From 73bb3a22f63e0758056d2f28cf81e2b5563a5b99 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Tue, 28 Apr 2015 10:33:19 +0200
Subject: [PATCH 1/2] Password set via OCS API should not be double escaped
---
 lib/private/share/share.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/private/share/share.php b/lib/private/share/share.php
index 227a3d5a41..f22bd0c520 100644
--- a/lib/private/share/share.php
+++ b/lib/private/share/share.php
@@ -1218,7 +1218,7 @@ class Share extends \OC\Share\Constants {
 $qb->update('`*PREFIX*share`')
 ->set('`share_with`', ':pass')
 ->where('`id` = :shareId')
- ->setParameter(':pass', is_null($password) ? 'NULL' : $qb->expr()->literal(\OC::$server->getHasher()->hash($password)))
+ ->setParameter(':pass', is_null($password) ? 'NULL' : \OC::$server->getHasher()->hash($password))
 ->setParameter(':shareId', $shareId);
 $qb->execute();
From 02269b6464844696f4d33067f04640953dd6ec32 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Tue, 28 Apr 2015 14:00:36 +0200
Subject: [PATCH 2/2] Added unit test
---
 tests/lib/share/share.php | 46 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
diff --git a/tests/lib/share/share.php b/tests/lib/share/share.php
index 124ad450e2..cda895a437 100644
--- a/tests/lib/share/share.php
+++ b/tests/lib/share/share.php
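Review bot: The null branch of the changed `->setParameter(':pass', …)` line in lib/private/share/share.php still binds the string `'NULL'`. Because the value is passed as a bound parameter, clearing a password would store the four-character text NULL in `share_with` rather than a SQL NULL. Any code that decides from that column whether a link share is password-protected would presumably then see a non-empty value that no password verifies against; that consumer is outside the hunk, so this needs confirming. Binding a real null avoids it: `->setParameter(':pass', is_null($password) ? null : \OC::$server->getHasher()->hash($password))`. The enclosing method starts and ends outside the hunk.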
@@ -1158,6 +1158,52 @@ class Test_Share extends \Test\TestCase {
 \OC\Share\Share::setPassword($userSession, $connection, $config, 1, 'pass');
 }
+ public function testPasswords() {
+ $pass = 'secret';
+
+ $this->shareUserTestFileAsLink();
+
+ $userSession = \OC::$server->getUserSession();
+ $connection = \OC::$server->getDatabaseConnection();
+ $config = $this->getMockBuilder('\OCP\IConfig')
+ ->disableOriginalConstructor()
+ ->getMock();
+
+ // Find the share ID in the db
+ $qb = $connection->createQueryBuilder();
+ $qb->select('`id`')
+ ->from('`*PREFIX*share`')
+ ->where('`item_type` = :type')
+ ->andWhere('`item_source` = :source')
+ ->andWhere('`uid_owner` = :owner')
+ ->andWhere('`share_type` = :share_type')
+ ->setParameter('type', 'test')
+ ->setParameter('source', 'test.txt')
+ ->setParameter('owner', $this->user1)
+ ->setParameter('share_type', \OCP\Share::SHARE_TYPE_LINK);
+
+ $res = $qb->execute()->fetchAll();
+ $this->assertCount(1, $res);
+ $id = $res[0]['id'];
+
+ // Set password on share
+ $res = \OC\Share\Share::setPassword($userSession, $connection, $config, $id, $pass);
+ $this->assertTrue($res);
+
+ // Fetch the hash from the database
+ $qb = $connection->createQueryBuilder();
+ $qb->select('`share_with`')
+ ->from('`*PREFIX*share`')
+ ->where('`id` = :id')
+ ->setParameter('id', $id);
+ $hash = $qb->execute()->fetch()['share_with'];
+
+ $hasher = \OC::$server->getHasher();
+
+ // Verify hash
+ $this->assertTrue($hasher->verify($pass, $hash));
+ }
+
 /**
 * Test setting a password when everything is fine
 */
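Review bot: `testPasswords()` checks only the positive path, ending at `$this->assertTrue($hasher->verify($pass, $hash));`, so it never shows that a wrong password is rejected or that the stored value is not the plaintext. Adding `$this->assertNotSame($pass, $hash);` and `$this->assertFalse($hasher->verify('wrong', $hash));` after the existing assertion would pin both. The removal path is also untested: a second case that calls `setPassword(...)` with `null` and re-reads `share_with` would show what is actually written when a password is cleared. Whether the unconfigured `$config` mock allows a null password depends on `setPassword` code outside this hunk.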