fix(files_sharing): validate empty file parameter in PublicPreviewController #59460

Closed
psimaker wants to merge 1 commit into nextcloud:master from psimaker:fix/59229-public-preview-input-validation

psimaker (Contributor) commented Apr 5, 2026

Fixes #59229

Summary

The getPreview() method in PublicPreviewController had two input validation issues
that caused internal server errors:

Case A: When requesting a public preview for a folder share without a file parameter,
$node->get('') returns the Folder itself. getPreview() then crashes because it expects
a File instance, not a Folder.

Case B: When requesting a non-existent file with mimeFallback=true, the NotFoundException
from $node->get($file) falls into the catch block where $file->getMimeType() is called.
At that point $file is still the original string parameter, not a Node object, causing a
fatal error.

Changes

  • Add early return with 400 Bad Request when $file is empty on folder shares
  • Split the try-catch into two blocks: one for node resolution, one for preview generation
  • This ensures $file is always a valid Node object when mimeFallback code executes

Test plan

  • Added testPreviewFolderEmptyFile — empty file parameter returns 400
  • Added testPreviewFolderInvalidFileWithMimeFallback — non-existent file with mimeFallback returns 404
  • Added testPreviewFolderValidFileNoPreviewWithMimeFallback — valid file, no preview, mimeFallback redirects to mime icon
  • Existing tests still pass (no regressions)

  PublicPreviewController

  Fixes nextcloud#59229

  - Return 400 Bad Request when file parameter is empty for folder shares
  - Separate node resolution from preview generation to prevent crash
    when mimeFallback is used with non-existent files

  Signed-off-by: Umo <umut.erdem@protonmail.com>

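The control flow described in the pull request above, as an added sketch that is not the PR's diff or Nextcloud's own code: node resolution and preview generation are kept in separate steps so the fallback branch only ever sees a resolved file. All class and function names are hypothetical stand-ins, and the final `instanceof` check and its 400 response go beyond what the PR describes.

```php
<?php
declare(strict_types=1);

// Stand-ins (hypothetical) for the server's node types and exception; not Nextcloud classes.
class NotFound extends Exception {}
abstract class Node {}
final class File extends Node {
    public function __construct(public string $mime, public bool $hasPreview) {}
}
final class Folder extends Node {
    /** @param array<string, Node> $children */
    public function __construct(private array $children) {}
    public function get(string $path): Node {
        if ($path === '') { return $this; }          // Case A: empty path yields the folder itself
        return $this->children[$path] ?? throw new NotFound($path);
    }
}

/** Returns [status, detail] for a public preview request on a share root. */
function previewStatus(Node $share, string $file, bool $mimeFallback): array {
    // Step 1: resolve the node. $file is still a string here and is never used as an object.
    if ($share instanceof Folder) {
        if ($file === '') { return [400, 'file parameter required']; }
        try {
            $node = $share->get($file);
        } catch (NotFound) {
            return [404, 'not found'];               // Case B: never reaches the fallback code
        }
    } else {
        $node = $share;
    }
    if (!$node instanceof File) { return [400, 'not a file']; }  // assumption: status chosen here

    // Step 2: preview generation. $node is guaranteed to be a File from here on.
    try {
        if (!$node->hasPreview) { throw new NotFound('no preview'); }
        return [200, 'preview'];
    } catch (NotFound) {
        return $mimeFallback ? ['redirect', 'mime icon for ' . $node->mime] : [404, 'no preview'];
    }
}

// Constructed share tree and requests mirroring the three new tests, plus a subfolder path.
$share = new Folder(['a.txt' => new File('text/plain', false), 'sub' => new Folder([])]);
foreach ([['', false], ['missing.txt', true], ['a.txt', true], ['sub', true]] as [$f, $fb]) {
    [$code, $detail] = previewStatus($share, $f, $fb);
    printf("file=%-14s mimeFallback=%-5s -> %s %s\n", var_export($f, true), var_export($fb, true), $code, $detail);
}
```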
solracsf (Member) commented Apr 5, 2026

Thanks, but this is a duplicate of the ongoing #59253

solracsf closed this Apr 5, 2026

github-actions (Contributor) commented

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smoothly and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

Development

Successfully merging this pull request may close these issues.

[Bug]: Improper input validation in PublicPreviewController triggers internal server error
