Make configurable length of shared link token #419

Closed
savely-krasovsky opened this issue Jul 15, 2016 · 11 comments · Fixed by #47265
Comments

@savely-krasovsky

savely-krasovsky commented Jul 15, 2016

For example now, I have this:
l33t.host/s/CpjUhnJuFEyMQzn

And we can have this:
l33t.host/s/AvJHo

But it's my personal service for maybe 1000 or 10000 (max!) shared files.
And for this aim even 4-5 characters are enough. Why 15?

In ownCloud we don't have theming; now we have it, and it's very cool. So why not?

@MariusBluem
Member

> But it's my personal service for maybe 1000 or 10000 (max!) shared files.

You are right, but there are some other users using more than 1000 files and shares 😜 I think shortening the URL makes sense anyway. An option to personalize the URLs would be nice. I think of something like l33t.host/s/pictures-of-party.

If the URL is too long for your use (e.g. Twitter) you could also shrink the URL with a service like goo.gl 😉

@savely-krasovsky
Author

savely-krasovsky commented Jul 16, 2016

@Mar1u5 okay, let's use simple math.
We have a common formula for combinations:

$$ \binom{n}{k} = \frac{n!}{k!\,(n-k)!} $$

where n = 52 (count of letters in the Latin alphabet: lowercase + uppercase) and k is the length of our token.
So now let's calculate:
For 4 symbols:

$$ \binom{52}{4} = \frac{52!}{4!\,48!} = 270\,725 $$

For 5 symbols:

$$ \binom{52}{5} = \frac{52!}{5!\,47!} = 2\,598\,960 $$

For 6 symbols:

$$ \binom{52}{6} = \frac{52!}{6!\,46!} = 20\,358\,520 $$

If you are really so scared of some strange users that are using over 20 million shared links (LOL), just set 6+ symbols by default. But for me even THREE symbols is enough (22 100 combinations!).

Now we have 15 symbols for 4 481 381 406 320 combinations. Almost 5 trillion? Really? Why?

@rullzer
Member

rullzer commented Jul 16, 2016

It is not only about the number of possible shares. It is also about security. You don't want people to be able to guess your tokens.

@savely-krasovsky
Author

savely-krasovsky commented Jul 16, 2016

@rullzer okay, we can show people some notices about security and set 15 by default.
And I don't understand: if you already create a SHARED link WITHOUT a password, you shouldn't be scared about security... Or should you?.. Sorry, it's illogical to me.

PS. Sorry for my bad English...

@rullzer
Member

rullzer commented Jul 17, 2016

Well a password is yet another thing to distribute.

With 15 tokens you are fairly safe from somebody even finding a link that works. It is all about reducing the attack vector.

@savely-krasovsky
Author

savely-krasovsky commented Jul 17, 2016

@rullzer I understand that it's reducing. But it's not the "critical security point"; it's just a little plus to security. I think it should be customizable with some notices. Why do I have to use goo.gl, bit.ly and other such services if I already have a short domain name that is enough for me?

I use Nextcloud with ShareX for quickly creating gifs, screenshots, videos, etc. An indispensable thing (just try it!). And I always get those long links! This is the only negative.

@MariusBluem
Member

If you already have a short domain name, https://yourls.org could be a workaround ... this is for hosting your own URL shortener. Maybe you could also develop a proper integration as an app 😉

@rullzer
Member

rullzer commented Jul 17, 2016

I get that it is one of those things that is nice to have, but it is another configuration variable in the matrix, with the potential downside of exposed data if people mess up (and people will mess up).

I agree with @Mar1u5 that an app that does shortening would be better.

@savely-krasovsky
Author

savely-krasovsky commented Jul 17, 2016

@Mar1u5 thanks for the idea with yourls.org. Just installed it on my server. With ShareX I automated it:
image

@ernolf
Contributor

ernolf commented Aug 15, 2024

Hi @savely-krasovsky,

You made some errors and unfortunately no one has noticed them yet.

> okay, let's use simple math.

Your math is not simple enough 😉

The character set is A-Z, a-z, and 0-9. This totals 62 characters (26 uppercase + 26 lowercase + 10 digits).
The character set is CHAR_HUMAN_READABLE:

```php
public const CHAR_HUMAN_READABLE = 'abcdefgijkmnopqrstwxyzABCDEFGHJKLMNPQRSTWXYZ23456789';
```

This totals 52 characters.

The formula you used:

$$ \binom{52}{4} = \frac{52!}{4! \times 48!} = 270,725 $$

is for calculating the number of ways to choose 4 distinct items from a set of 52 without regard to order. This formula assumes that each character can only be used once. This calculation is correct for determining combinations when items cannot be repeated and the order does not matter.

But since in this case the string can be filled by any of the 52 characters with repetition allowed, the correct formula to calculate the number of possible combinations is

$$ k^n $$

where

  • $k$ is the number of available characters (52 in this case).
  • $n$ is the length of the string (4 in this example).

Calculation: $52^4$ = 7,311,616 possible variations

and for the others:

Tokenlength = 5
wrong:

$$ \binom{52}{5} = \frac{52!}{5! \times 47!} = 2,598,960 $$

correct: $52^5$ = 380,204,032 possible variations

Tokenlength = 6
wrong:

$$ \binom{52}{6} = \frac{52!}{6! \times 46!} = 20,358,520 $$

correct: $52^6$ = 19,770,609,664 possible variations


and here some more:

  • Tokenlength = 7 = $52^7$ = 1,028,071,702,528 possible variations

  • Tokenlength = 8 = $52^8$ = 53,459,728,531,456 possible variations

  • Tokenlength = 9 = $52^9$ = 2,779,905,883,635,712 possible variations

  • Tokenlength = 10 = $52^{10}$ = 144,555,105,949,057,024 possible variations

  • Tokenlength = 11 = $52^{11}$ = 7,516,865,509,350,965,248 possible variations

  • Tokenlength = 12 = $52^{12}$ = 390,877,006,486,250,192,896 possible variations

  • Tokenlength = 13 = $52^{13}$ = 20,325,604,337,285,010,030,592 possible variations

  • Tokenlength = 14 = $52^{14}$ = 1,056,931,425,538,820,521,590,784 possible variations

  • Tokenlength = 15 (This is the default)
    $52^{15}$ = 54,960,434,128,018,667,122,720,768 possible variations

  • Tokenlength = 16 = $52^{16}$ = 2,857,942,574,656,970,690,381,479,936 possible variations

  • Tokenlength = 17 = $52^{17}$ = 148,613,013,882,162,475,899,836,956,672 possible variations

  • Tokenlength = 18 = $52^{18}$ = 7,727,876,721,872,448,746,791,521,746,944 possible variations

  • Tokenlength = 19 = $52^{19}$ = 401,849,589,537,367,334,833,159,130,841,088 possible variations

  • Tokenlength = 20 = $52^{20}$ = 20,896,178,655,943,101,411,324,274,803,736,576 possible variations

and just f.y.i., the maximum possible

  • Tokenlength = 32 = $52^{32}$ = 8,167,835,760,036,914,488,254,418,108,462,708,901,695,678,621,570,564,096 possible variations

I would classify the use of URL shortening services as a much greater security risk.


ernolf
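
Added example (not from this thread and not Nextcloud's code): the keyspace, entropy and guess-probability figures behind the correction above, computed over the CHAR_HUMAN_READABLE alphabet quoted in the comment; `generate_token` is an illustrative generator using `secrets`, not the project's implementation.

```python
import math
import secrets

# Alphabet quoted in the thread (52 characters; confusable glyphs such as 0/O/1/l/I are absent).
CHAR_HUMAN_READABLE = 'abcdefgijkmnopqrstwxyzABCDEFGHJKLMNPQRSTWXYZ23456789'


def keyspace(length: int, alphabet: str = CHAR_HUMAN_READABLE) -> int:
    """Distinct tokens of this length: every position may hold any character, so k**n."""
    return len(alphabet) ** length


def combinations_without_repetition(length: int, alphabet: str = CHAR_HUMAN_READABLE) -> int:
    """The earlier comment's figure, C(52, n): too small because it forbids repeated characters."""
    return math.comb(len(alphabet), length)


def entropy_bits(length: int, alphabet: str = CHAR_HUMAN_READABLE) -> float:
    """Entropy of a uniformly random token in bits: n * log2(k)."""
    return length * math.log2(len(alphabet))


def guess_hit_probability(active_shares: int, length: int,
                          alphabet: str = CHAR_HUMAN_READABLE) -> float:
    """Chance that one uniformly random guess lands on any currently valid share.

    This is what 'you don't want people to be able to guess your tokens' comes down to:
    the risk scales with the number of live shares divided by the keyspace.
    """
    return active_shares / keyspace(length, alphabet)


def generate_token(length: int, alphabet: str = CHAR_HUMAN_READABLE) -> str:
    """Illustrative generator: a CSPRNG (secrets) is required; random.choice would be predictable."""
    return ''.join(secrets.choice(alphabet) for _ in range(length))


if __name__ == '__main__':
    for n in (4, 5, 6, 15):
        print(f"n={n:2d}  C(52,n)={combinations_without_repetition(n):,}  "
              f"52^n={keyspace(n):,}  entropy={entropy_bits(n):.1f} bits  "
              f"P(hit | 10,000 shares)={guess_hit_probability(10_000, n):.3g}")
    print(generate_token(15))
```

With 10,000 live shares and 4-character tokens, roughly one random guess in 731 hits a valid share; at the 15-character default the same figure is below 1e-21.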

@savely-krasovsky
Author

savely-krasovsky commented Aug 15, 2024

Thanks for the clarification, I would agree now after 8 years, especially after working for 3 years in information security :D
