[Bug]: Improper input validation in PublicPreviewController triggers internal server error · nextcloud/server#59229

2026-03-26T14:03:10.000Z

### ⚠️ This issue respects the following points: ⚠️ - [x] This is a **bug**, not a question or a configuration/webserver/proxy issue. - [x] This issue is **not** already reported on [Github](https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3Abug) OR [Nextcloud Community Forum](https://help.nextcloud.com/) _(I've searched it)_. - [x] Nextcloud Server **is** up to date. See [Maintenance and Release Schedule](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule) for supported versions. - [x] I agree to follow Nextcloud's [Code of Conduct](https://nextcloud.com/contribute/code-of-conduct/). ### Bug description An incomplete input validation in PublicPreviewController can trigger an internal server error. ### Steps to reproduce #### Case A 1. Create a public link for a folder 2. Send `GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}` 3. 💥 https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L123-L130 - Default for `$file` is an empty string. - `$file = $node->get('');` is still an Folder instance - getPreview expectes File #### Case B 1. Create a public link for a folder 2. Send `GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}?file=notexist.png&mimeFallback=1` 3. 💥 https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L122-L142 - `get` and `getPreview` both throw NotFoundException. - However the branch with mimetype fallback only works if the preview not exists, not if the node not exists. ### Expected behavior No internal server error

(1 留言) (0 反應) (0 負責人)PHP (34,953 star) (4,865 fork)batch import

0. Needs triage32-feedbackbugfeature: previews and thumbnailsfeature: sharinggood first issue

描述

⚠️ This issue respects the following points: ⚠️

This is a bug, not a question or a configuration/webserver/proxy issue.
This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
I agree to follow Nextcloud's Code of Conduct.

Bug description

An incomplete input validation in PublicPreviewController can trigger an internal server error.

Steps to reproduce

Case A

Create a public link for a folder
Send GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}
💥

https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L123-L130

Default for $file is an empty string.
$file = $node->get(''); is still an Folder instance
getPreview expectes File

Case B

Create a public link for a folder
Send GET https://server33.internal/index.php/apps/files_sharing/publicpreview/{token}?file=notexist.png&mimeFallback=1
💥

https://github.com/nextcloud/server/blob/7e9e1269a059ddfc7807f977707a1800e3a303e4/apps/files_sharing/lib/Controller/PublicPreviewController.php#L122-L142

get and getPreview both throw NotFoundException.
However the branch with mimetype fallback only works if the preview not exists, not if the node not exists.

Expected behavior

No internal server error

貢獻者指南

技術棧: php
領域: backendapi
議題類型: bug
難度: 3
預計時間: 1-3 hours
活動狀態: fresh
清晰度: clear
前置要求: Basic PHPFamiliarity with Nextcloud public sharingUnderstanding of exception handling
新手友善度: 75
研究方向: Investigate the PublicPreviewController.php file, particularly lines 122-142. The bug occurs when an empty $file parameter or a non existent file path is passed. The code should check if the node is a File instance before calling getPreview, and handle NotFoundException appropriately. Consider modifying the logic to return a proper error response instead of triggering an exception. Also, review the existing tests for public previews.