdown: 2.3.0
 - files_mindmap: 0.0.22
 - files_pdfviewer: 1.7.0
 - files_rightclick: 0.15.2
 - files_sharing: 1.10.1
 - files_trashbin: 1.8.0
 - files_versions: 1.11.0
 - files_videoplayer: 1.7.0
 - impersonate: 1.5.1
 - issuetemplate: 0.6.0
 - logreader: 2.3.0
 - lookup_server_connector: 1.6.0
 - notes: 3.5.1
 - notifications: 2.6.0
 - oauth2: 1.6.0
 - onlyoffice: 4.2.0
 - ownbackup: 19.9.0
 - password_policy: 1.8.0
 - photos: 1.0.0
 - polls: 1.4.3
 - privacy: 1.2.0
 - provisioning_api: 1.8.0
 - rainloop: 6.1.4
 - ransomware_detection: 0.7.1
 - ransomware_protection: 1.6.1
 - recommendations: 0.6.0
 - secondarymail: 0.0.1
 - serverinfo: 1.8.0
 - settings: 1.0.0
 - sharebymail: 1.8.0
 - sharerenamer: 2.7.3
 - spreed: 8.0.9
 - systemtags: 1.8.0
 - tasks: 0.13.1
 - text: 2.0.0
 - theming: 1.9.0
 - theming_customcss: 1.6.0
 - twofactor_backupcodes: 1.7.0
 - updatenotification: 1.8.0
 - viewer: 1.2.0
 - workflow_pdf_converter: 1.3.2
 - workflowengine: 2.0.0
Disabled:
 - encryption
 - firstrunwizard
 - nextcloud_announcements
 - support
 - survey_client
 - user_ldap

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "cloud.avoe.at"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "18.0.6.0",
    "overwrite.cli.url": "https:\/\/cloud.avoe.at",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "theme": "",
    "loglevel": 0,
    "default_language": "de_DE",
    "skeletondirectory": "",
    "mail_sendmailmode": "smtp",
    "data-fingerprint": "6f385c52f3b5d128bd818a8153a9de92",
    "app_install_overwrite": [
        "tasks",
        "secondarymail",
        "external",
        "polls",
        "ransomware_detection",
        "ownbackup",
        "sharerenamer",
        "mindmap_app"
    ],
    "updater.release.channel": "stable"
}

Are you using external storage, if yes which one:

Are you using encryption:

Are you using an external user-backend, if yes which one:

Client configuration

Browser: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Safari/537.36

Operating system: Ubuntu Linux

Logs

Web server error log
nothing relevant
Nextcloud log
nothing relevant
Browser log

nothing relevant
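The rule asked for under "Expected behaviour", modelled as a per-recipient visibility check next to the send-to-everyone behaviour reported above. This is an added example, not code from the Polls app: the classes, field names and sample users are hypothetical, and it assumes the poll owner may still be told about votes and that nobody is mailed about their own actions.

```python
from dataclasses import dataclass

# Hypothetical model for illustration; not the Polls app's schema or code.
NEVER, ALWAYS = "never", "always"

@dataclass(frozen=True)
class Poll:
    owner: str
    show_results: str      # NEVER corresponds to "Never show results"
    subscribers: tuple     # users with "Receive notification email on activity"

@dataclass(frozen=True)
class Event:
    kind: str              # "vote" or "comment"
    actor: str

def send_everything(poll, event, recipient):
    """Behaviour reported in the issue: every event reaches every subscriber."""
    return True

def visible_to(poll, event, recipient):
    """Notify only about activity the recipient could also see in the poll UI."""
    if event.actor == recipient:
        return False                       # assumption: no mail about own actions
    if event.kind != "vote":
        return True                        # comments stay visible to subscribers
    # Assumption: the poll owner may still be told about votes; everyone
    # else only when results are not hidden.
    return recipient == poll.owner or poll.show_results != NEVER

def build_digests(poll, events, policy=visible_to):
    """Return {recipient: [notification lines]} for one batch of events."""
    verbs = {"vote": "voted", "comment": "commented"}
    digests = {}
    for recipient in poll.subscribers:
        lines = [f"{e.actor} {verbs[e.kind]}" for e in events
                 if policy(poll, e, recipient)]
        if lines:
            digests[recipient] = lines
    return digests

# Constructed sample data.
HIDDEN_POLL = Poll(owner="alice", show_results=NEVER,
                   subscribers=("alice", "bob", "carol"))
EVENTS = [Event("vote", "bob"), Event("comment", "carol"), Event("vote", "carol")]
```

Calling `build_digests(HIDDEN_POLL, EVENTS, send_everything)` reproduces the leak (bob is told that carol voted), while the default policy leaves bob with only the comment notification.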
