From 4eb7acbfe16f9ada1aac9ee9bc2533fcf7952fb2 Mon Sep 17 00:00:00 2001 From: Amit Mishra Date: Sat, 27 Jun 2026 21:02:44 +0530 Subject: [PATCH 1/2] fix(files_sharing): reject custom share tokens longer than the database column validateToken() only checked for an empty string and an invalid character set, not length. A custom share token longer than 32 characters passes validation, then fails at the database layer (oc_share.token is varchar(32)) with a raw SQL exception instead of a clear validation error. Add a max-length check matching the column size, and mention the limit in the existing error message. Assisted-by: ClaudeCode:claude-sonnet-4-6 Signed-off-by: Amit Mishra --- apps/files_sharing/lib/Controller/ShareAPIController.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php index 8e1dc4ed949a1..5788674428817 100644 --- a/apps/files_sharing/lib/Controller/ShareAPIController.php +++ b/apps/files_sharing/lib/Controller/ShareAPIController.php @@ -77,6 +77,9 @@ */ class ShareAPIController extends OCSController { + /** Maximum length of a custom share token, matching the oc_share.token database column. */ + private const TOKEN_MAX_LENGTH = 32; + private ?Node $lockedNode = null; /** @var array $trustedServerCache */ private array $trustedServerCache = []; @@ -1370,7 +1373,7 @@ public function updateShare( throw new OCSForbiddenException($this->l->t('Custom share link tokens have been disabled by the administrator')); } if (!$this->validateToken($token)) { - throw new OCSBadRequestException($this->l->t('Tokens must contain at least 1 character and may only contain letters, numbers, or a hyphen')); + throw new OCSBadRequestException($this->l->t('Tokens must be between 1 and %s characters long and may only contain letters, numbers, or a hyphen', [self::TOKEN_MAX_LENGTH])); } $share->setToken($token); } @@ -1409,7 +1412,7 @@ public function updateShare( } private function validateToken(string $token): bool { - if (mb_strlen($token) === 0) { + if (mb_strlen($token) === 0 || mb_strlen($token) > self::TOKEN_MAX_LENGTH) { return false; } if (!preg_match('/^[a-z0-9-]+$/i', $token)) { From 7900f746b15083f26d1fc282afbfa924b5e24629 Mon Sep 17 00:00:00 2001 From: Carl Schwan Date: Mon, 29 Jun 2026 16:47:17 +0200 Subject: [PATCH 2/2] refactor: Avoid calling mb_strlen twice refactor: Avoid calling mb_strlen twice Co-authored-by: Josh Signed-off-by: Carl Schwan [skip ci] --- apps/files_sharing/lib/Controller/ShareAPIController.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php index 5788674428817..dff1886e400d2 100644 --- a/apps/files_sharing/lib/Controller/ShareAPIController.php +++ b/apps/files_sharing/lib/Controller/ShareAPIController.php @@ -1412,7 +1412,8 @@ public function updateShare( } private function validateToken(string $token): bool { - if (mb_strlen($token) === 0 || mb_strlen($token) > self::TOKEN_MAX_LENGTH) { + $length = mb_strlen($token); + if ($length === 0 || $length > self::TOKEN_MAX_LENGTH) { return false; } if (!preg_match('/^[a-z0-9-]+$/i', $token)) {