HackerOne report H1:1579820, kesselb
May 24, 2022 - 12:53 p.m.

Nextcloud: Ownership check missing when updating or deleting attachments


EPSS: 0.001 (percentile: 35.1%)

Summary:

The ownership check is missing when attachments are updated or deleted.

Steps To Reproduce:

  1. Open mail app
  2. Compose a new message
  3. Attach some file
  4. Send message
  5. Copy the XHR request and modify the attachment IDs
  6. See that local_message_id is changed for a different user

When you compose a message and put it into the outbox to send later, we keep a reference to its attachments in oc_mail_attachments. An attacker is able to overwrite the local_message_id of an existing attachment or delete the given row. The impact is that the attachment becomes unavailable for the given message in the outbox.

  • It’s not possible to delete the actual attachment on file. Only the database reference.
  • It’s not possible to send another person’s attachment to you or someone else.
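
The missing check and one way to close it, as an added example that is not taken from the report or from the Nextcloud Mail code base: a Python/sqlite3 model of the table in which the `user_id` column, the function names and the sample rows are assumptions constructed for illustration. The hardened functions put the session user into the WHERE clause and roll back when any submitted ID was not owned by the caller.

```python
import sqlite3

def make_db():
    """Constructed sample data: one outbox attachment per user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE oc_mail_attachments (id INTEGER PRIMARY KEY, "
               "user_id TEXT, local_message_id INTEGER)")  # user_id: assumed column
    db.executemany("INSERT INTO oc_mail_attachments VALUES (?, ?, ?)",
                   [(1, "alice", 10), (2, "bob", 20)])
    db.commit()
    return db

def message_of(db, attachment_id):
    """Return the local_message_id an attachment row points at, or None."""
    row = db.execute("SELECT local_message_id FROM oc_mail_attachments "
                     "WHERE id = ?", (attachment_id,)).fetchone()
    return row[0] if row else None

def relink_unchecked(db, message_id, ids):
    """Flawed pattern: rows are selected by client-supplied ids alone."""
    marks = ",".join("?" * len(ids))
    cur = db.execute("UPDATE oc_mail_attachments SET local_message_id = ? "
                     f"WHERE id IN ({marks})", [message_id, *ids])
    db.commit()
    return cur.rowcount

def _run_owned(db, sql, params, expected):
    """Run an owner-scoped statement; undo it if any id was foreign."""
    cur = db.execute(sql, params)
    if cur.rowcount != expected:
        db.rollback()
        raise PermissionError("attachment id not owned by the caller")
    db.commit()
    return cur.rowcount

def relink_checked(db, user_id, message_id, ids):
    """Hardened update: the session user is part of the WHERE clause."""
    ids = sorted(set(ids))
    marks = ",".join("?" * len(ids))
    return _run_owned(db, "UPDATE oc_mail_attachments SET local_message_id = ? "
                      f"WHERE user_id = ? AND id IN ({marks})",
                      [message_id, user_id, *ids], len(ids))

def delete_checked(db, user_id, ids):
    """Hardened delete with the same ownership predicate."""
    ids = sorted(set(ids))
    marks = ",".join("?" * len(ids))
    return _run_owned(db, "DELETE FROM oc_mail_attachments "
                      f"WHERE user_id = ? AND id IN ({marks})",
                      [user_id, *ids], len(ids))
```

Comparing the affected row count with the number of submitted IDs turns a partially foreign ID list into an explicit failure instead of a silent partial update.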

Supporting Material/References:

https://github.com/nextcloud/mail/blob/1752cbbba12285a4e93ec257d6e06ac1f790b171/lib/Db/LocalAttachmentMapper.php#L89-L118

Impact

For the given message in the outbox the attachment is unavailable.
