Skip to content

[stable33] fix(security): don't propagate ValueError from Crypto::decrypt() fallback#61104

Merged
AndyScherzinger merged 1 commit into
stable33from
backport/60735/stable33
Jun 17, 2026
Merged

[stable33] fix(security): don't propagate ValueError from Crypto::decrypt() fallback#61104
AndyScherzinger merged 1 commit into
stable33from
backport/60735/stable33

Conversation

@backportbot

@backportbot backportbot Bot commented Jun 9, 2026

Copy link
Copy Markdown

Backport of PR #60735

@miaulalala @backportbot
fix(security): don't propagate ValueError from Crypto::decrypt() fall…
0cff2cd 
…back

When decrypting a v3 ciphertext with a mismatched secret, the first
attempt throws an Exception (HMAC mismatch). The fallback then calls
decryptWithoutSecret() with an empty string, which causes hash_hkdf()
to throw a ValueError. Since ValueError extends \Error rather than
\Exception, it bypassed the catch block and propagated as an unhandled
error, crashing the whole request.

Wrap the fallback in its own try/catch(\Throwable) and rethrow the
original Exception so callers get a meaningful HMAC mismatch error.

Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@backportbot backportbot Bot requested a review from a team as a code owner June 9, 2026 13:15
@backportbot backportbot Bot requested review from ArtificialOwl, CarlSchwan, come-nc, icewind1991, miaulalala, nickvergessen and provokateurin and removed request for a team June 9, 2026 13:15
@backportbot backportbot Bot added this to the Nextcloud 33.0.6 milestone Jun 9, 2026
@AndyScherzinger AndyScherzinger merged commit 82fc3b1 into stable33 Jun 17, 2026
177 of 185 checks passed
@AndyScherzinger AndyScherzinger deleted the backport/60735/stable33 branch June 17, 2026 17:10
@nextcloud-bot nextcloud-bot mentioned this pull request Jun 17, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickvergessen nickvergessen nickvergessen approved these changes

@miaulalala miaulalala miaulalala approved these changes

@come-nc come-nc Awaiting requested review from come-nc

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl ArtificialOwl is a code owner automatically assigned from nextcloud/server-backend

@icewind1991 icewind1991 Awaiting requested review from icewind1991 icewind1991 is a code owner automatically assigned from nextcloud/server-backend

@CarlSchwan CarlSchwan Awaiting requested review from CarlSchwan CarlSchwan is a code owner automatically assigned from nextcloud/server-backend

@provokateurin provokateurin Awaiting requested review from provokateurin provokateurin is a code owner automatically assigned from nextcloud/server-backend

Assignees

@miaulalala miaulalala

Labels

3. to review Waiting for reviews 34-feedback AI assisted bug regression

Projects

None yet

Milestone

Nextcloud 33.0.6

Development

Successfully merging this pull request may close these issues.

3 participants

@nickvergessen @miaulalala @AndyScherzinger