diff --git a/apps/files_sharing/appinfo/info.xml b/apps/files_sharing/appinfo/info.xml
index 03078b5404064..0b4ebfd031943 100644
--- a/apps/files_sharing/appinfo/info.xml
+++ b/apps/files_sharing/appinfo/info.xml
@@ -14,7 +14,7 @@
Turning the feature off removes shared files and folders on the server for all share recipients, and also on the sync clients and mobile apps. More information is available in the Nextcloud Documentation.
- 1.24.0
+ 1.24.1
agpl
Michael Gapczynski
Bjoern Schiessle
diff --git a/apps/files_sharing/composer/composer/autoload_classmap.php b/apps/files_sharing/composer/composer/autoload_classmap.php
index 92751ead730b4..dda5b5c7f7728 100644
--- a/apps/files_sharing/composer/composer/autoload_classmap.php
+++ b/apps/files_sharing/composer/composer/autoload_classmap.php
@@ -81,6 +81,7 @@
'OCA\\Files_Sharing\\Migration\\Version24000Date20220208195521' => $baseDir . '/../lib/Migration/Version24000Date20220208195521.php',
'OCA\\Files_Sharing\\Migration\\Version24000Date20220404142216' => $baseDir . '/../lib/Migration/Version24000Date20220404142216.php',
'OCA\\Files_Sharing\\Migration\\Version31000Date20240821142813' => $baseDir . '/../lib/Migration/Version31000Date20240821142813.php',
+ 'OCA\\Files_Sharing\\Migration\\Version32000Date20251017081948' => $baseDir . '/../lib/Migration/Version32000Date20251017081948.php',
'OCA\\Files_Sharing\\MountProvider' => $baseDir . '/../lib/MountProvider.php',
'OCA\\Files_Sharing\\Notification\\Listener' => $baseDir . '/../lib/Notification/Listener.php',
'OCA\\Files_Sharing\\Notification\\Notifier' => $baseDir . '/../lib/Notification/Notifier.php',
diff --git a/apps/files_sharing/composer/composer/autoload_static.php b/apps/files_sharing/composer/composer/autoload_static.php
index 6ca952007a130..195b4f0583689 100644
--- a/apps/files_sharing/composer/composer/autoload_static.php
+++ b/apps/files_sharing/composer/composer/autoload_static.php
@@ -96,6 +96,7 @@ class ComposerStaticInitFiles_Sharing
'OCA\\Files_Sharing\\Migration\\Version24000Date20220208195521' => __DIR__ . '/..' . '/../lib/Migration/Version24000Date20220208195521.php',
'OCA\\Files_Sharing\\Migration\\Version24000Date20220404142216' => __DIR__ . '/..' . '/../lib/Migration/Version24000Date20220404142216.php',
'OCA\\Files_Sharing\\Migration\\Version31000Date20240821142813' => __DIR__ . '/..' . '/../lib/Migration/Version31000Date20240821142813.php',
+ 'OCA\\Files_Sharing\\Migration\\Version32000Date20251017081948' => __DIR__ . '/..' . '/../lib/Migration/Version32000Date20251017081948.php',
'OCA\\Files_Sharing\\MountProvider' => __DIR__ . '/..' . '/../lib/MountProvider.php',
'OCA\\Files_Sharing\\Notification\\Listener' => __DIR__ . '/..' . '/../lib/Notification/Listener.php',
'OCA\\Files_Sharing\\Notification\\Notifier' => __DIR__ . '/..' . '/../lib/Notification/Notifier.php',
diff --git a/apps/files_sharing/lib/Migration/Version32000Date20251017081948.php b/apps/files_sharing/lib/Migration/Version32000Date20251017081948.php
new file mode 100644
index 0000000000000..15038dc0ec04c
--- /dev/null
+++ b/apps/files_sharing/lib/Migration/Version32000Date20251017081948.php
@@ -0,0 +1,38 @@
+getTable('share_external');
+ $column = $table->getColumn('owner');
+ if ($column->getLength() < 255) {
+ $column->setLength(255);
+ return $schema;
+ }
+ return null;
+ }
+}
diff --git a/lib/private/Federation/CloudIdManager.php b/lib/private/Federation/CloudIdManager.php
index c599d9046a67e..b0996d5179c6c 100644
--- a/lib/private/Federation/CloudIdManager.php
+++ b/lib/private/Federation/CloudIdManager.php
@@ -108,7 +108,7 @@ public function resolveCloudId(string $cloudId): ICloudId {
// We accept slightly more chars when working with federationId than with a local userId.
// We remove those eventual chars from the UserId before using
// the IUserManager API to confirm its format.
- $this->userManager->validateUserId(str_replace('=', '-', $user));
+ $this->validateUser($user, $remote);
if (!empty($user) && !empty($remote)) {
$remote = $this->ensureDefaultProtocol($remote);
@@ -118,6 +118,36 @@ public function resolveCloudId(string $cloudId): ICloudId {
throw new \InvalidArgumentException('Invalid cloud id');
}
+ protected function validateUser(string $user, string $remote): void {
+ // Check the ID for bad characters
+ // Allowed are: "a-z", "A-Z", "0-9", spaces and "_.@-'" (Nextcloud)
+ // Additional: "=" (oCIS)
+ if (preg_match('/[^a-zA-Z0-9 _.@\-\'=]/', $user)) {
+ throw new \InvalidArgumentException('Invalid characters');
+ }
+
+ // No empty user ID
+ if (trim($user) === '') {
+ throw new \InvalidArgumentException('Empty user');
+ }
+
+ // No whitespace at the beginning or at the end
+ if (trim($user) !== $user) {
+ throw new \InvalidArgumentException('User contains whitespace at the beginning or at the end');
+ }
+
+ // User ID only consists of 1 or 2 dots (directory traversal)
+ if ($user === '.' || $user === '..') {
+ throw new \InvalidArgumentException('User must not consist of dots only');
+ }
+
+ // User ID is too long
+ if (strlen($user . '@' . $remote) > 255) {
+ // TRANSLATORS User ID is too long
+ throw new \InvalidArgumentException('Cloud id is too long');
+ }
+ }
+
public function getDisplayNameFromContact(string $cloudId): ?string {
$cachedName = $this->displayNameCache->get($cloudId);
if ($cachedName !== null) {