feat: release 10.16.3 (#41559)

* fix(security): OC10-75 - restrict AppConfigController read methods to full admins only (#41550)

* fix(security): restrict AppConfigController read methods to full admins only

OC10-75: Subadmins could read all oc_appconfig values including SMTP
passwords and LDAP credentials via getApps/getKeys/getValue endpoints.
Remove @NoAdminRequired so AdminMiddleware enforces full-admin-only access,
consistent with the write methods.

CVSS: 7.7
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix: replace OC.AppConfig.getValue in users.js with server-rendered checkbox state

The umgmt_set_password value is already rendered server-side into
#CheckBoxPasswordOnUserCreate's checked attribute. Remove the redundant
AJAX call which would now return 403 for Subadmins after the security fix.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* chore: add changelog entry for OC10-75 (#41550)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

---------

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(comments): prevent IDOR in WebDAV comments API (#41558)

* test(comments): stub objectType/objectId in EntityCollection happy-path tests

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* test(comments): add failing IDOR regression tests for EntityCollection

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix(comments): prevent IDOR in WebDAV comments API by checking comment ownership

An authenticated user could PROPFIND/DELETE/PROPPATCH any comment by
supplying an arbitrary comment_id paired with any file_id they own.
EntityCollection::getChild() and childExists() now verify that the
fetched comment's objectType and objectId match the collection's own
entity type and file ID before returning or confirming the node.

Fixes OC10-53

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* docs: add changelog entry for OC10-53 IDOR fix in WebDAV comments API

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

---------

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): update phpseclib/phpseclib to 3.0.52 for CVE-2026-40194

CVE-2026-40194: timing attack in SSH binary packet processing fixed in 3.0.51.
Also picks up 3.0.52 correctness fixes (ASN.1 hardening, OpenSSL 3.2+ RSA compat).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix(security): update symfony/routing to 5.4.52 for CVE-2026-45065

CVE-2026-45065: UrlGenerator regex alternation anchoring bypass allowing
off-site URL injection via route requirement validation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix: check for the identifier alias for the storage backend (#41538)

* fix: check for the identifier alias for the storage backend

* test: add unit tests to local external storage

* chore: add changelog entry

* fix: move backend checks to a different place

* fix: adjust unit tests

* fix: visibility for local storage for the admin based on flag

Without the visibility, the admin won't be able to create local
storages, and the previously created local mounts will be hidden and
inaccessible

* fix: review comments

* fix: remove user mounting check in controller and rely on validation

* fix: adjust code based on reviews

(cherry picked from commit 5c7dfc0)
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix: use the right user id when changing the email (#41539)

* fix: use the right user id when changing the email

* test: adjust unit test to ensure the mail is set for the user2

Previously, the test only used one user, so it was difficult to verify
that the mail was changed for the user2 instead of user1

* docs: add changelog entry for PR #41539

* fix: include test to ensure the mail of the caller isn't changed

---------

Co-authored-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
(cherry picked from commit 3ff2884)
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* chore: add changelog for 10.16.3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* ci: fix lint pipeline and sync with master

* chore: set version properly and generate changelog

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

---------

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Juan Pablo Villafañez <jpvillafanez@izertis.com>

Author: 3 people

.github/workflows/lint-and-codestyle.yml

@@ -59,16 +59,3 @@ jobs:
       - name: Run PHP Phan
         run: |
           make test-php-phan
-
-  git-commit-messages:
-    name: Git Commit Messages
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Validate commit messages
-        uses: docker://aevea/commitsar:latest
-

CHANGELOG.md

@@ -1,5 +1,6 @@
 # Table of Contents
 
+* [Changelog for 10.16.3](#changelog-for-owncloud-core-10163-2026-05-22)
 * [Changelog for 10.16.2](#changelog-for-owncloud-core-10162-2026-04-02)
 * [Changelog for 10.16.1](#changelog-for-owncloud-core-10161-2026-02-18)
 * [Changelog for 10.16.0](#changelog-for-owncloud-core-10160-2025-10-23)
@@ -27,6 +28,77 @@
 * [Changelog for 10.4.1](#changelog-for-owncloud-core-1041-2020-03-30)
 * [Changelog for 10.4.0](#changelog-for-owncloud-core-1040-2020-02-10)
 * [Changelog for 10.3.2](#changelog-for-owncloud-core-1032-2019-12-04)
+# Changelog for ownCloud Core [10.16.3] (2026-05-22)
+
+The following sections list the changes in ownCloud core 10.16.3 relevant to
+ownCloud admins and users.
+
+[10.16.3]: https://github.com/owncloud/core/compare/v10.16.2...v10.16.3
+
+## Summary
+
+* Security - Update phpseclib to 3.0.52 for CVE-2026-40194: [#41529](https://github.com/owncloud/core/pull/41529)
+* Security - Restrict AppConfigController read methods to full admins only: [#41550](https://github.com/owncloud/core/pull/41550)
+* Security - Update symfony/routing to 5.4.52 for CVE-2026-45065: [#41559](https://github.com/owncloud/core/pull/41559)
+* Bugfix - Prevent mounting local storage if not allowed: [#41538](https://github.com/owncloud/core/pull/41538)
+* Bugfix - Use the correct user ID when changing email via admin API: [#41539](https://github.com/owncloud/core/pull/41539)
+* Bugfix - Prevent IDOR in WebDAV comments API: [#41558](https://github.com/owncloud/core/pull/41558)
+
+## Details
+
+* Security - Update phpseclib to 3.0.52 for CVE-2026-40194: [#41529](https://github.com/owncloud/core/pull/41529)
+
+   CVE-2026-40194: Timing attack vulnerability in SSH binary packet processing.
+   Upgraded phpseclib/phpseclib from 3.0.50 to 3.0.52.
+
+   https://github.com/owncloud/core/pull/41529
+   https://github.com/owncloud/core/pull/41541
+   https://github.com/phpseclib/phpseclib/releases/tag/3.0.51
+
+* Security - Restrict AppConfigController read methods to full admins only: [#41550](https://github.com/owncloud/core/pull/41550)
+
+   Subadmin users could read all oc_appconfig values including SMTP passwords, LDAP
+   bind credentials, and encryption master keys via the Settings API. Removed
+   @NoAdminRequired from getApps, getKeys, and getValue so that the AdminMiddleware
+   enforces full-admin-only access, consistent with the write methods.
+
+   https://github.com/owncloud/core/pull/41550
+
+* Security - Update symfony/routing to 5.4.52 for CVE-2026-45065: [#41559](https://github.com/owncloud/core/pull/41559)
+
+   CVE-2026-45065: UrlGenerator route-requirement bypass via unanchored regex
+   alternation allowing off-site URL injection. Upgraded symfony/routing from
+   5.4.48 to 5.4.52.
+
+   https://github.com/owncloud/core/pull/41559
+   https://symfony.com/cve-2026-45065
+
+* Bugfix - Prevent mounting local storage if not allowed: [#41538](https://github.com/owncloud/core/pull/41538)
+
+   Mounting a local storage was possible if the internal class name was used as
+   backend, despite local storage not allowed to be mounted. This problem is fixed
+   and the local storage can't be mounted if it was explicitly disallowed in the
+   configuration.
+
+   https://github.com/owncloud/core/pull/41538
+
+* Bugfix - Use the correct user ID when changing email via admin API: [#41539](https://github.com/owncloud/core/pull/41539)
+
+   The admin API endpoint for changing a user's email address was incorrectly using
+   the requesting admin's user ID instead of the target user's ID, causing the
+   admin's email to be updated rather than the intended user's.
+
+   https://github.com/owncloud/core/pull/41539
+
+* Bugfix - Prevent IDOR in WebDAV comments API: [#41558](https://github.com/owncloud/core/pull/41558)
+
+   Authenticated users could read, edit, or delete comments on files they have no
+   access to by supplying an arbitrary comment ID in the WebDAV comments endpoint.
+   The fix verifies that a requested comment belongs to the file in the URL before
+   returning it.
+
+   https://github.com/owncloud/core/pull/41558
+
 # Changelog for ownCloud Core [10.16.2] (2026-04-02)
 
 The following sections list the changes in ownCloud core 10.16.2 relevant to

apps/comments/lib/Dav/EntityCollection.php

@@ -98,6 +98,10 @@ public function getId() {
 	public function getChild($name) {
 		try {
 			$comment = $this->commentsManager->get($name);
+			// objectType/objectId identify the entity (e.g. file) the comment is attached to
+			if ($comment->getObjectType() !== $this->name || $comment->getObjectId() !== $this->id) {
+				throw new NotFound();
+			}
 			return new CommentNode(
 				$this->commentsManager,
 				$comment,
@@ -151,8 +155,10 @@ public function findChildren($limit = 0, $offset = 0, \DateTime $datetime = null
 	 */
 	public function childExists($name) {
 		try {
-			$this->commentsManager->get($name);
-			return true;
+			$comment = $this->commentsManager->get($name);
+			// objectType/objectId identify the entity (e.g. file) the comment is attached to
+			return $comment->getObjectType() === $this->name
+				&& $comment->getObjectId() === $this->id;
 		} catch (NotFoundException $e) {
 			return false;
 		}

apps/comments/tests/unit/Dav/EntityCollectionTest.php

@@ -70,10 +70,14 @@ public function testGetId(): void {
 	}
 
 	public function testGetChild(): void {
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('files');
+		$comment->method('getObjectId')->willReturn('19');
+
 		$this->commentsManager->expects($this->once())
 			->method('get')
 			->with('55')
-			->will($this->returnValue($this->createMock(IComment::class)));
+			->willReturn($comment);
 
 		$node = $this->collection->getChild('55');
 		$this->assertInstanceOf(\OCA\Comments\Dav\CommentNode::class, $node);
@@ -118,6 +122,15 @@ public function testFindChildren(): void {
 	}
 
 	public function testChildExistsTrue(): void {
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('files');
+		$comment->method('getObjectId')->willReturn('19');
+
+		$this->commentsManager->expects($this->once())
+			->method('get')
+			->with('44')
+			->willReturn($comment);
+
 		$this->assertTrue($this->collection->childExists('44'));
 	}
 
@@ -129,4 +142,60 @@ public function testChildExistsFalse(): void {
 
 		$this->assertFalse($this->collection->childExists('44'));
 	}
+
+	public function testGetChildWrongFile(): void {
+		$this->expectException(\Sabre\DAV\Exception\NotFound::class);
+
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('files');
+		$comment->method('getObjectId')->willReturn('999'); // different file
+
+		$this->commentsManager->expects($this->once())
+			->method('get')
+			->with('55')
+			->willReturn($comment);
+
+		$this->collection->getChild('55');
+	}
+
+	public function testGetChildWrongObjectType(): void {
+		$this->expectException(\Sabre\DAV\Exception\NotFound::class);
+
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('albums'); // wrong type
+		$comment->method('getObjectId')->willReturn('19');
+
+		$this->commentsManager->expects($this->once())
+			->method('get')
+			->with('55')
+			->willReturn($comment);
+
+		$this->collection->getChild('55');
+	}
+
+	public function testChildExistsWrongFile(): void {
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('files');
+		$comment->method('getObjectId')->willReturn('999'); // different file
+
+		$this->commentsManager->expects($this->once())
+			->method('get')
+			->with('44')
+			->willReturn($comment);
+
+		$this->assertFalse($this->collection->childExists('44'));
+	}
+
+	public function testChildExistsWrongObjectType(): void {
+		$comment = $this->createMock(IComment::class);
+		$comment->method('getObjectType')->willReturn('albums'); // wrong type
+		$comment->method('getObjectId')->willReturn('19');
+
+		$this->commentsManager->expects($this->once())
+			->method('get')
+			->with('44')
+			->willReturn($comment);
+
+		$this->assertFalse($this->collection->childExists('44'));
+	}
 }

apps/files_external/lib/Controller/GlobalStoragesController.php

@@ -86,15 +86,10 @@ public function create(
 		$applicableGroups,
 		$priority
 	) {
-		$canCreateNewLocalStorage = \OC::$server->getConfig()->getSystemValue('files_external_allow_create_new_local', false);
-
-		if ($backend === 'local' && $canCreateNewLocalStorage === false) {
-			return new DataResponse(
-				null,
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
+		// NOTE: files_external_allow_create_new_local is checked during backend
+		// registration, and it will remove the related storage visibility
+		// if applicable. If the storage isn't visible, the `validate` method
+		// will fail.
 		$newStorage = $this->createStorage(
 			$mountPoint,
 			$backend,

apps/files_external/lib/Controller/StoragesController.php

@@ -183,7 +183,7 @@ protected function validate(IStorageConfig $storage) {
 						$backend->getIdentifier()
 					])
 				],
-				Http::STATUS_UNPROCESSABLE_ENTITY
+				Http::STATUS_FORBIDDEN
 			);
 		}
 		if (!$authMechanism->isVisibleFor($this->service->getVisibilityType())) {
@@ -194,7 +194,7 @@ protected function validate(IStorageConfig $storage) {
 						$authMechanism->getIdentifier()
 					])
 				],
-				Http::STATUS_UNPROCESSABLE_ENTITY
+				Http::STATUS_FORBIDDEN
 			);
 		}
 
@@ -308,7 +308,7 @@ public function show($id, $testOnly = true) {
 		} catch (NotFoundException $e) {
 			return new DataResponse(
 				[
-					'message' => (string)$this->l10n->t('Storage with id "%i" not found', [$id])
+					'message' => (string)$this->l10n->t('Storage with id "%d" not found', [$id])
 				],
 				Http::STATUS_NOT_FOUND
 			);
@@ -335,7 +335,7 @@ public function destroy($id) {
 		} catch (NotFoundException $e) {
 			return new DataResponse(
 				[
-					'message' => (string)$this->l10n->t('Storage with id "%i" not found', [$id])
+					'message' => (string)$this->l10n->t('Storage with id "%d" not found', [$id])
 				],
 				Http::STATUS_NOT_FOUND
 			);

apps/files_external/lib/Controller/UserStoragesController.php

@@ -31,7 +31,6 @@
 use OCP\Files\External\IStorageConfig;
 use OCP\Files\External\NotFoundException;
 use OCP\Files\External\Service\IUserStoragesService;
-use OCP\IConfig;
 use OCP\IL10N;
 use OCP\ILogger;
 use OCP\IRequest;
@@ -45,15 +44,13 @@ class UserStoragesController extends StoragesController {
 	 * @var IUserSession
 	 */
 	private $userSession;
-	private IConfig $config;
 
 	public function __construct(
 		$AppName,
 		IRequest $request,
 		IL10N $l10n,
 		IUserStoragesService $userStoragesService,
 		IUserSession $userSession,
-		IConfig $config,
 		ILogger $logger
 	) {
 		parent::__construct(
@@ -64,7 +61,6 @@ public function __construct(
 			$logger
 		);
 		$this->userSession = $userSession;
-		$this->config = $config;
 	}
 
 	protected function manipulateStorageConfig(IStorageConfig $storage) {
@@ -82,12 +78,6 @@ protected function manipulateStorageConfig(IStorageConfig $storage) {
 	 * @return DataResponse
 	 */
 	public function index() {
-		if (!$this->isUserMountingAllowed()) {
-			return new DataResponse(
-				null,
-				Http::STATUS_FORBIDDEN
-			);
-		}
 		return parent::index();
 	}
 
@@ -122,20 +112,11 @@ public function create(
 		$backendOptions,
 		$mountOptions
 	) {
-		if (!$this->isUserMountingAllowed()) {
-			return new DataResponse(
-				null,
-				Http::STATUS_FORBIDDEN
-			);
-		}
-		$canCreateNewLocalStorage = \OC::$server->getConfig()->getSystemValue('files_external_allow_create_new_local', false);
-		if ($backend === 'local' && $canCreateNewLocalStorage === false) {
-			return new DataResponse(
-				null,
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
+		// NOTE: local backend isn't allowed for regular users regardless
+		// of the value of files_external_allow_create_new_local. The backend
+		// won't be visible for regular users, so the `validate` method will fail.
+		// Only admins can create local storages (if files_external_allow_create_new_local
+		// is true)
 		$newStorage = $this->createStorage(
 			$mountPoint,
 			$backend,
@@ -188,12 +169,6 @@ public function update(
 		$mountOptions,
 		$testOnly = true
 	) {
-		if (!$this->isUserMountingAllowed()) {
-			return new DataResponse(
-				null,
-				Http::STATUS_FORBIDDEN
-			);
-		}
 		$storage = $this->createStorage(
 			$mountPoint,
 			$backend,
@@ -241,17 +216,6 @@ public function update(
 	 * {@inheritdoc}
 	 */
 	public function destroy($id) {
-		if (!$this->isUserMountingAllowed()) {
-			return new DataResponse(
-				null,
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
 		return parent::destroy($id);
 	}
-
-	private function isUserMountingAllowed(): bool {
-		return $this->config->getAppValue('files_external', 'allow_user_mounting', 'no') === 'yes';
-	}
 }