From e39137de2d6adafcb6300bd7dc1b5f54ff0b71db Mon Sep 17 00:00:00 2001
From: Benjamin Gaussorgues
Date: Thu, 28 Nov 2024 11:05:06 +0100
Subject: [PATCH] chore: stricter access to testremote endpoint

Signed-off-by: Benjamin Gaussorgues
---
 apps/files_sharing/lib/Controller/ExternalSharesController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/files_sharing/lib/Controller/ExternalSharesController.php b/apps/files_sharing/lib/Controller/ExternalSharesController.php
index 726e99345fafa..d62df7a071d4b 100644
--- a/apps/files_sharing/lib/Controller/ExternalSharesController.php
+++ b/apps/files_sharing/lib/Controller/ExternalSharesController.php
@@ -118,9 +118,10 @@ protected function testUrl($remote, $checkVersion = false) {
 *
 * @param string $remote
 * @return DataResponse
+ * @AnonRateThrottle(limit=5, period=120)
 */
 public function testRemote($remote) {
- if (str_contains($remote, '#') || str_contains($remote, '?') || str_contains($remote, ';')) {
+ if (preg_match('%[!#$&\'()*+,;=?@[\]]%', $remote)) {
 return new DataResponse(false);
 }
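Review bot: The new `preg_match` guard in `testRemote` is still a denylist: it rejects the RFC 3986 reserved characters other than `:` and `/`, but `%`, backslash, whitespace and control characters still pass, so percent-encoded forms of the blocked characters are not rejected. Whether that matters depends on how `testUrl` builds the outgoing request URL, which is outside this hunk; if `$remote` is only ever meant to be `host[:port][/path]`, validating the parsed components positively would be sturdier than enumerating bad characters. At minimum the intent deserves a comment above the check, e.g. `// Reject RFC 3986 reserved characters (except ':' and '/') so $remote cannot carry userinfo, a query or a fragment`, and it should note that bracketed IPv6 literals are refused as a side effect. Separately, `@AnonRateThrottle(limit=5, period=120)` limits only unauthenticated callers; if logged-in users can reach this endpoint a matching `@UserRateThrottle` would be needed, and the top of the docblock is not visible here to confirm.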