diff options
| author | Joas Schilling <coding@schilljs.com> | 2020-03-12 15:43:29 +0300 |
|---|---|---|
| committer | Joas Schilling <coding@schilljs.com> | 2020-03-12 15:44:48 +0300 |
| commit | 3930ab8e8a72190933931b256aea78c3cd239953 (patch) | |
| tree | 8cf39781d84eca30734afefd0cabb5f966a0ba86 /apps/files_sharing/lib/Controller | |
| parent | a5b0f41a9ffc570319abbae24b1e82128f3171a6 (diff) | |
Don't allow anchors and queries in remote urls
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'apps/files_sharing/lib/Controller')
| -rw-r--r-- | apps/files_sharing/lib/Controller/ExternalSharesController.php | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/apps/files_sharing/lib/Controller/ExternalSharesController.php b/apps/files_sharing/lib/Controller/ExternalSharesController.php index d9be124b2ee..f903871ffd6 100644 --- a/apps/files_sharing/lib/Controller/ExternalSharesController.php +++ b/apps/files_sharing/lib/Controller/ExternalSharesController.php @@ -130,6 +130,9 @@ class ExternalSharesController extends Controller { * @return DataResponse */ public function testRemote($remote) { + if (strpos($remote, '#') !== false || strpos($remote, '?') !== false) { + return new DataResponse(false); + } if ( $this->testUrl('https://' . $remote . '/ocs-provider/') || $this->testUrl('https://' . $remote . '/ocs-provider/index.php') || |