[Bug]: Improper input validation in PublicPreviewController triggers internal server error · nextcloud/server#59229

2026-03-26T14:03:10.000Z

### ⚠️ This issue respects the following points: ⚠️ - [x] This is a **bug**, not a question or a configuration/webserver/proxy issue. - [x] This issue is **not** already reported on [Github](https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3Abug) OR [Nextcloud Community Forum](https://help.nextcloud.com/) _(I've searched it)_. - [x] Nextcloud Server **is** up to date. See [Maintenance and Release Schedule](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule) for supported versions. - [x] I agree to follow Nextcloud's [Code of Conduct](https://nextcloud.com/contribute/code-of-conduct/). ### Bug description An incomplete input validation in PublicPreviewController can trigger an internal server error. ### Steps to reproduce #### Case A 1. Create a public link for a folder 2. Send `GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}` 3. 💥 https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L123-L130 - Default for `$file` is an empty string. - `$file = $node->get('');` is still an Folder instance - getPreview expectes File #### Case B 1. Create a public link for a folder 2. Send `GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}?file=notexist.png&mimeFallback=1` 3. 💥 https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L122-L142 - `get` and `getPreview` both throw NotFoundException. - However the branch with mimetype fallback only works if the preview not exists, not if the node not exists. ### Expected behavior No internal server error

(1 commento) (0 reazioni) (0 assegnatari)PHP (34.953 star) (4865 fork)batch import

0. Needs triage32-feedbackbugfeature: previews and thumbnailsfeature: sharinggood first issue

Descrizione

⚠️ This issue respects the following points: ⚠️

This is a bug, not a question or a configuration/webserver/proxy issue.
This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
I agree to follow Nextcloud's Code of Conduct.

Bug description

An incomplete input validation in PublicPreviewController can trigger an internal server error.

Steps to reproduce

Case A

Create a public link for a folder
Send GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}
💥

https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L123-L130

Default for $file is an empty string.
$file = $node->get(''); is still an Folder instance
getPreview expectes File

Case B

Create a public link for a folder
Send GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}?file=notexist.png&mimeFallback=1
💥

https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L122-L142

get and getPreview both throw NotFoundException.
However the branch with mimetype fallback only works if the preview not exists, not if the node not exists.

Expected behavior

No internal server error

Guida contributor

Tech stack: php
Dominio: backend
Tipo issue: bug
Difficoltà: 2
Tempo stimato: 1-3 hours
Stato attività: active
Chiarezza: clear
Prerequisiti: Git
Adatta ai principianti: 75
Direzione di ricerca: Riproduci il bug seguendo i passaggi nell'issue, poi esamina il codice di PublicPreviewController alle righe indicate per capire perché input di file vuoti o inesistenti causano errori interni del server. Correggi aggiungendo una validazione dell'input per verificare che il nodo sia un'istanza di File prima di chiamare getPreview.