nextcloud · CarlSchwan · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026
@@ -569,7 +569,10 @@ private function getFile(IUser $user, int $fileSource): array {
 			$file = null;
 		}
 		$args = Filesystem::is_dir($file) ? ['dir' => $file] : ['dir' => dirname($file), 'scrollto' => $file];
-		$link = Util::linkToAbsolute('files', 'index.php', $args);
+		$urlGenerator = Server::get(IURLGenerator::class);
+		$link = $urlGenerator->getAbsoluteURL(
+			$urlGenerator->linkTo('files', 'index.php', $args)
+		);
 
 		return [$file, $link];
 	}

@@ -58,7 +58,7 @@ public function getForm() {
 			'restrictUserEnumerationFullMatchDisplayname' => $this->shareManager->matchDisplayName(),
 			'restrictUserEnumerationFullMatchEmail' => $this->shareManager->matchEmail(),
 			'restrictUserEnumerationFullMatchIgnoreSecondDN' => $this->shareManager->ignoreSecondDisplayName(),
-			'enforceLinksPassword' => Util::isPublicLinkPasswordRequired(false),
+			'enforceLinksPassword' => $this->shareManager->shareApiLinkEnforcePassword(false),
 			'enforceLinksPasswordExcludedGroups' => json_decode($excludedPasswordGroups) ?? [],
 			'enforceLinksPasswordExcludedGroupsEnabled' => $this->config->getSystemValueBool('sharing.allow_disabled_password_enforcement_groups', false),
 			'onlyShareWithGroupMembers' => $this->shareManager->shareWithGroupMembersOnly(),

@@ -20,7 +20,7 @@
 use OCP\IL10N;
 use OCP\IRequest;
 use OCP\Security\ISecureRandom;
-use OCP\Util;
+use OCP\ServerVersion;
 use Psr\Log\LoggerInterface;
 
 class AdminController extends Controller {
@@ -35,16 +35,16 @@ public function __construct(
 		private ITimeFactory $timeFactory,
 		private IL10N $l10n,
 		private LoggerInterface $logger,
+		private ServerVersion $serverVersion,
 	) {
 		parent::__construct($appName, $request);
 	}
 
 	/**
-	 * @param string $channel
-	 * @return DataResponse
+	 * @param 'beta'|'stable'|'enterprise'|'git' $channel
 	 */
 	public function setChannel(string $channel): DataResponse {
-		Util::setChannel($channel);
+		$this->serverVersion->setChannel($channel);
 		$this->appConfig->setValueInt('core', 'lastupdatedat', 0);
 		return new DataResponse(['status' => 'success', 'data' => ['message' => $this->l10n->t('Channel updated')]]);
 	}

@@ -18,6 +18,7 @@
 use OCP\IL10N;
 use OCP\IRequest;
 use OCP\Security\ISecureRandom;
+use OCP\ServerVersion;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Log\LoggerInterface;
 use Test\TestCase;
@@ -56,6 +57,7 @@ protected function setUp(): void {
 			$this->timeFactory,
 			$this->l10n,
 			$this->logger,
+			$this->createMock(ServerVersion::class),
 		);
 	}
 

@@ -17,6 +17,7 @@
 use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
 use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
 use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
+use OC\Security\CSRF\CsrfTokenManager;
 use OC\Settings\AuthorizedGroupMapper;
 use OC\User\Session;
 use OCA\Talk\Controller\PageController as TalkPageController;
@@ -45,7 +46,7 @@
 use OCP\IURLGenerator;
 use OCP\IUserSession;
 use OCP\Security\Ip\IRemoteAddress;
-use OCP\Util;
+use OCP\Server;
 use Psr\Log\LoggerInterface;
 use ReflectionMethod;
 
@@ -193,7 +194,7 @@ public function beforeController($controller, $methodName) {
 			}
 		}
 		// CSRF check - also registers the CSRF token since the session may be closed later
-		Util::callRegister();
+		Server::get(CsrfTokenManager::class)->getToken()->getEncryptedValue();
 		if ($this->isInvalidCSRFRequired($reflectionMethod)) {
 			/*
 			 * Only allow the CSRF check to fail on OCS Requests. This kind of

@@ -11,6 +11,7 @@
 namespace OC\Template;
 
 use OC\Security\CSP\ContentSecurityPolicyNonceManager;
+use OC\Security\CSRF\CsrfTokenManager;
 use OC\TemplateLayout;
 use OCP\App\AppPathNotFoundException;
 use OCP\App\IAppManager;
@@ -40,7 +41,7 @@ public function __construct(
 	) {
 		$theme = \OC_Util::getTheme();
 
-		$requestToken = ($registerCall ? Util::callRegister() : '');
+		$requestToken = ($registerCall ? Server::get(CsrfTokenManager::class)->getToken()->getEncryptedValue() : '');
 		$cspNonce = Server::get(ContentSecurityPolicyNonceManager::class)->getNonce();
 
 		// fix translation when app is something like core/lostpassword

@@ -19,6 +19,7 @@
 use OCP\IURLGenerator;
 use OCP\IUserSession;
 use OCP\Server;
+use Override;
 use RuntimeException;
 
 class URLGenerator implements IURLGenerator {
@@ -316,4 +317,12 @@ public function getBaseUrl(): string {
 	public function getWebroot(): string {
 		return \OC::$WEBROOT;
 	}
+
+	#[Override]
+	public function linkToRemote(string $service): string {
+		$remoteBase = $this->linkTo('', 'remote.php') . '/' . $service;
+		return $this->getAbsoluteURL(
+			$remoteBase . (($service[strlen($service) - 1] != '/') ? '/' : '')
+		);
+	}
 }
@@ -6,6 +6,7 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 use OC\Authentication\Token\IProvider;
+use OC\Security\CSRF\CsrfTokenManager;
 use OC\SystemConfig;
 use OC\User\Database;
 use OC\User\DisabledUserException;
@@ -29,7 +30,6 @@
 use OCP\User\Events\BeforeUserLoggedInEvent;
 use OCP\User\Events\UserLoggedInEvent;
 use OCP\UserInterface;
-use OCP\Util;
 use Psr\Log\LoggerInterface;
 
 /**
@@ -291,7 +291,7 @@ public static function getLogoutUrl(IURLGenerator $urlGenerator): string {
 		}
 
 		$logoutUrl = $urlGenerator->linkToRoute('core.login.logout');
-		$logoutUrl .= '?requesttoken=' . urlencode(Util::callRegister());
+		$logoutUrl .= '?requesttoken=' . urlencode(Server::get(CsrfTokenManager::class)->getToken()->getEncryptedValue());
 
 		return $logoutUrl;
 	}

@@ -565,44 +565,6 @@ public static function checkLoggedIn(): void {
 		}
 	}
 
-	/**
-	 * Check if the user is a admin, redirects to home if not
-	 *
-	 * @deprecated 32.0.0
-	 */
-	public static function checkAdminUser(): void {
-		self::checkLoggedIn();
-		if (!OC_User::isAdminUser(OC_User::getUser())) {
-			header('Location: ' . Util::linkToAbsolute('', 'index.php'));
-			exit();
-		}
-	}
-
-	/**
-	 * Returns the URL of the default page
-	 * based on the system configuration and
-	 * the apps visible for the current user
-	 *
-	 * @return string URL
-	 * @deprecated 32.0.0 use IURLGenerator's linkToDefaultPageUrl directly
-	 */
-	public static function getDefaultPageUrl() {
-		/** @var IURLGenerator $urlGenerator */
-		$urlGenerator = Server::get(IURLGenerator::class);
-		return $urlGenerator->linkToDefaultPageUrl();
-	}
-
-	/**
-	 * Redirect to the user default page
-	 *
-	 * @deprecated 32.0.0
-	 */
-	public static function redirectToDefaultPage(): void {
-		$location = self::getDefaultPageUrl();
-		header('Location: ' . $location);
-		exit();
-	}
-
 	/**
 	 * get an id unique for this instance
 	 *
@@ -618,45 +580,6 @@ public static function getInstanceId(): string {
 		return $id;
 	}
 
-	/**
-	 * Public function to sanitize HTML
-	 *
-	 * This function is used to sanitize HTML and should be applied on any
-	 * string or array of strings before displaying it on a web page.
-	 *
-	 * @param string|string[] $value
-	 * @return ($value is array ? string[] : string)
-	 * @deprecated 32.0.0 use \OCP\Util::sanitizeHTML instead
-	 */
-	public static function sanitizeHTML($value) {
-		if (is_array($value)) {
-			$value = array_map(function ($value) {
-				return self::sanitizeHTML($value);
-			}, $value);
-		} else {
-			// Specify encoding for PHP<5.4
-			$value = htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
-		}
-		return $value;
-	}
-
-	/**
-	 * Public function to encode url parameters
-	 *
-	 * This function is used to encode path to file before output.
-	 * Encoding is done according to RFC 3986 with one exception:
-	 * Character '/' is preserved as is.
-	 *
-	 * @param string $component part of URI to encode
-	 * @return string
-	 * @deprecated 32.0.0 use \OCP\Util::encodePath instead
-	 */
-	public static function encodePath($component) {
-		$encoded = rawurlencode($component);
-		$encoded = str_replace('%2F', '/', $encoded);
-		return $encoded;
-	}
-
 	/**
 	 * Check if current locale is non-UTF8
 	 *

@@ -8,10 +8,14 @@
  */
 namespace OCP;
 
+use OCP\AppFramework\Attribute\Consumable;
+
 /**
  * Class to generate URLs
+ *
  * @since 6.0.0
  */
+#[Consumable(since: '6.0.0')]
 interface IURLGenerator {
 	/**
 	 * Regex for matching http(s) urls
@@ -115,4 +119,11 @@ public function getBaseUrl(): string;
 	 * @since 23.0.0
 	 */
 	public function getWebroot(): string;
+
+	/**
+	 * Return the url to the remote DAV handler.
+	 *
+	 * @since 34.0.0
+	 */
+	public function linkToRemote(string $service): string;
 }
@@ -91,6 +91,16 @@ public function getChannel(): string {
 		return $this->channel;
 	}
 
+	/**
+	 * Set current update channel.
+	 *
+	 * @param 'beta'|'stable'|'enterprise'|'git' $channel
+	 * @since 34.0.0
+	 */
+	public function setChannel(string $channel): void {
+		Server::get(IConfig::class)->setSystemValue('updater.release.channel', $channel);
+	}
+
 	/**
 	 * @since 31.0.0
 	 */