Merge pull request #55977 from nextcloud/backport/55819/stable32

[stable32] fix(federation): Allow outgoing and incoming federation with oCIS federated cloud ids

apps/files_sharing/appinfo/info.xml

@@ -14,7 +14,7 @@
 Turning the feature off removes shared files and folders on the server for all share recipients, and also on the sync clients and mobile apps. More information is available in the Nextcloud Documentation.
 
 	</description>
-	<version>1.24.0</version>
+	<version>1.24.1</version>
 	<licence>agpl</licence>
 	<author>Michael Gapczynski</author>
 	<author>Bjoern Schiessle</author>

apps/files_sharing/composer/composer/autoload_classmap.php

@@ -81,6 +81,7 @@ return array(
     'OCA\\Files_Sharing\\Migration\\Version24000Date20220208195521' => $baseDir . '/../lib/Migration/Version24000Date20220208195521.php',
     'OCA\\Files_Sharing\\Migration\\Version24000Date20220404142216' => $baseDir . '/../lib/Migration/Version24000Date20220404142216.php',
     'OCA\\Files_Sharing\\Migration\\Version31000Date20240821142813' => $baseDir . '/../lib/Migration/Version31000Date20240821142813.php',
+    'OCA\\Files_Sharing\\Migration\\Version32000Date20251017081948' => $baseDir . '/../lib/Migration/Version32000Date20251017081948.php',
     'OCA\\Files_Sharing\\MountProvider' => $baseDir . '/../lib/MountProvider.php',
     'OCA\\Files_Sharing\\Notification\\Listener' => $baseDir . '/../lib/Notification/Listener.php',
     'OCA\\Files_Sharing\\Notification\\Notifier' => $baseDir . '/../lib/Notification/Notifier.php',

apps/files_sharing/composer/composer/autoload_static.php

@@ -96,6 +96,7 @@ class ComposerStaticInitFiles_Sharing
         'OCA\\Files_Sharing\\Migration\\Version24000Date20220208195521' => __DIR__ . '/..' . '/../lib/Migration/Version24000Date20220208195521.php',
         'OCA\\Files_Sharing\\Migration\\Version24000Date20220404142216' => __DIR__ . '/..' . '/../lib/Migration/Version24000Date20220404142216.php',
         'OCA\\Files_Sharing\\Migration\\Version31000Date20240821142813' => __DIR__ . '/..' . '/../lib/Migration/Version31000Date20240821142813.php',
+        'OCA\\Files_Sharing\\Migration\\Version32000Date20251017081948' => __DIR__ . '/..' . '/../lib/Migration/Version32000Date20251017081948.php',
         'OCA\\Files_Sharing\\MountProvider' => __DIR__ . '/..' . '/../lib/MountProvider.php',
         'OCA\\Files_Sharing\\Notification\\Listener' => __DIR__ . '/..' . '/../lib/Notification/Listener.php',
         'OCA\\Files_Sharing\\Notification\\Notifier' => __DIR__ . '/..' . '/../lib/Notification/Notifier.php',

apps/files_sharing/lib/Migration/Version32000Date20251017081948.php

@@ -0,0 +1,38 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Files_Sharing\Migration;
+
+use Closure;
+use OCP\DB\ISchemaWrapper;
+use OCP\Migration\Attributes\ColumnType;
+use OCP\Migration\Attributes\ModifyColumn;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+use Override;
+
+#[ModifyColumn(table: 'share_external', name: 'owner', type: ColumnType::STRING, description: 'Change length to 255 characters')]
+class Version32000Date20251017081948 extends SimpleMigrationStep {
+	/**
+	 * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper`
+	 */
+	#[Override]
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+		/** @var ISchemaWrapper $schema */
+		$schema = $schemaClosure();
+
+		$table = $schema->getTable('share_external');
+		$column = $table->getColumn('owner');
+		if ($column->getLength() < 255) {
+			$column->setLength(255);
+			return $schema;
+		}
+		return null;
+	}
+}

lib/private/Federation/CloudIdManager.php

@@ -108,7 +108,7 @@ class CloudIdManager implements ICloudIdManager {
 			// We accept slightly more chars when working with federationId than with a local userId.
 			// We remove those eventual chars from the UserId before using
 			// the IUserManager API to confirm its format.
-			$this->userManager->validateUserId(str_replace('=', '-', $user));
+			$this->validateUser($user, $remote);
 
 			if (!empty($user) && !empty($remote)) {
 				$remote = $this->ensureDefaultProtocol($remote);
@@ -118,6 +118,36 @@ class CloudIdManager implements ICloudIdManager {
 		throw new \InvalidArgumentException('Invalid cloud id');
 	}
 
+	protected function validateUser(string $user, string $remote): void {
+		// Check the ID for bad characters
+		// Allowed are: "a-z", "A-Z", "0-9", spaces and "_.@-'" (Nextcloud)
+		// Additional: "=" (oCIS)
+		if (preg_match('/[^a-zA-Z0-9 _.@\-\'=]/', $user)) {
+			throw new \InvalidArgumentException('Invalid characters');
+		}
+
+		// No empty user ID
+		if (trim($user) === '') {
+			throw new \InvalidArgumentException('Empty user');
+		}
+
+		// No whitespace at the beginning or at the end
+		if (trim($user) !== $user) {
+			throw new \InvalidArgumentException('User contains whitespace at the beginning or at the end');
+		}
+
+		// User ID only consists of 1 or 2 dots (directory traversal)
+		if ($user === '.' || $user === '..') {
+			throw new \InvalidArgumentException('User must not consist of dots only');
+		}
+
+		// User ID is too long
+		if (strlen($user . '@' . $remote) > 255) {
+			// TRANSLATORS User ID is too long
+			throw new \InvalidArgumentException('Cloud id is too long');
+		}
+	}
+
 	public function getDisplayNameFromContact(string $cloudId): ?string {
 		$cachedName = $this->displayNameCache->get($cloudId);
 		if ($cachedName !== null) {