
fix(files_sharing): reject custom share tokens longer than the db column #61630

Merged
AndyScherzinger merged 2 commits into nextcloud:master from amitmishra11:fix/share-token-length-validation
Jun 30, 2026

Conversation

@amitmishra11

Contributor

validateToken() in ShareAPIController only checked that a custom share token was non-empty and matched the allowed character set, but never checked its length. The oc_share.token database column is varchar(32), so a longer token currently passes validation and then fails at the database layer with a raw, unhelpful SQL error instead of a clean validation message.

This adds a max-length check matching the column size and updates the error message to mention the limit.

  • Testing

Added a test for validateToken() covering the empty, valid, and invalid-character cases plus the new 32/33-character boundary (32 should pass, 33 should fail).

This PR was prepared with AI assistance (Claude Code); I reviewed the change before submitting it.
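
The validation order described in this PR, sketched as an added example (it is not the Nextcloud code and not part of the original post). The function name `validateCustomToken()`, the constant names and the ASCII character set are assumptions; only the 32-character limit of `oc_share.token` comes from the PR.

```php
<?php
declare(strict_types=1);

// From the PR: oc_share.token is varchar(32).
const TOKEN_MAX_LENGTH = 32;
// Assumption: illustrative ASCII-only set; the real allowed set is not shown on this page.
// \A and \z anchor the whole string; a plain "$" would also accept a trailing newline.
const TOKEN_PATTERN = '/\A[A-Za-z0-9_-]+\z/';

/**
 * Hypothetical validator: returns null when the token is acceptable,
 * otherwise a message that can be shown to the caller instead of a SQL error.
 */
function validateCustomToken(string $token): ?string {
	if ($token === '') {
		return 'Token must not be empty';
	}
	if (preg_match(TOKEN_PATTERN, $token) !== 1) {
		return 'Token contains invalid characters';
	}
	// strlen() counts bytes. After the ASCII-only check above, bytes equal
	// characters, so this matches the column's 32-character limit.
	if (strlen($token) > TOKEN_MAX_LENGTH) {
		return sprintf('Token must be at most %d characters', TOKEN_MAX_LENGTH);
	}
	return null;
}

// Constructed sample inputs covering the cases the PR's test lists.
$cases = [
	'empty' => '',
	'valid' => 'my-share_01',
	'invalid characters' => 'bad token!',
	'trailing newline' => "my-share\n",
	'32 characters (boundary)' => str_repeat('a', 32),
	'33 characters (boundary)' => str_repeat('a', 33),
];
foreach ($cases as $label => $token) {
	$error = validateCustomToken($token);
	printf("%-26s %s\n", $label, $error === null ? 'OK' : 'REJECTED: ' . $error);
}
```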

@amitmishra11 amitmishra11 requested a review from a team as a code owner June 27, 2026 15:45
@amitmishra11 amitmishra11 requested review from Altahrim, come-nc, icewind1991 and provokateurin and removed request for a team June 27, 2026 15:45
@susnux susnux added bug 3. to review Waiting for reviews feature: sharing sharing AI assisted community pull requests from community and removed sharing labels Jun 27, 2026
@joshtrichards joshtrichards changed the title fix(files_sharing): reject custom share tokens longer than the databa… fix(files_sharing): reject custom share tokens longer than the db column Jun 29, 2026

@joshtrichards joshtrichards left a comment

Member


Looks good! Just a minor nitpick, which is non-blocking. My other two comments can be handled in a follow-up PR -- or skipped entirely -- unless you prefer to include them now.

Comment thread apps/files_sharing/lib/Controller/ShareAPIController.php Outdated
Comment thread apps/files_sharing/tests/Controller/ShareAPIControllerTest.php
@joshtrichards joshtrichards added this to the Nextcloud 35 milestone Jun 29, 2026
@joshtrichards

Member

/backport to stable34

@joshtrichards

Member

/backport to stable33

@CarlSchwan CarlSchwan enabled auto-merge June 29, 2026 14:47
@CarlSchwan CarlSchwan force-pushed the fix/share-token-length-validation branch from efdc19f to 1e2dce6 Compare June 29, 2026 15:01
@joshtrichards joshtrichards added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Jun 29, 2026
amitmishra11 and others added 2 commits June 30, 2026 15:56
…se column

validateToken() only checked for an empty string and an invalid
character set, not length. A custom share token longer than 32
characters passes validation, then fails at the database layer
(oc_share.token is varchar(32)) with a raw SQL exception instead of
a clear validation error.

Add a max-length check matching the column size, and mention the
limit in the existing error message.

Assisted-by: ClaudeCode:claude-sonnet-4-6
Signed-off-by: Amit Mishra <amit.mishra.eee21@itbhu.ac.in>
Co-authored-by: Josh <josh.t.richards@gmail.com>
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
@AndyScherzinger AndyScherzinger force-pushed the fix/share-token-length-validation branch from 1e2dce6 to a40a092 Compare June 30, 2026 13:56
@AndyScherzinger AndyScherzinger disabled auto-merge June 30, 2026 13:58
@AndyScherzinger AndyScherzinger merged commit 2e1e03d into nextcloud:master Jun 30, 2026
127 of 132 checks passed
@welcome

welcome Bot commented Jun 30, 2026


Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22


Labels

4. to release Ready to be released and/or waiting for tests to finish AI assisted bug community pull requests from community feature: sharing


Development

Successfully merging this pull request may close these issues.

[Bug]: public shares: Over-length custom token: Fails silently
