[Bug]: Improper input validation in PublicPreviewController triggers internal server error · nextcloud/server#59229

2026-03-26T14:03:10.000Z

### ⚠️ This issue respects the following points: ⚠️ - [x] This is a **bug**, not a question or a configuration/webserver/proxy issue. - [x] This issue is **not** already reported on [Github](https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3Abug) OR [Nextcloud Community Forum](https://help.nextcloud.com/) _(I've searched it)_. - [x] Nextcloud Server **is** up to date. See [Maintenance and Release Schedule](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule) for supported versions. - [x] I agree to follow Nextcloud's [Code of Conduct](https://nextcloud.com/contribute/code-of-conduct/). ### Bug description An incomplete input validation in PublicPreviewController can trigger an internal server error. ### Steps to reproduce #### Case A 1. Create a public link for a folder 2. Send `GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}` 3. 💥 https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L123-L130 - Default for `$file` is an empty string. - `$file = $node->get('');` is still an Folder instance - getPreview expectes File #### Case B 1. Create a public link for a folder 2. Send `GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}?file=notexist.png&mimeFallback=1` 3. 💥 https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L122-L142 - `get` and `getPreview` both throw NotFoundException. - However the branch with mimetype fallback only works if the preview not exists, not if the node not exists. ### Expected behavior No internal server error

(1 comment) (0 reactions) (0 assignees)PHP (34,953 stars) (4,865 forks)batch import

0. Needs triage32-feedbackbugfeature: previews and thumbnailsfeature: sharinggood first issue

Description

⚠️ This issue respects the following points: ⚠️

This is a bug, not a question or a configuration/webserver/proxy issue.
This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
I agree to follow Nextcloud's Code of Conduct.

Bug description

An incomplete input validation in PublicPreviewController can trigger an internal server error.

Steps to reproduce

Case A

Create a public link for a folder
Send GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}
💥

https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L123-L130

Default for $file is an empty string.
$file = $node->get(''); is still an Folder instance
getPreview expectes File

Case B

Create a public link for a folder
Send GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}?file=notexist.png&mimeFallback=1
💥

https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L122-L142

get and getPreview both throw NotFoundException.
However the branch with mimetype fallback only works if the preview not exists, not if the node not exists.

Expected behavior

No internal server error

Contributor guide

Tech stack: php
Domain: backendapi
Issue type: bug
Difficulty: 3
Estimated time: 1-3 hours
Activity status: fresh
Clarity: clear
Prerequisites: Basic PHPFamiliarity with Nextcloud public sharingUnderstanding of exception handling
Newbie friendliness: 75
Research direction: Investigate the PublicPreviewController.php file, particularly lines 122-142. The bug occurs when an empty $file parameter or a non existent file path is passed. The code should check if the node is a File instance before calling getPreview, and handle NotFoundException appropriately. Consider modifying the logic to return a proper error response instead of triggering an exception. Also, review the existing tests for public previews.