Ensure the password is only hashed in case it's changed on the client - fixes #19950

1 files changed, 11 insertions, 7 deletions

diff --git a/lib/private/share/share.php b/lib/private/share/share.php
index b015d7738b5..1b31df554cb 100644
--- a/lib/private/share/share.php
+++ b/lib/private/share/share.php
@@ -775,15 +775,19 @@ class Share extends Constants {
 					$updateExistingShare = true;
 				}
 
-				// Generate hash of password - same method as user passwords
-				if (is_string($shareWith) && $shareWith !== '') {
-					self::verifyPassword($shareWith);
-					$shareWith = \OC::$server->getHasher()->hash($shareWith);
+				// Generate hash of password if the password was changed on the client
+				if (isset($shareWith['passwordChanged']) && $shareWith['passwordChanged'] === 'true') {
+					$shareWith = $shareWith['password'];
+					if (is_string($shareWith) && $shareWith !== '') {
+						self::verifyPassword($shareWith);
+						$shareWith = \OC::$server->getHasher()->hash($shareWith);
+					}
 				} else {
-					// reuse the already set password, but only if we change permissions
-					// otherwise the user disabled the password protection
-					if ($checkExists && (int)$permissions !== (int)$oldPermissions) {
+					// reuse the existing password if it was not updated from the client
+					if ($updateExistingShare) {
 						$shareWith = $checkExists['share_with'];
+					} else {
+						$shareWith = '';
 					}
 				}