Error in Deleting Deck cards attachment reveals the full path of the website

## Summary: An error in deck cards when deleting an attachment reveals the full path of the website. ``` DELETE /apps/deck/cards/11/attachment/file:1 HTTP/2 Host: ctulhu.me/nc Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99" Accept: application/json, text/plain, */* Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Sec-Ch-Ua-Platform: "macOS" Origin: https://ctulhu.me/nc Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 ``` ### Response ``` HTTP/2 500 Internal Server Error Date: Wed, 29 Sep 2021 07:42:43 GMT Content-Type: application/json; charset=utf-8 Content-Length: 2057 Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Cache-Control: no-cache, no-store, must-revalidate Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none' Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none' X-Robots-Tag: none Referrer-Policy: no-referrer X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: none X-Xss-Protection: 1; mode=block Cf-Cache-Status: DYNAMIC Server: cloudflare Cf-Ray: 69639391d9741f21-FRA Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 {"status":500,"message":"There was an error retrieving the share. Maybe the link is wrong, it was unshared, or it was deleted.","exception":{"\u0000OC\\HintException\u0000hint":"","\u0000*\u0000message":"There was an error retrieving the share. Maybe the link is wrong, it was unshared, or it was deleted.","\u0000Exception\u0000string":"","\u0000*\u0000code":0,"\u0000*\u0000file":"\/var\/www\/██████████\/custom_apps\/deck\/lib\/Sharing\/DeckShareProvider.php","\u0000*\u0000line":586,"\u0000Exception\u0000trace":[{"file":"\/var\/www\/████████\/custom_apps\/deck\/lib\/Service\/FilesAppService.php","line":140,"function":"getShareById","class":"OCA\\Deck\\Sharing\\DeckShareProvider","type":"-\u003E"},{"file":"\/var\/www\/█████\/custom_apps\/deck\/lib\/Service\/AttachmentService.php","line":339,"function":"extendData","class":"OCA\\Deck\\Service\\FilesAppService","type":"-\u003E"},{"file":"\/var\/www\/██████████\/custom_apps\/deck\/lib\/Controller\/AttachmentController.php","line":96,"function":"delete","class":"OCA\\Deck\\Service\\AttachmentService","type":"-\u003E"},{"file":"\/var\/www\/███████\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":217,"function":"delete","class":"OCA\\Deck\\Controller\\AttachmentController","type":"-\u003E"},{"file":"\/var\/www\/███████\/lib\/private\/AppFramework\/Http\/Dispatcher.php","line":126,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"-\u003E"},{"file":"\/var\/www\/█████\/lib\/private\/AppFramework\/App.php","line":156,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"-\u003E"},{"file":"\/var\/www\/██████████\/lib\/private\/Route\/Router.php","line":301,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"\/var\/www\/██████\/lib\/base.php","line":1000,"function":"match","class":"OC\\Route\\Router","type":"-\u003E"},{"file":"\/var\/www\/█████████\/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"\u0000Exception\u0000previous":null}} ``` ## Steps To Reproduce: [add details for how we can reproduce the issue] * 0.) setup burpsuite * 1.) go to $website/apps/deck and pick any cards * 2.) attach a file to the card and delete it * 3.) On burp suite go to proxy > http history > find the request * 4.) send the request to repeater and run the request again ## Impact Full path disclosure