> Plus as far as I know neither ownCloud nor nextCloud went through a security audit

This is inaccurate. Nextcloud does receive security audits and is in fact also used by quite some security-conscious organizations (to name a few: German Government, Siemens, ...). There's also a bug bounty program that pays pretty decently considering the company size: https://hackerone.com/nextcloud. (Remote Code Execution = 10k, Auth Bypass = 4k; compare that to rewards that the FAANG pays and you'll see it's not that bad.)

> and they are big piles of PHP with a lot more complexity than Seafile

I did a small audit of Seafile years ago and I don't think that argument flies. For example, they copied https://github.com/django/django/blob/23c612199a8aaef52c3c7e... to https://github.com/haiwen/seahub/blob/b6f8935c0f355cc70145f9... and removed some security-critical checks. They removed the check for the password hash there (https://github.com/django/django/blob/23c612199a8aaef52c3c7e...). Furthermore, the Django secret key was generated as shown at https://github.com/haiwen/seahub/blob/b6f8935c0f355cc70145f9....

```python
import random  # the quoted snippet relies on the non-cryptographic stdlib random module


def random_string():
    """
    Generate a random string (currently a random number as a string)
    """
    # One integer in [0, 100000], i.e. 100001 possible keys, stringified
    return str(random.randint(0, 100000))
```

That's not really secure and copy-pasting Django core code and then removing security checks ... is shady at best.

Disclaimer: I wrote a significant part of the ownCloud code (https://github.com/owncloud/core/graphs/contributors), then forked it into Nextcloud. After some years I moved to Facebook to do application security there :-)
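To make the entropy gap in the quoted generator concrete, the following is an added example (not code from the comment, from Seahub or from Django). It reproduces the quoted generator as `weak_secret_key`, puts a `secrets`-based generator beside it, and adds a review-time check on a configured key using the same thresholds Django's `check --deploy` applies to `SECRET_KEY` (at least 50 characters and at least 5 distinct characters). The function names and the `WEAK_RANGE`/`MIN_LENGTH`/`MIN_UNIQUE` constants are assumptions of this example.

```python
import math
import random
import secrets

# Constructed reproduction of the weak generator quoted in the comment above:
# one integer in [0, 100000] from the non-cryptographic random module.
WEAK_RANGE = 100_000


def weak_secret_key() -> str:
    """Mirrors the quoted Seahub snippet: str(random.randint(0, 100000))."""
    return str(random.randint(0, WEAK_RANGE))


def weak_keyspace_bits() -> float:
    """Entropy of the weak generator, assuming a uniform draw over 100001 values."""
    return math.log2(WEAK_RANGE + 1)


def strong_secret_key(nbytes: int = 50) -> str:
    """Key from the OS CSPRNG via the secrets module (hypothetical replacement,
    not Seahub's or Django's own code)."""
    return secrets.token_urlsafe(nbytes)


def strong_keyspace_bits(nbytes: int = 50) -> int:
    """Entropy of strong_secret_key: every byte from the CSPRNG carries 8 bits."""
    return 8 * nbytes


# Thresholds matching Django's deployment check (security.W009): a SECRET_KEY
# shorter than 50 characters or with fewer than 5 distinct characters is flagged.
MIN_LENGTH = 50
MIN_UNIQUE = 5


def check_secret_key(key: str) -> list:
    """Review-time check of a configured secret key; returns a list of findings
    (empty list means no finding)."""
    findings = []
    if len(key) < MIN_LENGTH:
        findings.append(f"too short: {len(key)} < {MIN_LENGTH} characters")
    if len(set(key)) < MIN_UNIQUE:
        findings.append(f"too few distinct characters: {len(set(key))} < {MIN_UNIQUE}")
    if key.isdigit():
        findings.append("purely numeric, consistent with a randint()-derived key")
    return findings


if __name__ == "__main__":
    weak, strong = weak_secret_key(), strong_secret_key()
    print(f"weak key {weak!r}: ~{weak_keyspace_bits():.1f} bits, findings={check_secret_key(weak)}")
    print(f"strong key ({len(strong)} chars): {strong_keyspace_bits()} bits, findings={check_secret_key(strong)}")
```

The weak generator yields under 17 bits of entropy from a PRNG that is not designed to be unpredictable, while 50 bytes from `secrets` give 400 bits; the `check_secret_key` heuristic is the kind of thing to run against a deployed `settings.py` during a configuration review.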
Thanks for this comment, and your work on {own/Next}Cloud!