Public links creation - brute forcing potential?


Do public links exist for all files automatically, or are the URLs only created when clicking “Copy public link” (when requesting a public link)?

If public links exist for all files automatically, isn’t it possible for someone to brute-force URLs in order to access files?

I am hoping public links are only accessible when requested. :blush:

Thank you

I think not. In my case:

15 characters (upper, lower, numbers): e.g. bxjQSHgH45HEQQ4

26+26+10 = 62

62^15 = 7,689*10^26

But I am not a programmer and not a hacker. :wink:

I think the problem is more the e-mail in which you send the link to other people.
It can make sense to use an additional password and send it through another way, e.g. WhatsApp. It can also make sense to use different users on the Nextcloud, e.g. with the Guests app.

Or the computers of sender and receiver were hacked. Then nothing helps you. Because e.g. Emotet only works on Windows, perhaps a change to another operating system like Linux or MacOS helps you.

I think you’re right - that is a lot of possibilities…

But do public links already exist for each file, or only when I request one?

They are only generated when you create them…

Do you or someone else know the position in the Nextcloud code?

Thank you. Would be interested to know where this code is located as @devnull mentioned.