diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
index 8e1dc4ed949a1..dff1886e400d2 100644
--- a/apps/files_sharing/lib/Controller/ShareAPIController.php
+++ b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -77,6 +77,9 @@
 */
 class ShareAPIController extends OCSController {
+ /** Maximum length of a custom share token, matching the oc_share.token database column. */
+ private const TOKEN_MAX_LENGTH = 32;
+
 private ?Node $lockedNode = null;
 /** @var array $trustedServerCache */
 private array $trustedServerCache = [];
@@ -1370,7 +1373,7 @@ public function updateShare(
 throw new OCSForbiddenException($this->l->t('Custom share link tokens have been disabled by the administrator'));
 }
 if (!$this->validateToken($token)) {
- throw new OCSBadRequestException($this->l->t('Tokens must contain at least 1 character and may only contain letters, numbers, or a hyphen'));
+ throw new OCSBadRequestException($this->l->t('Tokens must be between 1 and %s characters long and may only contain letters, numbers, or a hyphen', [self::TOKEN_MAX_LENGTH]));
 }
 $share->setToken($token);
 }
@@ -1409,7 +1412,8 @@ public function updateShare(
 }
 private function validateToken(string $token): bool {
- if (mb_strlen($token) === 0) {
+ $length = mb_strlen($token);
+ if ($length === 0 || $length > self::TOKEN_MAX_LENGTH) {
 return false;
 }
 if (!preg_match('/^[a-z0-9-]+$/i', $token)) {
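Review bot: validateToken still accepts a token that ends in a newline, because the PCRE `$` in `/^[a-z0-9-]+$/i` on the last line of the third hunk matches before a trailing "\n" (no `D` modifier), and the new length check simply counts that newline as one more character, so a value like "abc\n" of up to 32 characters passes both checks and reaches setToken. Anchor the pattern to the real end of the string: `if (!preg_match('/^[a-z0-9-]+\z/i', $token)) {` (or keep `$` and add the `D` modifier). A one-line comment above the length check would also help the next reader, e.g. `// Regex below restricts to ASCII, so the character count equals the byte count the column presumably stores` — the comment on TOKEN_MAX_LENGTH asserts the column width but nothing in this diff shows it, so hedge it. validateToken's body continues past the end of the hunk.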