Merge pull request #5205 from nextcloud/backport/5202/stable32

juliusknorr · web-flow · commit ccca7d2021b8 · 2025-11-27T11:11:53.000+01:00
[stable32] fix: Properly handle authenticated links being an array
diff --git a/lib/Controller/DocumentAPIController.php b/lib/Controller/DocumentAPIController.php
@@ -65,9 +65,11 @@ public function create(string $mimeType, string $fileName, string $directoryPath
 				$share = $this->shareManager->getShareByToken($shareToken);
 
 				if ($share->getPassword()) {
-					if (!$this->session->exists('public_link_authenticated')
-						|| $this->session->get('public_link_authenticated') !== (string)$share->getId()
-					) {
+					$authenticatedLinks = $this->session->get('public_link_authenticated');
+
+					$isAuthenticated = (is_array($authenticatedLinks) && in_array($share->getId(), $authenticatedLinks));
+					$isAuthenticated = $isAuthenticated || ($authenticatedLinks === (string)$share->getId());
+					if (!$isAuthenticated) {
 						throw new Exception('Invalid password');
 					}
 				}
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php
@@ -242,9 +242,11 @@ public function remote(string $shareToken, string $remoteServer, string $remoteS
 			$share = $this->shareManager->getShareByToken($shareToken);
 			// not authenticated ?
 			if ($share->getPassword()) {
-				if (!$this->session->exists('public_link_authenticated')
-					|| $this->session->get('public_link_authenticated') !== (string)$share->getId()
-				) {
+				$authenticatedLinks = $this->session->get('public_link_authenticated');
+
+				$isAuthenticated = (is_array($authenticatedLinks) && in_array($share->getId(), $authenticatedLinks));
+				$isAuthenticated = $isAuthenticated || ($authenticatedLinks === (string)$share->getId());
+				if (!$isAuthenticated) {
 					throw new Exception('Invalid password');
 				}
 			}
@@ -459,9 +461,12 @@ private function getFileForUser(int $fileId, ?string $path = null): File {
 	private function getFileForShare(IShare $share, ?int $fileId, ?string $path = null): File {
 		// not authenticated ?
 		if ($share->getPassword()) {
-			if (!$this->session->exists('public_link_authenticated')
-				|| $this->session->get('public_link_authenticated') !== (string)$share->getId()
-			) {
+			$authenticatedLinks = $this->session->get('public_link_authenticated');
+
+			$isAuthenticated = (is_array($authenticatedLinks) && in_array($share->getId(), $authenticatedLinks));
+			$isAuthenticated = $isAuthenticated || ($authenticatedLinks === (string)$share->getId());
+
+			if (!$isAuthenticated) {
 				throw new NotPermittedException('Invalid password');
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -65,9 +65,11 @@ public function create(string $mimeType, string $fileName, string $directoryPath`
`65`	`65`	`$share = $this->shareManager->getShareByToken($shareToken);`
`66`	`66`
`67`	`67`	`if ($share->getPassword()) {`
`68`		`- if (!$this->session->exists('public_link_authenticated')`
`69`		`- \|\| $this->session->get('public_link_authenticated') !== (string)$share->getId()`
`70`		`- ) {`
	`68`	`+ $authenticatedLinks = $this->session->get('public_link_authenticated');`
	`69`	`+`
	`70`	`+ $isAuthenticated = (is_array($authenticatedLinks) && in_array($share->getId(), $authenticatedLinks));`
	`71`	`+ $isAuthenticated = $isAuthenticated \|\| ($authenticatedLinks === (string)$share->getId());`
	`72`	`+ if (!$isAuthenticated) {`
`71`	`73`	`throw new Exception('Invalid password');`
`72`	`74`	`}`
`73`	`75`	`}`