fix: always validate share token if provided

benjaminfrueh · benjaminfrueh · commit 2f1a7a26908c · 2026-04-22T21:56:56.000+02:00
Signed-off-by: Benjamin Frueh &lt;benjamin.frueh@gmail.com&gt;
diff --git a/lib/Middleware/SessionMiddleware.php b/lib/Middleware/SessionMiddleware.php
@@ -117,28 +117,24 @@ private function assertDocumentSession(ISessionAwareController $controller): voi
 	 */
 	private function assertUserOrShareToken(ISessionAwareController $controller): void {
 		$documentId = (int)$this->request->getParam('documentId');
-		if (null !== $userId = $this->userSession->getUser()?->getUID()) {
-			// Check if user has access to document
-			if (count($this->rootFolder->getUserFolder($userId)->getById($documentId)) === 0) {
-				throw new InvalidSessionException();
-			}
-			$controller->setUserId($userId);
-		} elseif ('' !== $shareToken = (string)$this->request->getParam('shareToken')) {
+		$shareToken = (string)$this->request->getParam('shareToken');
+
+		if ($shareToken !== '') {
 			try {
 				$share = $this->shareManager->getShareByToken($shareToken);
 			} catch (ShareNotFound) {
 				throw new InvalidSessionException();
 			}
 
-			// Check if shareToken has access to document
 			if (count($this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)) === 0) {
 				throw new InvalidSessionException();
 			}
 
 			/** @psalm-suppress RedundantConditionGivenDocblockType */
 			if ($share->getPassword() !== null) {
-				$shareId = $this->session->get('public_link_authenticated');
-				if ($share->getId() !== $shareId) {
+				$shareIds = $this->session->get('public_link_authenticated');
+				$shareIds = is_array($shareIds) ? $shareIds : [$shareIds];
+				if (!in_array($share->getId(), $shareIds, true)) {
 					throw new InvalidSessionException();
 				}
 			}
@@ -151,11 +147,21 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
 			if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
 				throw new InvalidSessionException();
 			}
-		} else {
-			throw new InvalidSessionException();
+
+			$controller->setDocumentId($documentId);
+			return;
 		}
 
-		$controller->setDocumentId($documentId);
+		if (null !== $userId = $this->userSession->getUser()?->getUID()) {
+			if (count($this->rootFolder->getUserFolder($userId)->getById($documentId)) === 0) {
+				throw new InvalidSessionException();
+			}
+			$controller->setUserId($userId);
+			$controller->setDocumentId($documentId);
+			return;
+		}
+
+		throw new InvalidSessionException();
 	}
 
 	public function afterException($controller, $methodName, \Exception $exception): JSONResponse|Response {
