From 3930ab8e8a72190933931b256aea78c3cd239953 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 12 Mar 2020 13:43:29 +0100
Subject: Don't allow anchors and queries in remote urls

Signed-off-by: Joas Schilling
---
 apps/files_sharing/lib/Controller/ExternalSharesController.php | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'apps/files_sharing/lib/Controller')
diff --git a/apps/files_sharing/lib/Controller/ExternalSharesController.php b/apps/files_sharing/lib/Controller/ExternalSharesController.php
index d9be124b2ee..f903871ffd6 100644
--- a/apps/files_sharing/lib/Controller/ExternalSharesController.php
+++ b/apps/files_sharing/lib/Controller/ExternalSharesController.php
@@ -130,6 +130,9 @@ class ExternalSharesController extends Controller {
 * @return DataResponse
 */
 public function testRemote($remote) {
+ if (strpos($remote, '#') !== false || strpos($remote, '?') !== false) {
+ return new DataResponse(false);
+ }
 if (
 $this->testUrl('https://' . $remote . '/ocs-provider/') ||
 $this->testUrl('https://' . $remote . '/ocs-provider/index.php') ||
--
cgit v1.2.3
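Review bot: The new guard at the top of testRemote() is a two-character denylist, so other characters that change how `'https://' . $remote . '/ocs-provider/'` is parsed still reach testUrl(); `@`, for example, turns everything before it into userinfo, and some HTTP clients read a backslash as a path separator. If those characters are never valid in a remote here (not visible from this hunk), reject them in the same check, e.g. `if (!is_string($remote) || strpbrk($remote, '#?@\\') !== false) {`; the is_string() test also keeps an array-valued `remote` parameter from reaching strpos(). A one-line comment such as `// '#' and '?' would cut the appended /ocs-provider/ path off the request URL` would record why the check exists. The body of testRemote() continues past the end of the hunk, so how testUrl() resolves and fetches the URL is not shown.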