Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
In some workflows, an attempt to configure a password protected link fails, leaving the share valid yet unprotected.
On mobile (Android), a temporary notification is displayed, after which it disappears within seconds. On some mobile platforms (such as in my own case, prompting this report), floating action buttons obscure the message so it is hidden from the user at the time of failure.
On the web browser, the warning is permanent (requires dismissal) and more prominent. However, in some circumstances a user may still miss the message, for example by closing the browser window too quickly.
The end result of this common workflow is that sensitive data, intended to be password protected, may be accessible through a publicly disclosed link until the mistake is noticed.
Steps to reproduce
- Create a new share link
- Customize link
- Set password = 123
- Note transient nature of the failure notification
- Customize link
- Note that 'Set password' checkbox is set, but password field is blank.
In essence, by this method of enforcing good password standards, a blank password is allowed.
Expected behavior
Mitigations:
- Permanent high priority notification of the `Set Password` failure in the menu bar notification area
- Use random password rather than blank password as the failure mode default value
Expected behavior:
- The shared link is invalidated if a password attempt was made, but failed. The link should remain invalid for as long as the `Set Password` checkbox is set but the value does not meet minimum security requirements.
Installation method
Community Docker image
Nextcloud Server version
28
Operating system
Other
PHP engine version
PHP 8.2
Web server
Nginx
Database engine version
PostgreSQL
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
No response
List of activated Apps
No response
Nextcloud Signing status
No response
Nextcloud Logs
No response
Additional info
No response
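The fail-closed behaviour requested under "Expected behavior", as an added example: this is a stand-alone Python model, not Nextcloud's code and not part of the original report. The `Share` class, the function names and the length-only policy (`MIN_LENGTH`) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MIN_LENGTH = 10  # assumed policy threshold, not a value from the issue


@dataclass
class Share:
    token: str
    password_requested: bool = False   # state of the 'Set password' checkbox
    salt: bytes = b""
    verifier: Optional[bytes] = None   # None means no password was ever stored


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(share: Share, password: str) -> bool:
    """Record the owner's intent first; store a verifier only if the policy passes."""
    share.password_requested = True
    if len(password) < MIN_LENGTH:     # hypothetical policy: length only
        share.verifier = None          # rejected: nothing stored, intent remains
        return False
    share.salt = os.urandom(16)
    share.verifier = _derive(password, share.salt)
    return True


def can_access(share: Share, supplied: Optional[str], fail_closed: bool = True) -> bool:
    """Decide whether a visitor holding the link may open the share."""
    if share.verifier is None:
        # Protection was requested but never took effect.
        if share.password_requested and fail_closed:
            return False               # link stays invalid until a valid password is set
        return True                    # public link, or the fail-open case from the report
    if supplied is None:
        return False
    return hmac.compare_digest(_derive(supplied, share.salt), share.verifier)
```

Calling `can_access(..., fail_closed=False)` after a rejected `set_password` models the state the report describes: checkbox set, no password stored, link still served.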